tektoncd / chains

Supply Chain Security in Tekton Pipelines
Apache License 2.0

Bump the all group with 13 updates #1066

Closed dependabot[bot] closed 4 months ago

dependabot[bot] commented 4 months ago

Bumps the all group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| cloud.google.com/go/storage | 1.38.0 | 1.39.0 |
| github.com/sigstore/cosign/v2 | 2.2.2 | 2.2.3 |
| github.com/sigstore/sigstore | 1.8.1 | 1.8.2 |
| github.com/sigstore/sigstore/pkg/signature/kms/aws | 1.8.1 | 1.8.2 |
| github.com/sigstore/sigstore/pkg/signature/kms/azure | 1.8.1 | 1.8.2 |
| github.com/sigstore/sigstore/pkg/signature/kms/gcp | 1.8.1 | 1.8.2 |
| github.com/sigstore/sigstore/pkg/signature/kms/hashivault | 1.8.1 | 1.8.2 |
| github.com/stretchr/testify | 1.8.4 | 1.9.0 |
| github.com/tektoncd/pipeline | 0.56.1 | 0.57.0 |
| go.uber.org/zap | 1.26.0 | 1.27.0 |
| golang.org/x/crypto | 0.19.0 | 0.20.0 |
| google.golang.org/grpc | 1.61.1 | 1.62.1 |
| google.golang.org/protobuf | 1.32.0 | 1.33.0 |

Updates cloud.google.com/go/storage from 1.38.0 to 1.39.0

Release notes

Sourced from cloud.google.com/go/storage's releases.

storage: v1.39.0

1.39.0 (2024-02-29)

Features

  • storage: Make it possible to disable Content-Type sniffing (#9431) (0676670)
Commits
  • 2b87538 chore(main): release spanner 1.39.0 (#6622)
  • a1ce541 fix(spanner): destroy session when client is closing (#6700)
  • 37d209c chore(storage): multi-transport BucketCreateDelete test (#6670)
  • 3d26091 feat(bigquery): add reference file schema option for federated formats (#6693)
  • 17cceeb chore(storage): parse out project number if available (#6671)
  • feb7d7d feat(bigquery/analyticshub): start generating apiv1 (#6707)
  • 402eb24 chore: update how we handle mod replacements (#6704)
  • f1ef6d8 chore: release main (#6696)
  • 4aa2f48 chore: fix v2 beta edge case (#6698)
  • 1b56cd0 feat(spanner): retry spanner transactions and mutations when RST_STREAM error...
  • Additional commits viewable in compare view


Updates github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.2.3

Bug Fixes

  • Fix race condition on verification with multiple signatures attached to image (#3486)
  • fix(clean): Fix clean cmd for private registries (#3446)
  • Fixed BYO PKI verification (#3427)

Features

  • Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
  • Add support for OpenVEX predicate type (#3405)

Documentation

  • Resolves #3088: version sub-command expected behaviour documentation and testing (#3447)
  • add examples for cosign attach signature cmd (#3468)

Misc

  • Remove CertSubject function (#3467)
  • Use local rekor and fulcio instances in e2e tests (#3478)

Full Changelog: https://github.com/sigstore/cosign/compare/v2.2.2...v2.2.3

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.2.3

Bug Fixes

  • Fix race condition on verification with multiple signatures attached to image (#3486)
  • fix(clean): Fix clean cmd for private registries (#3446)
  • Fixed BYO PKI verification (#3427)

Features

  • Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
  • Add support for OpenVEX predicate type (#3405)

Documentation

  • Resolves #3088: version sub-command expected behaviour documentation and testing (#3447)
  • add examples for cosign attach signature cmd (#3468)

Misc

  • Remove CertSubject function (#3467)
  • Use local rekor and fulcio instances in e2e tests (#3478)

Contributors

  • aalsabag
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Colleen Murphy
  • Hayden B
  • Mukuls77
  • Omri Bornstein
  • Puerco
  • vivek kumar sahu
Commits
  • 493e6e2 Add changelog for v2.2.3 (#3513)
  • 628df78 chore(deps): bump cpanato/vault-installer from 0.0.2 to 1.0.0 (#3510)
  • 7be8de0 chore(deps): bump google.golang.org/api from 0.157.0 to 0.159.0 (#3508)
  • 554015c chore(deps): bump the actions group with 3 updates (#3509)
  • 8395d97 chore(deps): bump github.com/go-openapi/runtime from 0.26.2 to 0.27.1 (#3507)
  • 1c90a3a chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 (#3505)
  • 3f20bde chore(deps): bump github.com/buildkite/agent/v3 from 3.61.0 to 3.62.0 (#3506)
  • 5d79ebf chore(deps): bump the gomod group with 2 updates (#3504)
  • 381c657 fix cross test (#3502)
  • a445167 Fix CI test failing (#3501)
  • Additional commits viewable in compare view


Updates github.com/sigstore/sigstore from 1.8.1 to 1.8.2

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.8.2

What's Changed

New Contributors

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2

Commits
  • 01aee87 build(deps): Bump the all group with 2 updates (#1647)
  • 7dd77e3 build(deps): Bump the all group with 2 updates (#1640)
  • 8f9b512 build(deps): Bump the all group (#1641)
  • 2cbe097 fix: adds TSA URI for customMetadata. (#1646)
  • 0bfcc5b build(deps): Bump the all group in /pkg/signature/kms/gcp with 1 update
  • fbeebcb build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates
  • 0e830c5 Add support for autoclosing oauth flow window (#1618)
  • b80197f build(deps): Bump the all group
  • 7664feb build(deps): Bump the all group with 1 update
  • 44c6e90 build(deps): Bump the all group in /pkg/signature/kms/aws with 5 updates
  • Additional commits viewable in compare view


Updates github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.8.1 to 1.8.2

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/aws's releases.

v1.8.2

What's Changed

New Contributors

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2

Commits
  • 01aee87 build(deps): Bump the all group with 2 updates (#1647)
  • 7dd77e3 build(deps): Bump the all group with 2 updates (#1640)
  • 8f9b512 build(deps): Bump the all group (#1641)
  • 2cbe097 fix: adds TSA URI for customMetadata. (#1646)
  • 0bfcc5b build(deps): Bump the all group in /pkg/signature/kms/gcp with 1 update
  • fbeebcb build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates
  • 0e830c5 Add support for autoclosing oauth flow window (#1618)
  • b80197f build(deps): Bump the all group
  • 7664feb build(deps): Bump the all group with 1 update
  • 44c6e90 build(deps): Bump the all group in /pkg/signature/kms/aws with 5 updates
  • Additional commits viewable in compare view


Updates github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.8.1 to 1.8.2

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/azure's releases.

v1.8.2

What's Changed

New Contributors

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2

Commits
  • 01aee87 build(deps): Bump the all group with 2 updates (#1647)
  • 7dd77e3 build(deps): Bump the all group with 2 updates (#1640)
  • 8f9b512 build(deps): Bump the all group (#1641)
  • 2cbe097 fix: adds TSA URI for customMetadata. (#1646)
  • 0bfcc5b build(deps): Bump the all group in /pkg/signature/kms/gcp with 1 update
  • fbeebcb build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates
  • 0e830c5 Add support for autoclosing oauth flow window (#1618)
  • b80197f build(deps): Bump the all group
  • 7664feb build(deps): Bump the all group with 1 update
  • 44c6e90 build(deps): Bump the all group in /pkg/signature/kms/aws with 5 updates
  • Additional commits viewable in compare view


Updates github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.1 to 1.8.2

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/gcp's releases.

v1.8.2

What's Changed

New Contributors

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2

Commits
  • 01aee87 build(deps): Bump the all group with 2 updates (#1647)
  • 7dd77e3 build(deps): Bump the all group with 2 updates (#1640)
  • 8f9b512 build(deps): Bump the all group (#1641)
  • 2cbe097 fix: adds TSA URI for customMetadata. (#1646)
  • 0bfcc5b build(deps): Bump the all group in /pkg/signature/kms/gcp with 1 update
  • fbeebcb build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates
  • 0e830c5 Add support for autoclosing oauth flow window (#1618)
  • b80197f build(deps): Bump the all group
  • 7664feb build(deps): Bump the all group with 1 update
  • 44c6e90 build(deps): Bump the all group in /pkg/signature/kms/aws with 5 updates
  • Additional commits viewable in compare view


Updates github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.1 to 1.8.2

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/hashivault's releases.

v1.8.2

What's Changed

New Contributors

Full Changelog: https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2

Commits
  • 01aee87 build(deps): Bump the all group with 2 updates (#1647)
  • 7dd77e3 build(deps): Bump the all group with 2 updates (#1640)
  • 8f9b512 build(deps): Bump the all group (#1641)
  • 2cbe097 fix: adds TSA URI for customMetadata. (#1646)
  • 0bfcc5b build(deps): Bump the all group in /pkg/signature/kms/gcp with 1 update
  • fbeebcb build(deps): Bump the all group in /pkg/signature/kms/aws with 4 updates
  • 0e830c5 Add support for autoclosing oauth flow window (#1618)
  • b80197f build(deps): Bump the all group
  • 7664feb build(deps): Bump the all group with 1 update
  • 44c6e90 build(deps): Bump the all group in /pkg/signature/kms/aws with 5 updates
  • Additional commits viewable in compare view


Updates github.com/stretchr/testify from 1.8.4 to 1.9.0

Release notes

Sourced from github.com/stretchr/testify's releases.

v1.9.0

What's Changed

... (truncated)

Commits
  • bb548d0 Merge pull request #1552 from stretchr/dependabot/go_modules/github.com/stret...
  • 814075f build(deps): bump github.com/stretchr/objx from 0.5.1 to 0.5.2
  • e045612 Merge pull request #1339 from bogdandrutu/uintptr
  • 5b6926d Merge pull request #1385 from hslatman/not-implements
  • 9f97d67 Merge pull request #1550 from stretchr/release-notes
  • bcb0d3f Include the auto-release notes in releases
  • fb770f8 Merge pull request #1247 from ccoVeille/typos
  • 85d8bb6 fix typos in comments, tests and github templates
  • e2741fa Merge pull request #1548 from arjunmahishi/msgAndArgs
  • 6e59f20 http_assertions: assert that the msgAndArgs actually works in tests
  • Additional commits viewable in compare view


Updates github.com/tektoncd/pipeline from 0.56.1 to 0.57.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v0.57.0 "Burmilla Baymax"

  • Docs @ v0.57.0
  • Examples @ v0.57.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.57.0/release.yaml

Attestation

The Rekor UUID for this release is 24296fb24b8ad77add7b0a9a7946185efd5c044009544db4ec1a3799c4b6a95285f979f1fd78cc75

Obtain the attestation:

REKOR_UUID=24296fb24b8ad77add7b0a9a7946185efd5c044009544db4ec1a3799c4b6a95285f979f1fd78cc75
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.57.0/release.yaml
REKOR_UUID=24296fb24b8ad77add7b0a9a7946185efd5c044009544db4ec1a3799c4b6a95285f979f1fd78cc75

Obtain the list of images with sha from the attestation

REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.57.0@sha256:" + .digest.sha256')

Download the release file

curl "$RELEASE_FILE" > release.yaml

For each image in the attestation, match it to the release file

for image in $REKOR_ATTESTATION_IMAGES; do printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"; done

Changes

Features

  • :sparkles: Allow for the specified duration (#7666)

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

  • Versions are numbered according to semantic versioning: vX.Y.Z
  • A new release is produced on a monthly basis
  • Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
    • LTS releases take place in January, April, July and October every year
    • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
    • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41 Tekton Pipelines has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

  • The Tekton Pipeline [release process][tekton-releases-docs]
  • [Installing Tekton][tekton-installation]
  • Standard for [release notes][release-notes-standards]

Release

v0.57

  • Latest Release: [v0.57.0][v0.57-0] (2024-02-20) ([docs][v0.57-0-docs], [examples][v0.57-0-examples])
  • Initial Release: [v0.57.0][v0.57-0] (2024-02-20)
  • Estimated End of Life: 2024-03-20
  • Patch Releases: [v0.57.0][v0.57-0]

... (truncated)

Commits
  • d714545 Isolate new env nightly feature flag test
  • f3d4fe6 chore(deps): bump github/codeql-action from 3.24.0 to 3.24.3
  • 3d1ec13 chore(deps): bump tj-actions/changed-files from 42.0.2 to 42.0.4
  • 60dde23 chore(deps): bump github.com/opencontainers/image-spec
  • 1f44652 chore(deps): bump github.com/google/cel-go from 0.19.0 to 0.20.0
  • e160b59 chore(deps): bump k8s.io/client-go
  • 123f4a2 Update e2e-test script for per feature flag test
  • 73bac5a Fix typo in publish task
  • fd17c74 wait for a given duration in case of imagePullBackOff
  • 9fd9383 Patch Release v0.56.1
  • Additional commits viewable in compare view


Updates go.uber.org/zap from 1.26.0 to 1.27.0

Release notes

Sourced from go.uber.org/zap's releases.

v1.27.0

Enhancements:

  • #1378: Add WithLazy method for SugaredLogger.
  • #1399: zaptest: Add NewTestingWriter for customizing TestingWriter with more flexibility than NewLogger.
  • #1406: Add Log, Logw, Logln methods for SugaredLogger.
  • #1416: Add WithPanicHook option for testing panic logs.

Thanks to @defval, @dimmo, @arxeiss, and @MKrupauskas for their contributions to this release.

#1378: uber-go/zap#1378
#1399: uber-go/zap#1399
#1406: uber-go/zap#1406
#1416: uber-go/zap#1416

Changelog

Sourced from go.uber.org/zap's changelog.

1.27.0 (20 Feb 2024)

Enhancements:

  • #1378: Add WithLazy method for SugaredLogger.
  • #1399: zaptest: Add NewTestingWriter for customizing TestingWriter with more flexibility than NewLogger.
  • #1406: Add Log, Logw, Logln methods for SugaredLogger.
  • #1416: Add WithPanicHook option for testing panic logs.

Thanks to @defval, @dimmo, @arxeiss, and @MKrupauskas for their contributions to this release.

#1378: uber-go/zap#1378
#1399: uber-go/zap#1399
#1406: uber-go/zap#1406
#1416: uber-go/zap#1416

Commits


Updates golang.org/x/crypto from 0.19.0 to 0.20.0

Commits
  • 0aab8d0 all: update go.mod x/net dependency
  • 5bead59 ocsp: don't use iota for externally defined constants
  • 1a86580 x/crypto/internal/poly1305: improve sum_ppc64le.s
  • 1c981e6 ssh/test: don't use DSA keys in integrations tests, update test RSA key
  • 62c9f17 x509roots/nss: manually exclude a confusingly constrained root
  • See full diff in compare view


Updates google.golang.org/grpc from 1.61.1 to 1.62.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.62.1

Bug Fixes

  • xds: fix a bug that results in no matching virtual host found RPC errors due to a difference between the target and LDS resource names (#6997)
  • server: fixed stats handler data InPayload.Length for unary RPC calls (#6766)
  • grpc: the experimental RecvBufferPool DialOption and ServerOption are now active during unary RPCs with compression (#6766)
  • grpc: trim whitespaces in accept-encoding header before determining compressors

Release 1.62.0

New Features

  • grpc: Add StaticMethod CallOption as a signal to stats handler that a method is safe to use as an instrument key (#6986)

Behavior Changes

  • grpc: Return canonical target string from ClientConn.Target() and resolver.Address.String() (#6923)

Bug Fixes

  • server: wait to close connection until incoming socket is drained (with timeout) to prevent data loss on... _Description has been truncated_
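The attestation check quoted in the Tekton Pipeline v0.57.0 release notes above, reworked as an added offline example in Python rather than the rekor-cli/jq/grep pipeline (this is not code from tektoncd/chains or tektoncd/pipeline). It reads an already-fetched attestation payload, builds the same name:tag@sha256:digest references, and goes one step beyond the quoted loop by also reporting images that appear in the release manifest without any attested subject. The attestation and manifest below are constructed samples with placeholder image names and digests.

```python
import json
import re

# Constructed sample of the `.Attestation` payload rekor-cli would print.
# Image names and digests are placeholders, not real release values.
ATTESTATION = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "gcr.io/example/controller", "digest": {"sha256": "a" * 64}},
        {"name": "gcr.io/example/webhook", "digest": {"sha256": "b" * 64}},
    ],
})

# Constructed sample release.yaml: one image matches the attestation, one
# matches by name but carries a different digest, one is not attested at all.
RELEASE_YAML = """\
      image: gcr.io/example/controller:v0.57.0@sha256:%s
      image: gcr.io/example/webhook:v0.57.0@sha256:%s
      image: gcr.io/example/sidecar:v0.57.0@sha256:%s
""" % ("a" * 64, "c" * 64, "d" * 64)

# A digest-pinned image reference as it appears in the manifest.
IMAGE_REF = re.compile(r"image:\s*(\S+@sha256:[0-9a-f]{64})")


def attested_refs(attestation_json, tag):
    """Build 'name:tag@sha256:digest' refs, mirroring the jq expression."""
    stmt = json.loads(attestation_json)
    return {f"{s['name']}:{tag}@sha256:{s['digest']['sha256']}"
            for s in stmt["subject"]}


def manifest_refs(release_yaml):
    """Every digest-pinned image reference found in the manifest."""
    return set(IMAGE_REF.findall(release_yaml))


def check_release(attestation_json, release_yaml, tag="v0.57.0"):
    """Return (matched, missing_from_release, unattested_in_release).

    The quoted shell loop only reports the second list; the third catches
    an image that ships in the manifest without any provenance behind it.
    """
    want = attested_refs(attestation_json, tag)
    have = manifest_refs(release_yaml)
    return sorted(want & have), sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    ok, missing, extra = check_release(ATTESTATION, RELEASE_YAML)
    for ref in ok:
        print(f"{ref} ===> ok")
    for ref in missing:
        print(f"{ref} ===> no match")
    for ref in extra:
        print(f"{ref} ===> in release file but not attested")
```

A non-empty second or third list means the manifest and the provenance disagree and the release should not be applied until the difference is explained.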
tekton-robot commented 4 months ago

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
tekton-robot commented 4 months ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

To complete the pull request process, please assign chuangw6 after the PR has been reviewed. You can assign the PR to them by writing /assign @chuangw6 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

  • **[OWNERS](https://github.com/tektoncd/chains/blob/main/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.
tekton-robot commented 4 months ago

@dependabot[bot]: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-tekton-chains-unit-tests | 513e9394d2dbf9da32ad14ce5af979918d83d775 | link | true | /test pull-tekton-chains-unit-tests |
| pull-tekton-chains-build-tests | 513e9394d2dbf9da32ad14ce5af979918d83d775 | link | true | /test pull-tekton-chains-build-tests |
| pull-tekton-chains-integration-tests | 513e9394d2dbf9da32ad14ce5af979918d83d775 | link | true | /test pull-tekton-chains-integration-tests |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
dependabot[bot] commented 4 months ago

Superseded by #1071.