From 8d54be745ae132652a25e2349651d5d89d321e08 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Mon, 8 Dec 2025 20:22:12 +0000
Subject: [PATCH] zarf/0.67.0-r0: fix GHSA-f83f-xpx7-ffpw
---
 zarf.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/zarf.yaml b/zarf.yaml
index e01d1525a45..42576bc10af 100644
--- a/zarf.yaml
+++ b/zarf.yaml
@@ -1,7 +1,7 @@
 package:
 name: zarf
 version: "0.67.0"
- epoch: 0 # GHSA-j5w8-q4qc-rx2x
+ epoch: 1 # GHSA-f83f-xpx7-ffpw
 description: DevSecOps for Air Gap & Limited-Connection Systems.
 copyright:
 - license: Apache-2.0
@@ -22,6 +22,11 @@ pipeline:
 repository: https://github.com/zarf-dev/zarf
 tag: v${{package.version}}

+ - uses: go/bump
+ with:
+ deps: |-
+ github.com/sigstore/fulcio@v1.8.3
+
 # We don't use go/bump here because go.mod now also contains an indirect
 # dependency on a newer version of anchore/archiver: go/bump raises an error
 # if we don't use that newer version for the replacement, but doing so causes
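Review bot: The new `go/bump` step in the second hunk has no comment tying the `github.com/sigstore/fulcio@v1.8.3` pin to GHSA-f83f-xpx7-ffpw; the only record is the trailing comment on `epoch:`, which this same commit overwrites (it previously named GHSA-j5w8-q4qc-rx2x), so the reason for the pin will likely disappear at the next epoch bump. I would add `# GHSA-f83f-xpx7-ffpw: drop this pin once upstream go.mod requires fulcio >= v1.8.3` on its own line above `- uses: go/bump`, and not inside `deps: |-`, where a `#` line would become part of the block scalar passed to the step. The existing comment that follows ("We don't use go/bump here ...") now sits directly under a go/bump step, so "here" is ambiguous; naming the step it refers to would help, though that step lies outside the hunk and I cannot see it.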