fix(deps): update go #825

Merged
ramonpetgrave64 merged 1 commit into slsa-framework:main from renovate-bot:renovate/go on Jan 21, 2025

@renovate-bot renovate-bot commented Jan 1, 2025

This PR contains the following updates:

Package Change
github.com/google/go-containerregistry v0.20.2 -> v0.20.3
github.com/secure-systems-lab/go-securesystemslib v0.8.0 -> v0.9.0
github.com/sigstore/cosign/v2 v2.2.4 -> v2.4.1
github.com/sigstore/fulcio v1.4.5 -> v1.6.5
github.com/sigstore/protobuf-specs v0.3.2 -> v0.3.3
github.com/sigstore/rekor v1.3.6 -> v1.3.8
github.com/sigstore/sigstore v1.8.9 -> v1.8.12
github.com/slsa-framework/slsa-github-generator v1.9.0 -> v1.10.0
golang.org/x/mod v0.21.0 -> v0.22.0
google.golang.org/protobuf v1.34.2 -> v1.36.3
sigs.k8s.io/release-utils v0.8.4 -> v0.9.0

Release Notes

google/go-containerregistry (github.com/google/go-containerregistry)

v0.20.3

Compare Source

What's Changed

New Contributors

Full Changelog: google/go-containerregistry@v0.20.2...v0.20.3

secure-systems-lab/go-securesystemslib (github.com/secure-systems-lab/go-securesystemslib)

v0.9.0

Compare Source

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.4.1

Compare Source

v2.4.1 largely contains bug fixes and updates dependencies.

Features

  • Added fuzzing coverage to multiple packages

Bug Fixes

  • Fix bug in attest-blob when using a timestamp authority with new bundles (#​3877)
  • fix: documentation link for installation guide (#​3884)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden B
  • Hemil K
  • Sota Sugiura
  • Zach Steindler

v2.4.0

Compare Source

v2.4.0 begins the modernization of the Cosign client, which includes:

  • Support for the newer Sigstore specification-compliant bundle format
  • Support for providing trust roots (e.g. Fulcio certificates, Rekor keys)
    through a trust root file, instead of many different flags
  • Conformance test suite integration to verify signing and verification behavior

In future updates, we'll include:

  • General support for the trust root file, instead of only when using the bundle
    format during verification
  • Simplification of trust root flags and deprecation of the
    Cosign-specific bundle format
  • Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of GCR.

Features

  • Add new bundle support to verify-blob and verify-blob-attestation (#​3796)
  • Adding protobuf bundle support to sign-blob and attest-blob (#​3752)
  • Bump sigstore/sigstore to support email_verified as string or boolean (#​3819)
  • Conformance testing for cosign (#​3806)
  • move incremental builds per commit to GHCR instead of GCR (#​3808)
  • Add support for recording creation timestamp for cosign attest (#​3797)
  • Include SCT verification failure details in error message (#​3799)

Contributors

  • Bob Callaway
  • Hayden B
  • Slavek Kabrda
  • Zach Steindler
  • Zsolt Horvath

v2.3.0

Compare Source

Features

  • Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#​3693)
  • add registry options to cosign save (#​3645)
  • Add debug providers command. (#​3728)
  • Make config layers in ociremote mountable (#​3741)
  • upgrade to go1.22 (#​3739)
  • adds tsa cert chain check for env var or tuf targets. (#​3600)
  • add --ca-roots and --ca-intermediates flags to 'cosign verify' (#​3464)
  • add handling of keyless verification for all verify commands (#​3761)

Bug Fixes

  • fix: close attestationFile (#​3679)
  • Set bundleVerified to true after Rekor verification (Resolves #​3740) (#​3745)

Documentation

  • Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#​3776)

Testing

  • Refactor KMS E2E tests (#​3684)
  • Remove sign_blob_test.sh test (#​3707)
  • Remove KMS E2E test script (#​3702)
  • Refactor insecure registry E2E tests (#​3701)

