build(deps): bump github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.0

[dependabot]

Bumps github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.0.

Release notes

Sourced from github.com/sigstore/cosign/v2's releases.

v2.2.0

Enhancements

• switch to uploading DSSE types to rekor instead of intoto (#3113)
• add 'cosign sign' command-line parameters for mTLS (#3052)
• improve error messages around bundle != payload hash (#3146)
• make VerifyImageAttestation function public (#3156)
• Switch to cryptoutils function for SANS (#3185)
• Handle HTTP_1_1_REQUIRED errors in github provider (#3172)

Bug Fixes

• Fix nondeterminsitic timestamps (#3121)

Documentation

• doc: Add example of sign-blob with key in env var (#3152)
• add deprecation notice for cosign-releases GCS bucket (#3148)
• update doc links (#3186)

Others

• Upgrade to go1.21 (#3188)
• Updates ci tests (#3142)
• test using latest release of scaffolding (#3187)
• ci: free up disk space for the gh runner (#3169)
• update go-github to v53 (#3116)
• call e2e test for cosign attach (#3112)
• bump build cross to use go1.20.6 and cosign image to 2.1.1 (#3108)

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v2.2.0

Enhancements

• switch to uploading DSSE types to rekor instead of intoto (#3113)
• add 'cosign sign' command-line parameters for mTLS (#3052)
• improve error messages around bundle != payload hash (#3146)
• make VerifyImageAttestation function public (#3156)
• Switch to cryptoutils function for SANS (#3185)
• Handle HTTP_1_1_REQUIRED errors in github provider (#3172)

Bug Fixes

• Fix nondeterminsitic timestamps (#3121)

Documentation

• doc: Add example of sign-blob with key in env var (#3152)
• add deprecation notice for cosign-releases GCS bucket (#3148)
• update doc links (#3186)

Others

• Upgrade to go1.21 (#3188)
• Updates ci tests (#3142)
• test using latest release of scaffolding (#3187)
• ci: free up disk space for the gh runner (#3169)
• update go-github to v53 (#3116)
• call e2e test for cosign attach (#3112)
• bump build cross to use go1.20.6 and cosign image to 2.1.1 (#3108)

Contributors

• Bob Callaway
• Carlos Tadeu Panato Junior
• Dmitry Savintsev
• Hayden B
• Hector Fernandez
• Jason Hall
• Jon Johnson
• Jubril Oyetunji
• Paulo Gomes
• Priya Wadhwa
• 张志强

Commits

• 546f1c5 add changelog for v2.2.0 (#3198)
• 126474c add mTLS to TSA for sign-blob command (#3200)
• 5f747c2 chore(deps): bump github.com/buildkite/agent/v3 from 3.52.0 to 3.52.1 (#3204)
• 2c5efb8 chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#3203)
• d557f47 Add SECURITY.md file (#3201)
• 1e9bac4 chore(deps): bump github.com/sigstore/timestamp-authority (#3199)
• beefa3b Docs/update links (#3196)
• b6c986f chore(deps): bump go.step.sm/crypto from 0.34.0 to 0.35.0 (#3194)
• 8df14d8 chore(deps): bump google.golang.org/api from 0.137.0 to 0.138.0 (#3195)
• fdb1496 chore(deps): bump github.com/buildkite/agent/v3 from 3.51.0 to 3.52.0 (#3193)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)