deps(actions)(deps): bump sigstore/cosign-installer from 3.9.1 to 4.1.2#7
Conversation
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.9.1 to 4.1.2. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@398d4b0...6f9f177) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
The "Run module-level tests" step in ci.yml referenced tests/test_wl_hmac_key.py — a file that never existed. The result was every Unit Tests run on main red since the workflow landed (verified via gh run list --workflow=ci.yml -- 5+ consecutive failures on commits a48f6c2 / 4330149 / ab53066 / 91d9d22 / b14b3c9 all citing "ERROR: file or directory not found: tests/test_wl_hmac_key.py", exit code 4). HMAC coverage is already provided by tests/unit/test_hmac_key.py + tests/unit/test_hmac_sig_fuzz.py, both of which run via the prior `pytest tests/unit/` step. So removing the broken line loses zero coverage — it just unblocks the workflow. Same shape of fix as the round-7-B4 cleanup that removed a stale tests/test_wl_filelock.py reference. Updated the preamble comment to document BOTH missing-file gotchas so they don't get re-added by a future contributor reading the old comment as a TODO. Side benefit: this also unblocks the Unit Tests check on every open Dependabot PR (#7-#16), which were all red on the same missing-file error.
|
Closing per locked decision in
The 2026-05-13 / 2026-05-20 Sigstore §8 dry-runs are our authoritative supply-chain verification artifact. Bumping cosign-installer without re-running §8 would invalidate them. This is a dedicated cycle scheduled separately; please don't re-propose without the §8 re-run plan. If a security advisory against cosign-installer v3 forces our hand, see the same DECISION_LOG row for the cosign-release v2.x ↔ v3+ |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
1 participant
Bumps sigstore/cosign-installer from 3.9.1 to 4.1.2.
Release notes
Sourced from sigstore/cosign-installer's releases.
... (truncated)
Commits
6f9f177Bump cosign to 3.0.6 (#232)b5e753aBump actions/github-script from 8.0.0 to 9.0.0 (#230)115e4ceBump actions/setup-go from 6.3.0 to 6.4.0 (#226)cad07c2chore: update default cosign-release to v3.0.5 (#223)ba7bc0afix: add retry to curl downloads for transient network failures (#210)5a292e1Bump cosign to 3.0.5 (#220)351ea76Bump actions/checkout from 6.0.1 to 6.0.2 (#217)c17565ftest with go 1.26 too (#221)a6fdd19Bump actions/setup-go from 6.1.0 to 6.3.0 (#218)430b6a7docs: fix registry from gcr.io to ghcr.io (#213)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)