
Bump github.com/sigstore/fulcio from 1.8.5 to 1.8.6 #426

Open

dependabot[bot] wants to merge 1 commit into oadp-dev from dependabot/go_modules/github.com/sigstore/fulcio-1.8.6

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jul 1, 2026

Bumps github.com/sigstore/fulcio from 1.8.5 to 1.8.6.

Release notes

Sourced from github.com/sigstore/fulcio's releases.

v1.8.6

Changelog

  • 378c654f48c3bafdced04ead7010aab2cb4c6ca1 Block cross-host redirects and restrict bearer token to expected host (#2354)
  • 39b48e6a8f2efe1809a1b19b4301666c3fd36667 Include raw subject in certificates (#2307)
  • 80eaed06e911cdfd26dd18f02b8e862f7f6ee453 Update Azure AKS OIDC issuer URL regex (#2266)
  • 001376a50932095cf4b6e65299ed2d29abe83524 add support for new circleci root issuer (#2278)

Thanks for all contributors!

Changelog

Sourced from github.com/sigstore/fulcio's changelog.

v1.8.6

Features

  • Include raw subject in certificates (#2307)

Commits
  • 378c654 Block cross-host redirects and restrict bearer token to expected host (#2354)
  • 7a5d3e3 bump builder image to use go1.26.3 (#2353)
  • a05982e build(deps): bump go.step.sm/crypto from 0.75.0 to 0.81.0 (#2348)
  • dfa63a8 build(deps): bump golang from 313faae to 2d6c802 (#2344)
  • 7b3a344 build(deps): bump google.golang.org/api from 0.279.0 to 0.280.0 (#2349)
  • 9290f7f build(deps): bump the all group with 2 updates (#2350)
  • 423d535 build(deps): bump nginx from 1.31.0 to 1.31.1 in the all group (#2352)
  • 19a3f8e build(deps): bump the all group across 1 directory with 6 updates (#2337)
  • 6b597ce build(deps): bump google.golang.org/api from 0.276.0 to 0.279.0 (#2338)
  • 0d1dc79 build(deps): bump nginx from 1.29.8 to 1.31.0 in the all group (#2342)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

  • Chores
    • Updated the Go toolchain to 1.25.7.
    • Refreshed several indirect dependencies across cloud, container, security, and Go standard libraries.
    • Added a couple of new transitive packages and removed an unused one.

Bumps [github.com/sigstore/fulcio](https://github.com/sigstore/fulcio) from 1.8.5 to 1.8.6.
- [Release notes](https://github.com/sigstore/fulcio/releases)
- [Changelog](https://github.com/sigstore/fulcio/blob/main/CHANGELOG.md)
- [Commits](sigstore/fulcio@v1.8.5...v1.8.6)

---
updated-dependencies:
- dependency-name: github.com/sigstore/fulcio
  dependency-version: 1.8.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 1, 2026
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 1, 2026
openshift-ci Bot commented Jul 1, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jul 1, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 53c19297-862a-4230-a74e-9c7a684510a2

📥 Commits

Reviewing files that changed from the base of the PR and between 6ddb843 and 3302b9b.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)
  • go.mod

Walkthrough

This PR updates go.mod to bump the Go toolchain from 1.25.0 to 1.25.7 and updates versions of multiple indirect dependencies, including Azure SDK, container registry, Google/Gorilla/Hashicorp libraries, golang.org/x packages, clipperhouse, fsnotify, go-containerregistry, and sigstore packages, plus a genproto pseudo-version bump.

Changes

Dependency version updates

| Layer / File(s) | Summary |
|---|---|
| Go toolchain bump (go.mod) | Go directive updated from 1.25.0 to 1.25.7. |
| Indirect dependency bumps (go.mod) | Azure SDK (azcore, internal), containerd/stargz-snapshotter/estargz, docker/go-connections, googleapis/enterprise-certificate-proxy, imdario/mergo, klauspost/compress, golang.org/x/* (crypto, net, sys, term, text), clipperhouse/uax29/v2 bumped and clipperhouse/stringish removed, fsnotify/fsnotify, google/go-containerregistry, sigstore/fulcio, sigstore/sigstore (with morikuni/aec and sergi/go-diff added), and genproto/googleapis/rpc updated. |

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes a real dependency update included in the PR and matches the stated objective. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR is dependency-only (go.mod/go.sum); no Ginkgo test titles were added or edited. |
| Test Structure And Quality | ✅ Passed | PASS: No Ginkgo *_test.go suites exist here, and this PR only bumps dependencies, so the listed test-structure issues aren’t implicated. |
| Microshift Test Compatibility | ✅ Passed | No touched test file contained Ginkgo e2e specs or MicroShift-unsupported APIs; this PR is a dependency bump, so the check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only updates go.mod/go.sum dependency versions; no new Ginkgo e2e tests or SNO-sensitive test logic were added. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PASS: This PR only bumps go.mod/go.sum dependencies (fulcio) and doesn’t touch manifests, controllers, affinity, node selectors, or other scheduling logic. |
| Ote Binary Stdout Contract | ✅ Passed | Only go.mod/go.sum changed; no process-level stdout writes or startup setup code was modified. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only changes go.mod/go.sum; no new Ginkgo e2e tests or IPv4/external connectivity assumptions were added. |
| No-Weak-Crypto | ✅ Passed | Only go.mod/go.sum changed; diff is dependency/version bumps and shows no MD5/SHA1/DES/RC4/ECB or custom crypto code. |
| Container-Privileges | ✅ Passed | Changed Dockerfiles run as non-root (USER 65534) and no diff file contains privileged/hostPID/hostNetwork/hostIPC/allowPrivilegeEscalation settings. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PASS: The PR only updates go.mod dependency versions; no logging code or string literals were changed, so it can't introduce sensitive data in logs. |

Comment @coderabbitai help to get the list of available commands.

kaovilai (Member) left a comment

Unfortunately this contains a go bump from fulcio from googleapis/enterprise-certificate-proxy#195.

If not urgent I would wait for a new fulcio.

But low risk as this is not a lib repo in general; we ship a built binary.

openshift-ci Bot commented Jul 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dependabot[bot], Joeavaikath

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026