Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

default cosign to v2.1.1 #137

Merged
merged 1 commit into from
Jun 27, 2023
Merged

default cosign to v2.1.1 #137

merged 1 commit into from
Jun 27, 2023

Conversation

cpanato
Copy link
Member

@cpanato cpanato commented Jun 27, 2023

Summary

  • default cosign to v2.1.1

@cpanato cpanato merged commit 6e04d22 into sigstore:main Jun 27, 2023
@cpanato cpanato deleted the bump-cosign branch June 27, 2023 10:29
ianlewis referenced this pull request in slsa-framework/slsa-github-generator Jul 12, 2023
@renovate-bot
chore(deps): update github-actions (#2352)
205e9bc 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-java | action | digest | `1f2faad` -> `75c6561` |
| [actions/setup-java](https://github.com/actions/setup-java) | action
| pinDigest | -> `5ffc13f` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| minor | `v3.6.0` -> `v3.7.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| digest | `64ed1c7` -> `e33196f` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | patch | `v2.20.1` -> `v2.20.3` |
|
[gradle/gradle-build-action](https://github.com/gradle/gradle-build-action)
| action | minor | `v2.4.2` -> `v2.6.0` |
|
[sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)
| action | patch | `v3.1.0` -> `v3.1.1` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.7.0`](https://github.com/actions/setup-node/releases/tag/v3.7.0)

[Compare
Source](https://github.com/actions/setup-node/compare/v3.6.0...v3.7.0)

##### What's Changed

In scope of this release we added a logic to save an additional cache
path for yarn 3 ([related pull
request](https://github.com/actions/setup-node/pull/744) and [feature
request](https://github.com/actions/setup-node/issues/325)). Moreover,
we added functionality to use all the sub directories derived from
`cache-dependency-path` input and add detect all dependencies
directories to cache (related [pull
request](https://github.com/actions/setup-node/pull/735) and [feature
request](https://github.com/actions/setup-node/issues/488)).

##### Besides, we made such changes as:

- Replace workflow badge with new badge by
[@&#8203;jongwooo](https://github.com/jongwooo) in
[https://github.com/actions/setup-node/pull/653](https://github.com/actions/setup-node/pull/653)
- Fix a minor typo by [@&#8203;phanan](https://github.com/phanan) in
[https://github.com/actions/setup-node/pull/662](https://github.com/actions/setup-node/pull/662)
- docs: fix typo in advanced-usage.md by
[@&#8203;remarkablemark](https://github.com/remarkablemark) in
[https://github.com/actions/setup-node/pull/697](https://github.com/actions/setup-node/pull/697)
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by
[@&#8203;domdomegg](https://github.com/domdomegg) in
[https://github.com/actions/setup-node/pull/718](https://github.com/actions/setup-node/pull/718)
- Update to node 18.x by
[@&#8203;feelepxyz](https://github.com/feelepxyz) in
[https://github.com/actions/setup-node/pull/751](https://github.com/actions/setup-node/pull/751)
- Remove implicit dependencies by
[@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/758](https://github.com/actions/setup-node/pull/758)
- Fix description about ensuring workflow access to private package by
[@&#8203;x86chi](https://github.com/x86chi) in
[https://github.com/actions/setup-node/pull/704](https://github.com/actions/setup-node/pull/704)

##### New Contributors

- [@&#8203;jongwooo](https://github.com/jongwooo) made their first
contribution in
[https://github.com/actions/setup-node/pull/653](https://github.com/actions/setup-node/pull/653)
- [@&#8203;phanan](https://github.com/phanan) made their first
contribution in
[https://github.com/actions/setup-node/pull/662](https://github.com/actions/setup-node/pull/662)
- [@&#8203;remarkablemark](https://github.com/remarkablemark) made
their first contribution in
[https://github.com/actions/setup-node/pull/697](https://github.com/actions/setup-node/pull/697)
- [@&#8203;domdomegg](https://github.com/domdomegg) made their first
contribution in
[https://github.com/actions/setup-node/pull/718](https://github.com/actions/setup-node/pull/718)
- [@&#8203;feelepxyz](https://github.com/feelepxyz) made their first
contribution in
[https://github.com/actions/setup-node/pull/751](https://github.com/actions/setup-node/pull/751)
- [@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) made
their first contribution in
[https://github.com/actions/setup-node/pull/758](https://github.com/actions/setup-node/pull/758)
- [@&#8203;x86chi](https://github.com/x86chi) made their first
contribution in
[https://github.com/actions/setup-node/pull/704](https://github.com/actions/setup-node/pull/704)

**Full Changelog**:
actions/setup-node@v3...v3.7.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.3`](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

###
[`v2.20.2`](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

</details>

<details>
<summary>gradle/gradle-build-action
(gradle/gradle-build-action)</summary>

###
[`v2.6.0`](https://github.com/gradle/gradle-build-action/releases/tag/v2.6.0)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.5.1...v2.6.0)

##### GitHub Dependency Graph support (Experimental)

This release brings experimental support for submitting a [GitHub
Dependency
Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
snapshot via the [GitHub Dependency Submission
API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).

The dependency graph snapshot is generated via integration with the
[GitHub Dependency Graph Gradle
Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin),
and saved as a workflow artifact. The generated snapshot files can be
submitted either in the same job, or in a subsequent job (in the same or
a dependent workflow).

The generated dependency graph snapshot reports all of the dependencies
that were resolved during a bulid execution, and is used by GitHub to
generate [Dependabot
Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
for vulnerable dependencies, as well as to populate the [Dependency
Graph insights
view](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).

Check out the README chapter for more details on how this works and how
to configure a workflow that submits a dependency graph.

##### Changelog

###
[`v2.5.1`](https://github.com/gradle/gradle-build-action/releases/tag/v2.5.1)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.5.0...v2.5.1)

Fixes a regression in v2.5.0 that resulted in failure when running a
workflow that has a name containing a comma.

##### Fixes

- Cache key Validation Error when workflow name contains a comma
[#&#8203;756](https://github.com/gradle/gradle-build-action/issues/756)

##### Changelog

###
[`v2.5.0`](https://github.com/gradle/gradle-build-action/releases/tag/v2.5.0)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.4.2...v2.5.0)

This minor release fixes a couple of issues that affected the action in
particular scenarios, and updates all dependencies to recent versions.

##### Fixes

- Parallel workflows containing jobs with the same name use the same
cache key
[#&#8203;699](https://github.com/gradle/gradle-build-action/issues/699)
- Build scans are not captured when GE plugin is applied within
`settingsEvaluated`
[#&#8203;626](https://github.com/gradle/gradle-build-action/issues/626)

**Full changelog**:
gradle/gradle-build-action@v2.4.2...v2.5.0

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.1.1`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.1)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.1.0...v3.1.1)

#### What's Changed

- default cosign to v2.1.1 by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/137](https://github.com/sigstore/cosign-installer/pull/137)

**Full Changelog**:
sigstore/cosign-installer@v3.1.0...v3.1.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <[email protected]>
enteraga6 referenced this pull request in enteraga6/slsa-github-generator Jul 18, 2023
@renovate-bot @enteraga6
chore(deps): update github-actions (slsa-framework#2352)
3d13998 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-java | action | digest | `1f2faad` -> `75c6561` |
| [actions/setup-java](https://github.com/actions/setup-java) | action
| pinDigest | -> `5ffc13f` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| minor | `v3.6.0` -> `v3.7.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| digest | `64ed1c7` -> `e33196f` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | patch | `v2.20.1` -> `v2.20.3` |
|
[gradle/gradle-build-action](https://github.com/gradle/gradle-build-action)
| action | minor | `v2.4.2` -> `v2.6.0` |
|
[sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)
| action | patch | `v3.1.0` -> `v3.1.1` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.7.0`](https://github.com/actions/setup-node/releases/tag/v3.7.0)

[Compare
Source](https://github.com/actions/setup-node/compare/v3.6.0...v3.7.0)

##### What's Changed

In scope of this release we added a logic to save an additional cache
path for yarn 3 ([related pull
request](https://github.com/actions/setup-node/pull/744) and [feature
request](https://github.com/actions/setup-node/issues/325)). Moreover,
we added functionality to use all the sub directories derived from
`cache-dependency-path` input and add detect all dependencies
directories to cache (related [pull
request](https://github.com/actions/setup-node/pull/735) and [feature
request](https://github.com/actions/setup-node/issues/488)).

