chore: merge upstream v1-6-0 (#166)

* Bump github.com/sigstore/sigstore/pkg/signature/kms/gcp

Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump google.golang.org/grpc from 1.62.0 to 1.62.1

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.62.0 to 1.62.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.62.0...v1.62.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0

Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.1.7 to 2.2.0.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.1.7...v2.2.0)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1

Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.7.7 to 0.8.1.
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.7.7...v0.8.1)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump codecov/codecov-action from 4.1.1 to 4.2.0

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.1.1 to 4.2.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/c16abc29c95fcf9174b58eb7e1abf4c866893bc8...7afa10ed9b269c561c2336fd862446844e0cbf71)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Upgrade go to 1.22 (#1625)

* upgrade go to 1.22

Signed-off-by: cpanato <ctadeu@gmail.com>

* ci housekeeping

Signed-off-by: cpanato <ctadeu@gmail.com>

* fix lints

Signed-off-by: cpanato <ctadeu@gmail.com>

* update go.mod to pin on go1.21.9

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: cpanato <ctadeu@gmail.com>

* Bump codecov/codecov-action from 4.2.0 to 4.3.0 in the all group

Bumps the all group with 1 update: [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `codecov/codecov-action` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/7afa10ed9b269c561c2336fd862446844e0cbf71...84508663e988701840491b86de86b666e8a86bed)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group with 4 updates

Bumps the all group with 4 updates: [chainguard.dev/go-grpc-kit](https://github.com/chainguard-dev/go-grpc-kit), [github.com/prometheus/client_model](https://github.com/prometheus/client_model), [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) and [go.step.sm/crypto](https://github.com/smallstep/crypto).

Updates `chainguard.dev/go-grpc-kit` from 0.17.2 to 0.17.3
- [Release notes](https://github.com/chainguard-dev/go-grpc-kit/releases)
- [Commits](https://github.com/chainguard-dev/go-grpc-kit/compare/v0.17.2...v0.17.3)

Updates `github.com/prometheus/client_model` from 0.6.0 to 0.6.1
- [Release notes](https://github.com/prometheus/client_model/releases)
- [Commits](https://github.com/prometheus/client_model/compare/v0.6.0...v0.6.1)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.2 to 1.8.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3)

Updates `go.step.sm/crypto` from 0.44.2 to 0.44.3
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.2...v0.44.3)

---
updated-dependencies:
- dependency-name: chainguard.dev/go-grpc-kit
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/prometheus/client_model
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* switch to community repo of reusable-release (#1636)

Signed-off-by: Bob Callaway <bcallaway@google.com>

* Bump github.com/googleapis/api-linter in /hack/tools in the all group

Bumps the all group in /hack/tools with 1 update: [github.com/googleapis/api-linter](https://github.com/googleapis/api-linter).


Updates `github.com/googleapis/api-linter` from 1.64.0 to 1.65.0
- [Release notes](https://github.com/googleapis/api-linter/releases)
- [Changelog](https://github.com/googleapis/api-linter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/api-linter/compare/v1.64.0...v1.65.0)

---
updated-dependencies:
- dependency-name: github.com/googleapis/api-linter
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 in the all group

Bumps the all group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/e1523de7571e31dbe865fd2e80c5c7c23ae71eb4...59acb6260d9c0ba8f4a2f9d9b48431a222b68e20)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group with 2 updates

Bumps the all group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...1d96c772d19495a3b5c517cd2bc0cb401ea0529f)

Updates `actions/upload-artifact` from 4.3.1 to 4.3.2
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/5d5d22a31266ced268874388b861e4b58bb5c2f3...1746f4ab65b179e0ea60a494b83293b640dd5bba)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump go.step.sm/crypto from 0.44.3 to 0.44.6 in the all group

Bumps the all group with 1 update: [go.step.sm/crypto](https://github.com/smallstep/crypto).

Updates `go.step.sm/crypto` from 0.44.3 to 0.44.6
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.3...v0.44.6)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group with 2 updates

Bumps the all group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/1d96c772d19495a3b5c517cd2bc0cb401ea0529f...0ad4b8fadaa221de15dcec353f45205ec38ea70b)

Updates `actions/upload-artifact` from 4.3.2 to 4.3.3
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/1746f4ab65b179e0ea60a494b83293b640dd5bba...65462800fd760344b1a7b4382951275a0abb4808)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4.0.0 to 5.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/3cfe3a4abbb849e10058ce4af15d205b6da42804...82d40c283aeb1f2b6595839195e95c2d6a49081b)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group with 2 updates

Bumps the all group with 2 updates: [go.step.sm/crypto](https://github.com/smallstep/crypto) and [google.golang.org/api](https://github.com/googleapis/google-api-go-client).

