fix(deps): update go (#3930)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/coreos/go-oidc/v3](https://redirect.github.com/coreos/go-oidc)
| `v3.10.0` -> `v3.11.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcoreos%2fgo-oidc%2fv3/v3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fcoreos%2fgo-oidc%2fv3/v3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fcoreos%2fgo-oidc%2fv3/v3.10.0/v3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcoreos%2fgo-oidc%2fv3/v3.10.0/v3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/cosign/v2](https://redirect.github.com/sigstore/cosign)
| `v2.2.4` -> `v2.4.1` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/sigstore](https://redirect.github.com/sigstore/sigstore)
| `v1.8.3` -> `v1.8.10` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fsigstore/v1.8.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fsigstore/v1.8.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fsigstore/v1.8.3/v1.8.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fsigstore/v1.8.3/v1.8.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [github.com/spf13/cobra](https://redirect.github.com/spf13/cobra) |
`v1.8.0` -> `v1.8.1` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fspf13%2fcobra/v1.8.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fspf13%2fcobra/v1.8.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fspf13%2fcobra/v1.8.0/v1.8.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fspf13%2fcobra/v1.8.0/v1.8.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>coreos/go-oidc (github.com/coreos/go-oidc/v3)</summary>

###
[`v3.11.0`](https://redirect.github.com/coreos/go-oidc/releases/tag/v3.11.0)

[Compare
Source](https://redirect.github.com/coreos/go-oidc/compare/v3.10.0...v3.11.0)

#### What's Changed

- oidc: verify support for algs from discovery by
[@&#8203;ericchiang](https://redirect.github.com/ericchiang) in
[https://github.com/coreos/go-oidc/pull/430](https://redirect.github.com/coreos/go-oidc/pull/430)
- chore(deps): bump dependencies to address security issues by
[@&#8203;clambin](https://redirect.github.com/clambin) in
[https://github.com/coreos/go-oidc/pull/432](https://redirect.github.com/coreos/go-oidc/pull/432)
- oidc: ignore cancellation of remote key set context by
[@&#8203;ericchiang](https://redirect.github.com/ericchiang) in
[https://github.com/coreos/go-oidc/pull/433](https://redirect.github.com/coreos/go-oidc/pull/433)

#### New Contributors

- [@&#8203;clambin](https://redirect.github.com/clambin) made their
first contribution in
[https://github.com/coreos/go-oidc/pull/432](https://redirect.github.com/coreos/go-oidc/pull/432)

**Full Changelog**:
coreos/go-oidc@v3.10.0...v3.11.0

</details>

<details>
<summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary>

###
[`v2.4.1`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v241)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.4.0...v2.4.1)

v2.4.1 largely contains bug fixes and updates dependencies.

#### Features

-   Added fuzzing coverage to multiple packages

#### Bug Fixes

- Fix bug in attest-blob when using a timestamp authority with new
bundles
([#&#8203;3877](https://redirect.github.com/sigstore/cosign/issues/3877))
- fix: documentation link for installation guide
([#&#8203;3884](https://redirect.github.com/sigstore/cosign/issues/3884))

#### Contributors

-   AdamKorcz
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Hayden B
-   Hemil K
-   Sota Sugiura
-   Zach Steindler

###
[`v2.4.0`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v240)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.3.0...v2.4.0)

v2.4.0 begins the modernization of the Cosign client, which includes:

-   Support for the newer Sigstore specification-compliant bundle format
- Support for providing trust roots (e.g. Fulcio certificates, Rekor
keys)
    through a trust root file, instead of many different flags
- Conformance test suite integration to verify signing and verification
behavior

In future updates, we'll include:

- General support for the trust root file, instead of only when using
the bundle
    format during verification
-   Simplification of trust root flags and deprecation of the
    Cosign-specific bundle format
-   Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of
GCR.

