fix(deps): update go (#825)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/google/go-containerregistry](https://redirect.github.com/google/go-containerregistry)
| `v0.20.2` -> `v0.20.3` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgoogle%2fgo-containerregistry/v0.20.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgoogle%2fgo-containerregistry/v0.20.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgoogle%2fgo-containerregistry/v0.20.2/v0.20.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgoogle%2fgo-containerregistry/v0.20.2/v0.20.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/secure-systems-lab/go-securesystemslib](https://redirect.github.com/secure-systems-lab/go-securesystemslib)
| `v0.8.0` -> `v0.9.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsecure-systems-lab%2fgo-securesystemslib/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsecure-systems-lab%2fgo-securesystemslib/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsecure-systems-lab%2fgo-securesystemslib/v0.8.0/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsecure-systems-lab%2fgo-securesystemslib/v0.8.0/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/cosign/v2](https://redirect.github.com/sigstore/cosign)
| `v2.2.4` -> `v2.4.1` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/fulcio](https://redirect.github.com/sigstore/fulcio)
| `v1.4.5` -> `v1.6.5` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2ffulcio/v1.6.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2ffulcio/v1.6.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2ffulcio/v1.4.5/v1.6.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2ffulcio/v1.4.5/v1.6.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/protobuf-specs](https://redirect.github.com/sigstore/protobuf-specs)
| `v0.3.2` -> `v0.3.3` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fprotobuf-specs/v0.3.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fprotobuf-specs/v0.3.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fprotobuf-specs/v0.3.2/v0.3.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fprotobuf-specs/v0.3.2/v0.3.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/rekor](https://redirect.github.com/sigstore/rekor)
| `v1.3.6` -> `v1.3.8` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2frekor/v1.3.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2frekor/v1.3.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2frekor/v1.3.6/v1.3.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2frekor/v1.3.6/v1.3.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/sigstore](https://redirect.github.com/sigstore/sigstore)
| `v1.8.9` -> `v1.8.12` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fsigstore/v1.8.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fsigstore/v1.8.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fsigstore/v1.8.9/v1.8.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fsigstore/v1.8.9/v1.8.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/slsa-framework/slsa-github-generator](https://redirect.github.com/slsa-framework/slsa-github-generator)
| `v1.9.0` -> `v1.10.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fslsa-framework%2fslsa-github-generator/v1.10.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fslsa-framework%2fslsa-github-generator/v1.10.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fslsa-framework%2fslsa-github-generator/v1.9.0/v1.10.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fslsa-framework%2fslsa-github-generator/v1.9.0/v1.10.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| golang.org/x/mod | `v0.21.0` -> `v0.22.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fmod/v0.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fmod/v0.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fmod/v0.21.0/v0.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fmod/v0.21.0/v0.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[google.golang.org/protobuf](https://redirect.github.com/protocolbuffers/protobuf-go)
| `v1.34.2` -> `v1.36.3` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.36.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.36.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.34.2/v1.36.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.34.2/v1.36.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[sigs.k8s.io/release-utils](https://redirect.github.com/kubernetes-sigs/release-utils)
| `v0.8.4` -> `v0.9.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/sigs.k8s.io%2frelease-utils/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/sigs.k8s.io%2frelease-utils/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/sigs.k8s.io%2frelease-utils/v0.8.4/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/sigs.k8s.io%2frelease-utils/v0.8.4/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>google/go-containerregistry
(github.com/google/go-containerregistry)</summary>

###
[`v0.20.3`](https://redirect.github.com/google/go-containerregistry/releases/tag/v0.20.3)

[Compare
Source](https://redirect.github.com/google/go-containerregistry/compare/v0.20.2...v0.20.3)

#### What's Changed

- remote/transport: Make bearer transport go-routine-safe by
[@&#8203;2opremio](https://redirect.github.com/2opremio) in
[https://github.com/google/go-containerregistry/pull/1806](https://redirect.github.com/google/go-containerregistry/pull/1806)
- Expose compare package by
[@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in
[https://github.com/google/go-containerregistry/pull/2001](https://redirect.github.com/google/go-containerregistry/pull/2001)
- fix: redact.URL uses (\*URL).Redacted to omit basic-auth password by
[@&#8203;bmoylan](https://redirect.github.com/bmoylan) in
[https://github.com/google/go-containerregistry/pull/1947](https://redirect.github.com/google/go-containerregistry/pull/1947)
- bump actions to latest by
[@&#8203;ajayk](https://redirect.github.com/ajayk) in
[https://github.com/google/go-containerregistry/pull/2011](https://redirect.github.com/google/go-containerregistry/pull/2011)
- don't pin chainguard-dev/actions by
[@&#8203;imjasonh](https://redirect.github.com/imjasonh) in
[https://github.com/google/go-containerregistry/pull/2025](https://redirect.github.com/google/go-containerregistry/pull/2025)
- Check for 406 status code when handling referrers API endpoint
response by [@&#8203;malancas](https://redirect.github.com/malancas) in
[https://github.com/google/go-containerregistry/pull/2026](https://redirect.github.com/google/go-containerregistry/pull/2026)
- mutate: Create a defensive annotations copy by
[@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in
[https://github.com/google/go-containerregistry/pull/2030](https://redirect.github.com/google/go-containerregistry/pull/2030)
- Detect zstd in crane append by
[@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in
[https://github.com/google/go-containerregistry/pull/2023](https://redirect.github.com/google/go-containerregistry/pull/2023)
- bump deps using hack/bump-deps.sh by
[@&#8203;imjasonh](https://redirect.github.com/imjasonh) in
[https://github.com/google/go-containerregistry/pull/2042](https://redirect.github.com/google/go-containerregistry/pull/2042)