Updates `go.step.sm/crypto` from 0.44.6 to 0.44.8
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.6...v0.44.8)

Updates `google.golang.org/api` from 0.175.0 to 0.176.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.175.0...v0.176.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group with 3 updates

Bumps the all group with 3 updates: [actions/setup-go](https://github.com/actions/setup-go), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `actions/setup-go` from 5.0.0 to 5.0.1
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/0c52d547c9bc32b1aa3301fd7a9cb496313a4491...cdcb36043654635271a94b9a6d1392de5bb323a7)

Updates `codecov/codecov-action` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/84508663e988701840491b86de86b666e8a86bed...5ecb98a3c6b747ed38dc09f787459979aebb39be)

Updates `golangci/golangci-lint-action` from 5.0.0 to 5.3.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/82d40c283aeb1f2b6595839195e95c2d6a49081b...38e1018663fa5173f3968ea0777460d3de38f256)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5.3.0 to 6.0.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/38e1018663fa5173f3968ea0777460d3de38f256...a4f60bb28d35aeee14e6880718e0c85ff1882e64)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group with 2 updates

Bumps the all group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action).


Updates `actions/checkout` from 4.1.4 to 4.1.5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b)

Updates `ossf/scorecard-action` from 2.3.1 to 2.3.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/0864cf19026789058feabb7e87baa5f140aac736...dc50aa9510b46c811795eb24b2f1ba02a914e534)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group across 1 directory with 2 updates

Bumps the all group with 2 updates in the / directory: [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils).


Updates `github.com/prometheus/client_golang` from 1.19.0 to 1.19.1
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.19.0...v1.19.1)

Updates `sigs.k8s.io/release-utils` from 0.8.1 to 0.8.2
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.1...v0.8.2)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* docs: Fix extensions for digest values requiring a type prefix (#1661)

* docs: Fix extensions for digest values requiring a type prefix

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

* docs: Reformat table mapping OIDC token claims to Fulcio OIDs

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

---------

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

* oid-info: fix table render (#1662)

Signed-off-by: William Woodruff <william@trailofbits.com>

* update jobs to use go1.22.3 (#1660)

Signed-off-by: cpanato <ctadeu@gmail.com>

* Bump golang.org/x/net (#1640)

Bumps the go_modules group with 1 update in the /hack/tools directory: [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/net` from 0.21.0 to 0.23.0
- [Commits](https://github.com/golang/net/compare/v0.21.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump the all group with 3 updates

Bumps the all group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [google-github-actions/auth](https://github.com/google-github-actions/auth) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `actions/checkout` from 4.1.5 to 4.1.6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29)

Updates `google-github-actions/auth` from 2.1.2 to 2.1.3
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google-github-actions/auth/compare/55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c...71fee32a0bb7e97b4d33d548e7d957010649d8fa)

Updates `codecov/codecov-action` from 4.3.1 to 4.4.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/5ecb98a3c6b747ed38dc09f787459979aebb39be...6d798873df2b1b8e5846dba6fb86631229fbcb17)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump go.step.sm/crypto from 0.44.8 to 0.45.0

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.44.8 to 0.45.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.8...v0.45.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump codecov/codecov-action from 4.4.0 to 4.4.1 in the all group

Bumps the all group with 1 update: [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `codecov/codecov-action` from 4.4.0 to 4.4.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/6d798873df2b1b8e5846dba6fb86631229fbcb17...125fc84a9a348dbcf27191600683ec096ec9021c)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump protocolbuffers/protobuf from 26.1 to 27.0 (#1674)

* Bump protocolbuffers/protobuf from 26.1 to 27.0

Bumps [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf) from 26.1 to 27.0.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/compare/v26.1...v27.0)

---
updated-dependencies:
- dependency-name: protocolbuffers/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update main.yml

Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>

* Bump github.com/spf13/viper from 1.18.2 to 1.19.0

Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.18.2 to 1.19.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.18.2...v1.19.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Adding support for configuration from yaml file (#1687)

* Create support for configuration from yaml file

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* conform code to lint

Signed-off-by: Javan lacerda <javanlacerda@google.com>

---------

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity

Bumps the go_modules group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.5.2 to 1.6.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/internal/v1.5.2...sdk/azcore/v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group across 1 directory with 6 updates (#1699)

* Bump the all group across 1 directory with 6 updates

Bumps the all group with 3 updates in the / directory: [chainguard.dev/go-grpc-kit](https://github.com/chainguard-dev/go-grpc-kit), [github.com/spf13/cobra](https://github.com/spf13/cobra) and google.golang.org/protobuf.

