Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update go #2854

Closed
wants to merge 1 commit into from
Closed

fix(deps): update go #2854

wants to merge 1 commit into from

Conversation

renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Oct 14, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Type Update Change
github.com/coreos/go-oidc/v3 require minor v3.6.0 -> v3.7.0
github.com/google/go-cmp require minor v0.5.9 -> v0.6.0
github.com/sigstore/cosign/v2 require minor v2.1.1 -> v2.2.0
github.com/sigstore/rekor require minor v1.2.2-0.20230530122220-67cc9e58bd23 -> v1.3.2
github.com/sigstore/sigstore require patch v1.7.1 -> v1.7.4
golang.org/x/oauth2 require minor v0.10.0 -> v0.13.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

coreos/go-oidc (github.com/coreos/go-oidc/v3)

v3.7.0

Compare Source

What's Changed

New Contributors

Full Changelog: coreos/go-oidc@v3.6.0...v3.7.0

google/go-cmp (github.com/google/go-cmp)

v0.6.0

Compare Source

New API:

  • (#​340) Add cmpopts.EquateComparable

Documentation changes:

  • (#​337) Use of hotlinking of Go identifiers

Build changes:

  • (#​325) Remove purego fallbacks

Testing changes:

  • (#​322) Run tests for Go 1.20 version
  • (#​332) Pin GitHub action versions
  • (#​327) set workflow permission to read-only
sigstore/cosign (github.com/sigstore/cosign/v2)

v2.2.0

Compare Source

Enhancements

  • switch to uploading DSSE types to rekor instead of intoto (#​3113)
  • add 'cosign sign' command-line parameters for mTLS (#​3052)
  • improve error messages around bundle != payload hash (#​3146)
  • make VerifyImageAttestation function public (#​3156)
  • Switch to cryptoutils function for SANS (#​3185)
  • Handle HTTP_1_1_REQUIRED errors in github provider (#​3172)

Bug Fixes

  • Fix nondeterminsitic timestamps (#​3121)

Documentation

  • doc: Add example of sign-blob with key in env var (#​3152)
  • add deprecation notice for cosign-releases GCS bucket (#​3148)
  • update doc links (#​3186)

Others

  • Upgrade to go1.21 (#​3188)
  • Updates ci tests (#​3142)
  • test using latest release of scaffolding (#​3187)
  • ci: free up disk space for the gh runner (#​3169)
  • update go-github to v53 (#​3116)
  • call e2e test for cosign attach (#​3112)
  • bump build cross to use go1.20.6 and cosign image to 2.1.1 (#​3108)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Dmitry Savintsev
  • Hayden B
  • Hector Fernandez
  • Jason Hall
  • Jon Johnson
  • Jubril Oyetunji
  • Paulo Gomes
  • Priya Wadhwa
  • 张志强
sigstore/rekor (github.com/sigstore/rekor)

v1.3.2

Compare Source

Bug Fixes

  • build(deps): Bump golang.org/x/net from 0.16.0 to 0.17.0 (#​1753)
  • build(deps): Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#​1755)
  • build(deps): Bump google/cloud-sdk from 449.0.0 to 450.0.0 (#​1757)
  • build(deps): Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#​1754)
  • update Dockerfile for go 1.21.3 (#​1752)
  • update builder image to use go1.21.3 (#​1751)

Contributors

  • Carlos Tadeu Panato Junior

v1.3.1

Compare Source

New Features

  • enable GCP cloud profiling on rekor-server (#​1746)
  • move index storage into interface (#​1741)
  • add info to readme to denote additional documentation sources (#​1722)
  • Add type of ed25519 key for TUF (#​1677)
  • Allow parsing base64-encoded TUF metadata and root content (#​1671)

Quality Enhancements

  • disable quota in trillian in test harness (#​1680)

Bug Fixes

  • Update contact for code of conduct (#​1720)
  • fix: typo (#​1711)
  • Fix panic when parsing SSH SK pubkeys (#​1712)
  • Correct index creation (#​1708)
  • Update .ko.yaml (#​1682)
  • docs: fixzes a small typo on the readme (#​1686)
  • chore: fix backfill-redis Makefile target (#​1685)

Contributors

  • Andres Galante
  • Andrew Block
  • Appu
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • guangwu
  • Hayden B
  • jonvnadelberg
  • Lance Ball

v1.3.0

Compare Source

New Features

  • feat: Support publishing new log entries to Pub/Sub topics (#​1580)
  • Change values of Identity.Raw, add fingerprints (#​1628)
  • Extract all subjects from SANs for x509 verifier (#​1632)
  • Fix type comment for Identity struct (#​1619)
  • Refactor Identities API (#​1611)
  • Refactor Verifiers to return multiple keys (#​1601)

Quality Enhancements

Bug Fixes

  • Update openapi.yaml (#​1655)
  • pass transient errors through retrieveLogEntry (#​1653)
  • return full entryID on HTTP 409 responses (#​1650)
  • Update checkpoint link (#​1597)
  • Use correct log index in inclusion proof (#​1599)
  • remove instrumentation library (#​1595)
  • pki: clean up fuzzer (#​1594)
  • alpine: add max metadata size to fuzzer (#​1571)

Contributors

  • AdamKorcz
  • Appu
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Ceridwen Coghlan
  • Hayden B
  • James Alseth
sigstore/sigstore (github.com/sigstore/sigstore)

v1.7.4

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore@v1.7.3...v1.7.4

v1.7.3

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore@v1.7.2...v1.7.3

v1.7.2

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.7.1...v1.7.2

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate-bot renovate-bot force-pushed the renovate/go branch 2 times, most recently from a2f2e62 to 19a76a3 Compare October 23, 2023 10:42
@renovate-bot
fix(deps): update go
a0a8c1e 
Signed-off-by: Mend Renovate <[email protected]>
@ianlewis
Copy link
Member

Great, CodeQL doesn't know about the new toolchain directive in go.mod...

@laurentsimon
Copy link
Collaborator

How about swapping codeQL for another golang-specific SAST tool? Any tool comes to mind?

@ianlewis
Copy link
Member

How about swapping codeQL for another golang-specific SAST tool? Any tool comes to mind?

I'd like on that scorecards knows about. :-/ What other SAST tools does it support?

@ianlewis
Copy link
Member

Seems that it's because the default GHA runner has Go 1.20 installed and Go 1.20 doesn't know about the toolchain directive.

According to this we should be able to fix it by using setup-go in our CodeQL workflow to install Go 1.21 ourselves.
github/codeql-action#1842 (comment)

@renovate-bot renovate-bot deleted the renovate/go branch October 25, 2023 22:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asraa asraa Awaiting requested review from asraa

@ianlewis ianlewis Awaiting requested review from ianlewis

@laurentsimon laurentsimon Awaiting requested review from laurentsimon laurentsimon is a code owner

@joshuagl joshuagl Awaiting requested review from joshuagl joshuagl is a code owner

@kpk47 kpk47 Awaiting requested review from kpk47 kpk47 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@renovate-bot @ianlewis @laurentsimon