Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added support for email_verified being a string or bool #1744

Merged
merged 1 commit into from
Jul 30, 2024

Conversation

sabre1041
Copy link
Contributor

Summary

Introduces support for email_verifed claim to be either a boolean or string value

References sigstore/sigstore#1698

Release Note

  • Boolean and String data type support for email_verified claim

Copy link

codecov bot commented Jul 28, 2024

Codecov Report

Attention: Patch coverage is 66.66667% with 4 lines in your changes missing coverage. Please review.

Project coverage is 50.38%. Comparing base (cf238ac) to head (650764e).
Report is 153 commits behind head on main.

Files Patch % Lines
pkg/oauthflow/oidc.go 66.66% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1744      +/-   ##
==========================================
- Coverage   57.93%   50.38%   -7.55%     
==========================================
  Files          50       70      +20     
  Lines        3119     4130    +1011     
==========================================
+ Hits         1807     2081     +274     
- Misses       1154     1819     +665     
- Partials      158      230      +72     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sigstore/sigstore#1698 (comment) mentions that this would not be spec-compliant. Has there been any attempt to resolve this via the IDP?

@sabre1041
Copy link
Contributor Author

sigstore/sigstore#1698 (comment) mentions that this would not be spec-compliant. Has there been any attempt to resolve this via the IDP?

This is a limitation (only one of many) of Azure as also mentioned in the referenced issue.

However, there is already some precedence in the library sigstore uses to workaround this same limitation

https://github.com/coreos/go-oidc/blob/v3/oidc/oidc.go#L309
https://github.com/coreos/go-oidc/blob/v3/oidc/oidc.go#L491-L503

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, will get a new release cut after the open PRs get merged.

@haydentherapper haydentherapper merged commit 9c80a81 into sigstore:main Jul 30, 2024
13 checks passed
@sabre1041
Copy link
Contributor Author

@haydentherapper thanks a bunch!

Theres a similar change incoming for https://github.com/sigstore/sigstore that will be submitted soon

lance pushed a commit to lance/fulcio that referenced this pull request Sep 5, 2024
lance added a commit to securesign/fulcio that referenced this pull request Sep 5, 2024
* Bump github.com/sigstore/sigstore/pkg/signature/kms/gcp

Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump google.golang.org/grpc from 1.62.0 to 1.62.1

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.62.0 to 1.62.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.62.0...v1.62.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0

Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.1.7 to 2.2.0.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.1.7...v2.2.0)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1

Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.7.7 to 0.8.1.
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.7.7...v0.8.1)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump codecov/codecov-action from 4.1.1 to 4.2.0

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.1.1 to 4.2.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/c16abc29c95fcf9174b58eb7e1abf4c866893bc8...7afa10ed9b269c561c2336fd862446844e0cbf71)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Upgrade go to 1.22 (#1625)

* upgrade go to 1.22

Signed-off-by: cpanato <[email protected]>

* ci housekeeping

Signed-off-by: cpanato <[email protected]>

* fix lints

Signed-off-by: cpanato <[email protected]>

* update go.mod to pin on go1.21.9

Signed-off-by: cpanato <[email protected]>

---------

Signed-off-by: cpanato <[email protected]>

* Bump codecov/codecov-action from 4.2.0 to 4.3.0 in the all group

Bumps the all group with 1 update: [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `codecov/codecov-action` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/7afa10ed9b269c561c2336fd862446844e0cbf71...84508663e988701840491b86de86b666e8a86bed)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group with 4 updates

Bumps the all group with 4 updates: [chainguard.dev/go-grpc-kit](https://github.com/chainguard-dev/go-grpc-kit), [github.com/prometheus/client_model](https://github.com/prometheus/client_model), [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) and [go.step.sm/crypto](https://github.com/smallstep/crypto).

Updates `chainguard.dev/go-grpc-kit` from 0.17.2 to 0.17.3
- [Release notes](https://github.com/chainguard-dev/go-grpc-kit/releases)
- [Commits](https://github.com/chainguard-dev/go-grpc-kit/compare/v0.17.2...v0.17.3)

Updates `github.com/prometheus/client_model` from 0.6.0 to 0.6.1
- [Release notes](https://github.com/prometheus/client_model/releases)
- [Commits](https://github.com/prometheus/client_model/compare/v0.6.0...v0.6.1)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.2 to 1.8.3
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3)

Updates `go.step.sm/crypto` from 0.44.2 to 0.44.3
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.2...v0.44.3)

---
updated-dependencies:
- dependency-name: chainguard.dev/go-grpc-kit
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/prometheus/client_model
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* switch to community repo of reusable-release (#1636)

Signed-off-by: Bob Callaway <[email protected]>

* Bump github.com/googleapis/api-linter in /hack/tools in the all group

Bumps the all group in /hack/tools with 1 update: [github.com/googleapis/api-linter](https://github.com/googleapis/api-linter).