#### Features

- Add new bundle support to `verify-blob` and `verify-blob-attestation`
([#&#8203;3796](https://redirect.github.com/sigstore/cosign/issues/3796))
- Adding protobuf bundle support to sign-blob and attest-blob
([#&#8203;3752](https://redirect.github.com/sigstore/cosign/issues/3752))
- Bump sigstore/sigstore to support `email_verified` as string or
boolean
([#&#8203;3819](https://redirect.github.com/sigstore/cosign/issues/3819))
- Conformance testing for cosign
([#&#8203;3806](https://redirect.github.com/sigstore/cosign/issues/3806))
- move incremental builds per commit to GHCR instead of GCR
([#&#8203;3808](https://redirect.github.com/sigstore/cosign/issues/3808))
- Add support for recording creation timestamp for cosign attest
([#&#8203;3797](https://redirect.github.com/sigstore/cosign/issues/3797))
- Include SCT verification failure details in error message
([#&#8203;3799](https://redirect.github.com/sigstore/cosign/issues/3799))

#### Contributors

-   Bob Callaway
-   Hayden B
-   Slavek Kabrda
-   Zach Steindler
-   Zsolt Horvath

###
[`v2.3.0`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v230)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.2.4...v2.3.0)

#### Features

- Add PayloadProvider interface to decouple AttestationToPayloadJSON
from oci.Signature interface
([#&#8203;3693](https://redirect.github.com/sigstore/cosign/issues/3693))
- add registry options to cosign save
([#&#8203;3645](https://redirect.github.com/sigstore/cosign/issues/3645))
- Add debug providers command.
([#&#8203;3728](https://redirect.github.com/sigstore/cosign/issues/3728))
- Make config layers in ociremote mountable
([#&#8203;3741](https://redirect.github.com/sigstore/cosign/issues/3741))
- upgrade to go1.22
([#&#8203;3739](https://redirect.github.com/sigstore/cosign/issues/3739))
- adds tsa cert chain check for env var or tuf targets.
([#&#8203;3600](https://redirect.github.com/sigstore/cosign/issues/3600))
- add --ca-roots and --ca-intermediates flags to 'cosign verify'
([#&#8203;3464](https://redirect.github.com/sigstore/cosign/issues/3464))
- add handling of keyless verification for all verify commands
([#&#8203;3761](https://redirect.github.com/sigstore/cosign/issues/3761))

#### Bug Fixes

- fix: close attestationFile
([#&#8203;3679](https://redirect.github.com/sigstore/cosign/issues/3679))
- Set `bundleVerified` to true after Rekor verification (Resolves
[#&#8203;3740](https://redirect.github.com/sigstore/cosign/issues/3740))
([#&#8203;3745](https://redirect.github.com/sigstore/cosign/issues/3745))

#### Documentation

- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign
([#&#8203;3776](https://redirect.github.com/sigstore/cosign/issues/3776))

#### Testing

- Refactor KMS E2E tests
([#&#8203;3684](https://redirect.github.com/sigstore/cosign/issues/3684))
- Remove sign_blob_test.sh test
([#&#8203;3707](https://redirect.github.com/sigstore/cosign/issues/3707))
- Remove KMS E2E test script
([#&#8203;3702](https://redirect.github.com/sigstore/cosign/issues/3702))
- Refactor insecure registry E2E tests
([#&#8203;3701](https://redirect.github.com/sigstore/cosign/issues/3701))

#### Contributors

-   Billy Lynch
-   bminahan73
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Cody Soyland
-   Colleen Murphy
-   Dmitry Savintsev
-   guangwu
-   Hayden B
-   Hector Fernandez
-   ian hundere
-   Jason Power
-   Jon Johnson
-   Max Lambrecht
-   Meeki1l

</details>

<details>
<summary>sigstore/sigstore (github.com/sigstore/sigstore)</summary>

###
[`v1.8.10`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.10)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.9...v1.8.10)

#### What's Changed

- fix(kms): fix CreateKey may panic when using GCP KMS by
[@&#8203;mozillazg](https://redirect.github.com/mozillazg) in
[https://github.com/sigstore/sigstore/pull/1829](https://redirect.github.com/sigstore/sigstore/pull/1829)
- update to go1.22.7 and ci job by
[@&#8203;cpanato](https://redirect.github.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1847](https://redirect.github.com/sigstore/sigstore/pull/1847)
- Mark TUF client as deprecated by
[@&#8203;haydentherapper](https://redirect.github.com/haydentherapper)
in
[https://github.com/sigstore/sigstore/pull/1858](https://redirect.github.com/sigstore/sigstore/pull/1858)
- bump to go 1.22.8 by
[@&#8203;cpanato](https://redirect.github.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1865](https://redirect.github.com/sigstore/sigstore/pull/1865)

and several dependencies updates

#### New Contributors

- [@&#8203;mozillazg](https://redirect.github.com/mozillazg) made their
first contribution in
[https://github.com/sigstore/sigstore/pull/1829](https://redirect.github.com/sigstore/sigstore/pull/1829)

