
@dependabot (Contributor) commented on behalf of github Jan 16, 2026

Bumps the actions group with 1 update: sigstore/sigstore-conformance.

Updates sigstore/sigstore-conformance from 0.0.24 to 0.0.25

Release notes

Sourced from sigstore/sigstore-conformance's releases.

v0.0.25

This release contains a number of new tests and a change to the client-under-test CLI: users need to modify their client wrappers (or add new tests to expected failures).

Changes in client-under-test CLI

  • The expected client CLI now includes --key <FILE> as an alternative to --certificate-identity <IDENTITY> --certificate-oidc-issuer <URL>. Details in cli_protocol.md. Clients that do not support keys as identities can add "test_verify[managed-key-happy-path] test_verify[managed-key-and-trusted-root]" to their expected failure list.

Added tests

  • Bundle validity checks bundle-empty-certificate-chain, bundle-invalid-base64-signature, bundle-malformed-json, bundle-negative-log-index, bundle-unknown-version, inclusion-proof-corrupted-hash
  • message-digest-mismatch: Note that the message digest field in the signature is an unauthenticated hint. The conformance test suite expects a verification failure here only for consistency.
  • Bundle with SCT extensions bundle-with-sct-with-extensions -- this is a requirement for using TesseraCT as Fulcio CT in future
  • Managed key tests managed-key-happy-path, managed-key-and-trusted-root, managed-key-no-key, managed-key-wrong-key -- these tests require the client-under-test CLI to implement the --key argument
Commits
  • eae6eb1 suggest implementation strategy for managed key verify tests (#306)
  • d375b73 Add bundle with SCT with extensions to tests (#319)
  • 468e8b2 add a test for message digest mismatch with artifact hash (#312)
  • 120147f workflows: Add sigstore-rust to client conformance report (#316)
  • ecb8250 add a simple corrupted inclusion proof check (#315)
  • 70c3a2e Bump the actions group with 2 updates (#310)
  • 6c410c9 Bump certifi from 2025.11.12 to 2026.1.4 (#313)
  • 6f2bf82 add some checks for malformed content (#314)
  • c301daf Bump urllib3 from 2.6.2 to 2.6.3 (#311)
  • ef55a33 Bump the python-minor-and-patch-updates group with 2 updates (#308)
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions group with 1 update: [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance).


Updates `sigstore/sigstore-conformance` from 0.0.24 to 0.0.25
- [Release notes](https://github.com/sigstore/sigstore-conformance/releases)
- [Commits](sigstore/sigstore-conformance@b7856cf...eae6eb1)

---
updated-dependencies:
- dependency-name: sigstore/sigstore-conformance
  dependency-version: 0.0.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
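The bundle validity cases named in the release notes above (bundle-malformed-json, bundle-unknown-version, bundle-empty-certificate-chain, bundle-negative-log-index, bundle-invalid-base64-signature) are exactly the checks a verifier should run before touching any cryptography. The following is an added Python example of such a pre-check, not code from sigstore-conformance or sigstore-python: the bundle field names and media types it assumes follow the Sigstore bundle protobuf spec, and the sample bundles in `SAMPLES` are constructed with placeholder certificate and signature bytes, so they are not verifiable signatures, only structural test inputs.

```python
"""Structural pre-checks on a Sigstore bundle (added example, not sigstore project code)."""
import base64
import binascii
import json

# Assumption: bundle media types as published in the Sigstore protobuf-specs.
KNOWN_MEDIA_TYPES = {
    "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "application/vnd.dev.sigstore.bundle+json;version=0.3",
    "application/vnd.dev.sigstore.bundle.v0.3+json",
}

class BundleError(ValueError):
    """Structurally invalid bundle; str(err) names the defect."""

def _b64(field: str, value) -> bytes:
    """Strict base64 decode: reject non-strings and non-alphabet characters."""
    if not isinstance(value, str):
        raise BundleError(f"{field}: not a string")
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise BundleError(f"{field}: invalid base64") from exc

def _raw_bytes(field: str, obj) -> bytes:
    return _b64(f"{field}.rawBytes", obj.get("rawBytes") if isinstance(obj, dict) else None)

def check_bundle(raw: str) -> dict:
    """Reject malformed bundles before any cryptographic work; return the parsed bundle."""
    try:
        bundle = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise BundleError(f"malformed JSON: {exc.msg}") from exc
    if not isinstance(bundle, dict):
        raise BundleError("malformed JSON: top level is not an object")
    if bundle.get("mediaType") not in KNOWN_MEDIA_TYPES:
        raise BundleError(f"unknown bundle version: {bundle.get('mediaType')!r}")

    material = bundle.get("verificationMaterial")
    if not isinstance(material, dict):
        raise BundleError("missing verificationMaterial")
    # v0.3: one leaf under "certificate"; older: "x509CertificateChain"; key-signed: "publicKey".
    if material.get("certificate") is not None:
        _raw_bytes("certificate", material["certificate"])
    elif "x509CertificateChain" in material:
        chain = material["x509CertificateChain"]
        certs = chain.get("certificates") if isinstance(chain, dict) else None
        if not certs:
            raise BundleError("empty certificate chain")
        for i, cert in enumerate(certs):
            _raw_bytes(f"certificates[{i}]", cert)
    elif "publicKey" not in material:
        raise BundleError("no certificate, certificate chain or public key hint")

    # logIndex is a decimal string in the JSON encoding and must be >= 0.
    for i, entry in enumerate(material.get("tlogEntries") or []):
        try:
            idx = int(entry["logIndex"])
        except (KeyError, TypeError, ValueError) as exc:
            raise BundleError(f"tlogEntries[{i}]: bad logIndex") from exc
        if idx < 0:
            raise BundleError(f"tlogEntries[{i}]: negative log index {idx}")
    sig = bundle.get("messageSignature")
    if isinstance(sig, dict):
        # messageDigest next to the signature is only an unauthenticated hint (release notes).
        _b64("messageSignature.signature", sig.get("signature"))
    elif "dsseEnvelope" not in bundle:
        raise BundleError("bundle has neither messageSignature nor dsseEnvelope")
    return bundle

def classify(raw: str) -> str:
    try:
        check_bundle(raw)
        return "ok"
    except BundleError as err:
        return str(err)

def _sample(defect=None) -> str:
    """Constructed v0.3 bundle with placeholder (not real) certificate and signature
    bytes; `defect` mutates the dict into one of the failure cases."""
    enc = lambda b: base64.b64encode(b).decode()
    bundle = {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {"certificate": {"rawBytes": enc(b"placeholder-cert")},
                                 "tlogEntries": [{"logIndex": "1234"}]},
        "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": enc(b"\0" * 32)},
                             "signature": enc(b"placeholder-sig")},
    }
    if defect:
        defect(bundle)
    return json.dumps(bundle)

SAMPLES = {
    "good": _sample(),
    "bundle-malformed-json": '{"mediaType": ',
    "bundle-unknown-version": _sample(lambda b: b.update(mediaType="application/vnd.example+json")),
    "bundle-empty-certificate-chain": _sample(lambda b: b["verificationMaterial"].update(certificate=None, x509CertificateChain={"certificates": []})),
    "bundle-negative-log-index": _sample(lambda b: b["verificationMaterial"]["tlogEntries"][0].update(logIndex="-1")),
    "bundle-invalid-base64-signature": _sample(lambda b: b["messageSignature"].update(signature="not*base64")),
}
```

Running `classify` over `SAMPLES` yields "ok" for the good bundle and one named rejection per defective sample; a client wrapper for the conformance suite would do this parsing step first so that a malformed bundle fails fast with a clear reason instead of surfacing as a confusing error deep inside signature or certificate verification.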
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jan 16, 2026
woodruffw previously approved these changes Jan 16, 2026

@woodruffw (Member) commented:

/gcbrun

@jku (Member) commented Jan 16, 2026

I expect this to fail since there are "managed key" tests now:

I'll add some xfails

We only support OIDC identities at the moment

Signed-off-by: Jussi Kukkonen <[email protected]>
@jku (Member) commented Jan 16, 2026

/gcbrun