Updates `github.com/googleapis/api-linter` from 1.64.0 to 1.65.0
- [Release notes](https://github.com/googleapis/api-linter/releases)
- [Changelog](https://github.com/googleapis/api-linter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/api-linter/compare/v1.64.0...v1.65.0)

---
updated-dependencies:
- dependency-name: github.com/googleapis/api-linter
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 in the all group

Bumps the all group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/e1523de7571e31dbe865fd2e80c5c7c23ae71eb4...59acb6260d9c0ba8f4a2f9d9b48431a222b68e20)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group with 2 updates

Bumps the all group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...1d96c772d19495a3b5c517cd2bc0cb401ea0529f)

Updates `actions/upload-artifact` from 4.3.1 to 4.3.2
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/5d5d22a31266ced268874388b861e4b58bb5c2f3...1746f4ab65b179e0ea60a494b83293b640dd5bba)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump go.step.sm/crypto from 0.44.3 to 0.44.6 in the all group

Bumps the all group with 1 update: [go.step.sm/crypto](https://github.com/smallstep/crypto).

Updates `go.step.sm/crypto` from 0.44.3 to 0.44.6
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.3...v0.44.6)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group with 2 updates

Bumps the all group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/1d96c772d19495a3b5c517cd2bc0cb401ea0529f...0ad4b8fadaa221de15dcec353f45205ec38ea70b)

Updates `actions/upload-artifact` from 4.3.2 to 4.3.3
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/1746f4ab65b179e0ea60a494b83293b640dd5bba...65462800fd760344b1a7b4382951275a0abb4808)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4.0.0 to 5.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/3cfe3a4abbb849e10058ce4af15d205b6da42804...82d40c283aeb1f2b6595839195e95c2d6a49081b)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group with 2 updates

Bumps the all group with 2 updates: [go.step.sm/crypto](https://github.com/smallstep/crypto) and [google.golang.org/api](https://github.com/googleapis/google-api-go-client).

Updates `go.step.sm/crypto` from 0.44.6 to 0.44.8
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.6...v0.44.8)

Updates `google.golang.org/api` from 0.175.0 to 0.176.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.175.0...v0.176.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group with 3 updates

Bumps the all group with 3 updates: [actions/setup-go](https://github.com/actions/setup-go), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `actions/setup-go` from 5.0.0 to 5.0.1
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/0c52d547c9bc32b1aa3301fd7a9cb496313a4491...cdcb36043654635271a94b9a6d1392de5bb323a7)

Updates `codecov/codecov-action` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/84508663e988701840491b86de86b666e8a86bed...5ecb98a3c6b747ed38dc09f787459979aebb39be)

Updates `golangci/golangci-lint-action` from 5.0.0 to 5.3.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/82d40c283aeb1f2b6595839195e95c2d6a49081b...38e1018663fa5173f3968ea0777460d3de38f256)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5.3.0 to 6.0.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/38e1018663fa5173f3968ea0777460d3de38f256...a4f60bb28d35aeee14e6880718e0c85ff1882e64)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group with 2 updates

Bumps the all group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action).


Updates `actions/checkout` from 4.1.4 to 4.1.5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b)

Updates `ossf/scorecard-action` from 2.3.1 to 2.3.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/0864cf19026789058feabb7e87baa5f140aac736...dc50aa9510b46c811795eb24b2f1ba02a914e534)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group across 1 directory with 2 updates

Bumps the all group with 2 updates in the / directory: [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils).


