Bump the all group in /acceptance with 7 updates

[dependabot]

Bumps the all group in /acceptance with 7 updates:

Package	From	To
github.com/enterprise-contract/enterprise-contract-controller/api	0.1.68	0.1.69
github.com/tektoncd/cli	0.38.0	0.39.0
github.com/tektoncd/pipeline	0.63.0	0.65.2
golang.org/x/exp	0.0.0-20240823005443-9b4947da3948	0.0.0-20240904232852-e7e105dedf7e
k8s.io/api	0.31.0	0.31.3
k8s.io/apimachinery	0.31.0	0.31.3
k8s.io/client-go	0.31.0	0.31.3

Updates github.com/enterprise-contract/enterprise-contract-controller/api from 0.1.68 to 0.1.69

Release notes

Sourced from github.com/enterprise-contract/enterprise-contract-controller/api's releases.

API Release api/v0.1.69

What's Changed

• Bump k8s.io/apimachinery from 0.29.10 to 0.29.11 by @​dependabot in enterprise-contract/enterprise-contract-controller#441
• Bump github.com/onsi/gomega from 1.35.1 to 1.36.0 by @​dependabot in enterprise-contract/enterprise-contract-controller#440
• Bump actions/setup-go from 5.0.0 to 5.1.0 by @​dependabot in enterprise-contract/enterprise-contract-controller#435
• Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @​dependabot in enterprise-contract/enterprise-contract-controller#434
• Bump k8s.io/apiextensions-apiserver from 0.29.10 to 0.29.11 in /api by @​dependabot in enterprise-contract/enterprise-contract-controller#439
• Bump github/codeql-action from 3.27.4 to 3.27.5 by @​dependabot in enterprise-contract/enterprise-contract-controller#433
• Bump codecov/codecov-action from 5.0.2 to 5.0.7 by @​dependabot in enterprise-contract/enterprise-contract-controller#436

Full Changelog: enterprise-contract/enterprise-contract-controller@api/v0.1.68...api/v0.1.69

Commits

• 89e7fc7 Merge pull request #436 from enterprise-contract/dependabot/github_actions/co...
• 23db6a0 Merge pull request #433 from enterprise-contract/dependabot/github_actions/gi...
• 2e856da Merge pull request #439 from enterprise-contract/dependabot/go_modules/api/k8...
• 2d5eb3e Merge pull request #434 from enterprise-contract/dependabot/github_actions/st...
• 9938d9b Merge pull request #435 from enterprise-contract/dependabot/github_actions/ac...
• d0c1a11 Run go.mod tidy
• 874ed86 Bump k8s.io/apiextensions-apiserver from 0.29.10 to 0.29.11 in /api
• cca5b9f Merge pull request #440 from enterprise-contract/dependabot/go_modules/github...
• 7a4f793 Bump github.com/onsi/gomega from 1.35.1 to 1.36.0
• 742649a Merge pull request #441 from enterprise-contract/dependabot/go_modules/k8s.io...
• Additional commits viewable in compare view

Updates github.com/tektoncd/cli from 0.38.0 to 0.39.0

Release notes

Sourced from github.com/tektoncd/cli's releases.

v0.39.0 Release 🎉

This release comes with support for Pipelines LTS v0.65.0, Triggers v0.30.0, Chains v0.23.0 and Hub v1.19.0 CLI. This release contains bug fix around bundle and export commands, with UX improvements.

ChangeLog 📋

Fixes 🐛

• Use io.ReadFull to read the bundle content by @​vdemeester in tektoncd/cli#2433
• refactor export function and add finalizers to be removed by @​chmouel in tektoncd/cli#2427
• Set status to succeeded when the reason is Completed by @​chmouel in tektoncd/cli#2420

Misc 🔨

• Bump github.com/golangci/golangci-lint from 1.60.1 to 1.60.2 in /tools by @​dependabot in tektoncd/cli#2380
• Move to goreleaser v2 by @​piyush-garg in tektoncd/cli#2382
• Update docs for 0.38.0 release by @​piyush-garg in tektoncd/cli#2383
• Bump github.com/golangci/golangci-lint from 1.60.2 to 1.60.3 in /tools by @​dependabot in tektoncd/cli#2384
• Bump github.com/tektoncd/pipeline from 0.62.1 to 0.62.2 by @​dependabot in tektoncd/cli#2385
• Fix ubuntu launchpad build by @​piyush-garg in tektoncd/cli#2387
• Remove hardcoded golangci-lint and go version by @​piyush-garg in tektoncd/cli#2386
• Bump the go-docker-dependencies group with 2 updates by @​dependabot in tektoncd/cli#2389
• Refactored delete.go file for customrun by @​Senjuti256 in tektoncd/cli#2390
• Bump tektoncd/pipeline to v0.62.3 by @​piyush-garg in tektoncd/cli#2392
• Bump github.com/tektoncd/triggers from 0.29.0 to 0.29.1 by @​dependabot in tektoncd/cli#2394
• Bump the go-docker-dependencies group with 2 updates by @​dependabot in tektoncd/cli#2396
• Bump github.com/sigstore/sigstore from 1.8.8 to 1.8.9 by @​dependabot in tektoncd/cli#2393
• Update docs for tkn 0.38.1 by @​vinamra28 in tektoncd/cli#2398
• Bump golang.org/x/term from 0.23.0 to 0.24.0 by @​dependabot in tektoncd/cli#2395
• Bump github.com/golangci/golangci-lint from 1.60.3 to 1.61.0 in /tools by @​dependabot in tektoncd/cli#2397
• Bump github.com/tektoncd/pipeline from 0.62.2 to 0.63.0 by @​dependabot in tektoncd/cli#2391
• Bump the go-k8s-dependencies group with 4 updates by @​dependabot in tektoncd/cli#2399
• Bump github.com/tektoncd/chains from 0.22.0 to 0.22.1 by @​dependabot in tektoncd/cli#2403
• Fix hard link for Mac by @​aungzanbaw in tektoncd/cli#2401
• Bump the go-docker-dependencies group with 2 updates by @​dependabot in tektoncd/cli#2404
• Bump the go-docker-dependencies group with 2 updates by @​dependabot in tektoncd/cli#2405
• Bump github.com/tektoncd/chains from 0.22.1 to 0.22.2 by @​dependabot in tektoncd/cli#2407
• Bump github.com/tektoncd/pipeline from 0.63.0 to 0.64.0 by @​dependabot in tektoncd/cli#2406
• Bump golang.org/x/term from 0.24.0 to 0.25.0 by @​dependabot in tektoncd/cli#2410
• Bump cosign to v2.4.1 by @​piyush-garg in tektoncd/cli#2409
• Bump github.com/fatih/color from 1.17.0 to 1.18.0 by @​dependabot in tektoncd/cli#2414
• Bump github.com/tektoncd/pipeline from 0.64.0 to 0.65.0 by @​dependabot in tektoncd/cli#2417
• Bump github.com/creack/pty from 1.1.23 to 1.1.24 by @​dependabot in tektoncd/cli#2418
• Bump the go-k8s-dependencies group with 4 updates by @​dependabot in tektoncd/cli#2415
• Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by @​dependabot in tektoncd/cli#2419
• Bump github.com/tektoncd/pipeline from 0.65.0 to 0.65.1 by @​dependabot in tektoncd/cli#2423
• Bump github.com/tektoncd/hub from 1.18.0 to 1.19.0 by @​dependabot in tektoncd/cli#2424
• Bump github.com/tektoncd/triggers from 0.29.1 to 0.30.0 by @​dependabot in tektoncd/cli#2425
• Bump github.com/tektoncd/chains from 0.22.2 to 0.23.0 by @​dependabot in tektoncd/cli#2426
• Bump golang.org/x/term from 0.25.0 to 0.26.0 by @​dependabot in tektoncd/cli#2428

... (truncated)

Changelog

Sourced from github.com/tektoncd/cli's changelog.

