Commit Graph

136 Commits

Author SHA1 Message Date
dependabot[bot]
326a0d0b7b build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
Bumps the go_modules group with 1 update in the / directory: [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go).


Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.42.0 to 1.43.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.42.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  dependency-version: 1.43.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 15:30:39 +00:00
dependabot[bot]
567670f6eb build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
Bumps the go_modules group with 1 update in the / directory: [go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp](https://github.com/open-telemetry/opentelemetry-go).


Updates `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` from 0.18.0 to 0.19.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
  dependency-version: 0.19.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-08 19:27:49 +00:00
Milos Gajdos
078b0783f2 Merge commit from fork
fix redis repo-scoped blob descriptor revocation
2026-04-05 17:08:50 -07:00
dependabot[bot]
2bf6ae0065 build(deps): bump github.com/go-jose/go-jose/v4
Bumps the go_modules group with 1 update in the / directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).


Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-03 04:02:21 +00:00
1seal
5cda72868f fix redis repo-scoped blob descriptor revocation 2026-04-01 18:38:38 +03:00
Milos Gajdos
fa05d6fa31 chore(deps): Bump Go to latest 1.25 in CI workflows and go.mod
In prep for release + fixing sec vulns
* https://github.com/distribution/distribution/security/dependabot/22
* https://github.com/distribution/distribution/security/dependabot/23

otel is particularly silly, especially the contrib deps.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-03-19 09:10:09 -07:00
Milos Gajdos
ab67ffa0bd vendor: github.com/go-jose/go-jose/v4 v4.1.3 (#4790) 2026-02-12 15:03:13 -08:00
Sebastiaan van Stijn
eba1fb4803 vendor: github.com/docker/go-events 605354379745
full diff: e31b211e4f...6053543797

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 19:21:25 +01:00
Sebastiaan van Stijn
01a853e429 go.mod: remove outdated comment
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 19:15:36 +01:00
Sebastiaan van Stijn
2a52e9015f vendor: github.com/go-jose/go-jose/v4 v4.1.3
No longer has dependencies

full diff: https://github.com/go-jose/go-jose/compare/v4.0.5...v4.1.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 19:12:01 +01:00
Milos Gajdos
1cc061570c vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0 (#4788) 2026-02-12 10:03:20 -08:00
Sebastiaan van Stijn
3e841a3d78 vendor: github.com/spf13/cobra v1.10.2
full diff:

- https://github.com/spf13/cobra/compare/v1.8.0...v1.10.2
- https://github.com/spf13/pflag/compare/v1.0.5...v1.0.10

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 18:45:18 +01:00
Sebastiaan van Stijn
10e0e8e4c0 vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0
- adds go.mod
- DefaultFormatter now uses RFC3339Nano as default

full diff: https://github.com/bshuster-repo/logrus-logstash-hook/compare/v1.0.0...v1.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 18:37:03 +01:00
Sebastiaan van Stijn
d2398c56f2 vendor: github.com/klauspost/compress v1.18.4
full diff: https://github.com/klauspost/compress/compare/v1.17.11...v1.18.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 09:35:31 -08:00
Sebastiaan van Stijn
c4a0bd3fe9 vendor: github.com/opencontainers/image-spec v1.1.1
full diff: https://github.com/opencontainers/image-spec/compare/v1.1.0...v1.1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 09:34:56 -08:00
Sebastiaan van Stijn
abc9debf41 vendor: github.com/docker/docker-credential-helpers v0.9.5
full diff: https://github.com/docker/docker-credential-helpers/compare/v0.8.2...v0.9.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 09:21:36 -08:00
Sebastiaan van Stijn
9b79cf5105 vendor: golang.org/x/oauth2 v0.35.0
full diff: https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.28.0...refs/tags/v0.35.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
ae7c498d28 vendor: golang.org/x/time v0.14.0
full diff: https://cs.opensource.google/go/x/time/+/refs/tags/v0.6.0...refs/tags/v0.14.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
87a9711c88 vendor: golang.org/x/crypto v0.48.0, golang.org/x/net v0.50.0
full diff: https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.36.0...refs/tags/v0.48.0
full diff: https://cs.opensource.google/go/x/net/+/refs/tags/v0.38.0...refs/tags/v0.50.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
aebf0612ee vendor: golang.org/x/text v0.34.0
full diff: https://cs.opensource.google/go/x/text/+/refs/tags/v0.23.0...refs/tags/v0.34.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
3e3e153900 vendor: golang.org/x/sys v0.41.0
full diff: https://cs.opensource.google/go/x/sys/+/refs/tags/v0.31.0...refs/tags/v0.41.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:58:55 -08:00
Sebastiaan van Stijn
00464063d5 vendor: github.com/sirupsen/logrus v1.9.4
full diff: https://github.com/sirupsen/logrus/compare/v1.9.3...v1.9.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 08:57:45 -08:00
Sebastiaan van Stijn
f5d656e686 drop support for go1.23
go1.23 is EOL since August 2025 (when go1.25 was released), and (indirect)
dependencies start to require it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 04:22:51 -08:00
dependabot[bot]
5a71303e59 build(deps): bump golang.org/x/net
Bumps the go_modules group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-16 23:33:39 +00:00
Milos Gajdos
52f0f6c45d Bump Azure deps
This pulls in go-redis update as well.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2025-03-27 22:44:26 -07:00
dependabot[bot]
05b308bc42 build(deps): bump github.com/golang-jwt/jwt/v5
Bumps the go_modules group with 1 update in the / directory: [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt).