Updates `github.com/prometheus/client_golang` from 1.19.0 to 1.19.1
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.19.0...v1.19.1)

Updates `sigs.k8s.io/release-utils` from 0.8.1 to 0.8.2
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.1...v0.8.2)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* docs: Fix extensions for digest values requiring a type prefix (#1661)

* docs: Fix extensions for digest values requiring a type prefix

Signed-off-by: Facundo Tuesca <[email protected]>

* docs: Reformat table mapping OIDC token claims to Fulcio OIDs

Signed-off-by: Facundo Tuesca <[email protected]>

---------

Signed-off-by: Facundo Tuesca <[email protected]>

* oid-info: fix table render (#1662)

Signed-off-by: William Woodruff <[email protected]>

* update jobs to use go1.22.3 (#1660)

Signed-off-by: cpanato <[email protected]>

* Bump golang.org/x/net (#1640)

Bumps the go_modules group with 1 update in the /hack/tools directory: [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/net` from 0.21.0 to 0.23.0
- [Commits](https://github.com/golang/net/compare/v0.21.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump the all group with 3 updates

Bumps the all group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [google-github-actions/auth](https://github.com/google-github-actions/auth) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `actions/checkout` from 4.1.5 to 4.1.6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29)

Updates `google-github-actions/auth` from 2.1.2 to 2.1.3
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google-github-actions/auth/compare/55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c...71fee32a0bb7e97b4d33d548e7d957010649d8fa)

Updates `codecov/codecov-action` from 4.3.1 to 4.4.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/5ecb98a3c6b747ed38dc09f787459979aebb39be...6d798873df2b1b8e5846dba6fb86631229fbcb17)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump go.step.sm/crypto from 0.44.8 to 0.45.0

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.44.8 to 0.45.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.44.8...v0.45.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump codecov/codecov-action from 4.4.0 to 4.4.1 in the all group

Bumps the all group with 1 update: [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `codecov/codecov-action` from 4.4.0 to 4.4.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/6d798873df2b1b8e5846dba6fb86631229fbcb17...125fc84a9a348dbcf27191600683ec096ec9021c)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump protocolbuffers/protobuf from 26.1 to 27.0 (#1674)

* Bump protocolbuffers/protobuf from 26.1 to 27.0

Bumps [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf) from 26.1 to 27.0.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/compare/v26.1...v27.0)

---
updated-dependencies:
- dependency-name: protocolbuffers/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update main.yml

Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <[email protected]>

* Bump github.com/spf13/viper from 1.18.2 to 1.19.0

Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.18.2 to 1.19.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.18.2...v1.19.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Adding support for configuration from yaml file (#1687)

* Create support for configuration from yaml file

Signed-off-by: Javan lacerda <[email protected]>

* conform code to lint

Signed-off-by: Javan lacerda <[email protected]>

---------

Signed-off-by: Javan lacerda <[email protected]>

* Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity

Bumps the go_modules group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.5.2 to 1.6.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/internal/v1.5.2...sdk/azcore/v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group across 1 directory with 6 updates (#1699)

* Bump the all group across 1 directory with 6 updates

Bumps the all group with 3 updates in the / directory: [chainguard.dev/go-grpc-kit](https://github.com/chainguard-dev/go-grpc-kit), [github.com/spf13/cobra](https://github.com/spf13/cobra) and google.golang.org/protobuf.

Updates `chainguard.dev/go-grpc-kit` from 0.17.3 to 0.17.5
- [Release notes](https://github.com/chainguard-dev/go-grpc-kit/releases)
- [Commits](https://github.com/chainguard-dev/go-grpc-kit/compare/v0.17.3...v0.17.5)

Updates `github.com/grpc-ecosystem/grpc-gateway/v2` from 2.19.1 to 2.20.0
- [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases)
- [Changelog](https://github.com/grpc-ecosystem/grpc-gateway/blob/main/.goreleaser.yml)
- [Commits](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.19.1...v2.20.0)

Updates `github.com/spf13/cobra` from 1.8.0 to 1.8.1
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.8.0...v1.8.1)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20240513163218-0867130af1f8 to 0.0.0-20240520151616-dc85e6b867a5
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `google.golang.org/grpc` from 1.63.2 to 1.64.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.63.2...v1.64.0)

Updates `google.golang.org/protobuf` from 1.34.1 to 1.34.2

---
updated-dependencies:
- dependency-name: chainguard.dev/go-grpc-kit
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* fix deprecation

Signed-off-by: cpanato <[email protected]>

* update e2e tests

Signed-off-by: cpanato <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: cpanato <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <[email protected]>

* Bump go.step.sm/crypto from 0.45.0 to 0.47.1

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.45.0 to 0.47.1.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.45.0...v0.47.1)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* bump to go1.22.4 and update goreleaser and golangci-lint