Updates `chainguard.dev/go-grpc-kit` from 0.17.3 to 0.17.5
- [Release notes](https://github.com/chainguard-dev/go-grpc-kit/releases)
- [Commits](https://github.com/chainguard-dev/go-grpc-kit/compare/v0.17.3...v0.17.5)

Updates `github.com/grpc-ecosystem/grpc-gateway/v2` from 2.19.1 to 2.20.0
- [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases)
- [Changelog](https://github.com/grpc-ecosystem/grpc-gateway/blob/main/.goreleaser.yml)
- [Commits](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.19.1...v2.20.0)

Updates `github.com/spf13/cobra` from 1.8.0 to 1.8.1
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.8.0...v1.8.1)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20240513163218-0867130af1f8 to 0.0.0-20240520151616-dc85e6b867a5
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `google.golang.org/grpc` from 1.63.2 to 1.64.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.63.2...v1.64.0)

Updates `google.golang.org/protobuf` from 1.34.1 to 1.34.2

---
updated-dependencies:
- dependency-name: chainguard.dev/go-grpc-kit
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix deprecation

Signed-off-by: cpanato <ctadeu@gmail.com>

* update e2e tests

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>

* Bump go.step.sm/crypto from 0.45.0 to 0.47.1

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.45.0 to 0.47.1.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.45.0...v0.47.1)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump to go1.22.4 and update goreleaser and golangci-lint

Signed-off-by: cpanato <ctadeu@gmail.com>

* update deprecated flags

Signed-off-by: cpanato <ctadeu@gmail.com>

* Bump google.golang.org/api from 0.183.0 to 0.185.0

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.183.0 to 0.185.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.183.0...v0.185.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/spiffe/go-spiffe/v2 from 2.2.0 to 2.3.0

Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/google/certificate-transparency-go from 1.1.8 to 1.2.1

Bumps [github.com/google/certificate-transparency-go](https://github.com/google/certificate-transparency-go) from 1.1.8 to 1.2.1.
- [Release notes](https://github.com/google/certificate-transparency-go/releases)
- [Changelog](https://github.com/google/certificate-transparency-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/certificate-transparency-go/compare/v1.1.8...v1.2.1)

---
updated-dependencies:
- dependency-name: github.com/google/certificate-transparency-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group across 1 directory with 4 updates

Bumps the all group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [ko-build/setup-ko](https://github.com/ko-build/setup-ko), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf).


Updates `actions/checkout` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332)

Updates `ko-build/setup-ko` from 0.6 to 0.7
- [Release notes](https://github.com/ko-build/setup-ko/releases)
- [Commits](https://github.com/ko-build/setup-ko/compare/ace48d793556083a76f1e3e6068850c1f4a369aa...3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037)

Updates `codecov/codecov-action` from 4.4.1 to 4.5.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/125fc84a9a348dbcf27191600683ec096ec9021c...e28ff129e5465c2c0dcc6f003fc735cb6ae0c673)

Updates `protocolbuffers/protobuf` from 27.0 to 27.1
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/compare/v27.0...v27.1)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ko-build/setup-ko
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: protocolbuffers/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update README.md (#1700)

Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>

* replace gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v4 (#1686)

Signed-off-by: cpanato <ctadeu@gmail.com>

* Add Chainguard OIDC provider. (#1703)

This adds support for Chainguard issued tokens, so that users can sign with their Chainguard-issued identity, and so that we can explore signing our own content with our internal service principal construct (see issue).

Related: https://github.com/sigstore/fulcio/issues/1702

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>

* Bump github.com/hashicorp/go-retryablehttp in the go_modules group

Bumps the go_modules group with 1 update: [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp).


Updates `github.com/hashicorp/go-retryablehttp` from 0.7.6 to 0.7.7
- [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/go-retryablehttp/compare/v0.7.6...v0.7.7)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-retryablehttp
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/prometheus/common from 0.54.0 to 0.55.0

Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.54.0 to 0.55.0.
- [Release notes](https://github.com/prometheus/common/releases)
- [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md)
- [Commits](https://github.com/prometheus/common/compare/v0.54.0...v0.55.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/common
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump protocolbuffers/protobuf from 27.1 to 27.2 in the all group

Bumps the all group with 1 update: [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf).


