Bump github.com/sigstore/cosign from 1.12.1 to 1.13.0

[dependabot]

Bumps github.com/sigstore/cosign from 1.12.1 to 1.13.0.

Release notes

Sourced from github.com/sigstore/cosign's releases.

v1.13.0

Highlights

• For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version."

What's Changed

• add changelog for v1.12.1 by @​cpanato in sigstore/cosign#2270
• deps: update sigstore/sigstore by @​asraa in sigstore/cosign#2271
• chore(deps): bump github/codeql-action from 2.1.24 to 2.1.25 by @​dependabot in sigstore/cosign#2274
• feat: use stdin as an input for predicate by @​developer-guy in sigstore/cosign#2269
• feat: improve the verification message by @​developer-guy in sigstore/cosign#2268
• use scaffolding 0.4.8 for tests. by @​vaikas in sigstore/cosign#2280
• chore(deps): bump actions/dependency-review-action from 2.3.0 to 2.4.0 by @​dependabot in sigstore/cosign#2281
• fix pivtool generate key touch policy by @​cpanato in sigstore/cosign#2282
• Check error on chain verification failure by @​haydentherapper in sigstore/cosign#2284
• Fix: Remove an extra registry request from verification path. by @​mattmoor in sigstore/cosign#2285
• Fix: Create a static copy of signatures as part of verification. by @​mattmoor in sigstore/cosign#2287
• Data race in FetchSignaturesForReference by @​RTann in sigstore/cosign#2283
• Add support for Fulcio username identity in SAN by @​haydentherapper in sigstore/cosign#2291
• fix: make tlog entry lookups for online verification shard-aware by @​asraa in sigstore/cosign#2297
• Better help text to sign and verify SBOM by @​ChristianCiach in sigstore/cosign#2308
• Adding warning to pin to digest by @​ChaosInTheCRD in sigstore/cosign#2311
• Add annotations for upload blob. by @​cldmnky in sigstore/cosign#2188
• replace deprecate package by @​cpanato in sigstore/cosign#2314
• update release images to use go1.19.2 and cosign v1.12.1 by @​cpanato in sigstore/cosign#2315

New Contributors

• @​RTann made their first contribution in sigstore/cosign#2283
• @​ChristianCiach made their first contribution in sigstore/cosign#2308
• @​ChaosInTheCRD made their first contribution in sigstore/cosign#2311
• @​cldmnky made their first contribution in sigstore/cosign#2188

Full Changelog: sigstore/cosign@v1.12.1...v1.13.0

Changelog

Sourced from github.com/sigstore/cosign's changelog.

v1.13.0

Highlights

• For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version."

Enhancements

• Add support for Fulcio username identity in SAN (sigstore/cosign#2291)
• Data race in FetchSignaturesForReference (sigstore/cosign#2283)
• Check error on chain verification failure (sigstore/cosign#2284)
• feat: improve the verification message (sigstore/cosign#2268)
• feat: use stdin as an input for predicate (sigstore/cosign#2269)

Bug Fixes

• fix: make tlog entry lookups for online verification shard-aware (sigstore/cosign#2297)
• Fix: Create a static copy of signatures as part of verification. (sigstore/cosign#2287)
• Fix: Remove an extra registry request from verification path. (sigstore/cosign#2285)
• fix pivtool generate key touch policy (sigstore/cosign#2282)

Others

• use scaffolding 0.4.8 for tests. (sigstore/cosign#2280)

Contributors

• Asra Ali (@​asraa)
• Batuhan Apaydın (@​developer-guy)
• Carlos Tadeu Panato Junior (@​cpanato)
• Hayden Blauzvern (@​haydentherapper)
• Matt Moore (@​mattmoor)
• Ross Tannenbaum (@​RTann)
• Ville Aikas (@​vaikas)

Commits

• 6b9820a chore(deps): bump github/codeql-action from 2.1.26 to 2.1.27 (#2317)
• d4459ef update release images to use go1.19.2 and cosign v1.12.1 (#2315)
• 7978172 chore(deps): bump mikefarah/yq from 4.27.5 to 4.28.1 (#2312)
• 58e0c0f replace deprecate package (#2314)
• dc40467 Add annotations for upload blob. (#2188)
• 91b03f2 adding warning to pin to digest (#2311)
• 4f82d96 Better help text to sign and verify SBOM (#2308)
• 693b545 chore(deps): bump actions/checkout from 3.0.2 to 3.1.0 (#2309)
• 1370afe chore(deps): bump github.com/sigstore/fulcio from 0.5.3 to 0.6.0 (#2301)
• d3f3d14 chore(deps): bump actions/github-script from 6.3.0 to 6.3.1 (#2303)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[imjasonh]

@dependabot rebase

[dependabot]

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

[imjasonh]

@dependabot recreate