Signed-off-by: cpanato <[email protected]>

* update deprecated flags

Signed-off-by: cpanato <[email protected]>

* Bump google.golang.org/api from 0.183.0 to 0.185.0

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.183.0 to 0.185.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.183.0...v0.185.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump github.com/spiffe/go-spiffe/v2 from 2.2.0 to 2.3.0

Bumps [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/spiffe/go-spiffe/releases)
- [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/spiffe/go-spiffe/compare/v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/spiffe/go-spiffe/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump github.com/google/certificate-transparency-go from 1.1.8 to 1.2.1

Bumps [github.com/google/certificate-transparency-go](https://github.com/google/certificate-transparency-go) from 1.1.8 to 1.2.1.
- [Release notes](https://github.com/google/certificate-transparency-go/releases)
- [Changelog](https://github.com/google/certificate-transparency-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/certificate-transparency-go/compare/v1.1.8...v1.2.1)

---
updated-dependencies:
- dependency-name: github.com/google/certificate-transparency-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group across 1 directory with 4 updates

Bumps the all group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [ko-build/setup-ko](https://github.com/ko-build/setup-ko), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf).


Updates `actions/checkout` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332)

Updates `ko-build/setup-ko` from 0.6 to 0.7
- [Release notes](https://github.com/ko-build/setup-ko/releases)
- [Commits](https://github.com/ko-build/setup-ko/compare/ace48d793556083a76f1e3e6068850c1f4a369aa...3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037)

Updates `codecov/codecov-action` from 4.4.1 to 4.5.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/125fc84a9a348dbcf27191600683ec096ec9021c...e28ff129e5465c2c0dcc6f003fc735cb6ae0c673)

Updates `protocolbuffers/protobuf` from 27.0 to 27.1
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/compare/v27.0...v27.1)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ko-build/setup-ko
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: protocolbuffers/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update README.md (#1700)

Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>

* replace gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v4 (#1686)

Signed-off-by: cpanato <[email protected]>

* Add Chainguard OIDC provider. (#1703)

This adds support for Chainguard issued tokens, so that users can sign with their Chainguard-issued identity, and so that we can explore signing our own content with our internal service principal construct (see issue).

Related: https://github.com/sigstore/fulcio/issues/1702

Signed-off-by: Matt Moore <[email protected]>

* Bump github.com/hashicorp/go-retryablehttp in the go_modules group

Bumps the go_modules group with 1 update: [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp).


Updates `github.com/hashicorp/go-retryablehttp` from 0.7.6 to 0.7.7
- [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/go-retryablehttp/compare/v0.7.6...v0.7.7)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-retryablehttp
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump github.com/prometheus/common from 0.54.0 to 0.55.0

Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.54.0 to 0.55.0.
- [Release notes](https://github.com/prometheus/common/releases)
- [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md)
- [Commits](https://github.com/prometheus/common/compare/v0.54.0...v0.55.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/common
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump protocolbuffers/protobuf from 27.1 to 27.2 in the all group

Bumps the all group with 1 update: [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf).


Updates `protocolbuffers/protobuf` from 27.1 to 27.2
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/compare/v27.1...v27.2)

---
updated-dependencies:
- dependency-name: protocolbuffers/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update main.yml

Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>

* Bump actions/upload-artifact from 4.3.3 to 4.3.4 in the all group

Bumps the all group with 1 update: [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/upload-artifact` from 4.3.3 to 4.3.4
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...0b2256b8c012f0828dc542b3febcab082c67f72b)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add changelog for v1.5.0 (#1723)

Signed-off-by: Hayden Blauzvern <[email protected]>

* CiProvider as a new OIDCIssuer type (#1679)

This adds a new generic CI provider so that new CI providers can be added via configuration without any code changes. The existing CI providers will be migrated over.

Ref: #1111

Signed-off-by: Javan lacerda <[email protected]>

* Bump google.golang.org/grpc in the go_modules group (#1724)

Bumps the go_modules group with 1 update: [google.golang.org/grpc](https://github.com/grpc/grpc-go).


