fix: ignore the in-toto manifest when promoting the docker build#5859
Merged
Skarlso merged 1 commit intoexternal-secrets:mainfrom Jan 23, 2026
Merged
fix: ignore the in-toto manifest when promoting the docker build#5859Skarlso merged 1 commit intoexternal-secrets:mainfrom
Skarlso merged 1 commit intoexternal-secrets:mainfrom
Conversation
WalkthroughThe Makefile's Changes
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
Author
|
Getting some errors from local testing. Hang on. |
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
5ca789f to
e7f09b9
Compare
Contributor
Author
Okay, worked locally. 🤞 |
|
gusfcarvalho
approved these changes
Jan 23, 2026
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Jan 23, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `1.2.1` → `1.3.1` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v1.3.1`](https://github.com/external-secrets/external-secrets/releases/tag/v1.3.1) [Compare Source](external-secrets/external-secrets@v1.2.1...v1.3.1) Image: `ghcr.io/external-secrets/external-secrets:v1.3.1` Image: `ghcr.io/external-secrets/external-secrets:v1.3.1-ubi` Image: `ghcr.io/external-secrets/external-secrets:v1.3.1-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> For a Full release please referre to <https://github.com/external-secrets/external-secrets/releases/tag/v1.3.0>. This is a fix build for the docker publish flow. #### What's Changed ##### General - fix: ignore the in-toto manifest when promoting the docker build by [@​Skarlso](https://github.com/Skarlso) in [#​5859](external-secrets/external-secrets#5859) **Full Changelog**: <external-secrets/external-secrets@v1.3.0...v1.3.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42OS4yIiwidXBkYXRlZEluVmVyIjoiNDIuNjkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiY2hhcnQiXX0=--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3394 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
radermacher-iits
pushed a commit
to kubara-io/kubara
that referenced
this pull request
Feb 19, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `1.2.1` → `1.3.2` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v1.3.2`](https://github.com/external-secrets/external-secrets/releases/tag/v1.3.2) [Compare Source](external-secrets/external-secrets@v1.3.1...v1.3.2) Image: `ghcr.io/external-secrets/external-secrets:v1.3.2` Image: `ghcr.io/external-secrets/external-secrets:v1.3.2-ubi` Image: `ghcr.io/external-secrets/external-secrets:v1.3.2-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### General - chore: release helm chart for v1.3.1 by [@​Skarlso](https://github.com/Skarlso) in [#​5860](external-secrets/external-secrets#5860) - chore(chart): Add missing tests for readinessProbe by [@​jcpunk](https://github.com/jcpunk) in [#​5769](external-secrets/external-secrets#5769) - docs: Update FluxCD example by [@​umizoom](https://github.com/umizoom) in [#​5862](external-secrets/external-secrets#5862) - fix(ci): Removed the unused check for Windows in Makefile by [@​HauptJ](https://github.com/HauptJ) in [#​5870](external-secrets/external-secrets#5870) - docs(release): Add actual dates for EOL of 1.x releases in stability and support page by [@​n4zukker](https://github.com/n4zukker) in [#​5889](external-secrets/external-secrets#5889) - docs: Passbolt provider maintenance ownership by [@​stripthis](https://github.com/stripthis) in [#​5886](external-secrets/external-secrets#5886) - chore: Update Passbolt MaintenanceStatus to MaintenanceStatusMaintained by [@​stripthis](https://github.com/stripthis) in [#​5887](external-secrets/external-secrets#5887) - fix(security): sanitize json.Unmarshal errors to prevent secret data … by [@​moolen](https://github.com/moolen) in [#​5884](external-secrets/external-secrets#5884) - fix: webhook initialization order by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5901](external-secrets/external-secrets#5901) - chore: Cleanup flags by [@​evrardj-roche](https://github.com/evrardj-roche) in [#​5845](external-secrets/external-secrets#5845) - fix: onepasswordsdk shared tenant by altering the provider in the client cache by [@​Skarlso](https://github.com/Skarlso) in [#​5921](external-secrets/external-secrets#5921) ##### Dependencies - chore(deps): bump github/codeql-action from 4.31.10 to 4.31.11 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5873](external-secrets/external-secrets#5873) - chore(deps): bump pymdown-extensions from 10.20 to 10.20.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5877](external-secrets/external-secrets#5877) - chore(deps): bump markdown from 3.10 to 3.10.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5880](external-secrets/external-secrets#5880) - chore(deps): bump ubi9/ubi from `22e9573` to `1f84f5c` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5871](external-secrets/external-secrets#5871) - chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5872](external-secrets/external-secrets#5872) - chore(deps): bump hashicorp/setup-terraform from [`93d5a27`](external-secrets/external-secrets@93d5a27) to [`dcc3150`](external-secrets/external-secrets@dcc3150) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5875](external-secrets/external-secrets#5875) - chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5876](external-secrets/external-secrets#5876) - chore(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5878](external-secrets/external-secrets#5878) - chore(deps): bump anchore/sbom-action from 0.21.1 to 0.22.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5874](external-secrets/external-secrets#5874) - chore(deps): bump packaging from 25.0 to 26.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5879](external-secrets/external-secrets#5879) - chore(deps): bump golang from `d9b2e14` to `98e6cff` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5907](external-secrets/external-secrets#5907) - chore(deps): bump alpine from `865b95f` to `2510918` in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5914](external-secrets/external-secrets#5914) - chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5909](external-secrets/external-secrets#5909) - chore(deps): bump actions/cache from 5.0.2 to 5.0.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5912](external-secrets/external-secrets#5912) - chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5910](external-secrets/external-secrets#5910) - chore(deps): bump hashicorp/setup-terraform from [`dcc3150`](external-secrets/external-secrets@dcc3150) to [`ce70bcf`](external-secrets/external-secrets@ce70bcf) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5911](external-secrets/external-secrets#5911) - chore(deps): bump ubi9/ubi from `1f84f5c` to `c8df11b` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5908](external-secrets/external-secrets#5908) - chore(deps): bump alpine from 3.23.2 to 3.23.3 in /e2e by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5915](external-secrets/external-secrets#5915) - chore(deps): bump alpine from `865b95f` to `2510918` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5906](external-secrets/external-secrets#5906) - chore(deps): bump pathspec from 1.0.3 to 1.0.4 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5916](external-secrets/external-secrets#5916) - chore(deps): bump babel from 2.17.0 to 2.18.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5917](external-secrets/external-secrets#5917) - chore(deps): bump github/codeql-action from 4.31.11 to 4.32.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5913](external-secrets/external-secrets#5913) #### New Contributors - [@​umizoom](https://github.com/umizoom) made their first contribution in [#​5862](external-secrets/external-secrets#5862) - [@​HauptJ](https://github.com/HauptJ) made their first contribution in [#​5870](external-secrets/external-secrets#5870) - [@​n4zukker](https://github.com/n4zukker) made their first contribution in [#​5889](external-secrets/external-secrets#5889) - [@​stripthis](https://github.com/stripthis) made their first contribution in [#​5886](external-secrets/external-secrets#5886) **Full Changelog**: <external-secrets/external-secrets@v1.3.1...v1.3.2> ### [`v1.3.1`](https://github.com/external-secrets/external-secrets/releases/tag/v1.3.1) [Compare Source](external-secrets/external-secrets@v1.2.1...v1.3.1) Image: `ghcr.io/external-secrets/external-secrets:v1.3.1` Image: `ghcr.io/external-secrets/external-secrets:v1.3.1-ubi` Image: `ghcr.io/external-secrets/external-secrets:v1.3.1-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> For a Full release please referre to <https://github.com/external-secrets/external-secrets/releases/tag/v1.3.0>. This is a fix build for the docker publish flow. #### What's Changed ##### General - fix: ignore the in-toto manifest when promoting the docker build by [@​Skarlso](https://github.com/Skarlso) in [#​5859](external-secrets/external-secrets#5859) **Full Changelog**: <external-secrets/external-secrets@v1.3.0...v1.3.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuNSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119--> Reviewed-on: https://kubara.git.onstackit.cloud/STACKIT/kubara/pulls/250
dsp0x4
pushed a commit
to dsp0x4/external-secrets
that referenced
this pull request
Mar 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Statement
Dockerx now includes attestations. So we ignore that.
Related Issue
Fixes #...
Proposed Changes
How do you like to solve the issue and why?
Format
Please ensure that your PR follows the following format for the title:
Where
scopeis optionally one of:Checklist
git commit --signoffmake testmake reviewableChanges
Makefile
Updated the
docker.promotetarget to ignore in-toto manifest entries by filtering descriptors withDescriptor.platform.architecture != "unknown"whenmanifest inspectreturns an array. The loop that pulls digests and the--amendlist construction now both use the filtered descriptors, preventingunknown-architecture (in-toto) entries from being included. Non-array manifests retain the previous behavior.Files changed: 1 (Makefile)
Lines changed: +2/-2