##### Besides, we made such changes as:

- Replace workflow badge with new badge by
[@&#8203;jongwooo](https://github.com/jongwooo) in
[https://github.com/actions/setup-node/pull/653](https://github.com/actions/setup-node/pull/653)
- Fix a minor typo by [@&#8203;phanan](https://github.com/phanan) in
[https://github.com/actions/setup-node/pull/662](https://github.com/actions/setup-node/pull/662)
- docs: fix typo in advanced-usage.md by
[@&#8203;remarkablemark](https://github.com/remarkablemark) in
[https://github.com/actions/setup-node/pull/697](https://github.com/actions/setup-node/pull/697)
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by
[@&#8203;domdomegg](https://github.com/domdomegg) in
[https://github.com/actions/setup-node/pull/718](https://github.com/actions/setup-node/pull/718)
- Update to node 18.x by
[@&#8203;feelepxyz](https://github.com/feelepxyz) in
[https://github.com/actions/setup-node/pull/751](https://github.com/actions/setup-node/pull/751)
- Remove implicit dependencies by
[@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/758](https://github.com/actions/setup-node/pull/758)
- Fix description about ensuring workflow access to private package by
[@&#8203;x86chi](https://github.com/x86chi) in
[https://github.com/actions/setup-node/pull/704](https://github.com/actions/setup-node/pull/704)

##### New Contributors

- [@&#8203;jongwooo](https://github.com/jongwooo) made their first
contribution in
[https://github.com/actions/setup-node/pull/653](https://github.com/actions/setup-node/pull/653)
- [@&#8203;phanan](https://github.com/phanan) made their first
contribution in
[https://github.com/actions/setup-node/pull/662](https://github.com/actions/setup-node/pull/662)
- [@&#8203;remarkablemark](https://github.com/remarkablemark) made
their first contribution in
[https://github.com/actions/setup-node/pull/697](https://github.com/actions/setup-node/pull/697)
- [@&#8203;domdomegg](https://github.com/domdomegg) made their first
contribution in
[https://github.com/actions/setup-node/pull/718](https://github.com/actions/setup-node/pull/718)
- [@&#8203;feelepxyz](https://github.com/feelepxyz) made their first
contribution in
[https://github.com/actions/setup-node/pull/751](https://github.com/actions/setup-node/pull/751)
- [@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) made
their first contribution in
[https://github.com/actions/setup-node/pull/758](https://github.com/actions/setup-node/pull/758)
- [@&#8203;x86chi](https://github.com/x86chi) made their first
contribution in
[https://github.com/actions/setup-node/pull/704](https://github.com/actions/setup-node/pull/704)

**Full Changelog**:
actions/setup-node@v3...v3.7.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.3`](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

###
[`v2.20.2`](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

</details>

<details>
<summary>gradle/gradle-build-action
(gradle/gradle-build-action)</summary>

###
[`v2.6.0`](https://github.com/gradle/gradle-build-action/releases/tag/v2.6.0)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.5.1...v2.6.0)

##### GitHub Dependency Graph support (Experimental)

This release brings experimental support for submitting a [GitHub
Dependency
Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
snapshot via the [GitHub Dependency Submission
API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).

The dependency graph snapshot is generated via integration with the
[GitHub Dependency Graph Gradle
Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin),
and saved as a workflow artifact. The generated snapshot files can be
submitted either in the same job, or in a subsequent job (in the same or
a dependent workflow).

The generated dependency graph snapshot reports all of the dependencies
that were resolved during a bulid execution, and is used by GitHub to
generate [Dependabot
Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
for vulnerable dependencies, as well as to populate the [Dependency
Graph insights
view](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).

Check out the README chapter for more details on how this works and how
to configure a workflow that submits a dependency graph.