Updates `google.golang.org/grpc` from 1.64.0 to 1.64.1
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.64.0...v1.64.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Surface the right `Name()` from our principal. (#1726)

The cosign logic for interacting with Fulcio treats identity tokens as *largely* opaque, and most of the logic for how issuers and subjects and whatnot is handled happens server-side.  However, for the "proof of possession" `cosign` has some logic (from `sigstore/sigstore`) that fumbles with `email` and `sub` claims in ways that have (until now) been compatible with Fulcio principals.

The Chainguard provider is the first provider that optionally includes an `email` claim, but we always want the subject we use to be our opaque identifier string (from `sub`).  This creates a tear in the fulcio/cosign continuum, and so we must surface what `cosign` is signing as `Name()` even though that isn't necessarily what we embed in the certificate.

The only correct way to implement `Name()` today is to match what this function does, and current implementations happen to align, but unfortunately because of how this abstraction is formulated it is challenging to actually change how we confirm the proof of possession to use this directly in place of the principal itself.

Fixes: https://github.com/sigstore/cosign/issues/3777

Signed-off-by: Matt Moore <[email protected]>

* Revert "CiProvider as a new OIDCIssuer type (#1679)" (#1727)

This reverts commit 66485b693867adc650aea85777f1899286c3c7ce.

* Changelog for v1.5.1 (#1728)

Signed-off-by: Hayden Blauzvern <[email protected]>

* CiProvider as a new OIDCIssuer type (#1729)

This adds a new generic CI provider so that new CI providers can be added via configuration without any code changes. The existing CI providers will be migrated over.

Ref: #1111
Add back #1679

Signed-off-by: Javan lacerda [email protected]

* Bump the all group across 1 directory with 8 updates (#1719)

* Bump the all group across 1 directory with 8 updates

Bumps the all group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) | `1.17.0` | `1.17.2` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.4` | `1.8.6` |

Updates `cloud.google.com/go/security` from 1.17.0 to 1.17.2
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.17.0...asset/v1.17.2)

Updates `github.com/sigstore/sigstore` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.4 to 1.8.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.4...v1.8.6)

Updates `google.golang.org/api` from 0.185.0 to 0.187.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.185.0...v0.187.0)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20240610135401-a8a62080eff3 to 0.0.0-20240617180043-68d350f18fd4
- [Commits](https://github.com/googleapis/go-genproto/commits)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/security
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* update test

Signed-off-by: cpanato <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: cpanato <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <[email protected]>

* Bump go.step.sm/crypto from 0.47.1 to 0.50.0

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.47.1 to 0.50.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.47.1...v0.50.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump actions/setup-go from 5.0.1 to 5.0.2 in the all group

Bumps the all group with 1 update: [actions/setup-go](https://github.com/actions/setup-go).


Updates `actions/setup-go` from 5.0.1 to 5.0.2
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/cdcb36043654635271a94b9a6d1392de5bb323a7...0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump github.com/coreos/go-oidc/v3 from 3.10.0 to 3.11.0

Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.10.0 to 3.11.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](https://github.com/coreos/go-oidc/compare/v3.10.0...v3.11.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Move configuration to yaml format (#1720)

Migrate the configuration file from json to yaml
Also removes the fulcio-config.yaml file that isn't used
Concentrate the issuers and meta-issuers in a single file that can be found at config/identity/config.yaml
Also removes the https://auth-staging.eclipse.org/realms/sigstore from the list of issuers, as it is unavailable.
Removes the federation script as it has not been used, and switches over to a test that's run to check validity of the configuration.

Ref #1111

Signed-off-by: Javan lacerda <[email protected]>

* Removes identity providers federation (#1736)

Removes the identity providers federation, and update the documentation for adding new identity providers, including ci-providers.

Ref #1111

Signed-off-by: Javan Lacerda <[email protected]>

* Bump the all group across 1 directory with 11 updates

Bumps the all group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [chainguard.dev/sdk](https://github.com/chainguard-dev/sdk) | `0.1.20` | `0.1.21` |
| [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) | `1.17.2` | `1.17.3` |
| [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) | `4.0.2` | `4.0.3` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.6` | `1.8.7` |
| [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) | `0.8.2` | `0.8.3` |

Updates `chainguard.dev/sdk` from 0.1.20 to 0.1.21
- [Release notes](https://github.com/chainguard-dev/sdk/releases)
- [Commits](https://github.com/chainguard-dev/sdk/compare/v0.1.20...v0.1.21)

Updates `cloud.google.com/go/security` from 1.17.2 to 1.17.3
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/asset/v1.17.2...retail/v1.17.3)