**Full Changelog**:
sigstore/sigstore@v1.8.9...v1.8.10

###
[`v1.8.9`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.9)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.8...v1.8.9)

#### What's Changed

- fuzzing: improve coverage by
[@&#8203;AdamKorcz](https://redirect.github.com/AdamKorcz) in
[https://github.com/sigstore/sigstore/pull/1809](https://redirect.github.com/sigstore/sigstore/pull/1809)
- Deserialize
[`ed25519`](https://redirect.github.com/sigstore/sigstore/commit/ed25519)
keys from hashivault correctly by
[@&#8203;stevenjohnstone](https://redirect.github.com/stevenjohnstone)
in
[https://github.com/sigstore/sigstore/pull/1811](https://redirect.github.com/sigstore/sigstore/pull/1811)
- oauthflow: Add SubjectFromUnverifiedToken by
[@&#8203;adityasaky](https://redirect.github.com/adityasaky) in
[https://github.com/sigstore/sigstore/pull/1826](https://redirect.github.com/sigstore/sigstore/pull/1826)

**Full Changelog**:
sigstore/sigstore@v1.8.8...v1.8.9

###
[`v1.8.8`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.8)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.7...v1.8.8)

#### What's Changed

- Fixes issue in Device access token request by
[@&#8203;rishabhsvats](https://redirect.github.com/rishabhsvats) in
[https://github.com/sigstore/sigstore/pull/1752](https://redirect.github.com/sigstore/sigstore/pull/1752)
- Support email_verified as a String by
[@&#8203;sabre1041](https://redirect.github.com/sabre1041) in
[https://github.com/sigstore/sigstore/pull/1794](https://redirect.github.com/sigstore/sigstore/pull/1794)
-   Dependency updates

**Full Changelog**:
sigstore/sigstore@v1.8.7...v1.8.8

###
[`v1.8.7`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.7)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.6...v1.8.7)

Dependencies updates only

#### What's Changed

- build(deps): Bump the all group in /pkg/signature/kms/gcp with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1770](https://redirect.github.com/sigstore/sigstore/pull/1770)
- build(deps): Bump the all group in /pkg/signature/kms/aws with 4
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1769](https://redirect.github.com/sigstore/sigstore/pull/1769)
- build(deps): Bump hashicorp/vault from 1.17.0 to 1.17.1 in /test/e2e
in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1767](https://redirect.github.com/sigstore/sigstore/pull/1767)
- build(deps): Bump github.com/sigstore/sigstore from 1.8.4 to 1.8.6 in
/test/fuzz in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1768](https://redirect.github.com/sigstore/sigstore/pull/1768)
- build(deps): Bump golang.org/x/crypto from 0.24.0 to 0.25.0 in
/pkg/signature/kms/azure in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1772](https://redirect.github.com/sigstore/sigstore/pull/1772)
- build(deps): Bump the all group across 1 directory with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1776](https://redirect.github.com/sigstore/sigstore/pull/1776)
- build(deps): Bump actions/upload-artifact from 4.3.3 to 4.3.4 in the
all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1771](https://redirect.github.com/sigstore/sigstore/pull/1771)
- build(deps): Bump the all group in /pkg/signature/kms/gcp with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1773](https://redirect.github.com/sigstore/sigstore/pull/1773)
- build(deps): Bump google.golang.org/grpc from 1.64.0 to 1.64.1 in
/pkg/signature/kms/gcp by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1778](https://redirect.github.com/sigstore/sigstore/pull/1778)
- build(deps): Bump the all group across 1 directory with 4 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1777](https://redirect.github.com/sigstore/sigstore/pull/1777)

**Full Changelog**:
sigstore/sigstore@v1.8.6...v1.8.7

###
[`v1.8.6`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.6)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.5...v1.8.6)

#### What's Changed

- Bump goodkey, fix breakage by
[@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in
[https://github.com/sigstore/sigstore/pull/1761](https://redirect.github.com/sigstore/sigstore/pull/1761)