Contributors

  • Billy Lynch
  • bminahan73
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Dmitry Savintsev
  • guangwu
  • Hayden B
  • Hector Fernandez
  • ian hundere
  • Jason Power
  • Jon Johnson
  • Max Lambrecht
  • Meeki1l

sigstore/fulcio (github.com/sigstore/fulcio)

v1.6.5

Compare Source

Features

  • use go1.23.2 (#​1834)
  • fallback to json default cfg path if yaml does not exist (#​1810)
  • Include IDP type and subject domain in configuration API response (#​1824)

Documentation

  • Update OIDC claim mapping table to reflect the current state (#​1801)

Contributors

  • Aditya Sirish
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Hayden B
  • Nina
  • Richard Fan

v1.6.4

Compare Source

Features

  • use go1.22.6 to build fulcio (#​1793)

Bugs

  • Revert "If custom server url exists, use that instead of the default one." (#​1791)

Contributors

  • Carlos Tadeu Panato Junior
  • Fredrik Skogman

v1.6.3

Compare Source

Features

  • If custom server url exists, use that instead of the default one. (#​1776)

Contributors

  • Fredrik Skogman
  • Javan Lacerda

v1.6.2

Compare Source

Bug Fixes

  • fix: adding ci provider for meta-issuers (#​1767)

Contributors

  • Javan Lacerda

v1.6.1

Compare Source

Bug Fixes

  • fix: removing surplus slash, making logs richer (#​1762)

Contributors

  • Javan Lacerda

v1.6.0

Compare Source

v1.6.0 adds support for onboarding CI identity providers via configuration
rather than code changes, which should greatly simplify the onboarding process.

Features

  • CiProvider as a new OIDCIssuer type (#​1729)
  • Add TLS support for CTLog (#​1718)
  • Added support for email_verified being a string or bool (#​1744)

Documentation

Public Good Instance Configuration

  • Move codefresh and buildkite to ci-provider identity (#​1743)
  • Move gitlab to ci-provider (#​1740)
  • Migrate github to ci provider flow (#​1738)
  • add Hellō provider (#​1739)
  • Move configuration to yaml format (#​1720)
  • Removes identity providers federation (#​1736)

Contributors

  • Andrew Block
  • cpanato
  • Dick Hardt
  • Firas Ghanmi
  • Hayden B
  • Javan Lacerda
  • Matt Moore

v1.5.1

Compare Source

Bug Fixes

  • Surface the right Name() from our principal. (#​1726)

Contributors

  • Matt Moore

v1.5.0

Compare Source

Features

  • Add Chainguard OIDC provider. (#​1703)
  • Adding support for configuration from yaml file (#​1687)
  • Upgrade go to 1.22 (#​1625)

Documentation

  • oid-info: fix table render (#​1662)
  • docs: Fix extensions for digest values requiring a type prefix (#​1661)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Facundo Tuesca
  • Javan Lacerda
  • Matt Moore
  • Tomas Turek
  • William Woodruff

sigstore/protobuf-specs (github.com/sigstore/protobuf-specs)

v0.3.3

Compare Source

sigstore/rekor (github.com/sigstore/rekor)

v1.3.8

Compare Source

Bug Fixes

Quality Enhancements

  • chore: relax go directive to permit 1.22.x
  • fetch minisign from homebrew instead of custom ppa (#​2329)
  • fix(ci): simplify GOVERSION extraction
  • chore(deps): bump actions pins to latest
  • Updates go and golangci-lint (#​2302)
  • update builder to use go1.23.4 (#​2301)
  • clean up spaces
  • log request body on 500 error to aid debugging (#​2283)