##### Changelog

###
[`v2.5.1`](https://github.com/gradle/gradle-build-action/releases/tag/v2.5.1)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.5.0...v2.5.1)

Fixes a regression in v2.5.0 that resulted in failure when running a
workflow that has a name containing a comma.

##### Fixes

- Cache key Validation Error when workflow name contains a comma
[#&#8203;756](https://github.com/gradle/gradle-build-action/issues/756)

##### Changelog

###
[`v2.5.0`](https://github.com/gradle/gradle-build-action/releases/tag/v2.5.0)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.4.2...v2.5.0)

This minor release fixes a couple of issues that affected the action in
particular scenarios, and updates all dependencies to recent versions.

##### Fixes

- Parallel workflows containing jobs with the same name use the same
cache key
[#&#8203;699](https://github.com/gradle/gradle-build-action/issues/699)
- Build scans are not captured when GE plugin is applied within
`settingsEvaluated`
[#&#8203;626](https://github.com/gradle/gradle-build-action/issues/626)

**Full changelog**:
gradle/gradle-build-action@v2.4.2...v2.5.0

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.1.1`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.1)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.1.0...v3.1.1)

#### What's Changed

- default cosign to v2.1.1 by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/137](https://github.com/sigstore/cosign-installer/pull/137)

**Full Changelog**:
sigstore/cosign-installer@v3.1.0...v3.1.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
enteraga6 referenced this pull request in enteraga6/slsa-github-generator Aug 8, 2023
@renovate-bot @enteraga6
chore(deps): update github-actions (slsa-framework#2352)
c8e000b 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-java | action | digest | `1f2faad` -> `75c6561` |
| [actions/setup-java](https://github.com/actions/setup-java) | action
| pinDigest | -> `5ffc13f` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| minor | `v3.6.0` -> `v3.7.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| digest | `64ed1c7` -> `e33196f` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | patch | `v2.20.1` -> `v2.20.3` |
|
[gradle/gradle-build-action](https://github.com/gradle/gradle-build-action)
| action | minor | `v2.4.2` -> `v2.6.0` |
|
[sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)
| action | patch | `v3.1.0` -> `v3.1.1` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.7.0`](https://github.com/actions/setup-node/releases/tag/v3.7.0)

[Compare
Source](https://github.com/actions/setup-node/compare/v3.6.0...v3.7.0)

##### What's Changed

In scope of this release we added a logic to save an additional cache
path for yarn 3 ([related pull
request](https://github.com/actions/setup-node/pull/744) and [feature
request](https://github.com/actions/setup-node/issues/325)). Moreover,
we added functionality to use all the sub directories derived from
`cache-dependency-path` input and add detect all dependencies
directories to cache (related [pull
request](https://github.com/actions/setup-node/pull/735) and [feature
request](https://github.com/actions/setup-node/issues/488)).

##### Besides, we made such changes as:

- Replace workflow badge with new badge by
[@&#8203;jongwooo](https://github.com/jongwooo) in
[https://github.com/actions/setup-node/pull/653](https://github.com/actions/setup-node/pull/653)
- Fix a minor typo by [@&#8203;phanan](https://github.com/phanan) in
[https://github.com/actions/setup-node/pull/662](https://github.com/actions/setup-node/pull/662)
- docs: fix typo in advanced-usage.md by
[@&#8203;remarkablemark](https://github.com/remarkablemark) in
[https://github.com/actions/setup-node/pull/697](https://github.com/actions/setup-node/pull/697)
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by
[@&#8203;domdomegg](https://github.com/domdomegg) in
[https://github.com/actions/setup-node/pull/718](https://github.com/actions/setup-node/pull/718)
- Update to node 18.x by
[@&#8203;feelepxyz](https://github.com/feelepxyz) in
[https://github.com/actions/setup-node/pull/751](https://github.com/actions/setup-node/pull/751)
- Remove implicit dependencies by
[@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/758](https://github.com/actions/setup-node/pull/758)
- Fix description about ensuring workflow access to private package by
[@&#8203;x86chi](https://github.com/x86chi) in
[https://github.com/actions/setup-node/pull/704](https://github.com/actions/setup-node/pull/704)