Tekton CLI Releases

Release Frequency

Tekton CLI follows the Tekton community [release policy][release-policy] as follows:

• Versions are numbered according to semantic versioning: vX.Y.Z
• A new release is produced on a monthly basis
• Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
  • LTS releases take place in January, April, July and October every year
  • The first Tekton CLI LTS release will be v0.30.0 in January 2023
  • Releases happen towards the middle of the month, but the exact date may vary, depending on week-ends and readiness

Tekton CLI produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.28 Tekton CLI has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.26 and v0.27.

Release Process

Read about releasing the Tekton CLI in the [release process documentation] [tekton-release-process].

Further documentation available:

• [Tekton resources][tekton-releases-docs]
• Standard for [release notes][release-notes-standards]

Releases

v0.39 (LTS)

• Latest Release: [v0.39.0][v0-39-0] (2024-11-26) ([docs][v0-39-0-docs])
• Initial Release: [v0.39.0][v0-39-0] (2024-11-26) ([docs][v0-39-0-docs])
• End of Life: 2025-11-25

v0.38 (LTS)

• Latest Release: [v0.38.1][v0-38-1] (2024-09-10) ([docs][v0-38-1-docs])
• Initial Release: [v0.38.0][v0-38-0] (2024-08-21) ([docs][v0-38-0-docs])
• End of Life: 2025-08-20

... (truncated)

Commits

• cb2f679 New version v0.39.0
• 5ab892f Use io.ReadFull to read the bundle content
• 9fe9255 Bump github.com/golangci/golangci-lint from 1.62.0 to 1.62.2 in /tools
• 19ab0ff Bump the go-k8s-dependencies group with 4 updates
• 49b8779 Bump github.com/tektoncd/pipeline from 0.65.1 to 0.65.2
• 1cbcc49 Bump github.com/golangci/golangci-lint from 1.61.0 to 1.62.0 in /tools
• 76dec09 Reword variable name to fix lint issues
• e6717bd Bump go to 1.22.8 and remove toolchain
• 61bf47b Bump golang.org/x/term from 0.25.0 to 0.26.0
• b4fedf2 Bump github.com/tektoncd/chains from 0.22.2 to 0.23.0
• Additional commits viewable in compare view

Updates github.com/tektoncd/pipeline from 0.63.0 to 0.65.2

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v0.65.2 "Sokoke Herbie"

-Docs @ v0.65.2 -Examples @ v0.65.2

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.65.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a153542f1de8a93c4ac314c1ca01c0ed45edf9ffac3faa701ddcd02600c3f452f

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a153542f1de8a93c4ac314c1ca01c0ed45edf9ffac3faa701ddcd02600c3f452f
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.65.2/release.yaml
REKOR_UUID=108e9186e8c5677a153542f1de8a93c4ac314c1ca01c0ed45edf9ffac3faa701ddcd02600c3f452f
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.65.2@sha256:" + .digest.sha256')
Download the release file
curl "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

... (truncated)

Changelog

Sourced from github.com/tektoncd/pipeline's changelog.

Tekton Pipeline Releases

Release Frequency

Tekton Pipelines follows the Tekton community [release policy][release-policy] as follows:

• Versions are numbered according to semantic versioning: vX.Y.Z
• A new release is produced on a monthly basis
• Four releases a year are chosen for long term support (LTS). All remaining releases are supported for approximately 1 month (until the next release is produced)
  • LTS releases take place in January, April, July and October every year
  • The first Tekton Pipelines LTS release will be v0.41.0 in October 2022
  • Releases happen towards the middle of the month, between the 13th and the 20th, depending on week-ends and readiness

Tekton Pipelines produces nightly builds, publicly available on gcr.io/tekton-nightly.

Transition Process

Before release v0.41 Tekton Pipelines has worked on the basis of an undocumented support period of four months, which will be maintained for the releases between v0.37 and v0.40.

Release Process

Tekton Pipeline releases are made of YAML manifests and container images. Manifests are published to cloud object-storage as well as [GitHub][tekton-pipeline-releases]. Container images are signed by [Sigstore][sigstore] via [Tekton Chains][tekton-chains]; signatures can be verified through the [public key][chains-public-key] hosted by the Tekton Chains project.

Further documentation available:

• The Tekton Pipeline [release process][tekton-releases-docs]
• [Installing Tekton][tekton-installation]
• Standard for [release notes][release-notes-standards]

Release

v0.66

• Latest Release: [v0.66.0][v0.66-0] (2024-12-04) ([docs][v0.66-0-docs], [examples][v0.66-0-examples])
• Initial Release: [v0.66.0][v0.66-0] (2024-12-04)
• Estimated End of Life: 2024-12-28
• Patch Releases: [v0.66.0][v0.66-0]

v0.65 (LTS)

... (truncated)

Commits

• 7b76131 Use io.ReadFull to read the bundle content
• 9664cb4 Fix StepAction support in Cluster resolver
• 58910a4 Fix number of completed and failed task in case of ValidationFailed
• f32544a Remove permanent error and improve skip logic
• b762df2 Exit reconcilation and markfailed if finally is not present
• 0f0eab9 Resolve review comments 1
• c6b45b8 Run finally pipeline even if task is failed at the validation
• eb1e38a Expose Resolvers Controller performance tuning configurations
• 96db451 Fix golangci-lint issues
• 82d2fe8 build(deps): bump github.com/golangci/golangci-lint in /tools
• Additional commits viewable in compare view

Updates golang.org/x/exp from 0.0.0-20240823005443-9b4947da3948 to 0.0.0-20240904232852-e7e105dedf7e

Commits

• See full diff in compare view

Updates k8s.io/api from 0.31.0 to 0.31.3

Commits

• b7783ab Update dependencies to v0.31.3 tag
• 46f6230 Merge pull request #126761thockin/automated-cherry-pick-of-#126749
• 1857695 fix v1a3 ResourceSliceList metadata field name
• See full diff in compare view

Updates k8s.io/apimachinery from 0.31.0 to 0.31.3

Commits

• See full diff in compare view

Updates k8s.io/client-go from 0.31.0 to 0.31.3

Commits

• ef98edc Update dependencies to v0.31.3 tag
• See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
github.com/tektoncd/pipeline	[>= 0.43.a, < 0.44]
k8s.io/api	[>= 0.30.a, < 0.31]
k8s.io/client-go	[>= 0.30.a, < 0.31]
k8s.io/apimachinery	[>= 0.30.a, < 0.31]
github.com/tektoncd/cli	[>= 0.37.a, < 0.38]
github.com/tektoncd/pipeline	[>= 0.61.a, < 0.62]
github.com/tektoncd/pipeline	[>= 0.62.a, < 0.63]
github.com/tektoncd/pipeline	[< 1, > 0.60.2]
k8s.io/api	[>= 0.31.a, < 0.32]
k8s.io/apimachinery	[>= 0.31.a, < 0.32]
k8s.io/client-go	[>= 0.31.a, < 0.32]
github.com/tektoncd/cli	[>= 0.38.a, < 0.39]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: Dependabot was ignoring updates to this dependency, but since you've updated it yourself we've started tracking it for you again. 🤖

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[simonbaird]

Acceptance test error says:

 go: updates to go.mod needed; to update it:
	go mod tidy
make: *** [Makefile:114: acceptance] Error 1

[zregvart]

Reverted the github.com/sigstore/sigstore@v1.8.10 update and got:

$ go mod tidy
go: github.com/tektoncd/cli@v0.39.0 requires go >= 1.22.8

[zregvart]

@dependabot ignore github.com/tektoncd/cli

[dependabot]

OK, I won't notify you about github.com/tektoncd/cli again, unless you unignore it.

[zregvart]

@dependabot rebase

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.