chore(deps): update sigstore/cosign-installer action to v3.10.1 #159

Merged
james merged 1 commit from renovate-sigstore-cosign-installer-3.x into main 2026-06-20 01:25:26 +00:00
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| sigstore/cosign-installer | action | minor | v3.9.2 → v3.10.1 |

Release Notes

sigstore/cosign-installer (sigstore/cosign-installer)

v3.10.1

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

  • Bump default Cosign to v2.6.1 (#203)

v3.10.0

What's Changed

  • Bump default Cosign to v2.6.0 in #200

Full Changelog: https://github.com/sigstore/cosign-installer/compare/v3.9.2...v3.10.0


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • Between 12:00 AM and 06:59 AM (* 0-6 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

chore(deps): update sigstore/cosign-installer action to v3.10.1
Some checks failed
renovate/stability-days Updates have met minimum release age requirement
Commits / Conventional Commits (pull_request) Successful in 14s
PR / OSV-Scanner (pull_request) Successful in 26s
PR / Trivy (image) (pull_request) Failing after 44s
PR / Package age policy (soft) (pull_request) Successful in 22s
PR / Static analysis (pull_request) Successful in 54s
Secrets / gitleaks (pull_request) Successful in 17s
PR / Lint (pull_request) Successful in 1m22s
PR / Typecheck (pull_request) Successful in 1m53s
PR / npm audit (pull_request) Successful in 2m3s
PR / Test (postgres) (pull_request) Successful in 2m12s
PR / Build (pull_request) Successful in 2m55s
PR / Test (sqlite) (pull_request) Successful in 3m1s
PR / Coverage (soft) (pull_request) Successful in 3m36s
0af2c12ffd

Trivy (container image)

Threshold: high  ·  Total findings: 121  ·  At/above threshold: 1

| critical | high | medium | low |
|---:|---:|---:|---:|
| 0 | 1 | 50 | 70 |

| severity | id | package | installed / range | fix |
|---|---|---|---|---|
| high | CVE-2026-12151 | undici | 6.25.0 | 6.27.0, 7.28.0, 8.5.0 |

📊 Test coverage

Patch coverage: no testable lines changed.

Overall (app/, lib/, db/, excluding UI per ADR-0019):

| Metric | Value | Soft target |
|---|---|---|
| Lines | 85.5% | ≥ 50% |
| Branches | 81.2% | ≥ 75% |
| Functions | 90.0% | informational |

Soft thresholds per ADR-0019. Coverage is informational and does not block merge.

james merged commit eae5b94cac into main 2026-06-20 01:25:26 +00:00
james deleted branch renovate-sigstore-cosign-installer-3.x 2026-06-20 01:25:27 +00:00