#### New Contributors

- [@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) made
their first contribution in
[https://github.com/sigstore/sigstore/pull/1761](https://redirect.github.com/sigstore/sigstore/pull/1761)

**Full Changelog**:
sigstore/sigstore@v1.8.5...v1.8.6

###
[`v1.8.5`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.5)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.4...v1.8.5)

Major are dependencies updates

#### What's Changed

- build(deps): Bump google.golang.org/api from 0.181.0 to 0.182.0 in
/pkg/signature/kms/gcp in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1741](https://redirect.github.com/sigstore/sigstore/pull/1741)
- build(deps): Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 in
/test/fuzz in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1743](https://redirect.github.com/sigstore/sigstore/pull/1743)
- build(deps): Bump hashicorp/vault from 1.16.2 to 1.16.3 in /test/e2e
in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1742](https://redirect.github.com/sigstore/sigstore/pull/1742)
- build(deps): Bump github.com/aws/aws-sdk-go from 1.53.10 to 1.53.14 in
/pkg/signature/kms/aws in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1740](https://redirect.github.com/sigstore/sigstore/pull/1740)
- build(deps): Bump actions/dependency-review-action from 4.3.2 to 4.3.3
in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1746](https://redirect.github.com/sigstore/sigstore/pull/1746)
- build(deps): Bump the all group in /pkg/signature/kms/azure with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1744](https://redirect.github.com/sigstore/sigstore/pull/1744)
- build(deps): Bump the all group in /pkg/signature/kms/aws with 4
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1745](https://redirect.github.com/sigstore/sigstore/pull/1745)
- build(deps): Bump dexidp/dex from v2.39.1 to v2.40.0 in /test/e2e in
the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1748](https://redirect.github.com/sigstore/sigstore/pull/1748)
- build(deps): Bump the all group in /pkg/signature/kms/gcp with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1749](https://redirect.github.com/sigstore/sigstore/pull/1749)
- Update to latest letsencrypt/boulder. by
[@&#8203;kommendorkapten](https://redirect.github.com/kommendorkapten)
in
[https://github.com/sigstore/sigstore/pull/1753](https://redirect.github.com/sigstore/sigstore/pull/1753)
- build(deps): Bump actions/checkout from 4.1.6 to 4.1.7 in the all
group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1760](https://redirect.github.com/sigstore/sigstore/pull/1760)
- build(deps): Bump the all group in /pkg/signature/kms/aws with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1759](https://redirect.github.com/sigstore/sigstore/pull/1759)
- build(deps): Bump the all group in /test/e2e with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1758](https://redirect.github.com/sigstore/sigstore/pull/1758)
- build(deps): Bump the all group in /pkg/signature/kms/gcp with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1756](https://redirect.github.com/sigstore/sigstore/pull/1756)
- build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
from 1.5.2 to 1.6.0 in /pkg/signature/kms/azure in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1755](https://redirect.github.com/sigstore/sigstore/pull/1755)
- build(deps): Bump github.com/hashicorp/go-retryablehttp from 0.7.6 to
0.7.7 in /pkg/signature/kms/hashivault by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1766](https://redirect.github.com/sigstore/sigstore/pull/1766)
- build(deps): Bump the all group in /pkg/signature/kms/aws with 4
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1765](https://redirect.github.com/sigstore/sigstore/pull/1765)
- build(deps): Bump the all group in /pkg/signature/kms/gcp with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/sigstore/sigstore/pull/1764](https://redirect.github.com/sigstore/sigstore/pull/1764)
- build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
from 1.6.0 to 1.7.0 in /pkg/signature/kms/azure in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1762](https://redirect.github.com/sigstore/sigstore/pull/1762)
- build(deps): Bump the all group across 1 directory with 6 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1763](https://redirect.github.com/sigstore/sigstore/pull/1763)

**Full Changelog**:
sigstore/sigstore@v1.8.4...v1.8.5

###
[`v1.8.4`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.4)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.3...v1.8.4)