Updates `protocolbuffers/protobuf` from 27.1 to 27.2
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/compare/v27.1...v27.2)

---
updated-dependencies:
- dependency-name: protocolbuffers/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update main.yml

Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>

* Bump actions/upload-artifact from 4.3.3 to 4.3.4 in the all group

Bumps the all group with 1 update: [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/upload-artifact` from 4.3.3 to 4.3.4
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...0b2256b8c012f0828dc542b3febcab082c67f72b)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add changelog for v1.5.0 (#1723)

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* CiProvider as a new OIDCIssuer type (#1679)

This adds a new generic CI provider so that new CI providers can be added via configuration without any code changes. The existing CI providers will be migrated over.

Ref: #1111

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* Bump google.golang.org/grpc in the go_modules group (#1724)

Bumps the go_modules group with 1 update: [google.golang.org/grpc](https://github.com/grpc/grpc-go).


Updates `google.golang.org/grpc` from 1.64.0 to 1.64.1
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.64.0...v1.64.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Surface the right `Name()` from our principal. (#1726)

The cosign logic for interacting with Fulcio treats identity tokens as *largely* opaque, and most of the logic for how issuers and subjects and whatnot is handled happens server-side.  However, for the "proof of possession" `cosign` has some logic (from `sigstore/sigstore`) that fumbles with `email` and `sub` claims in ways that have (until now) been compatible with Fulcio principals.

The Chainguard provider is the first provider that optionally includes an `email` claim, but we always want the subject we use to be our opaque identifier string (from `sub`).  This creates a tear in the fulcio/cosign continuum, and so we must surface what `cosign` is signing as `Name()` even though that isn't necessarily what we embed in the certificate.

The only correct way to implement `Name()` today is to match what this function does, and current implementations happen to align, but unfortunately because of how this abstraction is formulated it is challenging to actually change how we confirm the proof of possession to use this directly in place of the principal itself.

Fixes: https://github.com/sigstore/cosign/issues/3777

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>

* Revert "CiProvider as a new OIDCIssuer type (#1679)" (#1727)

This reverts commit 66485b693867adc650aea85777f1899286c3c7ce.

* Changelog for v1.5.1 (#1728)

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* CiProvider as a new OIDCIssuer type (#1729)

This adds a new generic CI provider so that new CI providers can be added via configuration without any code changes. The existing CI providers will be migrated over.

Ref: #1111
Add back #1679

Signed-off-by: Javan lacerda javanlacerda@google.com

* Bump the all group across 1 directory with 8 updates (#1719)

* Bump the all group across 1 directory with 8 updates

Bumps the all group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) | `1.17.0` | `1.17.2` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |

Updates `cloud.google.com/go/security` from 1.17.0 to 1.17.2
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.17.0...asset/v1.17.2)

Updates `github.com/sigstore/sigstore` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `google.golang.org/api` from 0.185.0 to 0.187.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.185.0...v0.187.0)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20240610135401-a8a62080eff3 to 0.0.0-20240617180043-68d350f18fd4
- [Commits](https://github.com/googleapis/go-genproto/commits)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/security
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* update test

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>

* Bump go.step.sm/crypto from 0.47.1 to 0.50.0

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.47.1 to 0.50.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.47.1...v0.50.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump actions/setup-go from 5.0.1 to 5.0.2 in the all group

Bumps the all group with 1 update: [actions/setup-go](https://github.com/actions/setup-go).


Updates `actions/setup-go` from 5.0.1 to 5.0.2
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/cdcb36043654635271a94b9a6d1392de5bb323a7...0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump github.com/coreos/go-oidc/v3 from 3.10.0 to 3.11.0

Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.10.0 to 3.11.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](https://github.com/coreos/go-oidc/compare/v3.10.0...v3.11.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Move configuration to yaml format (#1720)

Migrate the configuration file from json to yaml
Also removes the fulcio-config.yaml file that isn't used
Concentrate the issuers and meta-issuers in a single file that can be found at config/identity/config.yaml
Also removes the https://auth-staging.eclipse.org/realms/sigstore from the list of issuers, as it is unavailable.
Removes the federation script as it has not been used, and switches over to a test that's run to check validity of the configuration.

Ref #1111

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* Removes identity providers federation (#1736)

Removes the identity providers federation, and update the documentation for adding new identity providers, including ci-providers.

