Bump the minor-patch group across 2 directories with 4 updates

[dependabot]

Bumps the minor-patch group with 3 updates in the / directory: github.com/in-toto/attestation, github.com/sigstore/rekor and github.com/google/go-containerregistry.
Bumps the minor-patch group with 3 updates in the /examples/oci-image-verification directory: github.com/in-toto/attestation, github.com/sigstore/rekor and github.com/google/go-containerregistry.

Updates github.com/in-toto/attestation from 1.1.0 to 1.1.1

Release notes

Sourced from github.com/in-toto/attestation's releases.

v1.1.1

What's Changed

• Fix broken links to ResourceDescriptor by @​alanssitis in in-toto/attestation#367
• Update link to SLSA framework proto file by @​phantomwhale in in-toto/attestation#382
• Simplify SCAI predicate TypeURI by @​marcelamelara in in-toto/attestation#380
• Add the reference predicate by @​mdeicas in in-toto/attestation#375
• Add proto definition for vuln predicate type by @​hectorj2f in in-toto/attestation#345
• vsa: Make verifiedLevels field repeated to match spec by @​adityasaky in in-toto/attestation#429
• fix discrepencies in v0.2 example by @​lumjjb in in-toto/attestation#408
• VulnsV2: Add missing invocation to protos and spec by @​puerco in in-toto/attestation#434
• Expose known algorithms by @​puerco in in-toto/attestation#427
• add slsa provenance predicate v0.2 protobuf by @​kpauljoseph in in-toto/attestation#417

New Contributors

• @​tannerjones4075 made their first contribution in in-toto/attestation#366
• @​alanssitis made their first contribution in in-toto/attestation#367
• @​phantomwhale made their first contribution in in-toto/attestation#382
• @​mdeicas made their first contribution in in-toto/attestation#375
• @​Dman0808 made their first contribution in in-toto/attestation#394
• @​lumjjb made their first contribution in in-toto/attestation#408
• @​puerco made their first contribution in in-toto/attestation#434
• @​kpauljoseph made their first contribution in in-toto/attestation#417

Full Changelog: in-toto/attestation@v1.1.0...v1.1.1

Commits

• 7017ad8 Regenerate attestation libraries (#435)
• 808ca43 Merge pull request #417 from kpauljoseph/in-toto-v0.2-provenance
• 2358a9c Merge pull request #427 from puerco/expose-algos
• 6e0b70a Merge pull request #434 from puerco/vulnsv02-proto
• 4d9125d Merge pull request #408 from lumjjb/update-vuln-02
• e474a1f Fix typo in vulns02 example
• 72054e5 Fix inconsistencies in vulnsv2 proto vs spec
• 4a4ddf5 add slsa provenance predicate v0.2
• a50a5a1 Expose known algorithms
• 11ca4fc Regenerate attestation libraries (#430)
• Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.3.8 to 1.3.9

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.3.9

Changelog

• f3db95b2bb18be7e1904fa25d1bcdb7d55caa73a Cache checkpoint for inactive shards (#2332)
• f875aa2d39b2bcef0e84e43a6153447bed0077f6 Support per-shard signing keys (#2330)

Thanks for all contributors!

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.3.9

Features

• Cache checkpoint for inactive shards (#2332)
• Support per-shard signing keys (#2330)

Contributors

• Hayden B

Commits

• b67ee82 build(deps): Bump google.golang.org/grpc from 1.69.4 to 1.70.0
• 40f29ba build(deps): Bump golang from 51a6466 to 8c10f21
• 2497b42 build(deps): Bump google/cloud-sdk from 506.0.0 to 507.0.0
• ac42c19 build(deps): Bump google.golang.org/api from 0.217.0 to 0.218.0
• 10e8115 build(deps): Bump the all group with 3 updates
• 2f182a1 build(deps): Bump google.golang.org/protobuf in the all group
• f3db95b Cache checkpoint for inactive shards (#2332)
• 1cb78ca build(deps): Bump google/cloud-sdk from 505.0.0 to 506.0.0
• b68f6bb build(deps): Bump google.golang.org/api from 0.216.0 to 0.217.0
• 15c696c build(deps): Bump github.com/tink-crypto/tink-go/v2 from 2.2.0 to 2.3.0
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.36.3 to 1.36.4