#### What's Changed

- finish move of reusable-release to sigstore/community by
[@&#8203;bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/sigstore/pull/1699](https://redirect.github.com/sigstore/sigstore/pull/1699)
- update Makefile so CodeQL covers all go files by
[@&#8203;bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/sigstore/pull/1700](https://redirect.github.com/sigstore/sigstore/pull/1700)
- bump go to 1.21 by
[@&#8203;bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/sigstore/pull/1701](https://redirect.github.com/sigstore/sigstore/pull/1701)
- pin container images to quiet scorecard alert by
[@&#8203;bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/sigstore/pull/1709](https://redirect.github.com/sigstore/sigstore/pull/1709)
- set gh action perms by
[@&#8203;bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/sigstore/pull/1710](https://redirect.github.com/sigstore/sigstore/pull/1710)
- tuf: Remove debug metadata downloads by
[@&#8203;jku](https://redirect.github.com/jku) in
[https://github.com/sigstore/sigstore/pull/1717](https://redirect.github.com/sigstore/sigstore/pull/1717)
- Fix Hashicorp Vault KMS to use PKCS1 v1.5 by
[@&#8203;berkitamas](https://redirect.github.com/berkitamas) in
[https://github.com/sigstore/sigstore/pull/1736](https://redirect.github.com/sigstore/sigstore/pull/1736)

#### New Contributors

- [@&#8203;jku](https://redirect.github.com/jku) made their first
contribution in
[https://github.com/sigstore/sigstore/pull/1717](https://redirect.github.com/sigstore/sigstore/pull/1717)
- [@&#8203;berkitamas](https://redirect.github.com/berkitamas) made
their first contribution in
[https://github.com/sigstore/sigstore/pull/1736](https://redirect.github.com/sigstore/sigstore/pull/1736)

**Full Changelog**:
sigstore/sigstore@v1.8.3...v1.8.4

</details>

<details>
<summary>spf13/cobra (github.com/spf13/cobra)</summary>

###
[`v1.8.1`](https://redirect.github.com/spf13/cobra/releases/tag/v1.8.1)

[Compare
Source](https://redirect.github.com/spf13/cobra/compare/v1.8.0...v1.8.1)

#### ✨ Features

- Add env variable to suppress completion descriptions on create by
[@&#8203;scop](https://redirect.github.com/scop) in
[https://github.com/spf13/cobra/pull/1938](https://redirect.github.com/spf13/cobra/pull/1938)

#### 🐛 Bug fixes

- Micro-optimizations by
[@&#8203;scop](https://redirect.github.com/scop) in
[https://github.com/spf13/cobra/pull/1957](https://redirect.github.com/spf13/cobra/pull/1957)

#### 🔧 Maintenance

- build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.3 to 2.0.4
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/spf13/cobra/pull/2127](https://redirect.github.com/spf13/cobra/pull/2127)
- Consistent annotation names by
[@&#8203;nirs](https://redirect.github.com/nirs) in
[https://github.com/spf13/cobra/pull/2140](https://redirect.github.com/spf13/cobra/pull/2140)
- Remove fully inactivated linters by
[@&#8203;nirs](https://redirect.github.com/nirs) in
[https://github.com/spf13/cobra/pull/2148](https://redirect.github.com/spf13/cobra/pull/2148)
- Address golangci-lint deprecation warnings, enable some more linters
by [@&#8203;scop](https://redirect.github.com/scop) in
[https://github.com/spf13/cobra/pull/2152](https://redirect.github.com/spf13/cobra/pull/2152)

#### 🧪 Testing & CI/CD

- Add test for func in cobra.go by
[@&#8203;korovindenis](https://redirect.github.com/korovindenis) in
[https://github.com/spf13/cobra/pull/2094](https://redirect.github.com/spf13/cobra/pull/2094)
- ci: test golang 1.22 by
[@&#8203;cyrilico](https://redirect.github.com/cyrilico) in
[https://github.com/spf13/cobra/pull/2113](https://redirect.github.com/spf13/cobra/pull/2113)
- Optimized and added more linting by
[@&#8203;scop](https://redirect.github.com/scop) in
[https://github.com/spf13/cobra/pull/2099](https://redirect.github.com/spf13/cobra/pull/2099)
- build(deps): bump actions/setup-go from 4 to 5 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/spf13/cobra/pull/2087](https://redirect.github.com/spf13/cobra/pull/2087)
- build(deps): bump actions/labeler from 4 to 5 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/spf13/cobra/pull/2086](https://redirect.github.com/spf13/cobra/pull/2086)
- build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/spf13/cobra/pull/2108](https://redirect.github.com/spf13/cobra/pull/2108)
- build(deps): bump actions/cache from 3 to 4 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/spf13/cobra/pull/2102](https://redirect.github.com/spf13/cobra/pull/2102)