Updates `github.com/go-jose/go-jose/v4` from 4.0.2 to 4.0.3
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.2...v4.0.3)

Updates `github.com/sigstore/sigstore` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.6 to 1.8.7
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Updates `google.golang.org/api` from 0.187.0 to 0.188.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.187.0...v0.188.0)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20240617180043-68d350f18fd4 to 0.0.0-20240701130421-f6361c86f094
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `sigs.k8s.io/release-utils` from 0.8.2 to 0.8.3
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.2...v0.8.3)

---
updated-dependencies:
- dependency-name: chainguard.dev/sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: cloud.google.com/go/security
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* update builder

Signed-off-by: cpanato <[email protected]>

* sync go mod

Signed-off-by: cpanato <[email protected]>

* add Hellō provider (#1739)

Signed-off-by: dickhardt <[email protected]>

* Migrate github to ci provider flow (#1738)

Contribute towards #1111

Moves GitHub configuration to the new ci-provider configuration. No changes to issued certificates.

Signed-off-by: Javan Lacerda <[email protected]>

* Move gitlab to ci-provider (#1740)

* move fulcio config from json to yaml

Signed-off-by: Javan lacerda <[email protected]>

* move fulcio-config to a new file

Signed-off-by: Javan lacerda <[email protected]>

* updating test for check-config workflow

Signed-off-by: Javan lacerda <[email protected]>

* set verify k8s workflow for get configg directly

Signed-off-by: Javan lacerda <[email protected]>

* migrate gitlab to ci provider

Signed-off-by: Javan lacerda <[email protected]>

* set gitlab ref for using a conditional template

Signed-off-by: Javan lacerda <[email protected]>

---------

Signed-off-by: Javan lacerda <[email protected]>

* Update IDP requirements (#1742)

This adds policy documentation around requirements for new IDPs.

Signed-off-by: Hayden B <[email protected]>

* Bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.20.0 to 2.21.0

Bumps [github.com/grpc-ecosystem/grpc-gateway/v2](https://github.com/grpc-ecosystem/grpc-gateway) from 2.20.0 to 2.21.0.
- [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases)
- [Changelog](https://github.com/grpc-ecosystem/grpc-gateway/blob/main/.goreleaser.yml)
- [Commits](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.20.0...v2.21.0)

---
updated-dependencies:
- dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump ossf/scorecard-action from 2.3.3 to 2.4.0 in the all group

Bumps the all group with 1 update: [ossf/scorecard-action](https://github.com/ossf/scorecard-action).


Updates `ossf/scorecard-action` from 2.3.3 to 2.4.0
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/dc50aa9510b46c811795eb24b2f1ba02a914e534...62b2cac7ed8198b15735ed49ab1e5cf35480ba46)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group across 1 directory with 4 updates

Bumps the all group with 3 updates in the / directory: [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go), [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils).


Updates `cloud.google.com/go/security` from 1.17.3 to 1.17.4
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/retail/v1.17.3...retail/v1.17.4)

Updates `github.com/go-jose/go-jose/v4` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.3...v4.0.4)

Updates `google.golang.org/api` from 0.188.0 to 0.189.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.188.0...v0.189.0)

Updates `sigs.k8s.io/release-utils` from 0.8.3 to 0.8.4
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.3...v0.8.4)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/security
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Added support for email_verified being a string or bool (#1744)

Signed-off-by: Andrew Block <[email protected]>

* Bump chainguard.dev/sdk from 0.1.21 to 0.1.22 in the all group

Bumps the all group with 1 update: [chainguard.dev/sdk](https://github.com/chainguard-dev/sdk).


Updates `chainguard.dev/sdk` from 0.1.21 to 0.1.22
- [Release notes](https://github.com/chainguard-dev/sdk/releases)
- [Commits](https://github.com/chainguard-dev/sdk/compare/v0.1.21...0.1.22)

---
updated-dependencies:
- dependency-name: chainguard.dev/sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump the all group with 3 updates

Bumps the all group with 3 updates: [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `protocolbuffers/protobuf` from 27.2 to 27.3
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/compare/v27.2...v27.3)

Updates `actions/upload-artifact` from 4.3.4 to 4.3.5
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/0b2256b8c012f0828dc542b3febcab082c67f72b...89ef406dd8d7e03cfd12d9e0a4a378f454709029)

