chore(deps): bump the all group with 14 updates

[dependabot]

Bumps the all group with 14 updates:

Package	From	To
cloud.google.com/go/storage	1.57.1	1.57.2
github.com/google/go-containerregistry	0.20.7	0.20.8
github.com/in-toto/go-witness	0.9.1	0.9.2
github.com/sigstore/cosign/v2	2.6.2	2.6.3
github.com/sigstore/sigstore	1.10.5	1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/aws	1.10.5	1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/azure	1.10.5	1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/gcp	1.10.5	1.10.8
github.com/sigstore/sigstore/pkg/signature/kms/hashivault	1.10.5	1.10.8
github.com/tektoncd/pipeline	1.9.3	1.9.4
k8s.io/api	0.34.1	0.34.9
k8s.io/apimachinery	0.34.1	0.34.9
k8s.io/client-go	0.34.1	0.34.9
k8s.io/code-generator	0.33.4	0.33.13

Updates cloud.google.com/go/storage from 1.57.1 to 1.57.2

Commits

• 54f5f63 chore: librarian release pull request: 20251114T145800Z (#13361)
• 315f65b fix(spanner): decoding spanner rows using SelectAll should map values in corr...
• d1224e8 test(spanner): additional tests for SelectAll() (#13360)
• b9196cf feat: Add grpc.xds.resource_type label to xDS client metrics (#13358)
• b0f1362 fix(storage): Handle redirect on takeover. (#13354)
• 5574f5b chore: librarian update image pull request: 20251113T211851Z (#13355)
• 3fef58b chore(internal/librariangen): bump gapic-generator-go to 0.55.1 (#13352)
• e978a68 chore: update the go version in renovate.json (#13348)
• 29b6c97 chore: librarian update image pull request: 20251112T170525Z (#13346)
• 1f4da37 chore(internal/librariangen): bump gapic-generator-go to 0.55.0 (#13345)
• Additional commits viewable in compare view

Updates github.com/google/go-containerregistry from 0.20.7 to 0.20.8

Commits

• b58334f Disable taint gosec lints (#2215)
• 88b39ed Bump the go-deps group across 3 directories with 3 updates (#2213)
• 102ac75 join go.mod dependency updates (#2212)
• d5817d5 Bump go version across packages to 1.25.6 (#2211)
• 23f0632 Fix error messages in crane_test.go (#2189)
• 438abde Bump the root-deps group across 1 directory with 7 updates (#2195)
• b6eadd8 Bump the actions group across 1 directory with 4 updates (#2207)
• 93aa273 Improve performance of v1.NewHash (#2194)
• 795787c mutate: don't skip dir replacements via whiteout in export (#2191)
• See full diff in compare view

Updates github.com/in-toto/go-witness from 0.9.1 to 0.9.2

Release notes

Sourced from github.com/in-toto/go-witness's releases.

v0.9.2

What's Changed

• Fix/window unit test by @​manzil-infinity180 in in-toto/go-witness#583
• fix(attestation/secretscan): demo script by @​manzil-infinity180 in in-toto/go-witness#597
• fix: panic in IsSPDXJson & IsCycloneDXJson when SBOM file (<500 bytes) by @​manzil-infinity180 in in-toto/go-witness#608
• feat: support Sigstore encrypted PEM keys by @​fkautz in in-toto/go-witness#614
• fix: handle cosign encrypted keys with empty passphrase by @​fkautz in in-toto/go-witness#632

Full Changelog: in-toto/go-witness@v0.9.1...v0.9.2

Commits

• 1b6dcd7 chore: bump github.com/aws/aws-sdk-go-v2/config from 1.31.20 to 1.31.21 (#638)
• e03e418 chore: bump github.com/aws/aws-sdk-go-v2/service/kms from 1.48.2 to 1.48.3 (#...
• b27326c chore: bump github/codeql-action from 4.31.9 to 4.31.10 (#635)
• d999c86 chore: bump github.com/aws/aws-sdk-go-v2/feature/ec2/imds from 1.18.13 to 1.1...
• df5f3b3 chore: bump github.com/sigstore/sigstore from 1.10.0 to 1.10.3 (#633)
• 220bcf5 fix: handle cosign encrypted keys with empty passphrase (#632)
• ea9777b chore: bump github.com/sigstore/fulcio from 1.6.6 to 1.8.3 in the go_modules ...
• ea8e8b7 chore: bump github.com/spdx/tools-golang from 0.5.5 to 0.5.6 (#630)
• a21b507 chore: bump github/codeql-action from 4.31.8 to 4.31.9 (#626)
• 19c07c1 feat: support Sigstore encrypted PEM keys (#614)
• Additional commits viewable in compare view

Updates github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.6.3

Changelog

v2.6.3 resolves GHSA-w6c6-c85g-mmv6.

• fecddd3c22045a39f52392e71e79f66854b41352 Fix DSSE predicate check (#4802)
• 564c5b1b0bed7bd991910774c47df1150ffb8aa8 Backport bundle detection to sign and attest (#4727)

Thanks to all contributors!

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v3.0.5

Deprecations

• Deprecate rekor-entry-type flag (#4691)
• Deprecate cosign triangulate (#4676)
• Deprecate cosign copy (#4681)

Features

• Automatically require signed timestamp with Rekor v2 entries (#4666)
• Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)
• Add mTLS support for TSA client connections when signing with a signing config (#4620)
• Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)

Bug Fixes

• Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)
• fix: avoid panic on malformed attestation payload (#4651)
• fix: avoid panic on malformed tlog entries (#4649)
• fix: avoid panic on malformed replace payload (#4653)
• Gracefully fail if bundle payload body is not a string (#4648)
• Verify validity of chain rather than just certificate (#4663)
• fix: avoid panic on malformed tlog entry body (#4652)

Documentation

• docs(cosign): clarify RFC3161 revocation semantics (#4642)
• Fix typo in CLI help (#4701)

v3.0.4

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

• Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623)
• Optimize cosign tree performance by caching digest resolution (#4612)
• Don't require a trusted root to verify offline with a key (#4613)
• Support default services for trusted-root and signing-config creation (#4592)

Commits

• fecddd3 Fix DSSE predicate check (#4802)
• 564c5b1 Backport bundle detection to sign and attest (#4727)
• See full diff in compare view

Updates github.com/sigstore/sigstore from 1.10.5 to 1.10.8

Release notes

Sourced from github.com/sigstore/sigstore's releases.

v1.10.8

What's Changed

• Support standard PKCS#8 encrypted private key decryption in sigstore/sigstore#2333

Full Changelog: sigstore/sigstore@v1.10.7...v1.10.8

v1.10.7

What's Changed

• add functional options to DSSE to improve memory usage, validation in sigstore/sigstore#2326
• Extend PEM private key unmarshalling to support legacy format in sigstore/sigstore#2332

Full Changelog: sigstore/sigstore@v1.10.6...v1.10.7

v1.10.6

What's Changed

• fix: remove leftover Go template syntax from success page by @​imjasonh in sigstore/sigstore#2324

Full Changelog: sigstore/sigstore@v1.10.5...v1.10.6

Commits

• c761681 Support standard PKCS#8 encrypted private key decryption (#2333)
• 005faf9 Extend PEM private key unmarshalling to support legacy format (#2332)
• e70e4ed add functional options to DSSE to improve memory usage, validation (#2326)
• 899684d build(deps): Bump github.com/letsencrypt/boulder (#2307)
• 181dc40 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/azure (#2308)
• 2c141a7 build(deps): Bump golangci/golangci-lint-action in the all group (#2328)
• b6c0214 build(deps): Bump actions/upload-artifact from 6.0.0 to 7.0.1 (#2329)
• 2ff50c9 build(deps): Bump actions/dependency-review-action from 4.8.3 to 5.0.0 (#2330)
• d0204c3 build(deps): Bump hashicorp/vault from 1.21.4 to 2.0.1 in /test/e2e (#2331)
• afdf897 build(deps): Bump google.golang.org/grpc in /pkg/signature/kms/gcp (#2312)
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.10.5 to 1.10.8

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/aws's releases.

v1.10.8

What's Changed

• Support standard PKCS#8 encrypted private key decryption in sigstore/sigstore#2333

Full Changelog: sigstore/sigstore@v1.10.7...v1.10.8

v1.10.7

What's Changed

• add functional options to DSSE to improve memory usage, validation in sigstore/sigstore#2326
• Extend PEM private key unmarshalling to support legacy format in sigstore/sigstore#2332

Full Changelog: sigstore/sigstore@v1.10.6...v1.10.7

v1.10.6

What's Changed

• fix: remove leftover Go template syntax from success page by @​imjasonh in sigstore/sigstore#2324

Full Changelog: sigstore/sigstore@v1.10.5...v1.10.6

Commits

• c761681 Support standard PKCS#8 encrypted private key decryption (#2333)
• 005faf9 Extend PEM private key unmarshalling to support legacy format (#2332)
• e70e4ed add functional options to DSSE to improve memory usage, validation (#2326)
• 899684d build(deps): Bump github.com/letsencrypt/boulder (#2307)
• 181dc40 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/azure (#2308)
• 2c141a7 build(deps): Bump golangci/golangci-lint-action in the all group (#2328)
• b6c0214 build(deps): Bump actions/upload-artifact from 6.0.0 to 7.0.1 (#2329)
• 2ff50c9 build(deps): Bump actions/dependency-review-action from 4.8.3 to 5.0.0 (#2330)
• d0204c3 build(deps): Bump hashicorp/vault from 1.21.4 to 2.0.1 in /test/e2e (#2331)
• afdf897 build(deps): Bump google.golang.org/grpc in /pkg/signature/kms/gcp (#2312)
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.10.5 to 1.10.8

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/azure's releases.

v1.10.8

What's Changed

• Support standard PKCS#8 encrypted private key decryption in sigstore/sigstore#2333

Full Changelog: sigstore/sigstore@v1.10.7...v1.10.8

v1.10.7

What's Changed

• add functional options to DSSE to improve memory usage, validation in sigstore/sigstore#2326
• Extend PEM private key unmarshalling to support legacy format in sigstore/sigstore#2332

Full Changelog: sigstore/sigstore@v1.10.6...v1.10.7

v1.10.6

What's Changed

• fix: remove leftover Go template syntax from success page by @​imjasonh in sigstore/sigstore#2324

Full Changelog: sigstore/sigstore@v1.10.5...v1.10.6

Commits

• c761681 Support standard PKCS#8 encrypted private key decryption (#2333)
• 005faf9 Extend PEM private key unmarshalling to support legacy format (#2332)
• e70e4ed add functional options to DSSE to improve memory usage, validation (#2326)
• 899684d build(deps): Bump github.com/letsencrypt/boulder (#2307)
• 181dc40 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/azure (#2308)
• 2c141a7 build(deps): Bump golangci/golangci-lint-action in the all group (#2328)
• b6c0214 build(deps): Bump actions/upload-artifact from 6.0.0 to 7.0.1 (#2329)
• 2ff50c9 build(deps): Bump actions/dependency-review-action from 4.8.3 to 5.0.0 (#2330)
• d0204c3 build(deps): Bump hashicorp/vault from 1.21.4 to 2.0.1 in /test/e2e (#2331)
• afdf897 build(deps): Bump google.golang.org/grpc in /pkg/signature/kms/gcp (#2312)
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.10.5 to 1.10.8

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/gcp's releases.

v1.10.8

What's Changed

• Support standard PKCS#8 encrypted private key decryption in sigstore/sigstore#2333

Full Changelog: sigstore/sigstore@v1.10.7...v1.10.8

v1.10.7

What's Changed

• add functional options to DSSE to improve memory usage, validation in sigstore/sigstore#2326
• Extend PEM private key unmarshalling to support legacy format in sigstore/sigstore#2332

Full Changelog: sigstore/sigstore@v1.10.6...v1.10.7

v1.10.6

What's Changed

• fix: remove leftover Go template syntax from success page by @​imjasonh in sigstore/sigstore#2324

Full Changelog: sigstore/sigstore@v1.10.5...v1.10.6

Commits

• c761681 Support standard PKCS#8 encrypted private key decryption (#2333)
• 005faf9 Extend PEM private key unmarshalling to support legacy format (#2332)
• e70e4ed add functional options to DSSE to improve memory usage, validation (#2326)
• 899684d build(deps): Bump github.com/letsencrypt/boulder (#2307)
• 181dc40 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/azure (#2308)
• 2c141a7 build(deps): Bump golangci/golangci-lint-action in the all group (#2328)
• b6c0214 build(deps): Bump actions/upload-artifact from 6.0.0 to 7.0.1 (#2329)
• 2ff50c9 build(deps): Bump actions/dependency-review-action from 4.8.3 to 5.0.0 (#2330)
• d0204c3 build(deps): Bump hashicorp/vault from 1.21.4 to 2.0.1 in /test/e2e (#2331)
• afdf897 build(deps): Bump google.golang.org/grpc in /pkg/signature/kms/gcp (#2312)
• Additional commits viewable in compare view

Updates github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.10.5 to 1.10.8

Release notes

Sourced from github.com/sigstore/sigstore/pkg/signature/kms/hashivault's releases.

v1.10.8

What's Changed

• Support standard PKCS#8 encrypted private key decryption in sigstore/sigstore#2333

Full Changelog: sigstore/sigstore@v1.10.7...v1.10.8

v1.10.7

What's Changed

• add functional options to DSSE to improve memory usage, validation in sigstore/sigstore#2326
• Extend PEM private key unmarshalling to support legacy format in sigstore/sigstore#2332

Full Changelog: sigstore/sigstore@v1.10.6...v1.10.7

v1.10.6

What's Changed

• fix: remove leftover Go template syntax from success page by @​imjasonh in sigstore/sigstore#2324

Full Changelog: sigstore/sigstore@v1.10.5...v1.10.6

Commits

• c761681 Support standard PKCS#8 encrypted private key decryption (#2333)
• 005faf9 Extend PEM private key unmarshalling to support legacy format (#2332)
• e70e4ed add functional options to DSSE to improve memory usage, validation (#2326)
• 899684d build(deps): Bump github.com/letsencrypt/boulder (#2307)
• 181dc40 build(deps): Bump golang.org/x/crypto in /pkg/signature/kms/azure (#2308)
• 2c141a7 build(deps): Bump golangci/golangci-lint-action in the all group (#2328)
• b6c0214 build(deps): Bump actions/upload-artifact from 6.0.0 to 7.0.1 (#2329)
• 2ff50c9 build(deps): Bump actions/dependency-review-action from 4.8.3 to 5.0.0 (#2330)
• d0204c3 build(deps): Bump hashicorp/vault from 1.21.4 to 2.0.1 in /test/e2e (#2331)
• afdf897 build(deps): Bump google.golang.org/grpc in /pkg/signature/kms/gcp (#2312)
• Additional commits viewable in compare view

Updates github.com/tektoncd/pipeline from 1.9.3 to 1.9.4

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v1.9.4 "Devon Rex Dreadnought"

-Docs @ v1.9.4 -Examples @ v1.9.4

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.4/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a6caf9d3ec2c93e09453c4a1972c86e8e0de9df813bbc2d000e6c022c5d63b935

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a6caf9d3ec2c93e09453c4a1972c86e8e0de9df813bbc2d000e6c022c5d63b935
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.9.4/release.yaml
REKOR_UUID=108e9186e8c5677a6caf9d3ec2c93e09453c4a1972c86e8e0de9df813bbc2d000e6c022c5d63b935
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v1.9.4@sha256:" + .digest.sha256')
Download the release file
curl -L "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

... (truncated)

Commits

• 52d677f build(deps): bump the all group in /tekton with 4 updates
• 1eb2fe3 fix(resolvers): Allow ResolutionRequests to resolve all Tekton kinds
• b6b85c5 build(deps): bump the all group in /tekton with 4 updates
• 7237155 build(deps): bump the all group across 1 directory with 4 updates
• 9937571 fix: add automated draft release support to release pipeline
• 7666a7d build(deps): bump actions/checkout from 6.0.2 to 6.0.3
• 474b1c7 fix: prevent controller CPU variant from leaking into platform commands
• daf477c build(deps): bump github.com/spiffe/spire-api-sdk from 1.14.6 to 1.14.7
• 8528597 fix(pipelinerun): use generateName for anonymous pipeline label
• d343c6a build(deps): bump the all group in /tekton with 4 updates
• Additional commits viewable in compare view

Updates k8s.io/api from 0.34.1 to 0.34.9

Commits

• 65439ae Update dependencies to v0.34.9 tag
• ad42a1f Merge pull request #138357 from dims/update-moby-spdystream-v0.5.1-1.34
• f7287d9 Merge pull request #138349 from dashpole/update_prop_34
• 39fcc47 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
• dfcdfcd update go.opentelemetry.io/otel to v1.41.0
• See full diff in compare view

Updates k8s.io/apimachinery from 0.34.1 to 0.34.9

Commits

• 454f531 Merge pull request #138357 from dims/update-moby-spdystream-v0.5.1-1.34
• e44e450 Merge pull request #138349 from dashpole/update_prop_34
• e2c5a26 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
• 03b02ab update go.opentelemetry.io/otel to v1.41.0
• See full diff in compare view

Updates k8s.io/client-go from 0.34.1 to 0.34.9

Commits

• 1976477 Update dependencies to v0.34.9 tag
• e4156f3 Merge pull request #138357 from dims/update-moby-spdystream-v0.5.1-1.34
• e7de3f2 Merge pull request #138349 from dashpole/update_prop_34
• 32b5239 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
• 3f8d3ef update go.opentelemetry.io/otel to v1.41.0
• 3a88ce1 Merge pull request #135716p0lyn0mial/automated-cherry-pick-of-#135591
• c80976c downgrade reflector watchlist fallback log to V(4)
• ab04e77 Merge pull request #135592serathius/automated-cherry-pick-of-#135580
• 25da701 Use transformer in consistency checker
• 0c76ee5 Add unit tests for Data Consistency Detector
• Additional commits viewable in compare view

Updates k8s.io/code-generator from 0.33.4 to 0.33.13

Commits

• 5288b09 Update dependencies to v0.33.13 tag
• 32553f2 Merge pull request #138358 from dims/update-moby-spdystream-v0.5.1-1.33
• c78d0c2 Merge pull request #138350 from dashpole/update_prop_33
• e3e80d4 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
• 8431104 update go.opentelemetry.io/otel to v1.41.0
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[anithapriyanatarajan]

/lgtm

[anithapriyanatarajan]

/approve

[jkhelil]

/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anithapriyanatarajan, jkhelil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jkhelil]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment