[PR #163] [MERGED] 🌱 bump sigstore/cosign-installer from 3.9.1 to 4.0.0 #157

New issue

Closed

opened 2026-03-03 16:29:28 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 16:29:28 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/natrontech/pbs-exporter/pull/163
Author: @dependabot[bot]
Created: 10/20/2025
Status: ✅ Merged
Merged: 11/28/2025
Merged by: @janfuhrer

Base: main ← Head: dependabot/github_actions/sigstore/cosign-installer-4.0.0

📝 Commits (1)

0000778 🌱 bump sigstore/cosign-installer from 3.9.1 to 4.0.0

📊 Changes

2 files changed (+4 additions, -4 deletions)

View changed files

📝 .github/workflows/release-verification.yml (+1 -1)
📝 .github/workflows/release.yml (+3 -3)

📄 Description

Bumps sigstore/cosign-installer from 3.9.1 to 4.0.0.

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.0.0

What's Changed?

Note: You must upgrade to cosign-installer v4 if you want to install Cosign v3+. You may still install Cosign v2.x with cosign-installer v4.

In version v3+, using cosign sign-blob requires adding the --bundle flag which may require you to update your signing command.

Add support for Cosign v3 releases (#201)

v3.10.1

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

Bump default Cosign to v2.6.1 (#203)

v3.10.0

What's Changed

Bump default Cosign to v2.6.0 in sigstore/cosign-installer#200

Full Changelog: https://github.com/sigstore/cosign-installer/compare/v3.9.2...v3.10.0

v3.9.2

What's Changed

not fail fast and setup permissions in sigstore/cosign-installer#195

drop old unsupported versions <v2.0.0 in sigstore/cosign-installer#192

Update default to v2.5.3 in sigstore/cosign-installer#196

Full Changelog: https://github.com/sigstore/cosign-installer/compare/v3.9.1...v3.9.2

Commits

faadad0 add support for cosign v3 releases (#201)
d7543c9 Bump default Cosign to v2.6.0 (#200)
920f20f Bump actions/setup-go from 5.5.0 to 6.0.0 (#199)
bb9dfc1 Bump actions/github-script from 7.0.1 to 8.0.0 (#198)
074636b Bump actions/checkout from 4.2.2 to 5.0.0 (#197)
d58896d Update default to v2.5.3 (#196)
e40248c drop old unsupported versions <v2.0.0 (#192)
d9374b9 not fail fast and setup permissions (#195)
See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/natrontech/pbs-exporter/pull/163 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 10/20/2025 **Status:** ✅ Merged **Merged:** 11/28/2025 **Merged by:** [@janfuhrer](https://github.com/janfuhrer) **Base:** `main` ← **Head:** `dependabot/github_actions/sigstore/cosign-installer-4.0.0` --- ### 📝 Commits (1) - [`0000778`](https://github.com/natrontech/pbs-exporter/commit/0000778ca2d2bac8c676b90ce815fc282402df22) :seedling: bump sigstore/cosign-installer from 3.9.1 to 4.0.0 ### 📊 Changes **2 files changed** (+4 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/release-verification.yml` (+1 -1) 📝 `.github/workflows/release.yml` (+3 -3) </details> ### 📄 Description Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.9.1 to 4.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sigstore/cosign-installer/releases">sigstore/cosign-installer's releases</a>.</em></p> <blockquote> <h2>v4.0.0</h2> <h2>What's Changed?</h2> <p><strong>Note:</strong> You must upgrade to cosign-installer v4 if you want to install <a href="https://blog.sigstore.dev/cosign-3-0-available/">Cosign v3+</a>. You may still install Cosign v2.x with cosign-installer v4.</p> <p>In version v3+, using <code>cosign sign-blob</code> requires adding the <code>--bundle</code> flag which may require you to update your signing command.</p> <ul> <li>Add support for Cosign v3 releases (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/201">#201</a>)</li> </ul> <h2>v3.10.1</h2> <h2>What's Changed?</h2> <p><strong>Note:</strong> cosign-installer v3.x cannot be used to install <a href="https://blog.sigstore.dev/cosign-3-0-available/">Cosign v3.x</a>. You must upgrade to cosign-installer v4 in order to use Cosign v3.</p> <p><strong>Note:</strong> This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to <a href="https://blog.sigstore.dev/cosign-3-0-available/">Cosign v3</a>.</p> <ul> <li>Bump default Cosign to v2.6.1 (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/203">#203</a>)</li> </ul> <h2>v3.10.0</h2> <h2>What's Changed</h2> <ul> <li>Bump default Cosign to v2.6.0 in <a href="https://redirect.github.com/sigstore/cosign-installer/pull/200">sigstore/cosign-installer#200</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/sigstore/cosign-installer/compare/v3.9.2...v3.10.0">https://github.com/sigstore/cosign-installer/compare/v3.9.2...v3.10.0</a></p> <h2>v3.9.2</h2> <h2>What's Changed</h2> <ul> <li>not fail fast and setup permissions in <a href="https://redirect.github.com/sigstore/cosign-installer/pull/195">sigstore/cosign-installer#195</a></li> <li>drop old unsupported versions <v2.0.0 in <a href="https://redirect.github.com/sigstore/cosign-installer/pull/192">sigstore/cosign-installer#192</a></li> <li>Update default to v2.5.3 in <a href="https://redirect.github.com/sigstore/cosign-installer/pull/196">sigstore/cosign-installer#196</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/sigstore/cosign-installer/compare/v3.9.1...v3.9.2">https://github.com/sigstore/cosign-installer/compare/v3.9.1...v3.9.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sigstore/cosign-installer/commit/faadad0cce49287aee09b3a48701e75088a2c6ad"><code>faadad0</code></a> add support for cosign v3 releases (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/201">#201</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/d7543c93d881b35a8faa02e8e3605f69b7a1ce62"><code>d7543c9</code></a> Bump default Cosign to v2.6.0 (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/200">#200</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/920f20f8c1514a0b54f0557e19ff74bfeb5f413d"><code>920f20f</code></a> Bump actions/setup-go from 5.5.0 to 6.0.0 (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/199">#199</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/bb9dfc10d272e67bed086b504aaf14f8fe455b05"><code>bb9dfc1</code></a> Bump actions/github-script from 7.0.1 to 8.0.0 (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/198">#198</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/074636bf86584fb361059563d092a9cfb6560f80"><code>074636b</code></a> Bump actions/checkout from 4.2.2 to 5.0.0 (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/197">#197</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/d58896d6a1865668819e1d91763c7751a165e159"><code>d58896d</code></a> Update default to v2.5.3 (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/196">#196</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/e40248c492a99ad409432e2ea978d7a2811f2e1f"><code>e40248c</code></a> drop old unsupported versions <v2.0.0 (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/192">#192</a>)</li> <li><a href="https://github.com/sigstore/cosign-installer/commit/d9374b96fed791ab117111a9a307a92b68bf3145"><code>d9374b9</code></a> not fail fast and setup permissions (<a href="https://redirect.github.com/sigstore/cosign-installer/issues/195">#195</a>)</li> <li>See full diff in <a href="https://github.com/sigstore/cosign-installer/compare/398d4b0eeef1380460a10c8013a76f728fb906ac...faadad0cce49287aee09b3a48701e75088a2c6ad">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sigstore/cosign-installer&package-manager=github_actions&previous-version=3.9.1&new-version=4.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>