build(deps): bump github.com/sigstore/cosign/v2 from 2.4.1 to 2.6.3 in /tools by dependabot[bot] · Pull Request #1753 · fastly/cli

dependabot · 2026-04-27T13:39:36Z

Bumps github.com/sigstore/cosign/v2 from 2.4.1 to 2.6.3.

Changelog

Sourced from github.com/sigstore/cosign/v2's changelog.

v3.0.5

Deprecations

Deprecate rekor-entry-type flag (#4691)

Deprecate cosign triangulate (#4676)

Deprecate cosign copy (#4681)

Features

Automatically require signed timestamp with Rekor v2 entries (#4666)

Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)

Add mTLS support for TSA client connections when signing with a signing config (#4620)

Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)

Bug Fixes

Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)

fix: avoid panic on malformed attestation payload (#4651)

fix: avoid panic on malformed tlog entries (#4649)

fix: avoid panic on malformed replace payload (#4653)

Gracefully fail if bundle payload body is not a string (#4648)

Verify validity of chain rather than just certificate (#4663)

fix: avoid panic on malformed tlog entry body (#4652)

Documentation

docs(cosign): clarify RFC3161 revocation semantics (#4642)

Fix typo in CLI help (#4701)

v3.0.4

v3.0.4 resolves GHSA-whqx-f9j3-ch6m.

Changes

Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4623)

Optimize cosign tree performance by caching digest resolution (#4612)

Don't require a trusted root to verify offline with a key (#4613)

Support default services for trusted-root and signing-config creation (#4592)

v2.6.2

v2.6.2 resolves GHSA-whqx-f9j3-ch6m.

Changes

Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m) (#4624)

bump sigstore deps to resolve build errors (#4619)

... (truncated)

Commits

fecddd3 Fix DSSE predicate check (#4802)
564c5b1 Backport bundle detection to sign and attest (#4727)
3ade80c Fix bundle verify path for old bundle/trusted root (#4624)
c4e6a78 v2.6 branch - bump sigstore deps (#4619)
634fabe Bump sigstore-go, move conformance back to tagged release
c5545ed Partially populate the output of cosign verify when working with new bundles ...
e191024 bump go builder to use 1.25.1 and cosign (#4417)
37fbfc7 Require exclusively a SigningConfig or service URLs when signing (#4403)
b1acaeb Add a terminal spinner while signing with sigstore-go (#4402)
2581dfd chore(deps): bump the gomod group across 1 directory with 8 updates (#4401)
Additional commits viewable in compare view

Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.4.1 to 2.6.3. - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v2.4.1...v2.6.3) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign/v2 dependency-version: 2.6.3 dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

### Change summary Reverts the transitive dependency bumps introduced by PRs #1739–#1753 which broke `go tool -modfile=tools/go.mod goreleaser check` due to an incompatibility between goreleaser v2.9.0 and the newer gitlab-org/api/client-go (v0.143.3) pulled in transitively by the sigstore/cosign bump (#1753). All Submissions: * [x] Have you followed the guidelines in our Contributing document? * [x] Have you checked to ensure there aren't other open [Pull Requests](https://github.com/fastly/cli/pulls) for the same update/change?  ### New Feature Submissions: * [x] Does your submission pass tests? ### Are there any considerations that need to be addressed for release? We'll need to do a fast follow up PR after this to correct the go-releaser format deprecations.

dependabot Bot requested a review from a team as a code owner April 27, 2026 13:39

dependabot Bot added the tools Indicates that a given PR updates the repo tooling. label Apr 27, 2026

dependabot Bot requested a review from philippschulte April 27, 2026 13:39

dependabot Bot added the tools Indicates that a given PR updates the repo tooling. label Apr 27, 2026

dependabot Bot force-pushed the dependabot/go_modules/tools/github.com/sigstore/cosign/v2-2.6.3 branch from cfe6a4d to 5647ffc Compare April 27, 2026 14:13

github-actions Bot added the Skip-Changelog do not add a changelog entry for this change label Apr 27, 2026

dependabot Bot force-pushed the dependabot/go_modules/tools/github.com/sigstore/cosign/v2-2.6.3 branch 9 times, most recently from c8c2d0f to f3b8b9a Compare April 27, 2026 16:31

dependabot Bot force-pushed the dependabot/go_modules/tools/github.com/sigstore/cosign/v2-2.6.3 branch from f3b8b9a to a744112 Compare April 27, 2026 16:46

rcaril approved these changes Apr 27, 2026

View reviewed changes

rcaril enabled auto-merge (squash) April 27, 2026 16:48

rcaril merged commit aa57d8a into main Apr 27, 2026
10 checks passed

rcaril deleted the dependabot/go_modules/tools/github.com/sigstore/cosign/v2-2.6.3 branch April 27, 2026 16:59

rcaril mentioned this pull request Apr 27, 2026

Revert Tool PRs #1762

Merged

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump github.com/sigstore/cosign/v2 from 2.4.1 to 2.6.3 in /tools#1753

build(deps): bump github.com/sigstore/cosign/v2 from 2.4.1 to 2.6.3 in /tools#1753
rcaril merged 1 commit intomainfrom
dependabot/go_modules/tools/github.com/sigstore/cosign/v2-2.6.3

dependabot Bot commented on behalf of github Apr 27, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v3.0.5

Deprecations

Features

Bug Fixes

Documentation

v3.0.4

Changes

v2.6.2

Changes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Apr 27, 2026 •

edited

Loading