dependabot[bot] opened a new pull request, #1445: URL: https://github.com/apache/iceberg-go/pull/1445
Bumps [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) from 1.1.4 to 1.2.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sigstore/sigstore-go/releases">github.com/sigstore/sigstore-go's releases</a>.</em></p> <blockquote> <h2>v1.2.0</h2> <h2>What's Changed</h2> <ul> <li>Add preferred method for verifying log entry proofs by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/557">sigstore/sigstore-go#557</a></li> <li>docs(verify): annotate identity matchers and regexp semantics by <a href="https://github.com/1seal"><code>@1seal</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/558">sigstore/sigstore-go#558</a></li> <li>Bump actions/setup-go from 6.1.0 to 6.2.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/563">sigstore/sigstore-go#563</a></li> <li>Bump the minor-patch group across 1 directory with 7 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/565">sigstore/sigstore-go#565</a></li> <li>ensure we have verification material before attempting to extract public key by <a href="https://github.com/bobcallaway"><code>@bobcallaway</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/566">sigstore/sigstore-go#566</a></li> <li>fix(tlog): fail closed for rekor v2 parsing by <a href="https://github.com/1seal"><code>@1seal</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/562">sigstore/sigstore-go#562</a></li> <li>Bump sigstore-conformance to latest by <a href="https://github.com/cmurphy"><code>@cmurphy</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/559">sigstore/sigstore-go#559</a></li> <li>Bump actions/checkout from 6.0.1 to 6.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/573">sigstore/sigstore-go#573</a></li> <li>Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 in /examples/oci-image-verification by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/576">sigstore/sigstore-go#576</a></li> <li>Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 in /examples/oci-image-verification by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/571">sigstore/sigstore-go#571</a></li> <li>Bump production and staging TUF roots by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/580">sigstore/sigstore-go#580</a></li> <li>Support DSSE signing conformance test by <a href="https://github.com/aaronlew02"><code>@aaronlew02</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/582">sigstore/sigstore-go#582</a></li> <li>Fix nil pointer dereference in LiveTrustedRoot refresh by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/584">sigstore/sigstore-go#584</a></li> <li>Bump sigstore/sigstore-conformance from 0.0.25 to 0.0.26 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/585">sigstore/sigstore-go#585</a></li> <li>chore: remove large test dependencies by replacing ctfe usage by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/587">sigstore/sigstore-go#587</a></li> <li>Bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/575">sigstore/sigstore-go#575</a></li> <li>Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/569">sigstore/sigstore-go#569</a></li> <li>Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.4.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/578">sigstore/sigstore-go#578</a></li> <li>Set minimum threshold for WithIntegratedTimestamps by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/590">sigstore/sigstore-go#590</a></li> <li>Bump all recent deps by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/586">sigstore/sigstore-go#586</a></li> <li>Bump the minor-patch group across 1 directory with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/591">sigstore/sigstore-go#591</a></li> <li>Bump github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible in /examples/oci-image-verification by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/595">sigstore/sigstore-go#595</a></li> <li>deps: update go-openapi/strfmt to v0.26.1 by <a href="https://github.com/tonistiigi"><code>@tonistiigi</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/603">sigstore/sigstore-go#603</a></li> <li>verify message digest matches artifact hash by <a href="https://github.com/piceri"><code>@piceri</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/600">sigstore/sigstore-go#600</a></li> <li>Run go fix across codebase by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/610">sigstore/sigstore-go#610</a></li> <li>Harden verification, HTTP clients, and TUF by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/609">sigstore/sigstore-go#609</a></li> <li>Verify log entry digest matches artifact/envelope by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/611">sigstore/sigstore-go#611</a></li> <li>Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/608">sigstore/sigstore-go#608</a></li> <li>Bump actions/setup-go from 6.2.0 to 6.4.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/606">sigstore/sigstore-go#606</a></li> <li>Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 in /examples/oci-image-verification by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/614">sigstore/sigstore-go#614</a></li> <li>Bump google.golang.org/grpc from 1.78.0 to 1.79.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/601">sigstore/sigstore-go#601</a></li> <li>Bump github.com/sigstore/timestamp-authority/v2 from 2.0.4 to 2.0.6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/613">sigstore/sigstore-go#613</a></li> <li>Bump go-tuf, rekor-tiles versions by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/616">sigstore/sigstore-go#616</a></li> <li>Bump sigstore/sigstore-conformance from 0.0.26 to 0.0.27 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/621">sigstore/sigstore-go#621</a></li> <li>Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 in /examples/oci-image-verification by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/623">sigstore/sigstore-go#623</a></li> <li>Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/624">sigstore/sigstore-go#624</a></li> <li>bundle: cap raw TlogEntries length before per-entry parse by <a href="https://github.com/tonghuaroot"><code>@tonghuaroot</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/630">sigstore/sigstore-go#630</a></li> <li>Prevent multi-log threshold bypasses via single compromised log by <a href="https://github.com/Hayden-IO"><code>@Hayden-IO</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/633">sigstore/sigstore-go#633</a></li> <li>Verify Rekor v2 inclusion using reconstructed leaf hash by <a href="https://github.com/codysoyland"><code>@codysoyland</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/635">sigstore/sigstore-go#635</a></li> <li>Encode Rekor v2 DSSE envelopes as hashedrekord by <a href="https://github.com/codysoyland"><code>@codysoyland</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/627">sigstore/sigstore-go#627</a></li> <li>Bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/631">sigstore/sigstore-go#631</a></li> <li>Bump the minor-patch group across 2 directories with 10 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/637">sigstore/sigstore-go#637</a></li> <li>Fix conformance test failures for managed-key verification by <a href="https://github.com/codysoyland"><code>@codysoyland</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/638">sigstore/sigstore-go#638</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/1seal"><code>@1seal</code></a> made their first contribution in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/558">sigstore/sigstore-go#558</a></li> <li><a href="https://github.com/aaronlew02"><code>@aaronlew02</code></a> made their first contribution in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/582">sigstore/sigstore-go#582</a></li> <li><a href="https://github.com/tonistiigi"><code>@tonistiigi</code></a> made their first contribution in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/603">sigstore/sigstore-go#603</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sigstore/sigstore-go/commit/8ca80c47ef03d26ebf174db7c296700b075b2c16"><code>8ca80c4</code></a> Fix conformance test failures for managed-key verification (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/561">#561</a>) (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/638">#638</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/40d743a4757019f71a5cca6e66bfa0e2fd86d048"><code>40d743a</code></a> Bump the minor-patch group across 2 directories with 10 updates (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/637">#637</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/7960906321475348f5c32286f4857e067541f58d"><code>7960906</code></a> Bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/631">#631</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/ef6e924863714720e67d82a7908038b7f092c89e"><code>ef6e924</code></a> Encode Rekor v2 DSSE envelopes as hashedrekord (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/627">#627</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/56c2528195bf85aadcdd52b40c469e2d02b5a084"><code>56c2528</code></a> Verify Rekor v2 inclusion using reconstructed leaf hash (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/635">#635</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/dbb07e62623edd5b175fb9dd5a41dcb85a159207"><code>dbb07e6</code></a> Prevent multi-log threshold bypasses via single compromised log (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/633">#633</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/7e8ee0fa3154ccfaf0183e6d5d7b218faca59bae"><code>7e8ee0f</code></a> bundle: cap raw TlogEntries length before per-entry parse (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/630">#630</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/58c7950fa12b4d7e59daf376d2e51a89400a70c5"><code>58c7950</code></a> Bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/624">#624</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/1ad51ea97321c344d52e8e100f3a68d5039b0647"><code>1ad51ea</code></a> Bump github.com/in-toto/in-toto-golang (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/623">#623</a>)</li> <li><a href="https://github.com/sigstore/sigstore-go/commit/566ec6c9210f4c54bf0c89d0acf3c8b031d23a04"><code>566ec6c</code></a> Bump sigstore/sigstore-conformance from 0.0.26 to 0.0.27 (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/621">#621</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sigstore/sigstore-go/compare/v1.1.4...v1.2.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/iceberg-go/network/alerts). </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