#### New Contributors

- [@&#8203;bmoylan](https://redirect.github.com/bmoylan) made their
first contribution in
[https://github.com/google/go-containerregistry/pull/1947](https://redirect.github.com/google/go-containerregistry/pull/1947)
- [@&#8203;ajayk](https://redirect.github.com/ajayk) made their first
contribution in
[https://github.com/google/go-containerregistry/pull/2011](https://redirect.github.com/google/go-containerregistry/pull/2011)
- [@&#8203;malancas](https://redirect.github.com/malancas) made their
first contribution in
[https://github.com/google/go-containerregistry/pull/2026](https://redirect.github.com/google/go-containerregistry/pull/2026)

**Full Changelog**:
google/go-containerregistry@v0.20.2...v0.20.3

</details>

<details>
<summary>secure-systems-lab/go-securesystemslib
(github.com/secure-systems-lab/go-securesystemslib)</summary>

###
[`v0.9.0`](https://redirect.github.com/secure-systems-lab/go-securesystemslib/compare/v0.8.0...v0.9.0)

[Compare
Source](https://redirect.github.com/secure-systems-lab/go-securesystemslib/compare/v0.8.0...v0.9.0)

</details>

<details>
<summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary>

###
[`v2.4.1`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v241)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.4.0...v2.4.1)

v2.4.1 largely contains bug fixes and updates dependencies.

#### Features

-   Added fuzzing coverage to multiple packages

#### Bug Fixes

- Fix bug in attest-blob when using a timestamp authority with new
bundles
([#&#8203;3877](https://redirect.github.com/sigstore/cosign/issues/3877))
- fix: documentation link for installation guide
([#&#8203;3884](https://redirect.github.com/sigstore/cosign/issues/3884))

#### Contributors

-   AdamKorcz
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Hayden B
-   Hemil K
-   Sota Sugiura
-   Zach Steindler

###
[`v2.4.0`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v240)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.3.0...v2.4.0)

v2.4.0 begins the modernization of the Cosign client, which includes:

-   Support for the newer Sigstore specification-compliant bundle format
- Support for providing trust roots (e.g. Fulcio certificates, Rekor
keys)
    through a trust root file, instead of many different flags
- Conformance test suite integration to verify signing and verification
behavior

In future updates, we'll include:

- General support for the trust root file, instead of only when using
the bundle
    format during verification
-   Simplification of trust root flags and deprecation of the
    Cosign-specific bundle format
-   Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of
GCR.

#### Features

- Add new bundle support to `verify-blob` and `verify-blob-attestation`
([#&#8203;3796](https://redirect.github.com/sigstore/cosign/issues/3796))
- Adding protobuf bundle support to sign-blob and attest-blob
([#&#8203;3752](https://redirect.github.com/sigstore/cosign/issues/3752))
- Bump sigstore/sigstore to support `email_verified` as string or
boolean
([#&#8203;3819](https://redirect.github.com/sigstore/cosign/issues/3819))
- Conformance testing for cosign
([#&#8203;3806](https://redirect.github.com/sigstore/cosign/issues/3806))
- move incremental builds per commit to GHCR instead of GCR
([#&#8203;3808](https://redirect.github.com/sigstore/cosign/issues/3808))
- Add support for recording creation timestamp for cosign attest
([#&#8203;3797](https://redirect.github.com/sigstore/cosign/issues/3797))
- Include SCT verification failure details in error message
([#&#8203;3799](https://redirect.github.com/sigstore/cosign/issues/3799))

#### Contributors

-   Bob Callaway
-   Hayden B
-   Slavek Kabrda
-   Zach Steindler
-   Zsolt Horvath

###
[`v2.3.0`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v230)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.2.4...v2.3.0)

