
build(deps): bump github.com/sigstore/timestamp-authority from 1.2.3 to 1.2.4 in /.github in the actions group #1288

Merged
merged 5 commits into main from dependabot/go_modules/dot-github/actions-8710abec8f
Jan 29, 2025

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jan 22, 2025

Bumps the actions group in /.github with 1 update: github.com/sigstore/timestamp-authority.

Updates github.com/sigstore/timestamp-authority from 1.2.3 to 1.2.4

Release notes

Sourced from github.com/sigstore/timestamp-authority's releases.

v1.2.4

What's Changed

Full Changelog: sigstore/timestamp-authority@v1.2.3...v1.2.4

Commits
  • 1d583aa chore: relax go directive to permit 1.22.x (#927)
  • cd3eaef chore(deps): bump actions/setup-go in the actions group (#930)
  • aa7b685 chore(deps): bump golangci/golangci-lint-action in the actions group (#928)
  • 30a0423 chore(deps): bump golang from 1.23.4 to 1.23.5 in the docker group (#929)
  • 1cf6b78 chore(deps): bump google.golang.org/protobuf in the gomod group (#924)
  • 9a96076 chore(deps): bump imjasonh/setup-ko from 0.7 to 0.8 in the actions group (#926)
  • 6179dd7 chore(deps): bump golang from 585103a to 9820aca (#925)
  • 9723ea5 chore(deps): bump go.step.sm/crypto from 0.56.0 to 0.57.0 (#923)
  • 3e93955 chore(deps): bump golang from 3b1a7de to 585103a (#922)
  • 7704ad4 chore(deps): bump golang from 7ea4c9d to 3b1a7de (#921)
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jan 22, 2025
Bumps the actions group in /.github with 1 update: [github.com/sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority).


Updates `github.com/sigstore/timestamp-authority` from 1.2.3 to 1.2.4
- [Release notes](https://github.com/sigstore/timestamp-authority/releases)
- [Changelog](https://github.com/sigstore/timestamp-authority/blob/main/CHANGELOG.md)
- [Commits](sigstore/timestamp-authority@v1.2.3...v1.2.4)

---
updated-dependencies:
- dependency-name: github.com/sigstore/timestamp-authority
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/dot-github/actions-8710abec8f branch from 5997fe7 to e8e735d Compare January 23, 2025 19:49
@woodruffw
Member

Looks like Dependabot generated a bad PR here: the dep has been removed entirely, instead of being bumped. Not sure why.

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Member

I've gone ahead and fixed it locally, adding a go.sum in the process. CC @DarkaMaul, curious if you have any thoughts on why this doesn't work -- it's possible Dependabot doesn't understand that we're doing something "weird" here by having dependencies without a real package.

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Member

/gcbrun

@DarkaMaul
Collaborator

DarkaMaul commented Jan 27, 2025

Looks like Dependabot generated a bad PR here: the dep has been removed entirely, instead of being bumped. Not sure why.

I managed to replicate the issue locally, and it comes from go mod tidy.
The problem is that tidy will analyze the code and detect under-declared dependencies (used by the project but missing from go.mod) as well as over-declared ones.

From looking at the dependabot-core code, we have two options:

  • Continue to mock the state here a bit more and create a fake tools.go file that uses one component of timestamp-authority. The problem is that it will pull all dependencies of timestamp-authority into our go.mod (see this PR).

  • Prevent go mod tidy from running:

    • by having a non-empty substitution array (to bypass this check);
    • by finding a way to surface the tidy option in dependabot itself.
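The mechanism DarkaMaul describes, as an added example that is not part of the PR or of the repository: a small checker that mimics the pruning rule `go mod tidy` applies to a tools-only module. It reads a constructed go.mod with two `require` entries and a constructed `tools.go` whose blank import keeps only one of them alive, and reports which requirement tidy would drop. The module `github.com/some/linter` and every package path below are illustrative assumptions; the matching rule (a package belongs to module M when its path is M or starts with M + "/") is an approximation that ignores nested modules and `replace` directives, which real tidy resolves through the module graph.

```go
package main

import (
	"bufio"
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Constructed go.mod for a tools-only module like the one in /.github:
// timestamp-authority is required but no Go source imports it.
const sampleGoMod = `module github.com/example/ci-tools

go 1.22

require (
	github.com/sigstore/timestamp-authority v1.2.4
	github.com/some/linter v0.9.0
)
`

// Constructed tools.go: the blank import keeps github.com/some/linter in go.mod
// across tidy. The package path is hypothetical.
const sampleToolsGo = `//go:build tools

package tools

import _ "github.com/some/linter/cmd/lint"
`

// requiredModules returns module paths from require directives (single-line and block form).
func requiredModules(goMod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			mods = append(mods, f[0])
		case strings.HasPrefix(line, "require ") && len(f) >= 3:
			mods = append(mods, f[1])
		}
	}
	return mods
}

// importedPaths parses a Go source file (blank imports included) and returns its import paths.
func importedPaths(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "tools.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, imp := range f.Imports {
		paths = append(paths, strings.Trim(imp.Path.Value, `"`))
	}
	return paths, nil
}

// unusedRequirements reports required modules that no import path resolves to,
// i.e. the ones go mod tidy would remove. Approximation: a package belongs to
// module M if its path equals M or has prefix M + "/".
func unusedRequirements(goMod string, sources ...string) ([]string, error) {
	var imports []string
	for _, src := range sources {
		p, err := importedPaths(src)
		if err != nil {
			return nil, err
		}
		imports = append(imports, p...)
	}
	var unused []string
	for _, mod := range requiredModules(goMod) {
		used := false
		for _, imp := range imports {
			if imp == mod || strings.HasPrefix(imp, mod+"/") {
				used = true
				break
			}
		}
		if !used {
			unused = append(unused, mod)
		}
	}
	sort.Strings(unused)
	return unused, nil
}

func main() {
	unused, err := unusedRequirements(sampleGoMod, sampleToolsGo)
	if err != nil {
		panic(err)
	}
	for _, m := range unused {
		fmt.Printf("go mod tidy would drop: %s\n", m)
	}
}
```

Running it against the constructed inputs flags `github.com/sigstore/timestamp-authority` as the entry tidy would remove, which is exactly the "dep has been removed entirely" outcome seen in this PR; adding a blank import of any package under that module path makes the checker (and tidy) keep it, at the cost DarkaMaul notes of pulling that module's own dependency graph into go.mod.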

@woodruffw
Member

Hmm. On reconsideration, I think we aren't getting a ton out of the Dependabot updates here. I think we can probably just update this manually and add a comment in the CI workflow to that effect.

I'm going to merge here and open a second PR for removing these bits.

@woodruffw
Member

/gcbrun

@woodruffw woodruffw merged commit 196ebd8 into main Jan 29, 2025
25 checks passed
@woodruffw woodruffw deleted the dependabot/go_modules/dot-github/actions-8710abec8f branch January 29, 2025 15:41