#### ✏️ Documentation

- Fixes and docs for usage as plugin by
[@&#8203;nirs](https://redirect.github.com/nirs) in
[https://github.com/spf13/cobra/pull/2070](https://redirect.github.com/spf13/cobra/pull/2070)
- flags: clarify documentation that LocalFlags related function do not
modify the state by
[@&#8203;niamster](https://redirect.github.com/niamster) in
[https://github.com/spf13/cobra/pull/2064](https://redirect.github.com/spf13/cobra/pull/2064)
- chore: remove repetitive words by
[@&#8203;racerole](https://redirect.github.com/racerole) in
[https://github.com/spf13/cobra/pull/2122](https://redirect.github.com/spf13/cobra/pull/2122)
- Add LXC to the list of projects using Cobra
[@&#8203;VaradBelwalkar](https://redirect.github.com/VaradBelwalkar) in
[https://github.com/spf13/cobra/pull/2071](https://redirect.github.com/spf13/cobra/pull/2071)
- Update projects_using_cobra.md by
[@&#8203;marcuskohlberg](https://redirect.github.com/marcuskohlberg) in
[https://github.com/spf13/cobra/pull/2089](https://redirect.github.com/spf13/cobra/pull/2089)
- \[chore]: update projects using cobra by
[@&#8203;cmwylie19](https://redirect.github.com/cmwylie19) in
[https://github.com/spf13/cobra/pull/2093](https://redirect.github.com/spf13/cobra/pull/2093)
- Add Taikun CLI to list of projects by
[@&#8203;Smidra](https://redirect.github.com/Smidra) in
[https://github.com/spf13/cobra/pull/2098](https://redirect.github.com/spf13/cobra/pull/2098)
- Add Incus to the list of projects using Cobra by
[@&#8203;montag451](https://redirect.github.com/montag451) in
[https://github.com/spf13/cobra/pull/2118](https://redirect.github.com/spf13/cobra/pull/2118)

#### New Contributors

- [@&#8203;VaradBelwalkar](https://redirect.github.com/VaradBelwalkar)
made their first contribution in
[https://github.com/spf13/cobra/pull/2071](https://redirect.github.com/spf13/cobra/pull/2071)
- [@&#8203;marcuskohlberg](https://redirect.github.com/marcuskohlberg)
made their first contribution in
[https://github.com/spf13/cobra/pull/2089](https://redirect.github.com/spf13/cobra/pull/2089)
- [@&#8203;cmwylie19](https://redirect.github.com/cmwylie19) made their
first contribution in
[https://github.com/spf13/cobra/pull/2093](https://redirect.github.com/spf13/cobra/pull/2093)
- [@&#8203;korovindenis](https://redirect.github.com/korovindenis) made
their first contribution in
[https://github.com/spf13/cobra/pull/2094](https://redirect.github.com/spf13/cobra/pull/2094)
- [@&#8203;niamster](https://redirect.github.com/niamster) made their
first contribution in
[https://github.com/spf13/cobra/pull/2064](https://redirect.github.com/spf13/cobra/pull/2064)
- [@&#8203;Smidra](https://redirect.github.com/Smidra) made their first
contribution in
[https://github.com/spf13/cobra/pull/2098](https://redirect.github.com/spf13/cobra/pull/2098)
- [@&#8203;montag451](https://redirect.github.com/montag451) made their
first contribution in
[https://github.com/spf13/cobra/pull/2118](https://redirect.github.com/spf13/cobra/pull/2118)
- [@&#8203;cyrilico](https://redirect.github.com/cyrilico) made their
first contribution in
[https://github.com/spf13/cobra/pull/2113](https://redirect.github.com/spf13/cobra/pull/2113)
- [@&#8203;racerole](https://redirect.github.com/racerole) made their
first contribution in
[https://github.com/spf13/cobra/pull/2122](https://redirect.github.com/spf13/cobra/pull/2122)
- [@&#8203;pedromotita](https://redirect.github.com/pedromotita) made
their first contribution in
[https://github.com/spf13/cobra/pull/2120](https://redirect.github.com/spf13/cobra/pull/2120)
- [@&#8203;cubxxw](https://redirect.github.com/cubxxw) made their first
contribution in
[https://github.com/spf13/cobra/pull/2128](https://redirect.github.com/spf13/cobra/pull/2128)

***

Thank you everyone who contributed to this release and all your hard
work! Cobra and this community would never be possible without all of
you!!!! 🐍

**Full Changelog**:
spf13/cobra@v1.8.0...v1.8.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguMTMzLjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Signed-off-by: Mend Renovate <[email protected]>

Author: renovate-bot

go.mod

@@ -3,27 +3,29 @@ module github.com/slsa-framework/slsa-github-generator
 go 1.23.1
 
 require (
-	github.com/coreos/go-oidc/v3 v3.10.0
+	github.com/coreos/go-oidc/v3 v3.11.0
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.23.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-github/v57 v57.0.0
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/pelletier/go-toml v1.9.5
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0
-	github.com/sigstore/cosign/v2 v2.2.4
+	github.com/sigstore/cosign/v2 v2.4.1
 	github.com/sigstore/rekor v1.3.6
-	github.com/sigstore/sigstore v1.8.3
-	github.com/spf13/cobra v1.8.0
-	golang.org/x/oauth2 v0.20.0
+	github.com/sigstore/sigstore v1.8.10
+	github.com/spf13/cobra v1.8.1
+	golang.org/x/oauth2 v0.23.0
 	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cloud.google.com/go/auth v0.9.3 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
+	cloud.google.com/go/compute/metadata v0.5.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
@@ -33,7 +35,7 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
@@ -46,28 +48,29 @@ require (
 	github.com/alibabacloud-go/tea v1.2.1 // indirect
 	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
-	github.com/aliyun/credentials-go v1.3.1 // indirect
+	github.com/aliyun/credentials-go v1.3.2 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.33 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect
-	github.com/aws/smithy-go v1.20.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect
+	github.com/aws/smithy-go v1.20.4 // indirect
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/buildkite/agent/v3 v3.62.0 // indirect
-	github.com/buildkite/go-pipeline v0.3.2 // indirect
-	github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 // indirect
+	github.com/buildkite/agent/v3 v3.81.0 // indirect
+	github.com/buildkite/go-pipeline v0.13.1 // indirect
+	github.com/buildkite/interpolate v0.1.3 // indirect
+	github.com/buildkite/roko v1.2.0 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
@@ -78,18 +81,17 @@ require (
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/docker/cli v24.0.7+incompatible // indirect
+	github.com/docker/cli v27.1.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v25.0.6+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.0 // indirect
@@ -105,15 +107,15 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/certificate-transparency-go v1.1.8 // indirect
+	github.com/google/certificate-transparency-go v1.2.1 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/google/go-containerregistry v0.19.1 // indirect
+	github.com/google/go-containerregistry v0.20.2 // indirect
 	github.com/google/go-github/v55 v55.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.3 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
@@ -123,41 +125,42 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.17.4 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
+	github.com/mozillazg/docker-credential-acr-helper v0.4.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/oleiade/reflections v1.0.1 // indirect
+	github.com/oleiade/reflections v1.1.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/fulcio v1.4.5 // indirect
+	github.com/sigstore/fulcio v1.6.3 // indirect
+	github.com/sigstore/protobuf-specs v0.3.2 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.18.2 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.2.0 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.3.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
@@ -166,32 +169,31 @@ require (
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
-	github.com/xanzy/go-gitlab v0.102.0 // indirect
+	github.com/xanzy/go-gitlab v0.109.0 // indirect
 	github.com/zeebo/errs v1.3.0 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	go.opentelemetry.io/otel v1.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.24.0 // indirect
-	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	go.step.sm/crypto v0.44.2 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+	go.opentelemetry.io/otel v1.29.0 // indirect
+	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+	go.step.sm/crypto v0.51.2 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
-	google.golang.org/api v0.172.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
-	google.golang.org/grpc v1.62.1 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
+	golang.org/x/mod v0.20.0 // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/term v0.25.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
+	google.golang.org/api v0.196.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/grpc v1.66.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -200,9 +202,9 @@ require (
 	k8s.io/client-go v0.28.3 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/release-utils v0.7.7 // indirect
+	sigs.k8s.io/release-utils v0.8.4 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )