chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.3 to 3.0.4 #18436

dependabot · 2026-01-12T06:21:24Z

Bumps github.com/sigstore/cosign/v3 from 3.0.3 to 3.0.4.

Release notes

Sourced from github.com/sigstore/cosign/v3's releases.

v3.0.4

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623)

Optimize cosign tree performance by caching digest resolution (#4612)

Don't require a trusted root to verify offline with a key (#4613)

Support default services for trusted-root and signing-config creation (#4592)

Full Changelog: sigstore/cosign@v3.0.3...v3.0.4

Changelog

Sourced from github.com/sigstore/cosign/v3's changelog.

v3.0.4

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623)

Optimize cosign tree performance by caching digest resolution (#4612)

Don't require a trusted root to verify offline with a key (#4613)

Support default services for trusted-root and signing-config creation (#4592)

v2.6.2

v2.6.2 resolves GHSA-whqx-f9j3-ch6m.

Changes

Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4624)

bump sigstore deps to resolve build errors (#4619)

Commits

6832fba Fix bundle verify path for old bundle/trusted root (#4623)
2655ca3 chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4616)
c94c0cf chore(deps): bump cuelang.org/go in the gomod group (#4615)
f924c89 Optimize cosign tree performance by caching digest resolution (#4612)
d8f7d86 Don't require a trusted root to verify offline with a key (#4613)
246945e Support default services for trusted-root and signing-config creation (#4592)
0faa2ad chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4602)
b8d5fd9 chore(deps): bump github.com/sigstore/sigstore-go (#4578)
b16ed6e chore(deps): bump github.com/buildkite/agent/v3 from 3.114.1 to 3.115.2 (#4601)
0ee257b chore(deps): bump google.golang.org/api from 0.257.0 to 0.258.0 (#4611)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @rhacs-bot.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

rhacs-bot

@dependabot squash and merge

dependabot · 2026-01-12T06:21:37Z

Beginning January 27, 2026, Dependabot will no longer support the @dependabot squash and merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.

rhacs-bot

@dependabot squash and merge

dependabot · 2026-01-12T06:21:40Z

Beginning January 27, 2026, Dependabot will no longer support the @dependabot squash and merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.

dependabot · 2026-01-12T06:41:55Z

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

rhacs-bot · 2026-01-12T06:55:42Z

Images are ready for the commit at d44300d.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-744-gd44300d4c5.

codecov · 2026-01-12T11:38:38Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.93%. Comparing base (e358b34) to head (7b08cc0).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #18436   +/-   ##
=======================================
  Coverage   48.92%   48.93%           
=======================================
  Files        2629     2629           
  Lines      197814   197814           
=======================================
+ Hits        96786    96792    +6     
+ Misses      93644    93636    -8     
- Partials     7384     7386    +2

Flag	Coverage Δ
go-unit-tests	`48.93% <ø> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

rhacs-bot · 2026-01-12T12:41:43Z

/retest

rhacs-bot · 2026-01-12T13:32:19Z

/retest

rhacs-bot · 2026-01-12T13:51:57Z

/retest

rhacs-bot · 2026-01-12T14:16:55Z

Images are ready for the commit at 7b08cc0.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-766-g7b08cc01c2.

rhybrillou · 2026-01-13T08:36:00Z

@dependabot rebase

dependabot · 2026-01-13T08:36:04Z

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

Bumps [github.com/sigstore/cosign/v3](https://github.com/sigstore/cosign) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v3.0.3...v3.0.4) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign/v3 dependency-version: 3.0.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

…18436)

dependabot bot added auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails ci-all-qa-tests Tells CI to run all API tests (not just BAT). dependencies Pull requests that update a dependency file labels Jan 12, 2026

dependabot bot requested a review from a team as a code owner January 12, 2026 06:21

dependabot bot added dependencies Pull requests that update a dependency file ci-all-qa-tests Tells CI to run all API tests (not just BAT). auto-merge Auto-merge minor and patch version bumps auto-retest PRs with this label will be automatically retested if prow checks fails labels Jan 12, 2026

rhacs-bot approved these changes Jan 12, 2026

View reviewed changes

rhybrillou requested a review from a team as a code owner January 12, 2026 11:01

rhybrillou requested review from vladbologa and removed request for a team January 12, 2026 11:01

github-actions bot added the area/operator label Jan 12, 2026

rhybrillou force-pushed the dependabot/go_modules/github.com/sigstore/cosign/v3-3.0.4 branch from d44300d to 451a957 Compare January 13, 2026 10:08

dependabot bot and others added 2 commits January 13, 2026 15:35

re-generate files

7b08cc0

rhybrillou force-pushed the dependabot/go_modules/github.com/sigstore/cosign/v3-3.0.4 branch from 451a957 to 7b08cc0 Compare January 13, 2026 14:35

dependabot bot merged commit ddadd27 into master Jan 13, 2026
98 checks passed

dependabot bot deleted the dependabot/go_modules/github.com/sigstore/cosign/v3-3.0.4 branch January 13, 2026 18:22

ksurabhi91 pushed a commit that referenced this pull request Jan 13, 2026

chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.3 to 3.0.4 (#…

c646abf

…18436)

chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.3 to 3.0.4 #18436

chore(deps): bump github.com/sigstore/cosign/v3 from 3.0.3 to 3.0.4 #18436

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v3.0.4

Changes

v3.0.4

Changes

v2.6.2

Changes

Uh oh!

rhacs-bot left a comment

Choose a reason for hiding this comment

Uh oh!

dependabot bot commented on behalf of github Jan 12, 2026

Uh oh!

rhacs-bot left a comment

Choose a reason for hiding this comment

Uh oh!

dependabot bot commented on behalf of github Jan 12, 2026

Uh oh!

dependabot bot commented on behalf of github Jan 12, 2026

Uh oh!

rhacs-bot commented Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

rhacs-bot commented Jan 12, 2026

Uh oh!

rhacs-bot commented Jan 12, 2026

Uh oh!

rhacs-bot commented Jan 12, 2026

Uh oh!

rhacs-bot commented Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rhybrillou commented Jan 13, 2026

Uh oh!

dependabot bot commented on behalf of github Jan 13, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot bot commented on behalf of github Jan 12, 2026 •

edited

Loading

rhacs-bot commented Jan 12, 2026 •

edited

Loading

codecov bot commented Jan 12, 2026 •

edited

Loading

rhacs-bot commented Jan 12, 2026 •

edited

Loading