[Upstream Sync] Merge v1.8.7 into main#402

Open
securesign-upstream-sync[bot] wants to merge 68 commits into main from sync-upstream/main/v1.8.7

Conversation

@securesign-upstream-sync


Upstream Sync: v1.8.7 into main

Merges upstream sigstore/fulcio@v1.8.7 into main.

Upstream Changes (68 commits)

Showing first 50 of 68 commits:

8254f95 Allow directly-configured Kubernetes issuers to use in-cluster auth path (#2356)
d614dd4 build(deps): bump cloud.google.com/go/security from 1.19.2 to 1.24.0 (#2346)
92cfd93 build(deps): bump protocolbuffers/protobuf from 34.1 to 35.0 (#2351)
378c654 Block cross-host redirects and restrict bearer token to expected host (#2354)
7a5d3e3 bump builder image to use go1.26.3 (#2353)
a05982e build(deps): bump go.step.sm/crypto from 0.75.0 to 0.81.0 (#2348)
dfa63a8 build(deps): bump golang from `313faae` to `2d6c802` (#2344)
7b3a344 build(deps): bump google.golang.org/api from 0.279.0 to 0.280.0 (#2349)
9290f7f build(deps): bump the all group with 2 updates (#2350)
423d535 build(deps): bump nginx from 1.31.0 to 1.31.1 in the all group (#2352)
19a3f8e build(deps): bump the all group across 1 directory with 6 updates (#2337)
6b597ce build(deps): bump google.golang.org/api from 0.276.0 to 0.279.0 (#2338)
0d1dc79 build(deps): bump nginx from 1.29.8 to 1.31.0 in the all group (#2342)
373c23e build(deps): bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1 (#2340)
99be49c build(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0 (#2341)
6c316a5 build(deps): bump github.com/grpc-ecosystem/grpc-gateway/v2 (#2339)
82f3bc7 build(deps): bump golang from `2981696` to `313faae` (#2336)
eef2661 build(deps): bump github.com/tink-crypto/tink-go-awskms/v2 to v3 (#2335)
4793d58 build(deps): bump the all group across 1 directory with 4 updates (#2330)
0fd2957 build(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0 (#2321)
4c22880 build(deps): bump golang in the all group across 1 directory (#2323)
0db8cf4 build(deps): bump nginx in the all group across 1 directory (#2326)
ac26d59 Update crypto11 dependency (#2331)
0df7844 build(deps): bump goa.design/goa/v3 from 3.24.1 to 3.26.0 (#2318)
7c15ea7 build(deps): bump the all group across 1 directory with 7 updates (#2333)
5614efa build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#2313)
7604ae0 build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#2314)
a754bd8 build(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#2322)
26b83c8 Update untrusted OIDC token for e2e testing (#2332)
4e2a4f5 Add changelog for v1.8.6 (#2312)
2e4e457 deps: Bump protobuf to 34.x (#2311)
a1a1fd5 build(deps): bump google.golang.org/grpc (#2302)
31bc2cb build(deps): bump the all group across 1 directory with 2 updates (#2293)
5710d13 build(deps): bump nginx from 1.29.6 to 1.29.7 in the all group (#2310)
ae4f457 build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#2296)
39b48e6 Include raw subject in certificates (#2307)
14bfd83 build(deps): bump the all group across 1 directory with 13 updates (#2308)
f7893ad build(deps): bump the all group across 1 directory with 3 updates (#2309)
b683519 build(deps): bump nginx from 1.29.5 to 1.29.6 in the all group (#2301)
39df9f9 Run go fix on codebase (#2299)
b0b3140 build(deps): bump chainguard-dev/actions in the all group (#2291)
3ad38b6 build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#2289)
b71c80a build(deps): bump chainguard-dev/actions in the all group (#2288)
3ea8aa1 update golang builder to use go1.25.7 (#2285)
2e38d4e build(deps): bump nginx from 1.29.4 to 1.29.5 in the all group (#2284)
26bfdcc build(deps): bump chainguard-dev/actions in the all group (#2283)
4561132 build(deps): bump golang from 1.25.6 to 1.25.7 in the all group (#2282)
72f44c5 build(deps): bump the all group across 1 directory with 4 updates (#2277)
4afd3f3 build(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 (#2274)
0fb4c12 build(deps): bump goa.design/goa/v3 from 3.23.4 to 3.24.1 (#2270)

⚠️ Unresolved conflicts

The following files need manual resolution:

  • .github/workflows/verify.yml
  • pkg/config/config_test.go

Resolve locally

git fetch origin
git checkout sync-upstream/main/v1.8.7
git merge origin/main

# Auto-resolve Dockerfiles, go.mod, and workflow version bumps
go install github.com/securesign/actions/sync-upstream/resolve-conflicts@main
resolve-conflicts all

# Take upstream content
git checkout --ours CHANGELOG.md && git add CHANGELOG.md
git checkout --ours pkg/generated/protobuf/fulcio.pb.go && git add pkg/generated/protobuf/fulcio.pb.go
git checkout --ours pkg/generated/protobuf/fulcio_grpc.pb.go && git add pkg/generated/protobuf/fulcio_grpc.pb.go
git checkout --ours pkg/generated/protobuf/legacy/fulcio_legacy.pb.go && git add pkg/generated/protobuf/legacy/fulcio_legacy.pb.go
git checkout --ours pkg/generated/protobuf/legacy/fulcio_legacy_grpc.pb.go && git add pkg/generated/protobuf/legacy/fulcio_legacy_grpc.pb.go

# Resolve remaining conflicts manually
# .github/workflows/verify.yml
# pkg/config/config_test.go

git add -A && git commit
git push origin sync-upstream/main/v1.8.7

Generated by Sync Upstream action

Hayden and others added 30 commits December 16, 2025 17:15
Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
* Switch to go.yaml.in/yaml/v3

This seems to be a drop-in replacement for the now-unmaintained
gopkg.in/yaml.v3. Note that this is still pulled in as an indirect
dependency.

Also replace the deprecated kubeval util with kubeconform.

Fixes sigstore#2015

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
TesseraCT is a write-only service; it needs a separate web server to
serve tiles and checkpoints. Add an nginx container to the dev
environment to support the read path for monitoring.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
TesseraCT is producing its own images so we don't need to maintain our
own in scaffolding.

This also updates the image to v0.1.1.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
…tore#2252)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.257.0 to 0.258.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.257.0...v0.258.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.258.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…gstore#2259)

Bumps the all group with 2 updates in the / directory: [github.com/grpc-ecosystem/grpc-gateway/v2](https://github.com/grpc-ecosystem/grpc-gateway) and [github.com/prometheus/common](https://github.com/prometheus/common).


Updates `github.com/grpc-ecosystem/grpc-gateway/v2` from 2.27.3 to 2.27.4
- [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases)
- [Commits](grpc-ecosystem/grpc-gateway@v2.27.3...v2.27.4)

Updates `github.com/prometheus/common` from 0.67.4 to 0.67.5
- [Release notes](https://github.com/prometheus/common/releases)
- [Changelog](https://github.com/prometheus/common/blob/main/CHANGELOG.md)
- [Commits](prometheus/common@v0.67.4...v0.67.5)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20251022142026-3a174f9686a8 to 0.0.0-20251222181119-0a764e51fe1b
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `google.golang.org/grpc` from 1.77.0 to 1.78.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.77.0...v1.78.0)

---
updated-dependencies:
- dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2
  dependency-version: 2.27.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/prometheus/common
  dependency-version: 0.67.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-version: 0.0.0-20251222181119-0a764e51fe1b
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/grpc
  dependency-version: 1.78.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…re#2253)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@330a01c...b7c566a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `a22b2e6` to `36b4f45`.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.25.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
…igstore#2263)

Without these anchors, URLs where the issuer is not the host could be
matched. This can result in server side request forgery, where the OIDC
library will query the well-known or JWKS URIs.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
* feat: add new root issuer for circleci

Signed-off-by: meeech <4623+meeech@users.noreply.github.com>

* Update the info to take into account new easier to work with redirect

Before we were pointing to an API endpoint where you would get all the jobs in that workflow, and then you could manually find the job in the list.

We've since introduced an easier redirect way of going via the front end.

I think this is better. Nothing changes about the other API based info to lookup

https://app.circleci.com/workflow/{workflow-uuid}/job/{job-uuid}
Signed-off-by: meeech <4623+meeech@users.noreply.github.com>

---------

Signed-off-by: meeech <4623+meeech@users.noreply.github.com>
yq is already installed on GHA ubuntu runners

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
…tore#2275)

Bumps the all group with 1 update: golang.


Updates `golang` from 1.25.5 to 1.25.6

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.25.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Previously, as long as any part of the string matched the regex, it would pass.
Because of the recently reported SSRF, we added anchors to require that the regex
match the full string.

This configuration update will match what's rolled out to prod, and adds
tests to demonstrate everything is working as intended.

Ref sigstore#2265

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
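The two commit messages above (the anchor fix and the follow-up config/test update) describe the same defect: an issuer regex that is matched against a substring of the URL accepts URLs on other hosts, which lets the OIDC library be pointed at a foreign well-known/JWKS endpoint. The Go program below is an added illustration, not Fulcio's own code; the issuer pattern and the sample URLs are constructed for the example, and the fix shown is the generic `^(?:…)$` wrapping the messages describe.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed issuer pattern for this example (not Fulcio's own config):
// a meta-issuer whose trailing path segment varies per tenant.
const issuerPattern = `https://oidc\.example\.com/[a-z0-9-]+`

// matchUnanchored shows the pre-fix behaviour: regexp.MatchString reports a
// match when the pattern matches ANY substring of the issuer URL, so a URL on
// a different host that merely embeds the expected issuer still passes.
func matchUnanchored(pattern, issuer string) (bool, error) {
	return regexp.MatchString(pattern, issuer)
}

// matchAnchored applies the fix from the commit messages: the pattern is
// wrapped in ^(?:...)$ so it has to consume the whole issuer string. Leading
// or trailing bytes (another host, a query string, an appended path) now
// cause the match to fail. The non-capturing group keeps alternations inside
// the configured pattern from escaping the anchors.
func matchAnchored(pattern, issuer string) (bool, error) {
	return regexp.MatchString(`^(?:`+pattern+`)$`, issuer)
}

// Constructed inputs: one legitimate issuer and two URLs on another host that
// embed the legitimate issuer as a substring (in a query string, in a path).
var (
	legitIssuer   = "https://oidc.example.com/tenant-a"
	inQueryString = "https://other.example.net/?u=https://oidc.example.com/tenant-a"
	inPath        = "https://other.example.net/https://oidc.example.com/tenant-a"
)

func main() {
	for _, issuer := range []string{legitIssuer, inQueryString, inPath} {
		loose, err := matchUnanchored(issuerPattern, issuer)
		if err != nil {
			panic(err)
		}
		strict, err := matchAnchored(issuerPattern, issuer)
		if err != nil {
			panic(err)
		}
		// Only the first URL should be accepted once the pattern is anchored.
		fmt.Printf("%-68s unanchored=%-5v anchored=%v\n", issuer, loose, strict)
	}
}
```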
Bumps nginx from 1.29.4 to 1.29.4.

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: 1.29.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps goa.design/goa/v3 from 3.23.4 to 3.24.1.

---
updated-dependencies:
- dependency-name: goa.design/goa/v3
  dependency-version: 3.24.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#2274)

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.10.3 to 1.10.4.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.3...v1.10.4)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…gstore#2277)

Bumps the all group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/setup-go](https://github.com/actions/setup-go), [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `actions/checkout` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@8e8c483...de0fac2)

Updates `actions/setup-go` from 6.1.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4dc6199...7a3fe6c)

Updates `protocolbuffers/protobuf` from 33.2 to 33.4
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](protocolbuffers/protobuf@v33.2...v33.4)

Updates `chainguard-dev/actions` from 1.5.10 to 1.5.13
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@3e8a2a2...18e5e34)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: actions/setup-go
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: protocolbuffers/protobuf
  dependency-version: '33.4'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: chainguard-dev/actions
  dependency-version: 1.5.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ore#2284)

Bumps the all group with 1 update: nginx.


Updates `nginx` from 1.29.4 to 1.29.5

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: 1.29.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
)

Bumps the all group with 1 update: [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `chainguard-dev/actions` from 1.5.16 to 1.6.1
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@eba358c...0cf1221)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Just some stylistic cleanup.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
…ore#2301)

Bumps the all group with 1 update: nginx.


Updates `nginx` from 1.29.5 to 1.29.6

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: 1.29.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Hayden-IO and others added 29 commits May 11, 2026 23:06
The GHA-based token fetcher has unfortunately become unstable and
doesn't run as frequently as needed. We've moved to a Cloud Run-based
generator.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
…igstore#2322)

Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.42.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.42.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.43.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#2314)

Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#2313)

Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-version: 3.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…gstore#2333)

Bumps the all group with 3 updates in the / directory: [chainguard.dev/sdk](https://github.com/chainguard-dev/sdk), [github.com/sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs) and [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils).


Updates `chainguard.dev/sdk` from 0.1.52 to 0.1.54
- [Release notes](https://github.com/chainguard-dev/sdk/releases)
- [Commits](chainguard-dev/sdk@v0.1.52...v0.1.54)

Updates `github.com/coreos/go-oidc/v3` from 3.17.0 to 3.18.0
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.17.0...v3.18.0)

Updates `github.com/sigstore/protobuf-specs` from 0.5.0 to 0.5.1
- [Release notes](https://github.com/sigstore/protobuf-specs/releases)
- [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md)
- [Commits](sigstore/protobuf-specs@v0.5.0...v0.5.1)

Updates `google.golang.org/api` from 0.272.0 to 0.276.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.272.0...v0.276.0)

Updates `google.golang.org/genproto/googleapis/api` from 0.0.0-20260311181403-84a4fc48630c to 0.0.0-20260319201613-d00831a3d3e7
- [Commits](https://github.com/googleapis/go-genproto/commits)

Updates `google.golang.org/grpc` from 1.79.3 to 1.80.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.79.3...v1.80.0)

Updates `sigs.k8s.io/release-utils` from 0.12.3 to 0.12.4
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](kubernetes-sigs/release-utils@v0.12.3...v0.12.4)

---
updated-dependencies:
- dependency-name: chainguard.dev/sdk
  dependency-version: 0.1.54
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-version: 3.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: github.com/sigstore/protobuf-specs
  dependency-version: 0.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/api
  dependency-version: 0.276.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: google.golang.org/genproto/googleapis/api
  dependency-version: 0.0.0-20260319201613-d00831a3d3e7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: google.golang.org/grpc
  dependency-version: 1.80.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: sigs.k8s.io/release-utils
  dependency-version: 0.12.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps goa.design/goa/v3 from 3.24.1 to 3.26.0.

---
updated-dependencies:
- dependency-name: goa.design/goa/v3
  dependency-version: 3.25.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Dependency github.com/ThalesIgnite/crypto11 is
now github.com/ThalesGroup/crypto11

Fixes sigstore#2329

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
…#2326)

Bumps the all group with 1 update in the / directory: nginx.


Updates `nginx` from 1.29.7 to 1.29.8

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: 1.29.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e#2323)

Bumps the all group with 1 update in the / directory: golang.


Updates `golang` from 1.26.1 to 1.26.3

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e#2321)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.2 to 6.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@671740a...57e3a13)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…gstore#2330)

Bumps the all group with 4 updates in the / directory: [actions/setup-go](https://github.com/actions/setup-go), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [chainguard-dev/actions](https://github.com/chainguard-dev/actions).


Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `chainguard-dev/actions` from 1.6.11 to 1.6.19
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@8bb24c2...c69a264)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#2339)

Bumps [github.com/grpc-ecosystem/grpc-gateway/v2](https://github.com/grpc-ecosystem/grpc-gateway) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/grpc-ecosystem/grpc-gateway/releases)
- [Commits](grpc-ecosystem/grpc-gateway@v2.28.0...v2.29.0)

---
updated-dependencies:
- dependency-name: github.com/grpc-ecosystem/grpc-gateway/v2
  dependency-version: 2.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](uber-go/zap@v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-version: 1.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#2340)

Bumps [github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify) from 1.9.0 to 1.10.1.
- [Release notes](https://github.com/fsnotify/fsnotify/releases)
- [Changelog](https://github.com/fsnotify/fsnotify/blob/main/CHANGELOG.md)
- [Commits](fsnotify/fsnotify@v1.9.0...v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/fsnotify/fsnotify
  dependency-version: 1.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ore#2342)

Bumps the all group with 1 update: nginx.


Updates `nginx` from 1.29.8 to 1.31.0

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: 1.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tore#2338)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.276.0 to 0.279.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.276.0...v0.279.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.279.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…gstore#2337)

Bumps the all group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [chainguard.dev/sdk](https://github.com/chainguard-dev/sdk) | `0.1.54` | `0.1.55` |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.10.5` | `1.10.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.10.5` | `1.10.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.10.5` | `1.10.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.10.5` | `1.10.6` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.10.5` | `1.10.6` |



Updates `chainguard.dev/sdk` from 0.1.54 to 0.1.55
- [Release notes](https://github.com/chainguard-dev/sdk/releases)
- [Commits](chainguard-dev/sdk@v0.1.54...v0.1.55)

Updates `github.com/sigstore/sigstore` from 1.10.5 to 1.10.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.5...v1.10.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.10.5 to 1.10.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.5...v1.10.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.10.5 to 1.10.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.5...v1.10.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.10.5 to 1.10.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.5...v1.10.6)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.10.5 to 1.10.6
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.10.5...v1.10.6)

---
updated-dependencies:
- dependency-name: chainguard.dev/sdk
  dependency-version: 0.1.55
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-version: 1.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-version: 1.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-version: 1.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-version: 1.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ore#2352)

Bumps the all group with 1 update: nginx.


Updates `nginx` from 1.31.0 to 1.31.1

---
updated-dependencies:
- dependency-name: nginx
  dependency-version: 1.31.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the all group with 2 updates: [codecov/codecov-action](https://github.com/codecov/codecov-action) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `codecov/codecov-action` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@57e3a13...e79a696)

Updates `golangci/golangci-lint-action` from 9.2.0 to 9.2.1
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@1e7e51e...82606bf)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tore#2349)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.279.0 to 0.280.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.279.0...v0.280.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.280.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `313faae` to `2d6c802`.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.75.0 to 0.81.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](smallstep/crypto@v0.75.0...v0.81.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-version: 0.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
…sigstore#2354)

Secures the outbound OIDC discovery request flow against SSRF, JWKS substitution, and credential leakage.

Blocks cross-host redirects: Configures a custom CheckRedirect callback on all OIDC discovery clients to
reject redirects that attempt to leave the original issuer's host boundary. SSRF was previously mitigated by
adding anchors to the meta issuer regex, but this was not a complete
mitigation since a malicious meta issuer could specify an HTTP redirect,
which the Go HTTP client would follow by default.

Restricts bearer token injection: Updates bearerTokenTransport to only attach the Kubernetes service-account
bearer token when the outgoing request destination host exactly matches the expected issuer's host.
This prevents token leakage during both redirect scenarios and cross-host JWKS URIs.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
…e#2351)

* build(deps): bump protocolbuffers/protobuf from 34.1 to 35.0

Bumps [protocolbuffers/protobuf](https://github.com/protocolbuffers/protobuf) from 34.1 to 35.0.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](protocolbuffers/protobuf@v34.1...v35.0)

---
updated-dependencies:
- dependency-name: protocolbuffers/protobuf
  dependency-version: '35.0'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update protobuf version from 34.1 to 35.0

Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
…igstore#2346)

Bumps [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go) from 1.19.2 to 1.24.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](googleapis/google-cloud-go@asset/v1.19.2...kms/v1.24.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/security
  dependency-version: 1.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ath (sigstore#2356)

Gate the in-cluster CA + bearer-token attachment in httpClientForIssuer on
the issuer being directly listed in OIDCIssuers, in addition to the existing
match against k8sIssuerURL. Clusters whose --service-account-issuer is not
literally https://kubernetes.default.svc (e.g. K3s, which uses
https://kubernetes.default.svc.cluster.local) can again use the in-cluster
auth path when their issuer URL is explicitly listed in OIDCIssuers.

The SSRF/token-leak protection from sigstore#2354 is preserved: MetaIssuer wildcard
matches against attacker-controlled hosts still do not receive the bearer
token, because the new gate trusts only directly-listed OIDCIssuers entries
(and the default k8sIssuerURL itself).

Fixes sigstore#2355.

Signed-off-by: Kevin Monroe <kevin.monroe@chainguard.dev>
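The two commit messages above (sigstore#2354 and sigstore#2356) describe a cross-host redirect block, a host-gated bearer-token transport, and a gate that grants in-cluster auth only to directly-listed issuers. The following is an added Go example, written for this page and not Fulcio's own code: `sameHostRedirect`, `newIssuerClient`, `useInClusterAuth` and `fetch` are hypothetical names, the `bearerTokenTransport` here is a from-scratch reimplementation of the idea, and the two `httptest` servers are constructed doubles standing in for an issuer and an attacker-controlled host.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrCrossHostRedirect is returned when a redirect would leave the issuer's host.
var ErrCrossHostRedirect = errors.New("refusing cross-host redirect")

// sameHostRedirect builds an http.Client.CheckRedirect callback that follows a
// redirect only while the destination host equals the expected issuer host.
// Without it the Go client follows any Location header by default.
func sameHostRedirect(expectedHost string) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if len(via) >= 10 {
			return errors.New("stopped after 10 redirects")
		}
		if !strings.EqualFold(req.URL.Host, expectedHost) {
			return fmt.Errorf("%w: %s -> %s", ErrCrossHostRedirect, expectedHost, req.URL.Host)
		}
		return nil
	}
}

// bearerTokenTransport (hypothetical reimplementation) attaches the service-account
// token only when the outgoing request's host matches the expected issuer host, so
// neither a cross-host jwks_uri nor a redirect target ever receives the credential.
type bearerTokenTransport struct {
	base         http.RoundTripper
	expectedHost string
	token        string
}

func (t *bearerTokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if strings.EqualFold(req.URL.Host, t.expectedHost) {
		req = req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
		req.Header.Set("Authorization", "Bearer "+t.token)
	}
	return t.base.RoundTrip(req)
}

// newIssuerClient wires both protections into a client for one issuer URL.
func newIssuerClient(issuerURL, token string) (*http.Client, error) {
	u, err := url.Parse(issuerURL)
	if err != nil || u.Host == "" {
		return nil, fmt.Errorf("invalid issuer URL %q", issuerURL)
	}
	return &http.Client{
		Transport:     &bearerTokenTransport{base: http.DefaultTransport, expectedHost: u.Host, token: token},
		CheckRedirect: sameHostRedirect(u.Host),
	}, nil
}

// useInClusterAuth mirrors the gate described for sigstore#2356: in-cluster CA and
// token only for the default k8s issuer or an issuer listed verbatim in OIDCIssuers,
// never for a MetaIssuer wildcard match (hypothetical signature).
func useInClusterAuth(issuerURL, k8sIssuerURL string, oidcIssuers map[string]struct{}) bool {
	if issuerURL == k8sIssuerURL {
		return true
	}
	_, listed := oidcIssuers[issuerURL]
	return listed
}

// fetch performs a GET and returns the response body.
func fetch(c *http.Client, rawURL string) (string, error) {
	resp, err := c.Get(rawURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	// Constructed doubles: each server echoes the Authorization header it received;
	// the "issuer" additionally redirects /redirect to the "attacker" host.
	echo := func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "auth=%q", r.Header.Get("Authorization"))
	}
	attacker := httptest.NewServer(http.HandlerFunc(echo))
	defer attacker.Close()
	issuer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/redirect" {
			http.Redirect(w, r, attacker.URL+"/jwks", http.StatusFound)
			return
		}
		echo(w, r)
	}))
	defer issuer.Close()

	client, err := newIssuerClient(issuer.URL, "sa-token")
	if err != nil {
		panic(err)
	}
	body, _ := fetch(client, issuer.URL+"/.well-known/openid-configuration")
	fmt.Println("same host:          ", body)
	_, err = fetch(client, issuer.URL+"/redirect")
	fmt.Println("cross-host redirect:", errors.Is(err, ErrCrossHostRedirect))
	body, _ = fetch(client, attacker.URL+"/jwks")
	fmt.Println("cross-host jwks_uri:", body)
}
```

Two design points worth noting. The host comparison includes the port (`req.URL.Host` is `host:port` when a port is present), which is what makes the two loopback test servers distinct hosts; in production the issuer URL normally has no explicit port, so `kubernetes.default.svc` and `kubernetes.default.svc.cluster.local` compare as different hosts, which is exactly the K3s case the second commit addresses by requiring the issuer to be listed verbatim. And the token gate lives in the transport rather than in the caller, so every request the client issues, including ones the redirect logic would generate, passes through the same check.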
7 participants