Bump sigs.k8s.io/promo-tools/v4 from 4.1.0 to 4.3.0 #4290

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/sigs.k8s.io/promo-tools/v4-4.3.0

@dependabot dependabot bot commented on behalf of github Feb 26, 2026

Bumps sigs.k8s.io/promo-tools/v4 from 4.1.0 to 4.3.0.

Release notes

Sourced from sigs.k8s.io/promo-tools/v4's releases.

v4.3.0

Changes by Kind

Feature

  • Add kpromo cip replicate-signatures subcommand for standalone signature replication to mirror registries. (#1715, @​saschagrunert) [SIG Release]

Other (Cleanup or Flake)

  • Remove deprecated cip audit subcommand and legacy e2e test infrastructure (#1716, @​saschagrunert) [SIG Release]
  • Remove deprecated kpromo mm (cip-mm) subcommand (#1721, @​saschagrunert) [SIG Release]
  • Remove legacy image promoter internals (inventory, gcloud, stream, json, reqcounter, container, timewrapper packages) (#1718, @​saschagrunert) [SIG Release]
  • Remove deprecated --use-legacy-pipeline flag and legacy sequential promotion code path. The new pipeline engine is now the only code path. (#1712, @​saschagrunert) [SIG Release]

Dependencies

Added

Nothing has changed.

Changed

  • cel.dev/expr: v0.24.0 → v0.25.1
  • cloud.google.com/go/auth: v0.18.1 → v0.18.2
  • github.com/cncf/xds/go: 0feb691 → ee656c7
  • github.com/envoyproxy/go-control-plane/envoy: v1.35.0 → v1.36.0
  • github.com/envoyproxy/go-control-plane: 75eaa19 → v0.14.0
  • github.com/envoyproxy/protoc-gen-validate: v1.2.1 → v1.3.0
  • github.com/google/go-containerregistry: v0.21.0 → v0.21.1
  • github.com/googleapis/enterprise-certificate-proxy: v0.3.11 → v0.3.12
  • go.opentelemetry.io/contrib/detectors/gcp: v1.38.0 → v1.39.0
  • google.golang.org/api: v0.268.0 → v0.269.0
  • google.golang.org/genproto/googleapis/bytestream: 546029d → 42d3e9b
  • google.golang.org/genproto/googleapis/rpc: 546029d → 42d3e9b
  • google.golang.org/grpc: v1.78.0 → v1.79.1

Removed

Nothing has changed.

v4.2.0

Changes by Kind

Deprecation

  • The image promoter now uses the new pipeline engine by default. The legacy sequential code path is deprecated and available via --use-legacy-pipeline. New CLI flags: --require-provenance, --allowed-builders, --allowed-source-repos. Pre-generated SBOMs are now automatically copied from staging to production registries during promotion. (#1709, @​saschagrunert) [SIG Release]

... (truncated)

Commits
  • 18052b9 Merge pull request #1723 from saschagrunert/release/prep-v4.3.0
  • 05edd77 Merge pull request #1721 from saschagrunert/promoter/cleanup-deprecated-tools
  • 0d89ab7 Remove deprecated cip-mm, local-audit, and cip-auditor references
  • 987b04f Release prep: bump version to v4.3.0
  • cc815cf Merge pull request #1720 from kubernetes-sigs/dependabot/go_modules/google.go...
  • 29c58a8 Merge pull request #1719 from kubernetes-sigs/dependabot/go_modules/gomod-666...
  • 032c3a1 build(deps): bump github.com/google/go-containerregistry
  • 33d8247 Merge pull request #1718 from saschagrunert/promoter/phase-9-delete-legacy-mo...
  • 650d61b Delete legacy inventory monolith and supporting packages
  • d82ac43 build(deps): bump google.golang.org/api from 0.268.0 to 0.269.0
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added area/dependency Issues or PRs related to dependency changes ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. labels Feb 26, 2026
@k8s-ci-robot k8s-ci-robot added the needs-kind Indicates a PR lacks a `kind/foo` label and requires one. label Feb 26, 2026
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject needs-priority labels Feb 26, 2026
@k8s-ci-robot

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 26, 2026
@dependabot dependabot bot force-pushed the dependabot/go_modules/sigs.k8s.io/promo-tools/v4-4.3.0 branch from 639ddfe to 720ada8 Compare February 27, 2026 12:44
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 27, 2026
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dependabot[bot], saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 27, 2026
@dependabot dependabot bot force-pushed the dependabot/go_modules/sigs.k8s.io/promo-tools/v4-4.3.0 branch from 720ada8 to 460a30a Compare March 2, 2026 07:39
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 2, 2026
@k8s-ci-robot

New changes are detected. LGTM label has been removed.

Bumps [sigs.k8s.io/promo-tools/v4](https://github.com/kubernetes-sigs/promo-tools) from 4.1.0 to 4.3.0.
- [Release notes](https://github.com/kubernetes-sigs/promo-tools/releases)
- [Changelog](https://github.com/kubernetes-sigs/promo-tools/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/promo-tools@v4.1.0...v4.3.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/promo-tools/v4
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/sigs.k8s.io/promo-tools/v4-4.3.0 branch from 460a30a to b99bc0c Compare March 3, 2026 08:17
dependabot bot commented on behalf of github Mar 5, 2026

Superseded by #4309.

@dependabot dependabot bot closed this Mar 5, 2026
@dependabot dependabot bot deleted the dependabot/go_modules/sigs.k8s.io/promo-tools/v4-4.3.0 branch March 5, 2026 01:53