Bump github.com/sigstore/cosign from 1.5.2 to 1.10.1 in /pipeline/trusted-resources

Open dependabot[bot] opened this issue 3 years ago • 2 comments

Bumps github.com/sigstore/cosign from 1.5.2 to 1.10.1.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.10.1

This release fixes a security issue

cosign verify-attestation --type can report a false positive if any attestation exists https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296

What's Changed

New Contributors

Full Changelog: https://github.com/sigstore/cosign/compare/v1.10.0...v1.10.1

Thanks to all contributors!

v1.10.0

What's Changed

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.10.1

Note: This release comes with a fix for CVE-2022-35929 described in this GitHub Security Advisory. Please upgrade to this release ASAP.

Enhancements

  • update cross-builder to go1.18.5 and cosign image to 1.10.0 (#2119)
  • feat: attach: attestation: allow passing multiple payloads (#2085)
  • Resolves #522 set Created date to time of execution (#2108)
  • Fix field names in the vulnerability attestation (#2099)
  • Change Result in Vulnerability Attestation to interface{} (#2096)
  • Improve error message when no sigs/atts are found for an image (#2101)
  • add flag to allow skipping upload to transparency log (#2089)

Documentation

  • chore: fix documentation and warning on using untrusted rekor key (#2124)
  • Enable Scorecard badge (#2109)

Bug Fixes

  • Merge pull request from GHSA-vjxv-45g9-9296
  • Correct the type used for attest (#2128)

Others

  • Bump mikefarah/yq from 4.26.1 to 4.27.2 (#2116)
  • Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (#2115)
  • Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (#2120)
  • Bump google.golang.org/api from 0.90.0 to 0.91.0 (#2125)
  • Bump google.golang.org/api from 0.89.0 to 0.90.0 (#2111)
  • Bump github/codeql-action from 2.1.16 to 2.1.17 (#2112)
  • Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#2110)
  • Bump google.golang.org/api from 0.88.0 to 0.89.0 (#2106)
  • Bump imjasonh/setup-ko from 0.4 to 0.5 (#2107)
  • Introduce a custom error type to classify errors. (#2114)
  • Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 (#2103)
  • remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint (#2105)
  • Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 (#2100)
  • Remove knative/pkg deps (#2092)

Contributors

  • Azeem Shaikh
  • Carlos Tadeu Panato Junior
  • Furkan Türkal
  • Jason Hall
  • Kenny Leung
  • Matt Moore
  • Teppei Fukuda
  • Tobias Trabelsi
  • asraa
  • saso

... (truncated)

Commits
  • a39ce91 Correct the type used for attest (#2128)
  • c5fda01 Merge pull request from GHSA-vjxv-45g9-9296
  • 641f02b Bump google.golang.org/api from 0.90.0 to 0.91.0 (#2125)
  • 0f017f8 chore: fix documentation and warning on using untrusted rekor key (#2124)
  • 5aa17b9 Bump github.com/xanzy/go-gitlab from 0.69.0 to 0.70.0 (#2120)
  • 998323f update cross-builder to go1.18.5 and cosign image to 1.10.0 (#2119)
  • d58d23a Bump mikefarah/yq from 4.26.1 to 4.27.2 (#2116)
  • ecd794b Bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (#2115)
  • 938ad43 feat: attach: attestation: allow passing multiple payloads (#2085)
  • 7b1c0c0 Bump google.golang.org/api from 0.89.0 to 0.90.0 (#2111)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] Aug 10 '22 18:08

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot Aug 10 '22 18:08

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

To complete the pull request process, please assign yongxuanzhang after the PR has been reviewed. You can assign the PR to them by writing /assign @yongxuanzhang in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

tekton-robot Aug 10 '22 18:08

Superseded by #894.

dependabot[bot] Sep 16 '22 19:09