Upgrade: Bump sigstore/cosign-installer from 3.6.0 to 3.7.0

[dependabot]

Bumps sigstore/cosign-installer from 3.6.0 to 3.7.0.

Release notes

Sourced from sigstore/cosign-installer's releases.

v3.7.0

What's Changed

• Bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot in sigstore/cosign-installer#172
• bump for latest cosign v2.4.1 release by @​bobcallaway in sigstore/cosign-installer#173

Full Changelog: sigstore/cosign-installer@v3.6.0...v3.7.0

Commits

• dc72c7d bump for latest cosign v2.4.1 release (#173)
• 08bb361 Bump actions/checkout from 4.1.7 to 4.2.0 (#172)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dryrunsecurity]

DryRun Security Summary

The provided code change updates the GitHub Actions workflow for the project's release process, focusing on improving the security and reliability of the release process by using Cosign for signing and verifying the released artifacts, generating a Software Bill of Materials (SBOM), and automating the release process with GoReleaser.

Expand for full summary

Summary:

The provided code change is related to the GitHub Actions workflow for the project's release process. The key updates include:

1. Updating the version of the sigstore/cosign-installer action, which suggests the project is using Cosign for signing and verifying the released artifacts - a good security practice.
2. Maintaining the use of the anchore/sbom-action/download-syft action, indicating the project is generating a Software Bill of Materials (SBOM) as part of the release process, providing visibility into the components and dependencies included in the released artifacts.
3. Continuing to use the goreleaser/goreleaser-action to automate the release process, ensuring consistency and reproducibility, which can help maintain the security of the released artifacts.

The workflow also includes a step to run a verification script (./.github/workflows/verify.sh), which should be reviewed to ensure it performs appropriate checks on the released artifacts, such as verifying the Cosign signatures and the SBOM.

Overall, the code changes appear to be focused on improving the security and reliability of the project's release process, which is a best practice for application security.

Files Changed:

• .github/workflows/release.yaml: This file contains the GitHub Actions workflow for the project's release process. The key changes include:
  • Updating the version of the sigstore/cosign-installer action, which suggests the project is using Cosign for signing and verifying the released artifacts.
  • Maintaining the use of the anchore/sbom-action/download-syft action, indicating the project is generating a Software Bill of Materials (SBOM) as part of the release process.
  • Continuing to use the goreleaser/goreleaser-action to automate the release process, ensuring consistency and reproducibility.
  • Including a step to run a verification script (./.github/workflows/verify.sh), which should be reviewed to ensure it performs appropriate checks on the released artifacts.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.