sigstore/cosign v1.9.0

on GitHub

What's Changed

• Bump github.com/armon/go-metrics from 0.3.10 to 0.3.11 by @dependabot in #1808
• update changelog for 1.8.0 by @cpanato in #1807
• Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 by @dependabot in #1809
• Bump google.golang.org/api from 0.75.0 to 0.76.0 by @dependabot in #1810
• Bump github/codeql-action from 2.1.8 to 2.1.9 by @dependabot in #1814
• Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 by @dependabot in #1813
• Check failure message of policy that fails with issuer mismatch by @vaikas in #1815
• [Cosigned] Add signature pull secrets by @DennyHoang in #1805
• feat: add rego policy support by @hectorj2f in #1817
• Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818
• cosigned: Test unsupported KMS providers by @imjasonh in #1820
• chore(deps): Included dependency review by @naveensrinivasan in #1792
• Bump github.com/spiffe/go-spiffe/v2 from 2.0.0 to 2.1.0 by @dependabot in #1828
• Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 by @dependabot in #1830
• Add auth flow option to KeyOpts. by @wlynch in #1827
• Bump google.golang.org/api from 0.76.0 to 0.77.0 by @dependabot in #1829
• Bump mikefarah/yq from 4.24.5 to 4.25.1 by @dependabot in #1831
• Document Staging instance usage with Keyless by @k4leung4 in #1824
• New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832
• Validate tlog entry when verifying signature via public key. by @wlynch in #1833
• Add function to explicitly request a certain provider by @priyawadhwa in #1837
• cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841
• Bump google.golang.org/api from 0.77.0 to 0.78.0 by @dependabot in #1838
• Bump github.com/hashicorp/go-plugin from 1.4.3 to 1.4.4 by @dependabot in #1843
• remove exclude from go.mod by @cpanato in #1846
• [Cosigned] Glob matching improvement by @DennyHoang in #1842
• Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 by @dependabot in #1851
• sget: Enable KMS providers for sget by @imjasonh in #1852
• Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850
• Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856
• Bump github.com/xanzy/go-gitlab from 0.64.0 to 0.65.0 by @dependabot in #1857
• Bump google.golang.org/api from 0.78.0 to 0.79.0 by @dependabot in #1858
• If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859
• Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860
• Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 by @dependabot in #1864
• Bump github/codeql-action from 2.1.9 to 2.1.10 by @dependabot in #1863
• Normalize certificate flag names by @haydentherapper in #1868
• Check certificate policy flags with only a certificate by @haydentherapper in #1869
• Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861
• Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in #1870
• Point git commmit FUN.md to gitsign! by @wlynch in #1874
• Bump actions/github-script from 6.0.0 to 6.1.0 by @dependabot in #1876
• Bump actions/dependency-review-action from 3f943b86c9a289f4e632c632695e2e0898d9d67d to 1 by @dependabot in #1875
• [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873
• go.mod: format go.mod by @zchee in #1879
• Bump google-github-actions/auth from 0.7.1 to 0.7.2 by @dependabot in #1886
• Bump google.golang.org/grpc from 1.46.0 to 1.46.2 by @dependabot in #1884
• Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887
• tree: only report artifacts that are present by @ribbybibby in #1872
• update README with ebpf modules by @EItanya in #1888
• Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889
• Bump github/codeql-action from 2.1.10 to 2.1.11 by @dependabot in #1891
• v1beta1 API for cosigned by @vaikas in #1890
• Bump google-github-actions/auth from 0.7.2 to 0.7.3 by @dependabot in #1898
• Bump google.golang.org/api from 0.79.0 to 0.80.0 by @dependabot in #1897
• tree: support --attachment-tag-prefix by @ribbybibby in #1900
• [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896
• GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894
• The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901
• Bump actions/upload-artifact from 3.0.0 to 3.1.0 by @dependabot in #1907
• Bump cloud.google.com/go/storage from 1.22.0 to 1.22.1 by @dependabot in #1906
• [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893
• Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.4 to 0.1.5 by @dependabot in #1883
• Bump github.com/hashicorp/go-version from 1.4.0 to 1.5.0 by @dependabot in #1902
• Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910
• Bump github.com/xanzy/go-gitlab from 0.65.0 to 0.66.0 by @dependabot in #1913
• Add support for "**" in image glob matching by @imjasonh in #1914
• Add privacy statement for PII storage by @haydentherapper in #1909
• Bump github.com/xanzy/go-gitlab from 0.66.0 to 0.68.0 by @dependabot in #1920
• Bump github.com/armon/go-metrics from 0.3.11 to 0.4.0 by @dependabot in #1919
• Bump google.golang.org/api from 0.80.0 to 0.81.0 by @dependabot in #1918
• Bump ossf/scorecard-action from 1.0.4 to 1.1.0 by @dependabot in #1922
• Bump google-github-actions/auth from 0.7.3 to 0.8.0 by @dependabot in #1916
• Bump actions/dependency-review-action from 1.0.1 to 1.0.2 by @dependabot in #1915
• Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in #1927
• Bump github.com/hashicorp/vault/sdk from 0.4.1 to 0.5.0 by @dependabot in #1926
• Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in #1924
• Do not push to public rekor. by @vaikas in #1931
• Bump mikefarah/yq from 4.25.1 to 4.25.2 by @dependabot in #1933
• Bump actions/cache from 3.0.2 to 3.0.3 by @dependabot in #1937
• fix: fix fetching updated targets from TUF root by @asraa in #1921
• Bump github.com/secure-systems-lab/go-securesystemslib from 0.3.1 to 0.4.0 by @dependabot in #1944
• Bump ossf/scorecard-action from 1.1.0 to 1.1.1 by @dependabot in #1945
• fix: fix #1930 for AWS KMS formats by @vaikas in #1946
• update cross-builder image to use go1.17.11 by @cpanato in #1950
• Bump github.com/aws/aws-sdk-go-v2 from 1.14.0 to 1.16.4 by @dependabot in #1949
• remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952
• add changelog for v1.9.0 by @cpanato in #1955
• add parallelism for goreleaser by @cpanato in #1957

New Contributors

• @elfotografo007 made their first contribution in #1841
• @nealmcb made their first contribution in #1850
• @bainsy88 made their first contribution in #1856
• @zchee made their first contribution in #1879
• @EItanya made their first contribution in #1888
• @janisz made their first contribution in #1894

Full Changelog: v1.8.0...v1.9.0

Thanks to all contributors!