Updates github.com/google/go-containerregistry from 0.20.2 to 0.20.3

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.3

What's Changed

• remote/transport: Make bearer transport go-routine-safe by @​2opremio in google/go-containerregistry#1806
• Expose compare package by @​jonjohnsonjr in google/go-containerregistry#2001
• fix: redact.URL uses (*URL).Redacted to omit basic-auth password by @​bmoylan in google/go-containerregistry#1947
• bump actions to latest by @​ajayk in google/go-containerregistry#2011
• don't pin chainguard-dev/actions by @​imjasonh in google/go-containerregistry#2025
• Check for 406 status code when handling referrers API endpoint response by @​malancas in google/go-containerregistry#2026
• mutate: Create a defensive annotations copy by @​jonjohnsonjr in google/go-containerregistry#2030
• Detect zstd in crane append by @​jonjohnsonjr in google/go-containerregistry#2023
• bump deps using hack/bump-deps.sh by @​imjasonh in google/go-containerregistry#2042

New Contributors

• @​bmoylan made their first contribution in google/go-containerregistry#1947
• @​ajayk made their first contribution in google/go-containerregistry#2011
• @​malancas made their first contribution in google/go-containerregistry#2026

Full Changelog: google/go-containerregistry@v0.20.2...v0.20.3

Commits

• c4dd792 bump deps using hack/bump-deps.sh (#2042)
• 6bce25e Detect zstd in crane append (#2023)
• 06dcd85 mutate: Create a defensive annotations copy (#2030)
• a9a53a8 check for 406 status code when handling referrers endpoint response (#2026)
• 4630c40 don't pin chainguard-dev/actions (#2025)
• 808e354 bump actions to latest (#2011)
• a07d1ca fix: redact.URL uses (*URL).Redacted to omit basic-auth password (#1947)
• 00f182b Expose compare package (#2001)
• b8e87ed remote/transport: Make bearer transport go-routine-safe (#1806)
• See full diff in compare view

Updates github.com/in-toto/attestation from 1.1.0 to 1.1.1

Release notes

Sourced from github.com/in-toto/attestation's releases.

v1.1.1

What's Changed

• Fix broken links to ResourceDescriptor by @​alanssitis in in-toto/attestation#367
• Update link to SLSA framework proto file by @​phantomwhale in in-toto/attestation#382
• Simplify SCAI predicate TypeURI by @​marcelamelara in in-toto/attestation#380
• Add the reference predicate by @​mdeicas in in-toto/attestation#375
• Add proto definition for vuln predicate type by @​hectorj2f in in-toto/attestation#345
• vsa: Make verifiedLevels field repeated to match spec by @​adityasaky in in-toto/attestation#429
• fix discrepencies in v0.2 example by @​lumjjb in in-toto/attestation#408
• VulnsV2: Add missing invocation to protos and spec by @​puerco in in-toto/attestation#434
• Expose known algorithms by @​puerco in in-toto/attestation#427
• add slsa provenance predicate v0.2 protobuf by @​kpauljoseph in in-toto/attestation#417

New Contributors

• @​tannerjones4075 made their first contribution in in-toto/attestation#366
• @​alanssitis made their first contribution in in-toto/attestation#367
• @​phantomwhale made their first contribution in in-toto/attestation#382
• @​mdeicas made their first contribution in in-toto/attestation#375
• @​Dman0808 made their first contribution in in-toto/attestation#394
• @​lumjjb made their first contribution in in-toto/attestation#408
• @​puerco made their first contribution in in-toto/attestation#434
• @​kpauljoseph made their first contribution in in-toto/attestation#417

Full Changelog: in-toto/attestation@v1.1.0...v1.1.1

Commits

• 7017ad8 Regenerate attestation libraries (#435)
• 808ca43 Merge pull request #417 from kpauljoseph/in-toto-v0.2-provenance
• 2358a9c Merge pull request #427 from puerco/expose-algos
• 6e0b70a Merge pull request #434 from puerco/vulnsv02-proto
• 4d9125d Merge pull request #408 from lumjjb/update-vuln-02
• e474a1f Fix typo in vulns02 example
• 72054e5 Fix inconsistencies in vulnsv2 proto vs spec
• 4a4ddf5 add slsa provenance predicate v0.2
• a50a5a1 Expose known algorithms
• 11ca4fc Regenerate attestation libraries (#430)
• Additional commits viewable in compare view

Updates github.com/sigstore/rekor from 1.3.8 to 1.3.9

Release notes

Sourced from github.com/sigstore/rekor's releases.

v1.3.9

Changelog

• f3db95b2bb18be7e1904fa25d1bcdb7d55caa73a Cache checkpoint for inactive shards (#2332)
• f875aa2d39b2bcef0e84e43a6153447bed0077f6 Support per-shard signing keys (#2330)

Thanks for all contributors!

Changelog

Sourced from github.com/sigstore/rekor's changelog.

v1.3.9

Features

• Cache checkpoint for inactive shards (#2332)
• Support per-shard signing keys (#2330)

Contributors

• Hayden B

Commits

• b67ee82 build(deps): Bump google.golang.org/grpc from 1.69.4 to 1.70.0
• 40f29ba build(deps): Bump golang from 51a6466 to 8c10f21
• 2497b42 build(deps): Bump google/cloud-sdk from 506.0.0 to 507.0.0
• ac42c19 build(deps): Bump google.golang.org/api from 0.217.0 to 0.218.0
• 10e8115 build(deps): Bump the all group with 3 updates
• 2f182a1 build(deps): Bump google.golang.org/protobuf in the all group
• f3db95b Cache checkpoint for inactive shards (#2332)
• 1cb78ca build(deps): Bump google/cloud-sdk from 505.0.0 to 506.0.0
• b68f6bb build(deps): Bump google.golang.org/api from 0.216.0 to 0.217.0
• 15c696c build(deps): Bump github.com/tink-crypto/tink-go/v2 from 2.2.0 to 2.3.0
• Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.36.3 to 1.36.4

Updates github.com/google/go-containerregistry from 0.20.2 to 0.20.3

Release notes

Sourced from github.com/google/go-containerregistry's releases.

v0.20.3

What's Changed

• remote/transport: Make bearer transport go-routine-safe by @​2opremio in google/go-containerregistry#1806
• Expose compare package by @​jonjohnsonjr in google/go-containerregistry#2001
• fix: redact.URL uses (*URL).Redacted to omit basic-auth password by @​bmoylan in google/go-containerregistry#1947
• bump actions to latest by @​ajayk in google/go-containerregistry#2011
• don't pin chainguard-dev/actions by @​imjasonh in google/go-containerregistry#2025
• Check for 406 status code when handling referrers API endpoint response by @​malancas in google/go-containerregistry#2026
• mutate: Create a defensive annotations copy by @​jonjohnsonjr in google/go-containerregistry#2030
• Detect zstd in crane append by @​jonjohnsonjr in google/go-containerregistry#2023
• bump deps using hack/bump-deps.sh by @​imjasonh in google/go-containerregistry#2042

New Contributors

• @​bmoylan made their first contribution in google/go-containerregistry#1947
• @​ajayk made their first contribution in google/go-containerregistry#2011
• @​malancas made their first contribution in google/go-containerregistry#2026

Full Changelog: google/go-containerregistry@v0.20.2...v0.20.3

Commits

• c4dd792 bump deps using hack/bump-deps.sh (#2042)
• 6bce25e Detect zstd in crane append (#2023)
• 06dcd85 mutate: Create a defensive annotations copy (#2030)
• a9a53a8 check for 406 status code when handling referrers endpoint response (#2026)
• 4630c40 don't pin chainguard-dev/actions (#2025)
• 808e354 bump actions to latest (#2011)
• a07d1ca fix: redact.URL uses (*URL).Redacted to omit basic-auth password (#1947)
• 00f182b Expose compare package (#2001)
• b8e87ed remote/transport: Make bearer transport go-routine-safe (#1806)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codysoyland]

The update to go-containerregistry requires go1.23, which we downgraded from in #384. Thoughts on resuming go1.23 requirement? We recently tagged v0.7.0 so users who cannot upgrade their compiler can use the tagged version.

[Hayden-IO]

I think we should ignore the update, given all of the work that went into keeping the Go mod version lower. go-containerregistry doesn't seem like a critical dependency, as only the example code needs the library.