##### New Contributors

- [@&#8203;jongwooo](https://github.com/jongwooo) made their first
contribution in
[https://github.com/actions/setup-node/pull/653](https://github.com/actions/setup-node/pull/653)
- [@&#8203;phanan](https://github.com/phanan) made their first
contribution in
[https://github.com/actions/setup-node/pull/662](https://github.com/actions/setup-node/pull/662)
- [@&#8203;remarkablemark](https://github.com/remarkablemark) made
their first contribution in
[https://github.com/actions/setup-node/pull/697](https://github.com/actions/setup-node/pull/697)
- [@&#8203;domdomegg](https://github.com/domdomegg) made their first
contribution in
[https://github.com/actions/setup-node/pull/718](https://github.com/actions/setup-node/pull/718)
- [@&#8203;feelepxyz](https://github.com/feelepxyz) made their first
contribution in
[https://github.com/actions/setup-node/pull/751](https://github.com/actions/setup-node/pull/751)
- [@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) made
their first contribution in
[https://github.com/actions/setup-node/pull/758](https://github.com/actions/setup-node/pull/758)
- [@&#8203;x86chi](https://github.com/x86chi) made their first
contribution in
[https://github.com/actions/setup-node/pull/704](https://github.com/actions/setup-node/pull/704)

**Full Changelog**:
actions/setup-node@v3...v3.7.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.3`](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

###
[`v2.20.2`](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

</details>

<details>
<summary>gradle/gradle-build-action
(gradle/gradle-build-action)</summary>

###
[`v2.6.0`](https://github.com/gradle/gradle-build-action/releases/tag/v2.6.0)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.5.1...v2.6.0)

##### GitHub Dependency Graph support (Experimental)

This release brings experimental support for submitting a [GitHub
Dependency
Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
snapshot via the [GitHub Dependency Submission
API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).

The dependency graph snapshot is generated via integration with the
[GitHub Dependency Graph Gradle
Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin),
and saved as a workflow artifact. The generated snapshot files can be
submitted either in the same job, or in a subsequent job (in the same or
a dependent workflow).

The generated dependency graph snapshot reports all of the dependencies
that were resolved during a bulid execution, and is used by GitHub to
generate [Dependabot
Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
for vulnerable dependencies, as well as to populate the [Dependency
Graph insights
view](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).

Check out the README chapter for more details on how this works and how
to configure a workflow that submits a dependency graph.

##### Changelog

###
[`v2.5.1`](https://github.com/gradle/gradle-build-action/releases/tag/v2.5.1)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.5.0...v2.5.1)

Fixes a regression in v2.5.0 that resulted in failure when running a
workflow that has a name containing a comma.

##### Fixes

- Cache key Validation Error when workflow name contains a comma
[#&#8203;756](https://github.com/gradle/gradle-build-action/issues/756)

##### Changelog

###
[`v2.5.0`](https://github.com/gradle/gradle-build-action/releases/tag/v2.5.0)

[Compare
Source](https://github.com/gradle/gradle-build-action/compare/v2.4.2...v2.5.0)

This minor release fixes a couple of issues that affected the action in
particular scenarios, and updates all dependencies to recent versions.

##### Fixes

- Parallel workflows containing jobs with the same name use the same
cache key
[#&#8203;699](https://github.com/gradle/gradle-build-action/issues/699)
- Build scans are not captured when GE plugin is applied within
`settingsEvaluated`
[#&#8203;626](https://github.com/gradle/gradle-build-action/issues/626)

**Full changelog**:
gradle/gradle-build-action@v2.4.2...v2.5.0

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.1.1`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.1)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.1.0...v3.1.1)

#### What's Changed

- default cosign to v2.1.1 by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/137](https://github.com/sigstore/cosign-installer/pull/137)

**Full Changelog**:
sigstore/cosign-installer@v3.1.0...v3.1.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Racer159 referenced this pull request in zarf-dev/zarf Dec 19, 2023
@renovate
chore(deps): update sigstore/cosign-installer action to v3 (#1400)
b43064c 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)
| action | major | `v2.8.1` -> `v3.3.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.3.0`](https://github.com/sigstore/cosign-installer/releases/tag/v3.3.0)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.2.0...v3.3.0)

