renovate-rancher bot commented Aug 2, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| github.com/sigstore/rekor | require | minor | v1.3.10 -> v1.4.2 |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.4.2


This release includes some performance optimizations and a bug fix for publishing events to a pub/sub topic.

Fixes

  • use pubsub client to check IAM permissions (#2605)
  • process type contents serially (#2604)
  • move to direct decoding instead of mapstructure (#2598)
  • optimize performance of regex operations (#2603)

Contributors

  • Bob Callaway

v1.4.1


This release includes updated dependencies for known CVEs, as well as some optimizations to minimize gRPC traffic between Rekor and Trillian.

Fixes

  • use less expensive gRPC call to implement GetLeafAndProofByHash (#2581)
  • move to per-shard trillian client manager (#2564)
  • use cheaper gRPC endpoint when we already have the inclusion proof (#2580)
  • simplify hash and signature verification in rekord type (#2579)
  • use correct type; just look for len() instead of nil check (#2576)
  • return correct error if GetLeafAndProofByHash fails (#2574)
  • fix incorrect client lb policy in test config (#2551)
  • numerous upgraded dependencies

Contributors

  • Bob Callaway
  • Carlos Alexandro Becker

v1.4.0


This is a minor version release given the removal of the stable checkpoint feature. To our knowledge, this was not
used effectively anywhere and therefore was removed from Rekor v1. Witnessing will be added as part of the upcoming
Rekor v2 release.

Features

  • enable retries and timeouts on GCP KMS calls (#2548)
  • allow configuring gRPC default service config for trillian client load balancing & timeouts (#2549)
  • move context handling in trillian RPC calls to be request based and idiomatic (#2536)

Fixes

  • Fix docker compose up --wait failing when Trillian server isn't healthy (#2473)
  • better mysql healthcheck (#2459)
  • numerous upgraded dependencies, including moving to go 1.24

Removed

  • remove stable checkpoint feature (#2537)
  • Don't initialize index storage with stable checkpoint publishing (#2486)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Emmanuel Ferdman
  • Hayden B
  • Ramon Petgrave

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.


renovate-rancher bot commented Aug 2, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 21 additional dependencies were updated

Details:

| Package | Change |
| --- | --- |
| github.com/go-jose/go-jose/v4 | v4.0.5 -> v4.1.1 |
| github.com/go-openapi/errors | v0.22.1 -> v0.22.2 |
| github.com/go-openapi/swag | v0.23.1 -> v0.24.1 |
| github.com/hashicorp/go-retryablehttp | v0.7.7 -> v0.7.8 |
| github.com/secure-systems-lab/go-securesystemslib | v0.9.0 -> v0.9.1 |
| github.com/sigstore/protobuf-specs | v0.4.3 -> v0.5.0 |
| github.com/spf13/pflag | v1.0.6 -> v1.0.9 |
| go.opentelemetry.io/otel | v1.36.0 -> v1.37.0 |
| go.opentelemetry.io/otel/metric | v1.36.0 -> v1.37.0 |
| go.opentelemetry.io/otel/trace | v1.36.0 -> v1.37.0 |
| golang.org/x/crypto | v0.39.0 -> v0.41.0 |
| golang.org/x/exp | v0.0.0-20250408133849-7e4ce0ab07d0 -> v0.0.0-20250620022241-b7579e27df2b |
| golang.org/x/mod | v0.25.0 -> v0.27.0 |
| golang.org/x/net | v0.41.0 -> v0.43.0 |
| golang.org/x/sync | v0.15.0 -> v0.16.0 |
| golang.org/x/sys | v0.33.0 -> v0.35.0 |
| golang.org/x/term | v0.32.0 -> v0.34.0 |
| golang.org/x/text | v0.26.0 -> v0.28.0 |
| google.golang.org/genproto/googleapis/api | v0.0.0-20250519155744-55703ea1f237 -> v0.0.0-20250721164621-a45f3dfb1074 |
| google.golang.org/protobuf | v1.36.6 -> v1.36.8 |
| sigs.k8s.io/yaml | v1.4.0 -> v1.6.0 |

renovate-rancher bot force-pushed the renovate/github.com-sigstore-rekor-1.x branch from c54b044 to ac7cb26 (August 30, 2025 04:36)

renovate-rancher bot changed the title from "chore(deps): update module github.com/sigstore/rekor to v1.4.0" to "chore(deps): update module github.com/sigstore/rekor to v1.4.1" (Aug 30, 2025)

renovate-rancher bot force-pushed the renovate/github.com-sigstore-rekor-1.x branch from ac7cb26 to 02451cf (September 6, 2025 04:36)

renovate-rancher bot changed the title from "chore(deps): update module github.com/sigstore/rekor to v1.4.1" to "chore(deps): update module github.com/sigstore/rekor to v1.4.2" (Sep 6, 2025)