Ref #1111

Signed-off-by: Javan Lacerda <javanlacerda@google.com>

* Bump the all group across 1 directory with 11 updates

Bumps the all group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [chainguard.dev/sdk](https://github.com/chainguard-dev/sdk) | `0.1.20` | `0.1.21` |
| [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) | `1.17.2` | `1.17.3` |
| [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) | `4.0.2` | `4.0.3` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) | `0.8.2` | `0.8.3` |

Updates `chainguard.dev/sdk` from 0.1.20 to 0.1.21
- [Release notes](https://github.com/chainguard-dev/sdk/releases)
- [Commits](https://github.com/chainguard-dev/sdk/compare/v0.1.20...v0.1.21)

Updates `cloud.google.com/go/security` from 1.17.2 to 1.17.3
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/asset/v1.17.2...retail/v1.17.3)

Updates `github.com/go-jose/go-jose/v4` from 4.0.2 to 4.0.3
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.2...v4.0.3)

Updates `github.com/sigstore/sigstore` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `google.golang.org/api` from 0.187.0 to 0.188.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.187.0...v0.188.0)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20240617180043-68d350f18fd4 to 0.0.0-20240701130421-f6361c86f094
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `sigs.k8s.io/release-utils` from 0.8.2 to 0.8.3
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.2...v0.8.3)

---
updated-dependencies:
- dependency-name: chainguard.dev/sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: cloud.google.com/go/security
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* update builder

Signed-off-by: cpanato <ctadeu@gmail.com>

* sync go mod

Signed-off-by: cpanato <ctadeu@gmail.com>

* add Hellō provider (#1739)

Signed-off-by: dickhardt <dick.hardt@hello.coop>

* Migrate github to ci provider flow (#1738)

Contribute towards #1111

Moves GitHub configuration to the new ci-provider configuration. No changes to issued certificates.

Signed-off-by: Javan Lacerda <javanlacerda@google.com>

* Move gitlab to ci-provider (#1740)

* move fulcio config from json to yaml

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* move fulcio-config to a new file

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* updating test for check-config workflow

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* set verify k8s workflow for get configg directly

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* migrate gitlab to ci provider

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* set gitlab ref for using a conditional template

Signed-off-by: Javan lacerda <javanlacerda@google.com>

---------

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* Update IDP requirements (#1742)

This adds policy documentation around requirements for new IDPs.

Signed-off-by: Hayden B <hblauzvern@google.com>

* Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.20.0 to 2.21.0

Bumps [github.com/grpc-ecosystem/grpc-gateway/v2](https://github.com/grpc-ecosystem/grpc-gateway) from 2.20.0 to 2.21.0.
- [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases)
- [Changelog](https://github.com/grpc-ecosystem/grpc-gateway/blob/main/.goreleaser.yml)
- [Commits](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.20.0...v2.21.0)

---
updated-dependencies:
- dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump ossf/scorecard-action from 2.3.3 to 2.4.0 in the all group

Bumps the all group with 1 update: [ossf/scorecard-action](https://github.com/ossf/scorecard-action).


Updates `ossf/scorecard-action` from 2.3.3 to 2.4.0
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/dc50aa9510b46c811795eb24b2f1ba02a914e534...62b2cac7ed8198b15735ed49ab1e5cf35480ba46)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group across 1 directory with 4 updates

Bumps the all group with 3 updates in the / directory: [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go), [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils).


Updates `cloud.google.com/go/security` from 1.17.3 to 1.17.4
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/retail/v1.17.3...retail/v1.17.4)

Updates `github.com/go-jose/go-jose/v4` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.3...v4.0.4)

Updates `google.golang.org/api` from 0.188.0 to 0.189.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.188.0...v0.189.0)

Updates `sigs.k8s.io/release-utils` from 0.8.3 to 0.8.4
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.3...v0.8.4)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/security
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Added support for email_verified being a string or bool (#1744)

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Bump chainguard.dev/sdk from 0.1.21 to 0.1.22 in the all group

Bumps the all group with 1 update: [chainguard.dev/sdk](https://github.com/chainguard-dev/sdk).


Updates `chainguard.dev/sdk` from 0.1.21 to 0.1.22
- [Release notes](https://github.com/chainguard-dev/sdk/releases)
- [Commits](https://github.com/chainguard-dev/sdk/compare/v0.1.21...0.1.22)

---
updated-dependencies:
- dependency-name: chainguard.dev/sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump the all group with 3 updates

Bumps the all group with 3 updates: [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `protocolbuffers/protobuf` from 27.2 to 27.3
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/compare/v27.2...v27.3)

Updates `actions/upload-artifact` from 4.3.4 to 4.3.5
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/0b2256b8c012f0828dc542b3febcab082c67f72b...89ef406dd8d7e03cfd12d9e0a4a378f454709029)

Updates `golangci/golangci-lint-action` from 6.0.1 to 6.1.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/a4f60bb28d35aeee14e6880718e0c85ff1882e64...aaa42aa0628b4ae2578232a66b541047968fac86)

---
updated-dependencies:
- dependency-name: protocolbuffers/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump go.step.sm/crypto from 0.50.0 to 0.51.1

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.50.0 to 0.51.1.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.50.0...v0.51.1)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Move codefresh and buildkite to ci-provider identity (#1743)

* migrating codefresh and buildkite to ci provider

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* adding test case for comparing with empty key

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* add comments for codefresh extensions

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* set claimed data to have priority over defaults

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* fix identation

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* adding comments for github and gitlab in config file

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* adding tests for check claims priority over defaults

Signed-off-by: Javan lacerda <javanlacerda@google.com>

---------

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* Bump google.golang.org/api from 0.189.0 to 0.190.0 (#1753)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.189.0 to 0.190.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.189.0...v0.190.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump the all group across 1 directory with 4 updates (#1754)

* Bump the all group across 1 directory with 4 updates

Bumps the all group with 3 updates in the /hack/tools directory: [github.com/googleapis/api-linter](https://github.com/googleapis/api-linter), [github.com/grpc-ecosystem/grpc-gateway/v2](https://github.com/grpc-ecosystem/grpc-gateway) and [google.golang.org/grpc/cmd/protoc-gen-go-grpc](https://github.com/grpc/grpc-go).


Updates `github.com/googleapis/api-linter` from 1.65.0 to 1.67.1
- [Release notes](https://github.com/googleapis/api-linter/releases)
- [Changelog](https://github.com/googleapis/api-linter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/api-linter/compare/v1.65.0...v1.67.1)

Updates `github.com/grpc-ecosystem/grpc-gateway/v2` from 2.19.1 to 2.21.0
- [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases)
- [Changelog](https://github.com/grpc-ecosystem/grpc-gateway/blob/main/.goreleaser.yml)
- [Commits](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.19.1...v2.21.0)

Updates `google.golang.org/grpc/cmd/protoc-gen-go-grpc` from 1.3.0 to 1.5.1
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.3.0...v1.5.1)

Updates `google.golang.org/protobuf` from 1.33.0 to 1.34.2

---
updated-dependencies:
- dependency-name: github.com/googleapis/api-linter
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/grpc/cmd/protoc-gen-go-grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* update gen protos

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hayden Blauzvern <hblauzvern@google.com>

* Add changelog for v1.6.0 (#1756)

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* fixup

Signed-off-by: Lance Ball <lball@redhat.com>

* chore: remove hermetic builds

Signed-off-by: Lance Ball <lball@redhat.com>

* chore: downgrade golang dep

Signed-off-by: Lance Ball <lball@redhat.com>

* konflux: remove unit test pipeline

Unit tests do not seem to work with go 1.23. Removing for now.

Signed-off-by: Lance Ball <lball@redhat.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Signed-off-by: Javan lacerda <javanlacerda@google.com>
Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Javan lacerda javanlacerda@google.com
Signed-off-by: Javan Lacerda <javanlacerda@google.com>
Signed-off-by: dickhardt <dick.hardt@hello.coop>
Signed-off-by: Hayden B <hblauzvern@google.com>
Signed-off-by: Andrew Block <andy.block@gmail.com>
Signed-off-by: Lance Ball <lball@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>
Co-authored-by: Facundo Tuesca <facu@tuesca.com>
Co-authored-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Javan Lacerda <javanlacerda@google.com>
Co-authored-by: Matt Moore <mattmoor@chainguard.dev>
Co-authored-by: Hayden B <hblauzvern@google.com>
Co-authored-by: Dick Hardt <dick.hardt@hello.coop>
Co-authored-by: Andrew Block <andy.block@gmail.com>

.github/dependabot.yml

@@ -20,15 +20,34 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    groups:
+      all:
+        update-types:
+          - "patch"
   - package-ecosystem: "gomod"
     directory: "./hack/tools"
     schedule:
       interval: "weekly"
+    groups:
+      all:
+        update-types:
+          - "minor"
+          - "patch"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      all:
+        update-types:
+          - "minor"
+          - "patch"
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      all:
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/codeql-analysis.yml

@@ -39,13 +39,17 @@ jobs:
         language: [ 'go' ]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-    - name: Extract version of Go to use
-      run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    # TODO: uncomment when we bump to go1.22 in go.mod
+    # - name: Extract version of Go to use
+    #   run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
+
+    - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
-        go-version: ${{ env.GOVERSION }}
+        go-version: '1.22'
+        check-latest: true
+
     - uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0
       name: Install protobuf
       with:

.github/workflows/container-build.yml

@@ -26,28 +26,32 @@ jobs:
     name: build
     runs-on: ubuntu-latest
 
+    if: github.repository == 'sigstore/fulcio'
+
     permissions:
       id-token: write
       contents: read
 
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
-      - name: Extract version of Go to use
-        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
+      # TODO: uncomment when we bump to go1.22 in go.mod
+      # - name: Extract version of Go to use
+      #   run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: ${{ env.GOVERSION }}
+          go-version: '1.22'
+          check-latest: true
 
       - name: deps
         run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev
 
-      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 
       - name: Set up Cloud SDK
-        uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
         with:
           workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-fulcio'
           service_account: 'github-actions-fulcio@projectsigstore.iam.gserviceaccount.com'

.github/workflows/cut-release.yml

@@ -21,7 +21,7 @@ concurrency: cut-release
 jobs:
   cut-release:
     name: Cut release
-    uses: sigstore/sigstore/.github/workflows/reusable-release.yml@main
+    uses: sigstore/community/.github/workflows/reusable-release.yml@main
     permissions:
       id-token: write
       contents: read

.github/workflows/main.yml

@@ -29,23 +29,31 @@ jobs:
     runs-on: ubuntu-20.04
 
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Extract version of Go to use
-        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      # TODO: uncomment when we bump to go1.22 in go.mod
+      # - name: Extract version of Go to use
+      #   run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: ${{ env.GOVERSION }}
+          go-version: '1.22'
+          check-latest: true
+
       - uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0
         name: Install protobuf
         with:
-          version: '25.1'
+          version: '27.2'
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build
         run: make -C $GITHUB_WORKSPACE all
+
       - name: Test
         run: go test -v -coverprofile=coverage.txt -covermode=atomic ./...
+
       - name: Upload Coverage Report
-        uses: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # v4.1.1
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+
       - name: Ensure no files were modified as a result of the build
         run: git update-index --refresh && git diff-index --quiet -I"^\/\/\s+(-\s+)?protoc(-gen-go)?\s+v[0-9]+\.[0-9]+\.[0-9]+$" HEAD -- || git diff -I"^\/\/\s+(-\s+)?protoc(-gen-go)?\s+v[0-9]+\.[0-9]+\.[0-9]+$" --exit-code

.github/workflows/protoc-dependabot-hack.yml

@@ -11,9 +11,9 @@ jobs:
 
   dependabot_hack:
     name: Ensure dependabot version checks
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
 
       # update the version in these places manually when Dependabot proposes a change to it here:
       # 1. the version in main.yml used to install protoc
-      - uses: protocolbuffers/protobuf@v26.1
+      - uses: protocolbuffers/protobuf@v27.3

.github/workflows/scorecard_action.yml

@@ -23,12 +23,12 @@ jobs:
       id-token: write
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -44,7 +44,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/validate-release.yml

@@ -28,14 +28,14 @@ jobs:
   check-signature:
     runs-on: ubuntu-latest
     container:
-      image: gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967
+      image: gcr.io/projectsigstore/cosign:v2.2.4-dev@sha256:13efd4c62710d75f07d12d8aad36a8657eeffd4f5f3a40bcbc207d8aafa67d41
 
     steps:
       - name: Check Signature
         run: |
-          cosign verify ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405 \
+          cosign verify ghcr.io/gythialy/golang-cross:v1.22.5-0@sha256:5cf8fca7fe80392c8d1597fe89d291d49120507390f25507746f73d4b7f8a8f2 \
           --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.8-0"
+          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.22.5-0"
         env:
           TUF_ROOT: /tmp
 
@@ -44,10 +44,10 @@ jobs:
     needs:
       - check-signature
     container:
-      image: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405
+      image: ghcr.io/gythialy/golang-cross:v1.22.5-0@sha256:5cf8fca7fe80392c8d1597fe89d291d49120507390f25507746f73d4b7f8a8f2
 
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       # Error: fatal: detected dubious ownership in repository at '/__w/fulcio/fulcio'
       #      To add an exception for this directory, call:

.github/workflows/verify-k8s.yml

@@ -25,14 +25,20 @@ jobs:
     name: k8s manifest check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Extract version of Go to use
-        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      # TODO: uncomment when we bump to go1.22 in go.mod
+      # - name: Extract version of Go to use
+      #   run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ env.GOVERSION }}
+          check-latest: true
+
       - name: Install kubeval
         run: go install github.com/instrumenta/kubeval@v0.16.1
+
       - run: kubeval config/*.yaml
 
   verify-k8s-deployment:
@@ -46,12 +52,11 @@ jobs:
 
         include:
         - issuer: "OIDC Issuer"
-          issuer-config: |
-            "OIDCIssuers": {"https://kubernetes.default.svc": {"IssuerURL": "https://kubernetes.default.svc","ClientID": "sigstore","Type": "kubernetes"}}
+          issuer-config:
+            "oidc-issuers:\n      https://kubernetes.default.svc:\n        issuer-url: \"https://kubernetes.default.svc\"\n        client-id: \"sigstore\"\n        type: \"kubernetes\""
         - issuer: "Meta Issuer"
-          issuer-config: |
-            "MetaIssuers": {"https://kubernetes.*.svc": {"ClientID": "sigstore","Type": "kubernetes"}}
-
+          issuer-config:
+            "meta-issuers:\n      https://kubernetes.*.svc: \n        client-id: \"sigstore\"\n        type: \"kubernetes\""
     env:
       # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
       # '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic,
@@ -63,14 +68,18 @@ jobs:
       GIT_VERSION: test
 
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Extract version of Go to use
-        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      # TODO: uncomment when we bump to go1.22 in go.mod
+      # - name: Extract version of Go to use
+      #   run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: ${{ env.GOVERSION }}
+          go-version: '1.22'
+          check-latest: true
 
-      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 
       - name: Setup Cluster
         uses: chainguard-dev/actions/setup-kind@f94883c3bd16936401291899070258f855b5d849 # main
@@ -114,10 +123,8 @@ jobs:
             name: fulcio-config
             namespace: fulcio-system
           data:
-            config.json: |-
-              {
-                ${{ matrix.issuer-config }}
-              }
+            config.yaml: |-
+              ${{ matrix.issuer-config }}
             server.yaml: |-
               host: 0.0.0.0
               port: 5555
@@ -129,7 +136,6 @@ jobs:
               ct-log-url: ""
               log_type: prod
           EOF
-
           # Create secret needed to use fileca
           cat <<EOF > config/fulcio-secret.yaml
           apiVersion: v1

.github/workflows/verify.yml

@@ -15,7 +15,11 @@
 
 name: Verify
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - main
+  pull_request:
 
 permissions:
   contents: read
@@ -25,14 +29,20 @@ jobs:
     name: license boilerplate check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Extract version of Go to use
-        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      # TODO: uncomment when we bump to go1.22 in go.mod
+      # - name: Extract version of Go to use
+      #   run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: ${{ env.GOVERSION }}
+          go-version: '1.22'
+          check-latest: true
+
       - name: Install addlicense
         run: go install github.com/google/addlicense@v1.0.0
+
       - name: Check license headers
         run: |
           set -e
@@ -43,32 +53,42 @@ jobs:
     name: golangci-lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: deps
         run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev
-      - name: Extract version of Go to use
-        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+
+      # TODO: uncomment when we bump to go1.22 in go.mod
+      # - name: Extract version of Go to use
+      #   run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: ${{ env.GOVERSION }}
+          go-version: '1.22'
+          check-latest: true
+
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
-        timeout-minutes: 5
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+        timeout-minutes: 10
         with:
-          version: v1.55
+          version: v1.59
 
   oidc-config:
     name: oidc-config
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Extract version of Go to use
-        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      # TODO: uncomment when we bump to go1.22 in go.mod
+      # - name: Extract version of Go to use
+      #   run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: ${{ env.GOVERSION }}
+          go-version: '1.22'
+          check-latest: true
+
       - name: check-config
         run: |
           set -e
-          go run federation/main.go
-          git diff --exit-code
+          go test -timeout 30s -run ^TestLoadFulcioConfig$ github.com/sigstore/fulcio/pkg/config