build(deps): bump the actions group with 2 updates

[dependabot]

Bumps the actions group with 2 updates: sigstore/cosign-installer and fluxcd/flux2.

Updates sigstore/cosign-installer from 4.0.0 to 4.1.0

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.0

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

• Bump cosign to 3.0.5 in sigstore/cosign-installer#220
• fix: add retry to curl downloads for transient network failures in sigstore/cosign-installer#210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

Commits

• ba7bc0a fix: add retry to curl downloads for transient network failures (#210)
• 5a292e1 Bump cosign to 3.0.5 (#220)
• 351ea76 Bump actions/checkout from 6.0.1 to 6.0.2 (#217)
• c17565f test with go 1.26 too (#221)
• a6fdd19 Bump actions/setup-go from 6.1.0 to 6.3.0 (#218)
• 430b6a7 docs: fix registry from gcr.io to ghcr.io (#213)
• 4d14d7f feat: update to v3.0.3 (#212)
• f148005 fix: use env vars for template expansions; show curl errors (#207)
• c3f2d79 Bump actions/checkout from 6.0.0 to 6.0.1 (#208)
• b9a9af4 drop tests with go1.24 as it cant build (#211)
• Additional commits viewable in compare view

Updates fluxcd/flux2 from 2.8.1 to 2.8.2

Release notes

Sourced from fluxcd/flux2's releases.

v2.8.2

Highlights

Flux v2.8.2 is a patch release that comes with various fixes. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

• Fix enqueuing new reconciliation requests for events on source Flux objects when they are already reconciling the revision present in the watch event (kustomize-controller, helm-controller)
• Fix the Go templates bug of YAML separator --- getting concatenated to apiVersion: by updating to Helm 4.1.3 (helm-controller)
• Fix canceled HelmReleases getting stuck when they don't have a retry strategy configured by introducing a new feature gate DefaultToRetryOnFailure that improves the experience when the CancelHealthCheckOnNewRevision is enabled (helm-controller)
• Fix the auth scope for Azure Container Registry to use the ACR-specific scope (source-controller, image-reflector-controller)
• Fix potential Denial of Service (DoS) during TLS handshakes (CVE-2026-27138) by building all controllers with Go 1.26.1

Components changelog

• source-controller v1.8.1
• kustomize-controller v1.8.2
• notification-controller v1.8.2
• helm-controller v1.5.2
• image-reflector-controller v1.1.1
• image-automation-controller v1.1.1
• source-watcher v2.1.1

CLI changelog

• [release/v2.8.x] build(deps): bump the ci group across 1 directory with 11 updates by @​fluxcdbot in fluxcd/flux2#5765
• Update fluxcd/pkg dependencies by @​fluxcdbot in fluxcd/flux2#5767
• Update toolkit components by @​matheuscscp in fluxcd/flux2#5770
• Update fluxcd/pkg dependencies by @​fluxcdbot in fluxcd/flux2#5771

Full Changelog: fluxcd/flux2@v2.8.1...v2.8.2

Commits

• bfa461e Merge pull request #5771 from fluxcd/update-pkg-deps/release/v2.8.x
• f11a921 Update fluxcd/pkg dependencies
• b248efa Merge pull request #5770 from fluxcd/backport-5769-to-release/v2.8.x
• 4d5e044 Update toolkit components
• 3c8917c Merge pull request #5767 from fluxcd/update-pkg-deps/release/v2.8.x
• c1f11bc Update fluxcd/pkg dependencies
• bc6aa47 Merge pull request #5765 from fluxcd/backport-5764-to-release/v2.8.x
• 0e7194c build(deps): bump the ci group across 1 directory with 11 updates
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.