Bump github.com/sigstore/cosign from 1.9.0 to 1.10.0

[dependabot]

Bumps github.com/sigstore/cosign from 1.9.0 to 1.10.0.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.10.0

What's Changed

• Bump google.golang.org/api from 0.81.0 to 0.82.0 by @​dependabot in sigstore/cosign#1948
• Bump github/codeql-action from 2.1.11 to 2.1.12 by @​dependabot in sigstore/cosign#1951
• replace gcr.io/distroless/ to use ghcr.io/distroless/ by @​cpanato in sigstore/cosign#1961
• Bump github.com/hashicorp/go-secure-stdlib/parseutil from 0.1.5 to 0.1.6 by @​dependabot in sigstore/cosign#1958
• Bump google.golang.org/grpc from 1.46.2 to 1.47.0 by @​dependabot in sigstore/cosign#1943
• Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @​dependabot in sigstore/cosign#1963
• Separate RegExp matching of issuer/subject from strict by @​vaikas in sigstore/cosign#1956
• tuf: improve TUF client concurrency and caching by @​asraa in sigstore/cosign#1953
• Add Cloudsmith Container Registry to tested registry list by @​ciaracarey in sigstore/cosign#1966
• feat(fulcioroots): singleton error pattern by @​developer-guy in sigstore/cosign#1965
• Bump github.com/hashicorp/go-hclog from 1.2.0 to 1.2.1 by @​dependabot in sigstore/cosign#1968
• Bump actions/cache from 3.0.3 to 3.0.4 by @​dependabot in sigstore/cosign#1970
• Drop tuf client dependency on GCS client library by @​imjasonh in sigstore/cosign#1967
• Add spdxjson predicate type for attestations by @​jdolitsky in sigstore/cosign#1974
• Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @​dependabot in sigstore/cosign#1980
• Remove policy-controller now that it lives in sigstore/policy-controller by @​vaikas in sigstore/cosign#1976
• cleanup: unexport kubernetes.Client method by @​imjasonh in sigstore/cosign#1973
• Bump google.golang.org/api from 0.82.0 to 0.83.0 by @​dependabot in sigstore/cosign#1979
• cleanup ci job and remove policy-controller references by @​cpanato in sigstore/cosign#1981
• fix typos by @​cpanato in sigstore/cosign#1982
• fix/update post build job by @​cpanato in sigstore/cosign#1983
• docs: updated Azure kms commands. by @​JBrejnholt in sigstore/cosign#1972
• Add cyclonedx predicate type for attestations by @​jdolitsky in sigstore/cosign#1977
• Route deprecated -version to version subcommand by @​puerco in sigstore/cosign#1854
• docs(readme): add installation steps for container image for cosign binary by @​developer-guy in sigstore/cosign#1986
• Add --platform flag to cosign sbom download by @​puerco in sigstore/cosign#1975
• Bump github.com/hashicorp/vault/sdk from 0.5.0 to 0.5.1 by @​dependabot in sigstore/cosign#1988
• Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @​imjasonh in sigstore/cosign#1866
• Bump sigstore/sigstore to HEAD by @​puerco in sigstore/cosign#1995
• Add --oidc-provider flag to specify which provider to use for ambient credentials by @​priyawadhwa in sigstore/cosign#1998
• Bump google.golang.org/api from 0.83.0 to 0.84.0 by @​dependabot in sigstore/cosign#1999
• Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @​dependabot in sigstore/cosign#2000
• Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.2 by @​dependabot in sigstore/cosign#1996
• Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @​dependabot in sigstore/cosign#2001
• encrypt values to create the github action secret by @​cpanato in sigstore/cosign#1990
• Bump github.com/stretchr/testify from 1.7.2 to 1.7.3 by @​dependabot in sigstore/cosign#2009
• Bump github/codeql-action from 2.1.12 to 2.1.13 by @​dependabot in sigstore/cosign#2013
• Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 by @​dependabot in sigstore/cosign#2012
• Bump github.com/google/go-github/v45 from 45.1.0 to 45.2.0 by @​dependabot in sigstore/cosign#2011
• Bump github.com/stretchr/testify from 1.7.3 to 1.7.4 by @​dependabot in sigstore/cosign#2010
• Bump google.golang.org/api from 0.84.0 to 0.85.0 by @​dependabot in sigstore/cosign#2015
• sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @​Dentrax in sigstore/cosign#2016
• Bump mikefarah/yq from 4.25.2 to 4.25.3 by @​dependabot in sigstore/cosign#2022
• Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @​dependabot in sigstore/cosign#2021
• Bump github/codeql-action from 2.1.13 to 2.1.14 by @​dependabot in sigstore/cosign#2023
• Attempt to clean up pkg/cosign by @​imjasonh in sigstore/cosign#2018
• public-key: fix command description by @​Dentrax in sigstore/cosign#2024
• Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @​dependabot in sigstore/cosign#2026

... (truncated)

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.10.0

Enhancements

• Add env subcommand. (sigstore/cosign#2051)
• feat: cert-extensions verify (sigstore/cosign#1626)
• sign-blob: bundle should work independently (sigstore/cosign#2016)
• Add --oidc-provider flag to specify which provider to use for ambient credentials (sigstore/cosign#1998)
• Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore (sigstore/cosign#1866)
• Add --platform flag to cosign sbom download (sigstore/cosign#1975)
• Route deprectated -version to subcommand (sigstore/cosign#1854)
• Add cyclonedx predicate type for attestations (sigstore/cosign#1977)
• Updated Azure kms commands. (sigstore/cosign#1972)
• Add spdxjson predicate type for attestations (sigstore/cosign#1974)
• Drop tuf client dependency on GCS client library (sigstore/cosign#1967)
• feat(fulcioroots): singleton error pattern (sigstore/cosign#1965)
• tuf: improve TUF client concurrency and caching (sigstore/cosign#1953)
• Separate RegExp matching of issuer/subject from strict (sigstore/cosign#1956)

Documention

• update design doc link (sigstore/cosign#2077)
• specs: fix list formatting on SIGNATURE_SPEC (sigstore/cosign#2030)
• public-key: fix command description (sigstore/cosign#2024)
• docs(readme): add installation steps for container image for cosign binary (sigstore/cosign#1986)
• Add Cloudsmith Container Registry to tested registry list (sigstore/cosign#1966)

Bug Fixes

• Fix OIDC test (sigstore/cosign#2050)
• Use cosign.ConfirmPrompt more consistently (sigstore/cosign#2039)
• chore: add note about SIGSTORE_REKOR_PUBLIC_KEY (sigstore/cosign#2040)
• Fix #1378 create new attestation signature in replace mode if not existent (sigstore/cosign#2014)
• encrypt values to create the github action secret (sigstore/cosign#1990)
• fix/update post build job (sigstore/cosign#1983)
• fix typos (sigstore/cosign#1982)

Others

• Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 (sigstore/cosign#2079)
• Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (sigstore/cosign#2078)
• Bump google.golang.org/api from 0.87.0 to 0.88.0 (sigstore/cosign#2081)
• Remove hack/tools.go (sigstore/cosign#2080)
• Remove replace directives in go.mod. (sigstore/cosign#2070)
• Bump mikefarah/yq from 4.25.3 to 4.26.1 (sigstore/cosign#2076)
• Bump github.com/xanzy/go-gitlab from 0.68.2 to 0.69.0 (sigstore/cosign#2075)
• Bump actions/dependency-review-action from 2.0.2 to 2.0.4 (sigstore/cosign#2073)
• Bump google.golang.org/api from 0.86.0 to 0.87.0 (sigstore/cosign#2064)
• chore(deps): CycloneDX PredicateType changed to use in-toto-golang (sigstore/cosign#2067)

... (truncated)

Commits

• 3a6088d fix missing quote (#2090)
• 6a902ec add changelog for v1.10.0 release (#2087)
• 00b1c2c update builder image to use go1.18.4 (#2086)
• 3e49138 Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 (#2079)
• 51ac3ec Bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (#2078)
• cd39e55 Bump google.golang.org/api from 0.87.0 to 0.88.0 (#2081)
• 96613ae Remove hack/tools.go (#2080)
• 8f2c36d update design doc link (#2077)
• e088f46 Remove replace directives in go.mod. (#2070)
• 560c50d Bump mikefarah/yq from 4.25.3 to 4.26.1 (#2076)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov-commenter]

Codecov Report

Merging #781 (44eaeb1) into main (d71c0df) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #781   +/-   ##
=======================================
  Coverage   51.40%   51.40%           
=======================================
  Files          44       44           
  Lines        3336     3336           
=======================================
  Hits         1715     1715           
  Misses       1403     1403           
  Partials      218      218           

Help us with your feedback. Take ten seconds to tell us how you rate us.