Skip to content

build(deps): bump the dependencies group with 3 updates #1035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

build(deps): bump the dependencies group with 3 updates #1035

wants to merge 2 commits into from
+14 −7

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 13, 2025
edited
Loading

Updates the requirements on sigstore, boto3 and botocore to permit the latest version.
Updates sigstore from 3.6.6 to 4.1.0

Release notes

Sourced from sigstore's releases.

v4.1.0

Added

  • cli: Support using other Sigstore instances with --instance URL. New instances are trusted with new top level command trust-instance ROOTFILE. #1548

Changed

  • Added cryptography 46 to list of compatible cryptography releases (#1544)
  • Improved error message when verifying bundles with unsupported log entry versions (#1569)

Fixed

  • cli: Always read/write UTF-8. This fixes an issue on Windows where the platform default encoding was used: the issue has existed for a while, but became more visible with signature bundles that contain rekor2 entries. #1553

v4.0.0

This is a major release with a host of API and functionality changes. The major new feature is Rekor v2 support but many other changes are also included, see list below.

Added

  • cli: Add --rekor-version to sign command arguments: This can be useful if Sigstore instance provides multiple Rekor versions and user wants to override the default choice #1471
  • cli: Support parallel signing. When multiple artifacts are signed, the Rekor requests are submitted in parallel: this is especially useful with Rekor v2. #1468, #1478, #1485
  • oidc (API): Allow custom audience claims via API #1402
  • rekor (API): Support Rekor v2 (aka rekor-tiles) in both verification and signing. #1370, #1422, #1432
  • trust (API): Make TrustedRoot, SigningConfig and ClientTrustConfig public API #1496

Changed

  • cli: Improve verify UX when wrong instance is used #1510
  • deps: replace sigstore_protobuf_specs dependency with sigstore-models #1470

... (truncated)

Changelog

Sourced from sigstore's changelog.

[4.1.0]

Added

  • cli: Support using other Sigstore instances with --instance URL. New instances are trusted with new top level command trust-instance ROOTFILE. #1548

Changed

  • Added cryptography 46 to list of compatible cryptography releases (#1544)
  • Improved error message when verifying bundles with unsupported log entry versions (#1569)

Fixed

  • cli: Always read/write UTF-8. This fixes an issue on Windows where the platform default encoding was used: the issue has existed for a while, but became more visible with signature bundles that contain rekor2 entries. #1553

[4.0.0]

This is a major release with a host of API and functionality changes. The major new feature is Rekor v2 support but many other changes are also included, see list below.

Added

  • cli: Add --rekor-version to sign command arguments: This can be useful if Sigstore instance provides multiple Rekor versions and user wants to override the default choice #1471
  • cli: Support parallel signing. When multiple artifacts are signed, the Rekor requests are submitted in parallel: this is especially useful with Rekor v2. #1468, #1478, #1485
  • oidc (API): Allow custom audience claims via API #1402
  • rekor (API): Support Rekor v2 (aka rekor-tiles) in both verification and signing. #1370, #1422, #1432
  • trust (API): Make TrustedRoot, SigningConfig and ClientTrustConfig public API #1496

Changed

  • cli: Improve verify UX when wrong instance is used #1510
  • deps: replace sigstore_protobuf_specs dependency with sigstore-models

... (truncated)

Commits
  • 3447f96 Forward port entry kindversion error improvement, bump version to 4.1.0 (#1569)
  • 2dbe03a build(deps): bump github/codeql-action in the actions group (#1572)
  • 02daa69 build(deps): bump rich from 14.1.0 to 14.2.0 (#1571)
  • 1615939 build(deps): bump the actions group with 2 updates (#1568)
  • 72b6581 build(deps): update ruff requirement from <0.13.4 to <0.14.1 (#1567)
  • 64dbeba cli: Support using other Sigstore instances (#1548)
  • 508b0e7 build(deps): bump softprops/action-gh-release in the actions group (#1563)
  • e31f481 build(deps): update ruff requirement from <0.13.3 to <0.13.4 (#1562)
  • dec897b build(deps): bump github/codeql-action in the actions group (#1561)
  • 0a54b4f build(deps): bump cryptography from 46.0.1 to 46.0.2 (#1558)
  • Additional commits viewable in compare view

Updates boto3 to 1.40.51

Commits
  • 9200717 Merge branch 'release-1.40.51'
  • 1a2cda2 Bumping version to 1.40.51
  • b59d034 Add changelog entries from botocore
  • 045a9af Bump github/codeql-action from 3.30.0 to 4.30.8 (#4638)
  • d8b4186 Merge branch 'release-1.40.50'
  • f6c0e66 Merge branch 'release-1.40.50' into develop
  • 8fc5b24 Bumping version to 1.40.50
  • f4d0097 Add changelog entries from botocore
  • a5eec70 Merge branch 'release-1.40.49' into develop
  • See full diff in compare view

Updates botocore to 1.40.51

Commits
  • d275003 Merge branch 'release-1.40.51'
  • 60c4c5b Bumping version to 1.40.51
  • e55cf7c Update to latest models
  • 36e4545 Merge pull request #3576 from boto/dependabot/github_actions/github/codeql-ac...
  • 3dd950f Bump github/codeql-action from 3.30.1 to 4.30.8
  • 8d33050 remove License Classifier Deprecation and use up to date license setup (#3575)
  • c2ea08e Merge branch 'release-1.40.50'
  • 4fe0c4b Merge branch 'release-1.40.50' into develop
  • ccf712a Bumping version to 1.40.50
  • 9eae5df Update endpoints model
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
sigstore [>= 4.0.dev0, < 4.1]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the dependencies group with 3 updates
f68ebd4 
Updates the requirements on [sigstore](https://github.com/sigstore/sigstore-python), [boto3](https://github.com/boto/boto3) and [botocore](https://github.com/boto/botocore) to permit the latest version.

Updates `sigstore` from 3.6.6 to 4.1.0
- [Release notes](https://github.com/sigstore/sigstore-python/releases)
- [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md)
- [Commits](sigstore/sigstore-python@v3.6.6...v4.1.0)

Updates `boto3` to 1.40.51
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.40.49...1.40.51)

Updates `botocore` to 1.40.51
- [Commits](boto/botocore@1.40.49...1.40.51)

---
updated-dependencies:
- dependency-name: sigstore
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: boto3
  dependency-version: 1.40.51
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: botocore
  dependency-version: 1.40.51
  dependency-type: direct:production
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Oct 13, 2025
@jku
Copy link
Collaborator

jku commented Oct 14, 2025

This needs a minor change to work with the new API.

@jku
sigstore: Update to new API
8e773d2 
Signed-off-by: Jussi Kukkonen <[email protected]>
@jku jku force-pushed the dependabot/pip/dependencies-f5e1ac28e1 branch from 5ce8941 to 8e773d2 Compare October 15, 2025 17:49
@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Oct 20, 2025

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Oct 20, 2025
@dependabot dependabot bot deleted the dependabot/pip/dependencies-f5e1ac28e1 branch October 20, 2025 22:02
@jku jku restored the dependabot/pip/dependencies-f5e1ac28e1 branch October 21, 2025 07:47
@jku jku reopened this Oct 21, 2025
@jku
Copy link
Collaborator

jku commented Oct 21, 2025

reopening, this has fixes for sigstoresigner upgrade

@jku jku mentioned this pull request Oct 21, 2025
Open
@jku

This comment has been minimized.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jku