Updates `golangci/golangci-lint-action` from 6.0.1 to 6.1.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/a4f60bb28d35aeee14e6880718e0c85ff1882e64...aaa42aa0628b4ae2578232a66b541047968fac86)

---
updated-dependencies:
- dependency-name: protocolbuffers/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump go.step.sm/crypto from 0.50.0 to 0.51.1

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.50.0 to 0.51.1.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.50.0...v0.51.1)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Move codefresh and buildkite to ci-provider identity (#1743)

* migrating codefresh and buildkite to ci provider

Signed-off-by: Javan lacerda <[email protected]>

* adding test case for comparing with empty key

Signed-off-by: Javan lacerda <[email protected]>

* add comments for codefresh extensions

Signed-off-by: Javan lacerda <[email protected]>

* set claimed data to have priority over defaults

Signed-off-by: Javan lacerda <[email protected]>

* fix identation

Signed-off-by: Javan lacerda <[email protected]>

* adding comments for github and gitlab in config file

Signed-off-by: Javan lacerda <[email protected]>

* adding tests for check claims priority over defaults

Signed-off-by: Javan lacerda <[email protected]>

---------

Signed-off-by: Javan lacerda <[email protected]>

* Bump google.golang.org/api from 0.189.0 to 0.190.0 (#1753)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.189.0 to 0.190.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.189.0...v0.190.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump the all group across 1 directory with 4 updates (#1754)

* Bump the all group across 1 directory with 4 updates

Bumps the all group with 3 updates in the /hack/tools directory: [github.com/googleapis/api-linter](https://github.com/googleapis/api-linter), [github.com/grpc-ecosystem/grpc-gateway/v2](https://github.com/grpc-ecosystem/grpc-gateway) and [google.golang.org/grpc/cmd/protoc-gen-go-grpc](https://github.com/grpc/grpc-go).


Updates `github.com/googleapis/api-linter` from 1.65.0 to 1.67.1
- [Release notes](https://github.com/googleapis/api-linter/releases)
- [Changelog](https://github.com/googleapis/api-linter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/api-linter/compare/v1.65.0...v1.67.1)

Updates `github.com/grpc-ecosystem/grpc-gateway/v2` from 2.19.1 to 2.21.0
- [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases)
- [Changelog](https://github.com/grpc-ecosystem/grpc-gateway/blob/main/.goreleaser.yml)
- [Commits](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.19.1...v2.21.0)

Updates `google.golang.org/grpc/cmd/protoc-gen-go-grpc` from 1.3.0 to 1.5.1
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.3.0...v1.5.1)

Updates `google.golang.org/protobuf` from 1.33.0 to 1.34.2

---
updated-dependencies:
- dependency-name: github.com/googleapis/api-linter
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/grpc/cmd/protoc-gen-go-grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <[email protected]>

* update gen protos

Signed-off-by: Hayden Blauzvern <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Hayden Blauzvern <[email protected]>

* Add changelog for v1.6.0 (#1756)

Signed-off-by: Hayden Blauzvern <[email protected]>

* fixup

Signed-off-by: Lance Ball <[email protected]>

* chore: remove hermetic builds

Signed-off-by: Lance Ball <[email protected]>

* chore: downgrade golang dep

Signed-off-by: Lance Ball <[email protected]>

* konflux: remove unit test pipeline

Unit tests do not seem to work with go 1.23. Removing for now.

Signed-off-by: Lance Ball <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: cpanato <[email protected]>
Signed-off-by: Bob Callaway <[email protected]>
Signed-off-by: Facundo Tuesca <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: Carlos Tadeu Panato Junior <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Matt Moore <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Javan lacerda [email protected]
Signed-off-by: Javan Lacerda <[email protected]>
Signed-off-by: dickhardt <[email protected]>
Signed-off-by: Hayden B <[email protected]>
Signed-off-by: Andrew Block <[email protected]>
Signed-off-by: Lance Ball <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <[email protected]>
Co-authored-by: Bob Callaway <[email protected]>
Co-authored-by: Facundo Tuesca <[email protected]>
Co-authored-by: William Woodruff <[email protected]>
Co-authored-by: Javan Lacerda <[email protected]>
Co-authored-by: Matt Moore <[email protected]>
Co-authored-by: Hayden B <[email protected]>
Co-authored-by: Dick Hardt <[email protected]>
Co-authored-by: Andrew Block <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants