Update go modules (release-v0.7) (patch) #3146

Open: renovate[bot] wants to merge 1 commit into release-v0.7 from renovate/release-v0.7-patch-go-modules

renovate Bot commented Mar 2, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change
cuelang.org/go v0.16.0 -> v0.16.1
cuelang.org/go v0.15.1 -> v0.15.4
github.com/enterprise-contract/enterprise-contract-controller/api v0.1.257 -> v0.1.281
github.com/gkampitakis/go-snaps v0.5.19 -> v0.5.22
github.com/go-openapi/strfmt v0.26.1 -> v0.26.3
github.com/google/go-containerregistry v0.21.5 -> v0.21.6
github.com/mattn/go-isatty v0.0.20 -> v0.0.22
github.com/package-url/packageurl-go v0.1.3 -> v0.1.6
github.com/sigstore/cosign/v2 v2.4.1 -> v2.4.3
github.com/sigstore/cosign/v2 v2.6.2 -> v2.6.3
github.com/sigstore/rekor v1.5.0 -> v1.5.2
github.com/sigstore/sigstore v1.10.5 -> v1.10.8
github.com/tektoncd/chains v0.26.2 -> v0.26.4
github.com/tektoncd/cli v0.44.0 -> v0.44.1
k8s.io/api v0.35.4 -> v0.35.5
k8s.io/apiextensions-apiserver v0.35.4 -> v0.35.5
k8s.io/apimachinery v0.35.4 -> v0.35.5
k8s.io/client-go v0.35.4 -> v0.35.5
k8s.io/kubernetes v1.34.3 -> v1.34.8

Release Notes

cue-lang/cue (cuelang.org/go)

v0.16.1

Compare Source

Language

The fallback keyword in the aliasv2 experiment is replaced by otherwise, which is clearer. cue fmt or cue fix can be used to rewrite existing code.

Evaluator

Fix a regression where the compiler could add comments to the input AST value, which could lead to increased memory usage.

Fix a bug where exporting certain schemas could result in "cannot have both alias and field in same scope" errors.

cmd/cue

Fix a panic which could occur when using non-label expressions in the --path flag.

Teach cue login to give helpful errors when used with OCI registries which don't support the OAuth2 device flow.

Go API

Fix a regression where cue.Context.Encode could panic on custom marshaler types with pointer receivers.

Full list of changes since v0.16.0

gkampitakis/go-snaps (github.com/gkampitakis/go-snaps)

v0.5.22

Compare Source

What's Changed

New Contributors

Full Changelog: gkampitakis/go-snaps@v0.5.21...v0.5.22

v0.5.21

Compare Source

What's Changed

Full Changelog: gkampitakis/go-snaps@v0.5.20...v0.5.21

v0.5.20

Compare Source

What's Changed

Full Changelog: gkampitakis/go-snaps@v0.5.19...v0.5.20

go-openapi/strfmt (github.com/go-openapi/strfmt)

v0.26.3

Compare Source

0.26.3 - 2026-05-31

Full Changelog: go-openapi/strfmt@v0.26.2...v0.26.3

15 commits in this release.


Documentation
Miscellaneous tasks
Updates

People who contributed to this release

strfmt license terms

License

Per-module changes


enable/mongodb (0.26.3)

Miscellaneous tasks
Updates

internal/testintegration (0.26.3)

Miscellaneous tasks
Updates

v0.26.2

Compare Source

0.26.2 - 2026-04-29

Full Changelog: go-openapi/strfmt@v0.26.1...v0.26.2

13 commits in this release.


Documentation
Performance
Miscellaneous tasks
Updates

People who contributed to this release

strfmt license terms

License

Per-module changes


enable/mongodb (0.26.2)

Miscellaneous tasks
Updates

internal/testintegration (0.26.2)

Miscellaneous tasks
Updates
  • build(deps): bump the other-dependencies group across 2 directories with 2 updates by @dependabot[bot] in #245 ...
  • build(deps): bump golang.org/x/net from 0.52.0 to 0.53.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #241 ...
  • build(deps): bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.1 in /internal/testintegration in the other-dependencies group across 1 directory by @dependabot[bot] in #240 ...
  • build(deps): bump the go-openapi-dependencies group across 2 directories with 1 update by @dependabot[bot] in #238 ...
  • build(deps): bump golang.org/x/net from 0.50.0 to 0.52.0 in the golang-org-dependencies group across 1 directory by @dependabot[bot] in #228 ...

google/go-containerregistry (github.com/google/go-containerregistry)

v0.21.6

Compare Source

What's Changed
New Contributors

Full Changelog: google/go-containerregistry@v0.21.5...v0.21.6

mattn/go-isatty (github.com/mattn/go-isatty)

v0.0.22

Compare Source

v0.0.21

Compare Source

package-url/packageurl-go (github.com/package-url/packageurl-go)

v0.1.6

Compare Source

v0.1.5

Compare Source

What's Changed

New Contributors

Full Changelog: package-url/packageurl-go@v0.1.4...v0.1.5

v0.1.4

Compare Source

What's Changed

New Contributors

Full Changelog: package-url/packageurl-go@v0.1.3...v0.1.4

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.4.3

Compare Source

Features

  • Bump sigstore/sigstore to support KMS plugins (#4073)
  • Enable fetching signatures without remote get. (#4047)
  • Feat/file flag completion improvements (#4028)
  • Update builder to use go1.23.6 (#4052)

Bug Fixes

  • fix parsing error in --only for cosign copy (#4049)

Cleanup

  • Refactor verifyNewBundle into library function (#4013)
  • fix comment typo and imports order (#4061)
  • sync comment with parameter name in function signature (#4063)
  • sort properly Go imports (#4071)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Dmitry Savintsev
  • Hayden B
  • Tomasz Janiszewski
  • Ville Skyttä

v2.4.2

Compare Source

Features

  • Updated open-policy-agent to 1.1.0 library (#4036)
    • Note that only Rego v0 policies are supported at this time
  • Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006)
  • Add support for verifying root checksum in cosign initialize (#3953)
  • Detect if user supplied a valid protobuf bundle (#3931)
  • Add a log message if user doesn't provide --trusted-root (#3933)
  • Support mTLS towards container registry (#3922)
  • Add bundle create helper command (#3901)
  • Add trusted-root create helper command (#3876)

Bug Fixes

  • fix: set tls config while retaining other fields from default http transport (#4007)
  • policy fuzzer: ignore known panics (#3993)
  • Fix for multiple WithRemote options (#3982)
  • Add nightly conformance test workflow (#3979)
  • Fix copy --only for signatures + update/align docs (#3904)

Documentation

  • Remove usage.md from spec, point to client spec (#3918)
  • move reference from gcr to ghcr (#3897)

Contributors

  • AdamKorcz
  • Aditya Sirish
  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Cody Soyland
  • Colleen Murphy
  • Hayden B
  • Jussi Kukkonen
  • Marco Franssen
  • Nianyu Shen
  • Slavek Kabrda
  • Søren Juul
  • Warren Hodgkinson
  • Zach Steindler

sigstore/rekor (github.com/sigstore/rekor)

v1.5.2

Compare Source

Changelog
  • 759b98e alpine: Enforce max size limit on decompression (#2831)
  • c7e77ee Support restricting kinds on insertion (#2814)
  • a10818a fix(trillianclient): strip dns:/// scheme from TLS ServerName in gRPC dial (#2812)
  • 8a2f3a2 add checks to ensure returned entries match client inputs to rekor-cli (#2799)
  • 0e88bac add nil pointer check to resolve fuzzing crash (#2807)
  • 93da954 client: surface last-response details after retries are exhausted (#2796)
  • 4d67ecd Fix internal error detail leakage in 500 responses (#2801)
  • b34ca94 add defensive check to ensure tid is in config ahead of getting client (#2795)
  • 656c832 restapi: include inactiveShards in the homepage total count (#2797)

Thanks for all contributors!

v1.5.1

Compare Source

Features

  • optimize memory for DSSE v0.0.1 processing (#2766)

Bug Fixes

  • Type assert the entry bundle when verifying inclusion proof (#2755)
  • return correct errors in rare failure situations (#2753)
  • raise error if decoding hash fails during inclusion proof (#2754)

sigstore/sigstore (github.com/sigstore/sigstore)

v1.10.8

Compare Source

What's Changed

  • Support standard PKCS#8 encrypted private key decryption in #2333

Full Changelog: sigstore/sigstore@v1.10.7...v1.10.8

v1.10.7

Compare Source

What's Changed
  • add functional options to DSSE to improve memory usage, validation in #2326
  • Extend PEM private key unmarshalling to support legacy format in #2332

Full Changelog: sigstore/sigstore@v1.10.6...v1.10.7

v1.10.6

Compare Source

What's Changed

Full Changelog: sigstore/sigstore@v1.10.5...v1.10.6

tektoncd/chains (github.com/tektoncd/chains)

v0.26.4: Tekton Chains "Release v0.26.4"

Compare Source

Tekton Chains "Release v0.26.4"

- Docs @ v0.26.4
- Examples @ v0.26.4

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.4/release.yaml
REKOR_UUID=108e9186e8c5677a530b574bc14f60d678f287e5f81e8707750ea0808ede65f1f7a4add3183e74a1



>**Note**
> 
> PR body was truncated to here.


</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/conforma/cli).

renovate Bot commented Mar 2, 2026

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 45 additional dependencies were updated

Details:

Package Change
github.com/go-openapi/strfmt v0.25.0 -> v0.26.2
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0
github.com/gkampitakis/ciinfo v0.3.2 -> v0.3.4
github.com/go-chi/chi/v5 v5.2.4 -> v5.2.5
github.com/go-openapi/analysis v0.24.1 -> v0.25.0
github.com/go-openapi/errors v0.22.6 -> v0.22.7
github.com/go-openapi/jsonpointer v0.22.4 -> v0.22.5
github.com/go-openapi/jsonreference v0.21.4 -> v0.21.5
github.com/go-openapi/loads v0.23.2 -> v0.23.3
github.com/go-openapi/runtime v0.29.2 -> v0.29.4
github.com/go-openapi/spec v0.22.3 -> v0.22.4
github.com/go-openapi/swag v0.25.4 -> v0.26.0
github.com/go-openapi/swag/cmdutils v0.25.4 -> v0.26.0
github.com/go-openapi/swag/conv v0.25.4 -> v0.26.0
github.com/go-openapi/swag/fileutils v0.25.4 -> v0.26.0
github.com/go-openapi/swag/jsonname v0.25.4 -> v0.26.0
github.com/go-openapi/swag/jsonutils v0.25.4 -> v0.26.0
github.com/go-openapi/swag/loading v0.25.4 -> v0.26.0
github.com/go-openapi/swag/mangling v0.25.4 -> v0.26.0
github.com/go-openapi/swag/netutils v0.25.4 -> v0.26.0
github.com/go-openapi/swag/stringutils v0.25.4 -> v0.26.0
github.com/go-openapi/swag/typeutils v0.25.4 -> v0.26.0
github.com/go-openapi/swag/yamlutils v0.25.4 -> v0.26.0
github.com/go-openapi/validate v0.25.1 -> v0.25.2
github.com/go-viper/mapstructure/v2 v2.4.0 -> v2.5.0
github.com/goccy/go-yaml v1.18.0 -> v1.19.2
github.com/letsencrypt/boulder v0.20251110.0 -> v0.20260223.0
github.com/maruel/natural v1.1.1 -> v1.3.0
github.com/sigstore/protobuf-specs v0.5.0 -> v0.5.1
github.com/tidwall/gjson v1.18.0 -> v1.19.0
go.opentelemetry.io/otel v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/metric v1.42.0 -> v1.43.0
go.uber.org/zap v1.27.1 -> v1.28.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/net v0.52.0 -> v0.53.0
golang.org/x/oauth2 v0.35.0 -> v0.36.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0
golang.org/x/text v0.35.0 -> v0.36.0
golang.org/x/time v0.14.0 -> v0.15.0
google.golang.org/api v0.260.0 -> v0.274.0
google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc v1.79.3 -> v1.80.0
k8s.io/klog/v2 v2.130.1 -> v2.140.0

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 67 additional dependencies were updated

Details:

Package Change
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0
golang.org/x/net v0.52.0 -> v0.53.0
k8s.io/klog/v2 v2.130.1 -> v2.140.0
cloud.google.com/go/auth v0.18.2 -> v0.19.0
cloud.google.com/go/iam v1.5.3 -> v1.7.0
cloud.google.com/go/storage v1.61.3 -> v1.62.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 -> v1.31.0
github.com/aws/aws-sdk-go-v2 v1.41.4 -> v1.41.6
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7 -> v1.7.8
github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.14
github.com/aws/aws-sdk-go-v2/credentials v1.19.12 -> v1.19.14
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.21
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 -> v1.4.22
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 -> v2.7.22
github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21 -> v1.4.22
github.com/aws/aws-sdk-go-v2/service/ecr v1.32.2 -> v1.40.3
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.4 -> v1.31.2
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12 -> v1.9.13
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 -> v1.13.21
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20 -> v1.19.21
github.com/aws/aws-sdk-go-v2/service/s3 v1.97.1 -> v1.97.3
github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 -> v1.0.9
github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 -> v1.30.15
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 -> v1.35.19
github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 -> v1.41.10
github.com/aws/smithy-go v1.24.2 -> v1.25.0
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240826150212-5dc58b6e29f8 -> v0.9.1
github.com/clipperhouse/displaywidth v0.6.0 -> v0.10.0
github.com/clipperhouse/uax29/v2 v2.3.0 -> v2.6.0
github.com/gkampitakis/ciinfo v0.3.2 -> v0.3.4
github.com/go-chi/chi/v5 v5.2.4 -> v5.2.5
github.com/go-openapi/analysis v0.24.3 -> v0.25.0
github.com/go-openapi/runtime v0.29.2 -> v0.29.4
github.com/go-openapi/swag v0.25.4 -> v0.26.0
github.com/go-openapi/swag/cmdutils v0.25.4 -> v0.26.0
github.com/go-openapi/swag/conv v0.25.5 -> v0.26.0
github.com/go-openapi/swag/fileutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/jsonname v0.25.5 -> v0.26.0
github.com/go-openapi/swag/jsonutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/loading v0.25.5 -> v0.26.0
github.com/go-openapi/swag/mangling v0.25.5 -> v0.26.0
github.com/go-openapi/swag/netutils v0.25.4 -> v0.26.0
github.com/go-openapi/swag/stringutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/typeutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/yamlutils v0.25.5 -> v0.26.0
github.com/goccy/go-yaml v1.18.0 -> v1.19.2
github.com/googleapis/gax-go/v2 v2.17.0 -> v2.22.0
github.com/maruel/natural v1.1.1 -> v1.3.0
github.com/olekukonko/errors v1.1.0 -> v1.2.0
github.com/olekukonko/ll v0.1.3 -> v0.1.6
github.com/olekukonko/tablewriter v1.1.2 -> v1.1.4
github.com/sigstore/fulcio v1.6.3 -> v1.6.6
github.com/sigstore/protobuf-specs v0.5.0 -> v0.5.1
github.com/tidwall/gjson v1.18.0 -> v1.19.0
go.uber.org/zap v1.27.1 -> v1.28.0
golang.org/x/crypto v0.49.0 -> v0.50.0
golang.org/x/sys v0.42.0 -> v0.43.0
golang.org/x/term v0.41.0 -> v0.42.0
golang.org/x/text v0.35.0 -> v0.36.0
google.golang.org/api v0.271.0 -> v0.274.0
google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260319201613-d00831a3d3e7
google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc v1.79.3 -> v1.80.0
gopkg.in/ini.v1 v1.67.1 -> v1.67.2
k8s.io/api v0.34.3 -> v0.34.8
sigs.k8s.io/release-utils v0.12.3 -> v0.12.4

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 -> v1.31.0
google.golang.org/grpc v1.79.3 -> v1.80.0

File name: tools/kubectl/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
go.opentelemetry.io/otel v1.35.0 -> v1.41.0
go.opentelemetry.io/otel/trace v1.35.0 -> v1.41.0

@renovate renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 5 times, most recently from bb1e687 to 608b025 Compare March 10, 2026 03:21
@renovate renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 4 times, most recently from cb09e7b to 2bdf2b5 Compare March 19, 2026 11:20
@renovate renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 4 times, most recently from d17ae93 to 9539d46 Compare April 2, 2026 01:41
@renovate renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 9 times, most recently from e56c120 to 31ef858 Compare April 14, 2026 09:15
@renovate renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch from 31ef858 to a411eb7 Compare April 15, 2026 10:40
@github-actions github-actions Bot added size: M and removed size: L labels Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 4 times, most recently from 12dbda3 to 487f3c1 Compare May 4, 2026 20:51
@renovate renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 5 times, most recently from d913cc0 to 57ef03f Compare May 8, 2026 20:46
@renovate renovate Bot force-pushed the renovate/release-v0.7-patch-go-modules branch 6 times, most recently from 89371f7 to 2729ee7 Compare May 15, 2026 21:47

renovate Bot commented May 27, 2026

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum
Command failed: go mod tidy
go: downloading github.com/go-openapi/testify/v2 v2.4.2
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.6.5
go: downloading go.etcd.io/etcd/client/v3 v3.6.5
go: downloading github.com/evanphx/json-patch v5.9.0+incompatible
go: downloading go.etcd.io/etcd/api/v3 v3.6.5
go: downloading cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084
go: downloading github.com/emicklei/proto v1.14.2
go: downloading github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91
go: finding module for package knative.dev/pkg/metrics
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260602142205-ac97e43f6622), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260602142205-ac97e43f6622), but does not contain package knative.dev/pkg/tracing/config

File name: tools/go.sum
Command failed: go mod tidy
go: downloading github.com/dlclark/regexp2 v1.11.0
go: downloading go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0
go: downloading github.com/tidwall/gjson v1.14.2
go: downloading github.com/alecthomas/repr v0.4.0
go: downloading github.com/tidwall/pretty v1.2.0
go: downloading github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6
go: finding module for package knative.dev/pkg/metrics
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/tools imports
	github.com/tektoncd/cli/cmd/tkn imports
	github.com/tektoncd/cli/pkg/cmd imports
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding tested by
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding.test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260602142205-ac97e43f6622), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/tools imports
	github.com/tektoncd/cli/cmd/tkn imports
	github.com/tektoncd/cli/pkg/cmd imports
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding tested by
	github.com/tektoncd/cli/pkg/cmd/clustertriggerbinding.test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260602142205-ac97e43f6622), but does not contain package knative.dev/pkg/tracing/config

fullsend-ai-review Bot commented Jun 3, 2026

Review

Findings

No findings.

This is a Renovate bot dependency update PR that modifies only go.mod and go.sum files with patch-level version bumps. Key updates include the sigstore ecosystem (cosign, rekor, sigstore, fulcio), Kubernetes client libraries, AWS SDK, and various indirect dependencies. No production code, tests, or documentation are changed. The existing replace directives are preserved. All changes are mechanical version string updates consistent with standard Go module maintenance.

Previous run

Review

Findings

Info

  • [version-consistency] acceptance/go.mod — k8s.io/api and k8s.io/apimachinery are bumped to v0.35.5 while k8s.io/client-go remains at v0.35.4. This is safe due to Go's minimum version selection and k8s.io patch-level compatibility, but aligning all three to the same patch version would improve consistency.

  • [dependency-change] go.mod — go-securesystemslib bumps from v0.10.0 to v0.11.0 (minor version). As a minor version bump, this could include API changes, but CI will catch any compilation failures.

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on deployment. This dimension would have early-exited with no findings for a mechanical dependency bump PR.

Previous run (2)

Review

Findings

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on vertex deployment. For a mechanical dependency version bump PR, this dimension would have triggered early exit with no findings regardless.

No blocking findings. This is a standard Renovate bot dependency update confined to go.mod and go.sum files across four Go modules (root, acceptance, tools, tools/kubectl). All version bumps are patch or minor increments following semver backward-compatibility guarantees. Security-critical dependencies (sigstore/cosign, sigstore/rekor, sigstore/sigstore, go-securesystemslib, golang.org/x/crypto, golang.org/x/net) are updated to newer patch releases. New transitive dependencies are from trusted supply-chain security projects (sigstore ecosystem, The Update Framework). No production code, test files, workflows, or protected paths are modified.

Previous run (3)

Review

Findings

Low

  • [api-contract] go.mod:33 — go-securesystemslib bumped from v0.10.0 to v0.11.0 (minor version in 0.x range). This library is used directly for DSSE envelope handling and encrypted key operations in signature verification paths. Minor 0.x bumps may include breaking API changes. CI should catch compilation failures, but behavioral changes in signature verification would not be caught by compilation alone.

  • [api-contract] go.mod:30 — packageurl-go bumped from v0.1.3 to v0.1.6 (multiple releases in 0.x range). This is a direct dependency used for PURL parsing in policy evaluation. Changes to PURL parsing behavior could affect policy evaluation results without causing build failures.

Info

  • [api-contract] go.mod — Several indirect dependencies removed (filippo.io/edwards25519, go.step.sm/crypto, github.com/xanzy/go-gitlab) and new ones added (sigstore/rekor-tiles/v2, sigstore/sigstore-go, go-tuf/v2, etc.), consistent with upstream sigstore library restructuring. Risk is limited to transitive behavioral changes.

Previous run (4)

Review

Findings

Low

  • [api-contract] go.mod:33 — go-securesystemslib is bumped from v0.10.0 to v0.11.0, a minor version increment on a pre-1.0 library. The codebase uses its dsse package extensively across 13 files. While pre-1.0 minor bumps can theoretically contain breaking API changes, Renovate successfully resolved the dependency graph and CI will catch any compilation failures. Verify CI passes.

  • [api-contract] go.mod:30 — packageurl-go is bumped from v0.1.3 to v0.1.6, skipping multiple patch versions on a pre-1.0 library used in internal/rego/purl/purl.go. Low risk of subtle behavioral changes in PURL parsing. Verify CI passes.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable in deployment. This dimension is non-critical for a dependency-only update.

  • [edge-case] go.mod:63 — The go-containerregistry replace directive correctly overrides the declared v0.21.6 with the conforma fork. No action needed.

Previous run (5)

Review

Findings

No findings.

Previous run (6)

Review

Findings

Low

  • [api-contract] go.mod — go-securesystemslib is bumped from v0.10.0 to v0.11.0, which is a minor version bump for a v0.x module. Per semver, v0.x minor bumps may include breaking API changes. This library is directly imported across 13 source files (internal/validate/vsa/, benchmark/offliner/, acceptance/rekor/). CI compilation and tests should validate compatibility.

  • [api-contract] go.mod — packageurl-go is bumped from v0.1.3 to v0.1.6 (v0.x minor bump). It is directly imported in internal/rego/purl/purl.go. The core API has historically remained stable, but CI should confirm.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on deployment. This dimension was not evaluated.

  • [api-contract] go.mod — Transitive dependency major version changes (go-piv/piv-go v1→v2, xanzy/go-gitlab replaced by gitlab.com/gitlab-org/api/client-go) are indirect dependencies with no direct source imports found in this codebase. Risk is limited to transitive compatibility handled by Go's module system.

Previous run (7)

Review

Findings

No findings.

Previous run (8)

Review

Findings

No findings.

Previous run (9)

Review

Findings

Medium

  • [api-contract] go.mod — go-securesystemslib is bumped from v0.10.0 to v0.11.0 (minor version bump on a pre-v1 module). Under Go semantic versioning for v0.x modules, minor bumps may contain breaking changes. This project uses dsse.Envelope, dsse.Signature, dsse.NewEnvelopeVerifier, and the encrypted package across 13+ source files. Verify that CI builds and tests pass to confirm API compatibility. If Renovate's merge-confidence analysis and CI have already succeeded, this is a non-issue.

Low

  • [test-inadequate] go.mod — go-snaps is bumped from v0.5.19 to v0.5.22 in both go.mod and acceptance/go.mod. Snapshot testing library updates can occasionally change serialization format, which would either break tests (forcing review) or silently update snapshots. This is patch-level and unlikely to change format, but worth awareness.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailability. This dimension is non-critical for a dependency-only update.
  • [dependency-update] go.mod — Sigstore ecosystem patch updates (cosign, rekor, sigstore, fulcio, timestamp-authority) are beneficial security maintenance. Several updates specifically address known CVEs (tektoncd/chains CVE-2026-33814, CVE-2026-34986, CVE-2026-33211, CVE-2026-33186; go-containerregistry SSRF fixes).
  • [dependency-update] go.mod — The replacement of github.com/xanzy/go-gitlab with gitlab.com/gitlab-org/api/client-go reflects GitLab's official client library migration. This is a legitimate upstream change.
  • [dependency-consistency] tools/go.mod — The tools module uses cosign v2.6.x while the main module uses a different cosign version. This version split is pre-existing and not introduced by this PR.

Previous run (10)

Review

Findings

Info

  • [dependency version skew] go.mod — The go-securesystemslib update (v0.10.0 → v0.11.0) is a minor version bump used across multiple source files importing its dsse and encrypted packages. Go's module compatibility promise applies, but CI compilation and test results should confirm no breakage.

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on deployment. This dimension is not material for a dependency-only PR (go.mod/go.sum changes only).

No blocking findings. This is a standard Renovate bot patch-level dependency update modifying only go.mod and go.sum files across four Go modules. All version bumps are patch or minor level. Security-relevant updates (sigstore, golang.org/x/crypto, golang.org/x/net) are positive changes. No source code, tests, CI/CD configuration, or protected paths are modified.

Previous run (11)

Review

Findings

Info

  • [version-consistency] tools/go.mod — sigstore/timestamp-authority/v2 is at v2.0.3 in tools/go.mod but v2.0.4 in go.mod and acceptance/go.mod. This is expected since these are separate Go modules with independent dependency resolution; Go's MVS handles this correctly.

  • [version-consistency] tools/go.mod — sigstore/cosign/v2 (v2.6.2) is used in tools/go.mod while go.mod and acceptance/go.mod use sigstore/cosign/v3 (v3.0.4). These are different major versions pulled by different dependency trees (tools depends on tektoncd/chains which still uses cosign/v2). Expected and not a conflict.

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5 unavailable on deployment. This dimension has minimal relevance for a go.mod/go.sum-only change.

Comment thread go.mod
github.com/sigstore/cosign/v2 v2.4.1
github.com/sigstore/rekor v1.5.0
github.com/sigstore/sigstore v1.10.5
github.com/secure-systems-lab/go-securesystemslib v0.11.0
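
Review bot: the go-securesystemslib v0.11.0 line that closes this hunk is not in the PR's update table; the artifact update notice lists it as v0.10.0 -> v0.11.0, a side effect of go get. That makes it a 0.x minor bump riding in a PR titled "(patch)" with automerge enabled. Suggest checking whether the updated sigstore modules actually require v0.11.0 and, if they do, reviewing its changelog and running the DSSE verification tests before this merges rather than relying on compilation.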

[low] api-contract

go-securesystemslib bumped from v0.10.0 to v0.11.0 (minor version in 0.x range). This library is used directly for DSSE envelope handling and encrypted key operations in signature verification paths. Minor 0.x bumps may include breaking API changes. CI should catch compilation failures, but behavioral changes in signature verification would not be caught by compilation alone.

Comment thread go.mod
github.com/open-policy-agent/conftest v0.66.0
github.com/open-policy-agent/opa v1.15.2
github.com/package-url/packageurl-go v0.1.3
github.com/package-url/packageurl-go v0.1.6
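
Review bot: the two packageurl-go lines at the end of this hunk (v0.1.3 and v0.1.6) span three upstream releases, and the release notes carried in the PR body for v0.1.4, v0.1.5 and v0.1.6 list no entries, so nothing on this page says what changed. Suggest reading the upstream changelog and pinning a fixed set of PURL strings with their expected parse results in the tests for internal/rego/purl/purl.go before merging.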

[low] api-contract

packageurl-go bumped from v0.1.3 to v0.1.6 (multiple releases in 0.x range). This is a direct dependency used for PURL parsing in policy evaluation. Changes to PURL parsing behavior could affect policy evaluation results without causing build failures.
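
The review comments above single out go-securesystemslib v0.10.0 -> v0.11.0 as a 0.x minor bump arriving inside a PR titled "(patch)". The Go program below is an added example (not code from this PR, Renovate, or conforma/cli) that applies the same check to every "Package Change" row of an artifact update notice and reports the rows that are more than a patch bump; the names Classify, Triage and Bump are hypothetical, and the sample rows are copied from the notices earlier on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Bump classes. Only Patch matches what a PR titled "(patch)" promises.
const (
	Patch      = "patch"
	Minor      = "minor"
	MinorPreV1 = "minor-pre-v1"   // v0.x minor bump: semver permits breaking changes
	Major      = "major"
	Pseudo     = "pseudo-version" // commit pin moved; no semver signal to rely on
	Unparsed   = "unparsed"
)

// Bump is one "module old -> new" row from an artifact update notice.
type Bump struct {
	Module, From, To, Class string
}

var (
	semverRE = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$`)
	// Tail shared by every Go pseudo-version form: <14-digit timestamp>-<12-hex commit>.
	pseudoRE = regexp.MustCompile(`(?:^|\.)\d{14}-[0-9a-f]{12}$`)
)

// parse returns major/minor/patch and whether v is a pseudo-version.
func parse(v string) (n [3]int, pseudo, ok bool) {
	m := semverRE.FindStringSubmatch(v)
	if m == nil {
		return n, false, false
	}
	for i := range n {
		n[i], _ = strconv.Atoi(m[i+1]) // semverRE guarantees digits only
	}
	return n, pseudoRE.MatchString(m[4]), true
}

// Classify names the kind of change between two Go module versions.
func Classify(from, to string) string {
	a, ap, okA := parse(from)
	b, bp, okB := parse(to)
	switch {
	case !okA || !okB:
		return Unparsed
	case ap || bp:
		return Pseudo
	case a[0] != b[0]:
		return Major
	case a[1] != b[1] && b[0] == 0:
		return MinorPreV1
	case a[1] != b[1]:
		return Minor
	}
	return Patch
}

// Triage returns every row of the notice that is anything other than a patch bump.
func Triage(notice string) []Bump {
	var out []Bump
	for _, line := range strings.Split(notice, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[2] != "->" {
			continue // header or non-row text
		}
		if c := Classify(f[1], f[3]); c != Patch {
			out = append(out, Bump{f[0], f[1], f[3], c})
		}
	}
	return out
}

// Rows copied from the artifact update notices on this page.
const sampleNotice = `Package Change
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0
github.com/go-chi/chi/v5 v5.2.4 -> v5.2.5
github.com/aws/aws-sdk-go-v2/service/ecr v1.32.2 -> v1.40.3
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240826150212-5dc58b6e29f8 -> v0.9.1
google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b -> v0.0.0-20260401024825-9d38bb4040a9
github.com/letsencrypt/boulder v0.20251110.0 -> v0.20260223.0
golang.org/x/crypto v0.49.0 -> v0.50.0
k8s.io/api v0.34.3 -> v0.34.8`

func main() {
	for _, b := range Triage(sampleNotice) {
		fmt.Printf("%-15s %s %s -> %s\n", b.Class, b.Module, b.From, b.To)
	}
}
```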

fullsend-ai-review Bot commented Jun 8, 2026

🤖 Finished Review · ✅ Success · Started 4:15 PM UTC · Completed 4:21 PM UTC
Commit: 47d3320 · View workflow run →

Labels: ready-for-merge (All reviewers approved — ready to merge), release-v0.7, renovate, size: XXL