#### What's Changed

- Bump actions/setup-go from 4.1.0 to 5.0.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/152](https://github.com/sigstore/cosign-installer/pull/152)
- update action to use latest cosign v2.2.2 by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/153](https://github.com/sigstore/cosign-installer/pull/153)

**Full Changelog**:
sigstore/cosign-installer@v3.2.0...v3.3.0

###
[`v3.2.0`](https://github.com/sigstore/cosign-installer/releases/tag/v3.2.0)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.1.2...v3.2.0)

**Note: This release comes with a fix for CVE-2023-46737 described in
this [Github Security
Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Please upgrade to this release ASAP**

see https://github.com/sigstore/cosign/releases/tag/v2.2.1

#### What's Changed

- Support the runner context of gitea act by
[@&#8203;josedev-union](https://github.com/josedev-union) in
[https://github.com/sigstore/cosign-installer/pull/147](https://github.com/sigstore/cosign-installer/pull/147)
- bump cosign to v2.2.1 by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/148](https://github.com/sigstore/cosign-installer/pull/148)
- test with latest go version by
[@&#8203;bobcallaway](https://github.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/150](https://github.com/sigstore/cosign-installer/pull/150)

#### New Contributors

- [@&#8203;josedev-union](https://github.com/josedev-union) made their
first contribution in
[https://github.com/sigstore/cosign-installer/pull/147](https://github.com/sigstore/cosign-installer/pull/147)

**Full Changelog**:
sigstore/cosign-installer@v3...v3.2.0

###
[`v3.1.2`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.2)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix build and push step Readme missing id by
[@&#8203;hbenali](https://github.com/hbenali) in
[https://github.com/sigstore/cosign-installer/pull/138](https://github.com/sigstore/cosign-installer/pull/138)
- bump cosign to v2.2.0 by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/142](https://github.com/sigstore/cosign-installer/pull/142)

#### New Contributors

- [@&#8203;hbenali](https://github.com/hbenali) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/138](https://github.com/sigstore/cosign-installer/pull/138)

**Full Changelog**:
sigstore/cosign-installer@v3...v3.1.2

###
[`v3.1.1`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.1)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.1.0...v3.1.1)

#### What's Changed

- default cosign to v2.1.1 by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/137](https://github.com/sigstore/cosign-installer/pull/137)

**Full Changelog**:
sigstore/cosign-installer@v3.1.0...v3.1.1

###
[`v3.1.0`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.0)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.0.5...v3.1.0)

#### What's Changed

- update job to use latest action release by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/130](https://github.com/sigstore/cosign-installer/pull/130)
- Update action example for keyless signing as xarg is not required by
[@&#8203;jbtrystram](https://github.com/jbtrystram) in
[https://github.com/sigstore/cosign-installer/pull/132](https://github.com/sigstore/cosign-installer/pull/132)
- update examples by [@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/133](https://github.com/sigstore/cosign-installer/pull/133)
- bump cosign to default to release v2.1.0 and update docs by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/136](https://github.com/sigstore/cosign-installer/pull/136)

#### New Contributors

- [@&#8203;jbtrystram](https://github.com/jbtrystram) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/132](https://github.com/sigstore/cosign-installer/pull/132)

**Full Changelog**:
sigstore/cosign-installer@v3.0.5...v3.1.0

###
[`v3.0.5`](https://github.com/sigstore/cosign-installer/releases/tag/v3.0.5)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.0.4...v3.0.5)

#### What's Changed

- download cosign releases from GitHub rather than GCS by
[@&#8203;bobcallaway](https://github.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/126](https://github.com/sigstore/cosign-installer/pull/126)

**Full Changelog**:
sigstore/cosign-installer@v3.0.4...v3.0.5

###
[`v3.0.4`](https://github.com/sigstore/cosign-installer/releases/tag/v3.0.4)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.0.3...v3.0.4)

- Include fix for
[https://github.com/sigstore/cosign-installer/pull/124](https://github.com/sigstore/cosign-installer/pull/124)
- changes download URL for `cosign` binary to github.com instead of GCS

###
[`v3.0.3`](https://github.com/sigstore/cosign-installer/releases/tag/v3.0.3)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.0.2...v3.0.3)

##### What's Changed

- bump to cosign v2.0.2 by
[@&#8203;bobcallaway](https://github.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/119](https://github.com/sigstore/cosign-installer/pull/119)
- changes download URL for `cosign` binary to github.com instead of GCS

**Full Changelog**:
sigstore/cosign-installer@v3.0.2...v3.0.3

###
[`v3.0.2`](https://github.com/sigstore/cosign-installer/releases/tag/v3.0.2)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.0.1...v3.0.2)

##### What's Changed

- add --yes to example workflow by
[@&#8203;sebhoss](https://github.com/sebhoss) in
[https://github.com/sigstore/cosign-installer/pull/110](https://github.com/sigstore/cosign-installer/pull/110)
- Fix aarch64 action run by
[@&#8203;ananos](https://github.com/ananos) in
[https://github.com/sigstore/cosign-installer/pull/113](https://github.com/sigstore/cosign-installer/pull/113)
- Bump actions/checkout from 3.3.0 to 3.4.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/115](https://github.com/sigstore/cosign-installer/pull/115)
- Bump actions/setup-go from 3.5.0 to 4.0.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/114](https://github.com/sigstore/cosign-installer/pull/114)
- Bump actions/checkout from 3.4.0 to 3.5.0 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/116](https://github.com/sigstore/cosign-installer/pull/116)
- default cosign to v2.0.1 by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/117](https://github.com/sigstore/cosign-installer/pull/117)
- changes download URL for `cosign` binary to github.com instead of GCS

##### New Contributors

- [@&#8203;sebhoss](https://github.com/sebhoss) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/110](https://github.com/sigstore/cosign-installer/pull/110)
- [@&#8203;ananos](https://github.com/ananos) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/113](https://github.com/sigstore/cosign-installer/pull/113)

**Full Changelog**:
sigstore/cosign-installer@v3...v3.0.2

###
[`v3.0.1`](https://github.com/sigstore/cosign-installer/releases/tag/v3.0.1)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.0.0...v3.0.1)

##### What's Changed

- make cosign v2.0.0 default version by
[@&#8203;developer-guy](https://github.com/developer-guy) in
[https://github.com/sigstore/cosign-installer/pull/109](https://github.com/sigstore/cosign-installer/pull/109)
- changes download URL for `cosign` binary to github.com instead of GCS

**Full Changelog**:
sigstore/cosign-installer@v3.0.0...v3.0.1

###
[`v3.0.0`](https://github.com/sigstore/cosign-installer/releases/tag/v3.0.0)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v2.8.1...v3.0.0)

##### Breaking change

Cosign v2 has some breaking changes. Please check those:
https://blog.sigstore.dev/cosign-2-0-released/

##### What's Changed

- test: add logs when downloading the public keys by
[@&#8203;hectorj2f](https://github.com/hectorj2f) in
[https://github.com/sigstore/cosign-installer/pull/106](https://github.com/sigstore/cosign-installer/pull/106)
- Add support to install v2 and any other cosign release candidate by
[@&#8203;hectorj2f](https://github.com/hectorj2f) in
[https://github.com/sigstore/cosign-installer/pull/105](https://github.com/sigstore/cosign-installer/pull/105)
- v2.0.0 release by [@&#8203;sabre1041](https://github.com/sabre1041)
in
[https://github.com/sigstore/cosign-installer/pull/108](https://github.com/sigstore/cosign-installer/pull/108)
- changes download URL for `cosign` binary to github.com instead of GCS

##### New Contributors

- [@&#8203;hectorj2f](https://github.com/hectorj2f) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/106](https://github.com/sigstore/cosign-installer/pull/106)
- [@&#8203;sabre1041](https://github.com/sabre1041) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/108](https://github.com/sigstore/cosign-installer/pull/108)

**Full Changelog**:
sigstore/cosign-installer@v2...v3.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3Ljg3LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bobcallaway bobcallaway bobcallaway approved these changes

@priyawadhwa priyawadhwa Awaiting requested review from priyawadhwa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cpanato @bobcallaway