#### Features

- Add PayloadProvider interface to decouple AttestationToPayloadJSON
from oci.Signature interface
([#&#8203;3693](https://redirect.github.com/sigstore/cosign/issues/3693))
- add registry options to cosign save
([#&#8203;3645](https://redirect.github.com/sigstore/cosign/issues/3645))
- Add debug providers command.
([#&#8203;3728](https://redirect.github.com/sigstore/cosign/issues/3728))
- Make config layers in ociremote mountable
([#&#8203;3741](https://redirect.github.com/sigstore/cosign/issues/3741))
- upgrade to go1.22
([#&#8203;3739](https://redirect.github.com/sigstore/cosign/issues/3739))
- adds tsa cert chain check for env var or tuf targets.
([#&#8203;3600](https://redirect.github.com/sigstore/cosign/issues/3600))
- add --ca-roots and --ca-intermediates flags to 'cosign verify'
([#&#8203;3464](https://redirect.github.com/sigstore/cosign/issues/3464))
- add handling of keyless verification for all verify commands
([#&#8203;3761](https://redirect.github.com/sigstore/cosign/issues/3761))

#### Bug Fixes

- fix: close attestationFile
([#&#8203;3679](https://redirect.github.com/sigstore/cosign/issues/3679))
- Set `bundleVerified` to true after Rekor verification (Resolves
[#&#8203;3740](https://redirect.github.com/sigstore/cosign/issues/3740))
([#&#8203;3745](https://redirect.github.com/sigstore/cosign/issues/3745))

#### Documentation

- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign
([#&#8203;3776](https://redirect.github.com/sigstore/cosign/issues/3776))

#### Testing

- Refactor KMS E2E tests
([#&#8203;3684](https://redirect.github.com/sigstore/cosign/issues/3684))
- Remove sign_blob_test.sh test
([#&#8203;3707](https://redirect.github.com/sigstore/cosign/issues/3707))
- Remove KMS E2E test script
([#&#8203;3702](https://redirect.github.com/sigstore/cosign/issues/3702))
- Refactor insecure registry E2E tests
([#&#8203;3701](https://redirect.github.com/sigstore/cosign/issues/3701))

#### Contributors

-   Billy Lynch
-   bminahan73
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Cody Soyland
-   Colleen Murphy
-   Dmitry Savintsev
-   guangwu
-   Hayden B
-   Hector Fernandez
-   ian hundere
-   Jason Power
-   Jon Johnson
-   Max Lambrecht
-   Meeki1l

</details>

<details>
<summary>sigstore/fulcio (github.com/sigstore/fulcio)</summary>

###
[`v1.6.5`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v165)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.4...v1.6.5)

#### Features

- use go1.23.2
([#&#8203;1834](https://redirect.github.com/sigstore/fulcio/issues/1834))
- fallback to json default cfg path if yaml does not exist
([#&#8203;1810](https://redirect.github.com/sigstore/fulcio/issues/1810))
- Include IDP type and subject domain in configuration API response
([#&#8203;1824](https://redirect.github.com/sigstore/fulcio/issues/1824))

#### Documentation

- Update OIDC claim mapping table to reflect the current state
([#&#8203;1801](https://redirect.github.com/sigstore/fulcio/issues/1801))

#### Contributors

-   Aditya Sirish
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Hayden B
-   Nina
-   Richard Fan

###
[`v1.6.4`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v164)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.3...v1.6.4)

#### Features

- use go1.22.6 to build fulcio
([#&#8203;1793](https://redirect.github.com/sigstore/fulcio/issues/1793))

#### Bugs

- Revert "If custom server url exists, use that instead of the default
one."
([#&#8203;1791](https://redirect.github.com/sigstore/fulcio/issues/1791))

#### Contributors

-   Carlos Tadeu Panato Junior
-   Fredrik Skogman

###
[`v1.6.3`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v163)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.2...v1.6.3)

#### Features

- If custom server url exists, use that instead of the default one.
([#&#8203;1776](https://redirect.github.com/sigstore/fulcio/issues/1776))

#### Contributors

-   Fredrik Skogman
-   Javan Lacerda

###
[`v1.6.2`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v162)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.1...v1.6.2)

#### Bug Fixes

- fix: adding ci provider for meta-issuers
([#&#8203;1767](https://redirect.github.com/sigstore/fulcio/issues/1767))

#### Contributors

-   Javan Lacerda

###
[`v1.6.1`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v161)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.0...v1.6.1)

#### Bug Fixes

- fix: removing surplus slash, making logs richer
([#&#8203;1762](https://redirect.github.com/sigstore/fulcio/issues/1762))

#### Contributors

-   Javan Lacerda

###
[`v1.6.0`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v160)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.5.1...v1.6.0)

v1.6.0 adds support for onboarding CI identity providers via
configuration
rather than code changes, which should greatly simplify the onboarding
process.

#### Features

- CiProvider as a new OIDCIssuer type
([#&#8203;1729](https://redirect.github.com/sigstore/fulcio/issues/1729))
- Add TLS support for CTLog
([#&#8203;1718](https://redirect.github.com/sigstore/fulcio/issues/1718))
- Added support for email_verified being a string or bool
([#&#8203;1744](https://redirect.github.com/sigstore/fulcio/issues/1744))

#### Documentation

- Update IDP requirements
([#&#8203;1742](https://redirect.github.com/sigstore/fulcio/issues/1742))

#### Public Good Instance Configuration

- Move codefresh and buildkite to ci-provider identity
([#&#8203;1743](https://redirect.github.com/sigstore/fulcio/issues/1743))
- Move gitlab to ci-provider
([#&#8203;1740](https://redirect.github.com/sigstore/fulcio/issues/1740))
- Migrate github to ci provider flow
([#&#8203;1738](https://redirect.github.com/sigstore/fulcio/issues/1738))
- add Hellō provider
([#&#8203;1739](https://redirect.github.com/sigstore/fulcio/issues/1739))
- Move configuration to yaml format
([#&#8203;1720](https://redirect.github.com/sigstore/fulcio/issues/1720))
- Removes identity providers federation
([#&#8203;1736](https://redirect.github.com/sigstore/fulcio/issues/1736))

#### Contributors

-   Andrew Block
-   cpanato
-   Dick Hardt
-   Firas Ghanmi
-   Hayden B
-   Javan Lacerda
-   Matt Moore

###
[`v1.5.1`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v151)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.5.0...v1.5.1)

#### Bug Fixes

- Surface the right `Name()` from our principal.
([#&#8203;1726](https://redirect.github.com/sigstore/fulcio/issues/1726))

#### Contributors

-   Matt Moore

###
[`v1.5.0`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v150)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.4.5...v1.5.0)

#### Features

- Add Chainguard OIDC provider.
([#&#8203;1703](https://redirect.github.com/sigstore/fulcio/issues/1703))
- Adding support for configuration from yaml file
([#&#8203;1687](https://redirect.github.com/sigstore/fulcio/issues/1687))
- Upgrade go to 1.22
([#&#8203;1625](https://redirect.github.com/sigstore/fulcio/issues/1625))

#### Documentation

- oid-info: fix table render
([#&#8203;1662](https://redirect.github.com/sigstore/fulcio/issues/1662))
- docs: Fix extensions for digest values requiring a type prefix
([#&#8203;1661](https://redirect.github.com/sigstore/fulcio/issues/1661))

#### Contributors

-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Facundo Tuesca
-   Javan Lacerda
-   Matt Moore
-   Tomas Turek
-   William Woodruff

</details>

<details>
<summary>sigstore/protobuf-specs
(github.com/sigstore/protobuf-specs)</summary>

###
[`v0.3.3`](https://redirect.github.com/sigstore/protobuf-specs/compare/v0.3.2...v0.3.3)

[Compare
Source](https://redirect.github.com/sigstore/protobuf-specs/compare/v0.3.2...v0.3.3)

</details>

<details>
<summary>sigstore/rekor (github.com/sigstore/rekor)</summary>

###
[`v1.3.8`](https://redirect.github.com/sigstore/rekor/blob/HEAD/CHANGELOG.md#v138)

[Compare
Source](https://redirect.github.com/sigstore/rekor/compare/v1.3.7...v1.3.8)

#### Bug Fixes

- fix zizmor issues
([#&#8203;2298](https://redirect.github.com/sigstore/rekor/issues/2298))
- remove unneeded value in log message
([#&#8203;2282](https://redirect.github.com/sigstore/rekor/issues/2282))

#### Quality Enhancements

-   chore: relax go directive to permit 1.22.x
- fetch minisign from homebrew instead of custom ppa
([#&#8203;2329](https://redirect.github.com/sigstore/rekor/issues/2329))
-   fix(ci): simplify GOVERSION extraction
-   chore(deps): bump actions pins to latest
- Updates go and golangci-lint
([#&#8203;2302](https://redirect.github.com/sigstore/rekor/issues/2302))
- update builder to use go1.23.4
([#&#8203;2301](https://redirect.github.com/sigstore/rekor/issues/2301))
-   clean up spaces
- log request body on 500 error to aid debugging
([#&#8203;2283](https://redirect.github.com/sigstore/rekor/issues/2283))

#### Contributors

-   Appu Goundan
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Dominic Evans
-   sgpinkus

###
[`v1.3.7`](https://redirect.github.com/sigstore/rekor/blob/HEAD/CHANGELOG.md#v137)

[Compare
Source](https://redirect.github.com/sigstore/rekor/compare/v1.3.6...v1.3.7)

#### New Features

- log request body on 500 error to aid debugging
([#&#8203;2283](https://redirect.github.com/sigstore/rekor/issues/2283))
- Add support for signing with Tink keyset
([#&#8203;2228](https://redirect.github.com/sigstore/rekor/issues/2228))
- Add public key hash check in Signed Note verification
([#&#8203;2214](https://redirect.github.com/sigstore/rekor/issues/2214))
- update Trillian TLS configuration
([#&#8203;2202](https://redirect.github.com/sigstore/rekor/issues/2202))
- Add TLS support for Trillian server
([#&#8203;2164](https://redirect.github.com/sigstore/rekor/issues/2164))
- Replace docker-compose with plugin if available
([#&#8203;2153](https://redirect.github.com/sigstore/rekor/issues/2153))
- Add flags to backfill script
([#&#8203;2146](https://redirect.github.com/sigstore/rekor/issues/2146))
- Unset DisableKeepalive for backfill HTTP client
([#&#8203;2137](https://redirect.github.com/sigstore/rekor/issues/2137))
- Add script to delete indexes from Redis
([#&#8203;2120](https://redirect.github.com/sigstore/rekor/issues/2120))
- Run CREATE statement in backfill script
([#&#8203;2109](https://redirect.github.com/sigstore/rekor/issues/2109))
- Add MySQL support to backfill script
([#&#8203;2081](https://redirect.github.com/sigstore/rekor/issues/2081))
- Run e2e tests on mysql and redis index backends
([#&#8203;2079](https://redirect.github.com/sigstore/rekor/issues/2079))

#### Bug Fixes

- remove unneeded value in log message
([#&#8203;2282](https://redirect.github.com/sigstore/rekor/issues/2282))
- Add error message when computing consistency proof
([#&#8203;2278](https://redirect.github.com/sigstore/rekor/issues/2278))
- fix validation error handling on API
([#&#8203;2217](https://redirect.github.com/sigstore/rekor/issues/2217))
- fix error in pretty-printed inclusion proof from verify subcommand
([#&#8203;2210](https://redirect.github.com/sigstore/rekor/issues/2210))
- Fix index scripts
([#&#8203;2203](https://redirect.github.com/sigstore/rekor/issues/2203))
-   fix failing sharding test
- Better error handling in backfill script
([#&#8203;2148](https://redirect.github.com/sigstore/rekor/issues/2148))
- Batch entries in cleanup script
([#&#8203;2158](https://redirect.github.com/sigstore/rekor/issues/2158))
- Add missing workflow for index cleanup test
([#&#8203;2121](https://redirect.github.com/sigstore/rekor/issues/2121))
- hashedrekord: fix schema $id
([#&#8203;2092](https://redirect.github.com/sigstore/rekor/issues/2092))

#### Contributors

-   Aditya Sirish
-   Bob Callaway
-   Colleen Murphy
-   cpanato
-   Firas Ghanmi
-   Hayden B
-   Hojoung (Brian) Jang
-   William Woodruff

</details>

<details>
<summary>sigstore/sigstore (github.com/sigstore/sigstore)</summary>

###
[`v1.8.12`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.12)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.11...v1.8.12)

#### What's Changed

- build(deps): Bump google.golang.org/api from 0.210.0 to 0.212.0 in
/pkg/signature/kms/gcp by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1912](https://redirect.github.com/sigstore/sigstore/pull/1912)
- build(deps): Bump google.golang.org/protobuf from 1.35.2 to 1.36.0 in
/pkg/signature/kms/gcp by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1911](https://redirect.github.com/sigstore/sigstore/pull/1911)
- build(deps): Bump actions/setup-go from 5.1.0 to 5.2.0 in the all
group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1909](https://redirect.github.com/sigstore/sigstore/pull/1909)
- build(deps): Bump google.golang.org/api from 0.212.0 to 0.214.0 in
/pkg/signature/kms/gcp by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1917](https://redirect.github.com/sigstore/sigstore/pull/1917)
- build(deps): Bump hashicorp/vault from 1.18.2 to 1.18.3 in /test/e2e
in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1915](https://redirect.github.com/sigstore/sigstore/pull/1915)
- build(deps): Bump the gomod group across 2 directories with 5 updates
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1916](https://redirect.github.com/sigstore/sigstore/pull/1916)
- build(deps): Bump cloud.google.com/go/kms from 1.20.3 to 1.20.4 in
/pkg/signature/kms/gcp in the gomod group across 1 directory by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1920](https://redirect.github.com/sigstore/sigstore/pull/1920)
- build(deps): Bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1924](https://redirect.github.com/sigstore/sigstore/pull/1924)
- build(deps): Bump golang.org/x/oauth2 from 0.24.0 to 0.25.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1921](https://redirect.github.com/sigstore/sigstore/pull/1921)
- build(deps): Bump golang.org/x/term from 0.27.0 to 0.28.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1922](https://redirect.github.com/sigstore/sigstore/pull/1922)
- build(deps): Bump golang.org/x/crypto from 0.31.0 to 0.32.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1923](https://redirect.github.com/sigstore/sigstore/pull/1923)
- build(deps): Bump golang.org/x/crypto from 0.28.0 to 0.31.0 in
/test/fuzz by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1908](https://redirect.github.com/sigstore/sigstore/pull/1908)
- build(deps): Bump github.com/secure-systems-lab/go-securesystemslib
from 0.8.0 to 0.9.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1910](https://redirect.github.com/sigstore/sigstore/pull/1910)
- build(deps): Bump the tools group across 1 directory with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1913](https://redirect.github.com/sigstore/sigstore/pull/1913)
- cleanup ci by [@&#8203;cpanato](https://redirect.github.com/cpanato)
in
[https://github.com/sigstore/sigstore/pull/1927](https://redirect.github.com/sigstore/sigstore/pull/1927)

**Full Changelog**:
sigstore/sigstore@v1.8.11...v1.8.12

###
[`v1.8.11`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.11)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.10...v1.8.11)

#### What's Changed

-   several dependabot updates
- Replace custom auth code with `azidentity.NewDefaultCredential` for
Azure KMS client by
[@&#8203;malancas](https://redirect.github.com/malancas) in
[https://github.com/sigstore/sigstore/pull/1888](https://redirect.github.com/sigstore/sigstore/pull/1888)
- fix: set go module directive to 1.22.0 by
[@&#8203;dnwe](https://redirect.github.com/dnwe) in
[https://github.com/sigstore/sigstore/pull/1878](https://redirect.github.com/sigstore/sigstore/pull/1878)

#### New Contributors

- [@&#8203;dnwe](https://redirect.github.com/dnwe) made their first
contribution in
[https://github.com/sigstore/sigstore/pull/1878](https://redirect.github.com/sigstore/sigstore/pull/1878)

**Full Changelog**:
sigstore/sigstore@v1.8.10...v1.8.11

###
[`v1.8.10`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.10)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.9...v1.8.10)

#### What's Changed

- fix(kms): fix CreateKey may panic when using GCP KMS by
[@&#8203;mozillazg](https://redirect.github.com/mozillazg) in
[https://github.com/sigstore/sigstore/pull/1829](https://redirect.github.com/sigstore/sigstore/pull/1829)
- update to go1.22.7 and ci job by
[@&#8203;cpanato](https://redirect.github.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1847](https://redirect.github.com/sigstore/sigstore/pull/1847)
- Mark TUF client as deprecated by
[@&#8203;haydentherapper](https://redirect.github.com/haydentherapper)
in
[https://github.com/sigstore/sigstore/pull/1858](https://redirect.github.com/sigstore/sigstore/pull/1858)
- bump to go 1.22.8 by
[@&#8203;cpanato](https://redirect.github.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1865](https://redirect.github.com/sigstore/sigstore/pull/1865)

and several dependencies updates

#### New Contributors

- [@&#8203;mozillazg](https://redirect.github.com/mozillazg) made their
first contribution in
[https://github.com/sigstore/sigstore/pull/1829](https://redirect.github.com/sigstore/sigstore/pull/1829)

**Full Changelog**:
sigstore/sigstore@v1.8.9...v1.8.10

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(github.com/slsa-framework/slsa-github-generator)</summary>

###
[`v1.10.0`](https://redirect.github.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100)

[Compare
Source](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0)

Release
[v1.10.0](https://redirect.github.com/slsa-framework/slsa-github-generator/releases/tag/v1.10.0)
includes bug fixes and new features.

See the [full change
list](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0).

##### v1.10.0: TUF fix

- The cosign TUF roots were fixed
([#&#8203;3350](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/3350)).
More details
[here](https://redirect.github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid).

##### v1.10.0: Gradle Builder

- The Gradle Builder was fixed when the project root is the same as the
repository root
([#&#8203;2727](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2727))

##### v1.10.0: Go Builder

- The `go-version-file` input was fixed so that it can find the `go.mod`
file

([#&#8203;2661](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2661))

##### v1.10.0: Container Generator

- A new `provenance-repository` input was added to allow reading
provenance from
a different container repository than the image itself
([#&#8203;2956](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2956))

###
[`v1.9.1`](https://redirect.github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1)

[Compare
Source](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1)

**This is an un-finalized release.**

See the [CHANGELOG](./CHANGELOG.md) for details.

</details>

<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>

###
[`v1.36.3`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.3)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.2...v1.36.3)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.36.2...v1.36.3

Bug fixes:
[CL/642575](https://go-review.googlesource.com/c/protobuf/+/642575):
reflect/protodesc: fix panic when working with dynamicpb
[CL/641036](https://go-review.googlesource.com/c/protobuf/+/641036):
cmd/protoc-gen-go: remove json struct tags from unexported fields

User-visible changes:
[CL/641876](https://go-review.googlesource.com/c/protobuf/+/641876):
proto: add example for GetExtension, SetExtension
[CL/642015](https://go-review.googlesource.com/c/protobuf/+/642015):
runtime/protolazy: replace internal doc link with external link

Maintenance:
[CL/641635](https://go-review.googlesource.com/c/protobuf/+/641635):
all: split flags.ProtoLegacyWeak out of flags.ProtoLegacy
[CL/641019](https://go-review.googlesource.com/c/protobuf/+/641019):
internal/impl: remove unused exporter parameter
[CL/641018](https://go-review.googlesource.com/c/protobuf/+/641018):
internal/impl: switch to reflect.Value.IsZero
[CL/641035](https://go-review.googlesource.com/c/protobuf/+/641035):
internal/impl: clean up unneeded Go<1.12 MapRange() alternative
[CL/641017](https://go-review.googlesource.com/c/protobuf/+/641017):
types/dynamicpb: switch atomicExtFiles to atomic.Uint64 type

###
[`v1.36.2`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.2)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.1...v1.36.2)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.36.1...v1.36.2

Bug fixes:
[CL/638515](https://go-review.googlesource.com/c/protobuf/+/638515):
internal/impl: fix WhichOneof() to work with synthetic oneofs

###
[`v1.36.1`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.1)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.0...v1.36.1)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.36.0...v1.36.1

Bug fixes:
[CL/638495](https://go-review.googlesource.com/c/protobuf/+/638495):
internal/impl: revert IsSynthetic() check to fix panic

Maintenance:
[CL/637475](https://go-review.googlesource.com/c/protobuf/+/637475):
internal/errors: delete compatibility code for Go before 1.13

###
[`v1.36.0`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.0)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.2...v1.36.0)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.35.2...v1.36.0

User-visible changes:

[CL/635139](https://go-review.googlesource.com/c/protobuf/+/635139):
src/google/protobuf: document UnmarshalJSON / API level behavior
[CL/635138](https://go-review.googlesource.com/c/protobuf/+/635138):
reflect/protoreflect: use \[] syntax to reference method
[CL/635137](https://go-review.googlesource.com/c/protobuf/+/635137):
proto: add reference to size semantics with lazy decoding to comment
[CL/634818](https://go-review.googlesource.com/c/protobuf/+/634818):
compiler/protogen: allow overriding API level from --go_opt
[CL/634817](https://go-review.googlesource.com/c/protobuf/+/634817):
cmd/protoc-gen-go: generate \_protoopaque variant for hybrid
[CL/634816](https://go-review.googlesource.com/c/protobuf/+/634816):
all: regenerate.bash for Opaque API
[CL/634815](https://go-review.googlesource.com/c/protobuf/+/634815):
all: Release the Opaque API
[CL/634015](https://go-review.googlesource.com/c/protobuf/+/634015):
types/descriptorpb: regenerate using latest protobuf v29.1 release
[CL/632735](https://go-review.googlesource.com/c/protobuf/+/632735):
internal/impl: skip synthetic oneofs in messageInfo
[CL/627876](https://go-review.googlesource.com/c/protobuf/+/627876):
all: start v1.35.2-devel

###
[`v1.35.2`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.35.2)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.1...v1.35.2)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.35.1...v1.35.2

Maintenance:

[CL/623115](https://go-review.googlesource.com/c/protobuf/+/623115):
proto: refactor equal_test from explicit table to use makeMessages()
[CL/623116](https://go-review.googlesource.com/c/protobuf/+/623116):
encoding/prototext: use testmessages_test.go approach, too
[CL/623117](https://go-review.googlesource.com/c/protobuf/+/623117):
internal/testprotos/test: add nested message field with \[lazy=true]
[CL/624415](https://go-review.googlesource.com/c/protobuf/+/624415):
proto: switch messageset_test to use makeMessages() injection point
[CL/624416](https://go-review.googlesource.com/c/protobuf/+/624416):
internal/impl: fix TestMarshalMessageSetLazyRace (was a no-op!)

User-visible changes:

[CL/618395](https://go-review.googlesource.com/c/protobuf/+/618395):
encoding/protojson: allow missing value for Any of type Empty
[CL/618979](https://go-review.googlesource.com/c/protobuf/+/618979):
all: implement strip_enum_prefix editions feature
[CL/622575](https://go-review.googlesource.com/c/protobuf/+/622575):
testing/protocmp: document behavior when combining Ignore and Sort

###
[`v1.35.1`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.35.1)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.0...v1.35.1)

**Full Changelog**:
protocolbuffers/protobuf-go@v1.34.2...v1.35.1

Maintenance:

- [CL/606755](https://go-review.googlesource.com/c/protobuf/+/606755):
all: remove unused purego support
- [CL/608316](https://go-review.googlesource.com/c/protobuf/+/608316):
all: set Go language version to Go 1.21

User-visible changes:

- [CL/587536](https://go-review.googlesource.com/c/protobuf/+/587536):
protojson: include field name in error messages
- [CL/597055](https://go-review.googlesource.com/c/protobuf/+/597055):
compiler/protogen: always report editions support level of the plugin
- [CL/596539](https://go-review.googlesource.com/c/protobuf/+/596539):
all: plumb the lazy option into filedesc.Field and .Extension
- [CL/601775](https://go-review.googlesource.com/c/protobuf/+/601775):
types/known/structpb: add support for more types and json.Number
- [CL/607995](https://go-review.googlesource.com/c/protobuf/+/607995):
proto: extend documentation of GetExtension, SetExtension
- [CL/609035](https://go-review.googlesource.com/c/protobuf/+/609035):
proto: implement proto.Equal fast-path

Bug fixes:

- [CL/595337](https://go-review.googlesource.com/c/protobuf/+/595337):
reflect/protodesc: fix handling of delimited extensions in editions
- [CL/602055](https://go-review.googlesource.com/c/protobuf/+/602055):
internal/cmd/generate-protos: fix pkg check for editions features
- [CL/603015](https://go-review.googlesource.com/c/protobuf/+/603015):
internal: generate extension numbers, fix editions parsing

###
[`v1.35.0`](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.34.2...v1.35.0)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.34.2...v1.35.0)

</details>

<details>
<summary>kubernetes-sigs/release-utils
(sigs.k8s.io/release-utils)</summary>

###
[`v0.9.0`](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.5...v0.9.0)

[Compare
Source](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.5...v0.9.0)

###
[`v0.8.5`](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.4...v0.8.5)

[Compare
Source](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.4...v0.8.5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

go.mod

@@ -1,35 +1,37 @@
 module github.com/slsa-framework/slsa-verifier/v2
 
-go 1.23.1
+go 1.23.2
+
+toolchain go1.23.5
 
 require (
 	github.com/docker/go v1.5.1-1
 	github.com/go-openapi/runtime v0.28.0
 	github.com/google/go-cmp v0.6.0
-	github.com/google/trillian v1.6.0 // indirect
+	github.com/google/trillian v1.7.1 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0
-	github.com/secure-systems-lab/go-securesystemslib v0.8.0
-	github.com/sigstore/rekor v1.3.6
-	github.com/sigstore/sigstore v1.8.9
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0
+	github.com/sigstore/rekor v1.3.8
+	github.com/sigstore/sigstore v1.8.12
 )
 
 require (
-	github.com/google/go-containerregistry v0.20.2
+	github.com/google/go-containerregistry v0.20.3
 	github.com/gorilla/mux v1.8.1
 	github.com/in-toto/attestation v1.1.0
-	github.com/sigstore/cosign/v2 v2.2.4
+	github.com/sigstore/cosign/v2 v2.4.1
 	github.com/sigstore/sigstore-go v0.6.2
-	github.com/slsa-framework/slsa-github-generator v1.9.0
+	github.com/slsa-framework/slsa-github-generator v1.10.0
 	github.com/spf13/cobra v1.8.1
-	golang.org/x/mod v0.21.0
-	sigs.k8s.io/release-utils v0.8.4
+	golang.org/x/mod v0.22.0
+	sigs.k8s.io/release-utils v0.9.0
 )
 
 require (
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -40,23 +42,24 @@ require (
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
-	go.opentelemetry.io/otel/metric v1.27.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/otel/metric v1.33.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250102185135-69823020774d // indirect
 )
 
 require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
-	github.com/docker/cli v27.1.1+incompatible // indirect
+	github.com/docker/cli v27.5.0+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.0 // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.0 // indirect
@@ -73,7 +76,7 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.17.8 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -83,38 +86,38 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/fulcio v1.4.5
-	github.com/sigstore/protobuf-specs v0.3.2
+	github.com/sigstore/fulcio v1.6.5
+	github.com/sigstore/protobuf-specs v0.3.3
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.18.2 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
-	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/vbatts/tar-split v0.11.6 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
-	go.opentelemetry.io/otel v1.27.0 // indirect
-	go.opentelemetry.io/otel/trace v1.27.0 // indirect
+	go.opentelemetry.io/otel v1.33.0 // indirect
+	go.opentelemetry.io/otel/trace v1.33.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6
-	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/grpc v1.64.1 // indirect
-	google.golang.org/protobuf v1.34.2
+	google.golang.org/grpc v1.69.4 // indirect
+	google.golang.org/protobuf v1.36.3
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )