chore(deps): update dependency sigstore/cosign to v3.0.4

2026-02-02 20:04:10 +00:00
10 changed files with 33 additions and 39 deletions
@@ -10,19 +10,22 @@ jobs:
    name: "Upload artifacthub-repo.yml to OCI registry"
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.3
+    - uses: actions/checkout@v6.0.2
-    - uses: docker/login-action@v4.2.0
+    - uses: sigstore/cosign-installer@v4.0.0
      with:
-        registry: ${{ github.server_url }}
+        cosign-release: "v3.0.4" # renovate: datasource=github-tags depName=sigstore/cosign
    - uses: docker/login-action@v3.7.0
      with:
        registry: git.cryptic.systems
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
-    - uses: docker/login-action@v4.2.0
+    - uses: docker/login-action@v3.7.0
      with:
        username: ${{ secrets.DOCKER_IO_USERNAME }}
        password: ${{ secrets.DOCKER_IO_PASSWORD }}
-    - uses: oras-project/setup-oras@v2.0.0
+    - uses: oras-project/setup-oras@v1.2.4
      with:
-        version: 1.3.2 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
+        version: 1.3.0 # renovate: datasource=github-tags depName=oras-project/oras extractVersion='^v?(?<version>.*)$'
    - name: Push artifacthub-repo.yml to git.cryptic.systems
      run: |
        oras push git.cryptic.systems/volker.raschek/dcmerge:artifacthub.io \
@@ -35,7 +38,6 @@ jobs:
        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
        oras push git.cryptic.systems/volker.raschek/dcmerge:cosign.pub \
          --artifact-type application/vnd.dev.cosign.public-key.v1 \
          --annotation org.opencontainers.image.title=cosign.pub \
          cosign.pub:application/vnd.dev.cosign.public-key.v1
    - name: Push artifacthub-repo.yml to docker.io
@@ -50,4 +52,4 @@ jobs:
        echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
        oras push docker.io/volkerraschek/dcmerge:cosign.pub \
          --artifact-type application/vnd.dev.cosign.public-key.v1 \
-          cosign.pub:application/vnd.dev.cosign.public-key.v1
+          cosign.pub:application/vnd.dev.cosign.public-key.v1
@@ -20,10 +20,10 @@ jobs:
        go: [ stable ]
        os: [ ubuntu-latest-amd64, ubuntu-latest-arm64 ]
    steps:
-    - uses: actions/checkout@v6.0.3
+    - uses: actions/checkout@v6.0.2
-    - uses: actions/setup-go@v6.4.0
+    - uses: actions/setup-go@v6.2.0
      with:
        go-version: ${{ matrix.go }}
-    - uses: golangci/golangci-lint-action@v9.2.1
+    - uses: golangci/golangci-lint-action@v9.2.0
      with:
-        version: v2.12.2 # renovate: datasource=github-releases depName=golangci/golangci-lint
+        version: v2.8.0 # renovate: datasource=github-releases depName=golangci/golangci-lint
@@ -33,8 +33,8 @@ jobs:
        go: [ stable ]
        os: [ ubuntu-latest-amd64, ubuntu-latest-arm64 ]
    steps:
-    - uses: actions/checkout@v6.0.3
+    - uses: actions/checkout@v6.0.2
-    - uses: actions/setup-go@v6.4.0
+    - uses: actions/setup-go@v6.2.0
      with:
        go-version: ${{ matrix.go }}
    - env:
@@ -13,7 +13,7 @@ jobs:
    name: "Run markdown linter"
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.3
+    - uses: actions/checkout@v6.0.2
-    - uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23.2.0
+    - uses: DavidAnson/markdownlint-cli2-action@v21.0.0
      with:
        globs: '**/*.md'
@@ -12,14 +12,14 @@ jobs:
    name: "Release application"
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.3
+    - uses: actions/checkout@v6.0.2
      with:
        fetch-depth: 0
    - name: Install curl
      run: apt-get update && apt-get install --yes curl
    - name: Install syft
      env:
-        SYFT_VERSION: "1.45.1" # renovate: datasource=github-releases depName=anchore/syft
+        SYFT_VERSION: "1.41.1" # renovate: datasource=github-releases depName=anchore/syft
      run: |
        OS="$(uname | tr '[:upper:]' '[:lower:]')"
        ARCH="$(dpkg --print-architecture)"
@@ -31,17 +31,15 @@ jobs:
            "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_${OS}_${ARCH}.deb"
        dpkg -i syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
        rm syft_${SYFT_VERSION}_${OS}_${ARCH}.deb
-    - uses: volker-raschek/cosign-installer@v4.1.2-rc3
+    - uses: sigstore/cosign-installer@v4.0.0
      with:
-        cosign-release: "v3.1.0" # renovate: datasource=github-tags depName=sigstore/cosign
+        cosign-release: "v3.0.4" # renovate: datasource=github-tags depName=sigstore/cosign
-    - uses: docker/setup-qemu-action@v4.1.0
+    - uses: docker/setup-qemu-action@v3.7.0
-      with:
+    - uses: docker/setup-buildx-action@v3.12.0
-        image: harbor.cryptic.systems/docker/tonistiigi/binfmt:latest
+    - uses: actions/setup-go@v6.2.0
    - uses: docker/setup-buildx-action@v4.1.0
    - uses: actions/setup-go@v6.4.0
      with:
        go-version: stable
-    - uses: docker/login-action@v4.2.0
+    - uses: docker/login-action@v3.7.0
      with:
        registry: git.cryptic.systems
        username: ${{ github.repository_owner }}
@@ -52,9 +50,9 @@ jobs:
        GITEA_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
        GONOSUMDB: ${{ vars.GONOSUMDB }}
        GOPROXY: ${{ vars.GOPROXY }}
-      uses: goreleaser/goreleaser-action@v7.2.2
+      uses: goreleaser/goreleaser-action@v6.4.0
      with:
-        version: v2.16.0 # renovate: datasource=github-releases depName=goreleaser/goreleaser
+        version: v2.13.3 # renovate: datasource=github-releases depName=goreleaser/goreleaser
        args: release --clean
  sync-to-hub-docker-io:
@@ -74,6 +72,6 @@ jobs:
          --dest-password ${{ secrets.DOCKER_IO_PASSWORD }} \
          --dest-username ${{ secrets.DOCKER_IO_USERNAME }} \
          --src-password ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }} \
-          --src-username ${{ github.repository_owner }} \
+          --src-username volker.raschek \
            docker://git.cryptic.systems/volker.raschek/dcmerge:${TAG} \
            docker://docker.io/volkerraschek/dcmerge:${TAG}
@@ -10,7 +10,7 @@ jobs:
  update-description-on-hub-docker-io:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.3
+    - uses: actions/checkout@v6.0.2
    - uses: peter-evans/dockerhub-description@v5.0.0
      with:
        username: ${{ secrets.DOCKER_IO_USERNAME }}
@@ -1,4 +1,3 @@
 dcmerge
 cosign.*
 coverage.*
-dist
+dist
@@ -104,7 +104,6 @@ dockers_v2:
    io.artifacthub.package.alternative-locations: "docker.io/volkerraschek/{{ .ProjectName }}:{{ .Version }}"
    io.artifacthub.package.keywords: "docker,docker-compose,merge,ci"
    io.artifacthub.package.logo-url: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}/raw/tag/v{{ .Version }}/icons/icon.png"
    io.artifacthub.package.license: "MIT"
    io.artifacthub.package.readme-url: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}/raw/tag/v{{ .Version }}/README.md"
@@ -328,13 +327,11 @@ docker_signs:
  #
  # Default: ["sign", "--key=cosign.key", "${artifact}@${digest}", "--yes"].
  # Templates: allowed.
  # Note: Using --registry-referrers-mode=legacy ensures signature is stored as sha256-<digest>.sig tag
  # which is required by ArtifactHub to display the "Signed" badge
  args:
  - "sign"
  - "--key=env://COSIGN_PRIVATE_KEY"
  - "--yes"
  - "${artifact}@${digest}"
  - "--yes"
  # Which artifacts to sign.
  #
@@ -345,7 +342,7 @@ docker_signs:
  #   '':        images built by dockers_v2
  #
  # Default: ''.
-  artifacts: manifests
+  artifacts: all
  # IDs of the artifacts to sign.
  ids:
@@ -359,8 +356,6 @@ docker_signs:
  # StdinFile file to be given to the signature command as stdin.
  # stdin_file: ./passphrase.key
  output: true
 gitea_urls:
  api: https://git.cryptic.systems/api/v1
  download: https://git.cryptic.systems