Contributors

  • Appu Goundan
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Dominic Evans
  • sgpinkus

v1.3.7

Compare Source

New Features

  • log request body on 500 error to aid debugging (#​2283)
  • Add support for signing with Tink keyset (#​2228)
  • Add public key hash check in Signed Note verification (#​2214)
  • update Trillian TLS configuration (#​2202)
  • Add TLS support for Trillian server (#​2164)
  • Replace docker-compose with plugin if available (#​2153)
  • Add flags to backfill script (#​2146)
  • Unset DisableKeepalive for backfill HTTP client (#​2137)
  • Add script to delete indexes from Redis (#​2120)
  • Run CREATE statement in backfill script (#​2109)
  • Add MySQL support to backfill script (#​2081)
  • Run e2e tests on mysql and redis index backends (#​2079)

Bug Fixes

  • remove unneeded value in log message (#​2282)
  • Add error message when computing consistency proof (#​2278)
  • fix validation error handling on API (#​2217)
  • fix error in pretty-printed inclusion proof from verify subcommand (#​2210)
  • Fix index scripts (#​2203)
  • fix failing sharding test
  • Better error handling in backfill script (#​2148)
  • Batch entries in cleanup script (#​2158)
  • Add missing workflow for index cleanup test (#​2121)
  • hashedrekord: fix schema $id (#​2092)

Contributors

  • Aditya Sirish
  • Bob Callaway
  • Colleen Murphy
  • cpanato
  • Firas Ghanmi
  • Hayden B
  • Hojoung (Brian) Jang
  • William Woodruff

sigstore/sigstore (github.com/sigstore/sigstore)

v1.8.12

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.8.11...v1.8.12

v1.8.11

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore@v1.8.10...v1.8.11

v1.8.10

Compare Source

What's Changed

and several dependency updates

New Contributors

Full Changelog: sigstore/sigstore@v1.8.9...v1.8.10

slsa-framework/slsa-github-generator (github.com/slsa-framework/slsa-github-generator)

v1.10.0

Compare Source

Release v1.10.0 includes bug fixes and new features.

See the full change list.

v1.10.0: TUF fix

  • The cosign TUF roots were fixed (#​3350).
    More details here.

v1.10.0: Gradle Builder

  • The Gradle Builder was fixed when the project root is the same as the
    repository root (#​2727)

v1.10.0: Go Builder

  • The go-version-file input was fixed so that it can find the go.mod file
    (#​2661)

v1.10.0: Container Generator

  • A new provenance-repository input was added to allow reading provenance from
    a different container repository than the image itself (#​2956)

v1.9.1

Compare Source

This is an un-finalized release.

See the CHANGELOG for details.

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.36.3

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.36.2...v1.36.3

Bug fixes:
CL/642575: reflect/protodesc: fix panic when working with dynamicpb
CL/641036: cmd/protoc-gen-go: remove json struct tags from unexported fields

User-visible changes:
CL/641876: proto: add example for GetExtension, SetExtension
CL/642015: runtime/protolazy: replace internal doc link with external link

Maintenance:
CL/641635: all: split flags.ProtoLegacyWeak out of flags.ProtoLegacy
CL/641019: internal/impl: remove unused exporter parameter
CL/641018: internal/impl: switch to reflect.Value.IsZero
CL/641035: internal/impl: clean up unneeded Go<1.12 MapRange() alternative
CL/641017: types/dynamicpb: switch atomicExtFiles to atomic.Uint64 type

v1.36.2

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.36.1...v1.36.2

Bug fixes:
CL/638515: internal/impl: fix WhichOneof() to work with synthetic oneofs

v1.36.1

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.36.0...v1.36.1

Bug fixes:
CL/638495: internal/impl: revert IsSynthetic() check to fix panic

Maintenance:
CL/637475: internal/errors: delete compatibility code for Go before 1.13

v1.36.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.35.2...v1.36.0

User-visible changes:

CL/635139: src/google/protobuf: document UnmarshalJSON / API level behavior
CL/635138: reflect/protoreflect: use [] syntax to reference method
CL/635137: proto: add reference to size semantics with lazy decoding to comment
CL/634818: compiler/protogen: allow overriding API level from --go_opt
CL/634817: cmd/protoc-gen-go: generate _protoopaque variant for hybrid
CL/634816: all: regenerate.bash for Opaque API
CL/634815: all: Release the Opaque API
CL/634015: types/descriptorpb: regenerate using latest protobuf v29.1 release
CL/632735: internal/impl: skip synthetic oneofs in messageInfo
CL/627876: all: start v1.35.2-devel

v1.35.2

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.35.1...v1.35.2

Maintenance:

CL/623115: proto: refactor equal_test from explicit table to use makeMessages()
CL/623116: encoding/prototext: use testmessages_test.go approach, too
CL/623117: internal/testprotos/test: add nested message field with [lazy=true]
CL/624415: proto: switch messageset_test to use makeMessages() injection point
CL/624416: internal/impl: fix TestMarshalMessageSetLazyRace (was a no-op!)

User-visible changes:

CL/618395: encoding/protojson: allow missing value for Any of type Empty
CL/618979: all: implement strip_enum_prefix editions feature
CL/622575: testing/protocmp: document behavior when combining Ignore and Sort

v1.35.1

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.34.2...v1.35.1

Maintenance:

  • CL/606755: all: remove unused purego support
  • CL/608316: all: set Go language version to Go 1.21

User-visible changes:

  • CL/587536: protojson: include field name in error messages
  • CL/597055: compiler/protogen: always report editions support level of the plugin
  • CL/596539: all: plumb the lazy option into filedesc.Field and .Extension
  • CL/601775: types/known/structpb: add support for more types and json.Number
  • CL/607995: proto: extend documentation of GetExtension, SetExtension
  • CL/609035: proto: implement proto.Equal fast-path

Bug fixes:

  • CL/595337: reflect/protodesc: fix handling of delimited extensions in editions
  • CL/602055: internal/cmd/generate-protos: fix pkg check for editions features
  • CL/603015: internal: generate extension numbers, fix editions parsing

v1.35.0

Compare Source

kubernetes-sigs/release-utils (sigs.k8s.io/release-utils)

v0.9.0

Compare Source

v0.8.5

Compare Source


Configuration

📅 Schedule: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team January 1, 2025 03:13

forking-renovate bot commented Jan 1, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 22 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.23.1 -> 1.23.5
github.com/google/trillian v1.6.0 -> v1.7.1
github.com/go-jose/go-jose/v4 v4.0.2 -> v4.0.4
go.opentelemetry.io/otel/metric v1.27.0 -> v1.33.0
google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 -> v0.0.0-20241209162323-e6fa225c2576
google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 -> v0.0.0-20250102185135-69823020774d
github.com/containerd/stargz-snapshotter/estargz v0.14.3 -> v0.16.3
github.com/docker/cli v27.1.1+incompatible -> v27.5.0+incompatible
github.com/docker/docker-credential-helpers v0.8.0 -> v0.8.2
github.com/go-logr/logr v1.4.1 -> v1.4.2
github.com/klauspost/compress v1.17.8 -> v1.17.11
github.com/pelletier/go-toml/v2 v2.1.0 -> v2.2.2
github.com/spf13/cast v1.6.0 -> v1.7.0
github.com/spf13/viper v1.18.2 -> v1.19.0
github.com/vbatts/tar-split v0.11.5 -> v0.11.6
go.opentelemetry.io/otel v1.27.0 -> v1.33.0
go.opentelemetry.io/otel/trace v1.27.0 -> v1.33.0
golang.org/x/crypto v0.31.0 -> v0.32.0
golang.org/x/net v0.33.0 -> v0.34.0
golang.org/x/sys v0.28.0 -> v0.29.0
golang.org/x/term v0.27.0 -> v0.28.0
google.golang.org/grpc v1.64.1 -> v1.69.4
k8s.io/klog/v2 v2.120.1 -> v2.130.1

ramonpetgrave64 previously approved these changes Jan 2, 2025
@ramonpetgrave64 ramonpetgrave64 merged commit 2d6982f into slsa-framework:main Jan 21, 2025
@renovate-bot renovate-bot deleted the renovate/go branch January 21, 2025 19:58