Updates `github.com/golang-jwt/jwt/v5` from 5.2.1 to 5.2.2
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v5
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-21 22:28:21 +00:00
dependabot[bot]
896fec507e build(deps): bump golang.org/x/net
Bumps the go_modules group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/net` from 0.33.0 to 0.36.0
- [Commits](https://github.com/golang/net/compare/v0.33.0...v0.36.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-19 14:59:20 +00:00
Milos Gajdos
d7b8fb6a0e Bump Go version in prep for the next release
This bumps the Go version in preparation for the next release.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2025-03-19 07:47:32 -07:00
dependabot[bot]
fc3dd55d3d build(deps): bump github.com/go-jose/go-jose/v4 in the go_modules group
Bumps the go_modules group with 1 update: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).


Updates `github.com/go-jose/go-jose/v4` from 4.0.2 to 4.0.5
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-24 22:51:52 +00:00
Milos Gajdos
38fd91a49e (security): Bump golang.org/x/net module
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2024-45338

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-12-20 06:21:59 +00:00
Milos Gajdos
96a3daafe9 Move a direct dependency to direct deps required modules
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-12-12 11:34:21 +00:00
Milos Gajdos
fb3ba302d2 chore: Bump alpine and Go versions
3.20 had a minor security vulnerability. Let's bump it.

Related:
* https://github.com/distribution/distribution-library-image/issues/171
* https://github.com/distribution/distribution/pull/4527

Bump Go version
* CI
* go.mod

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-12-12 11:29:11 +00:00
dependabot[bot]
6eba54be60 build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.28.0 to 0.31.0.
- [Commits](https://github.com/golang/crypto/compare/v0.28.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-12-12 08:34:18 +00:00
krynju
abbe03efef Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Signed-off-by: krynju <krystian.gulinski@juliahub.com>
2024-11-13 18:27:43 +01:00
Milos Gajdos
d67b46a05b Bump dependencies (#4498) 2024-11-06 10:52:35 +00:00
Milos Gajdos
3ac2285631 Bump otel dependencies
We want to be consistent in our deps so tracking down issue does not end
up in a murder mystery hunt. This commit picks a specific otel versions
that are unified in this codebase.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-11-05 05:45:37 +00:00
Milos Gajdos
3996413f46 Bump google storage module
Also bump the golangci version

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-10-26 18:19:46 +01:00
Milos Gajdos
1c26d98fbe Bump dependencies
In preparation to the next release we're going to bump some deps such as
various cloud SDKs we can test i.e. AWS, Google Cloud, etc.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-10-26 17:52:35 +01:00
Chun-Hung Hsiao
eed9400d26 feat: support custom exec-based credential helper in proxy mode
This change allows users to run the registry as a pull-through cache
that can use a credential helper to authenticate against the upstream
registry.

Signed-off-by: Chun-Hung Hsiao <chhsiao@google.com>
2024-08-16 19:42:51 -07:00
Ismail Alidzhikov
ba8e539b03 Use x.y.0 format for the go module version
Signed-off-by: Ismail Alidzhikov <i.alidjikov@gmail.com>
2024-07-29 13:20:39 +03:00
Milos Gajdos
c345425ff5 ci:bump Go version
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-07-13 19:24:26 +01:00
Sebastiaan van Stijn
9ba7340601 vendor: github.com/opencontainers/image-spec v1.1.0
full diff: https://github.com/opencontainers/image-spec/compare/v1.0.2...v1.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-10 14:58:09 -05:00
Milos Gajdos
5316d3bda2 Bump Go and golang linter
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-06-30 16:50:09 +01:00
dependabot[bot]
050e1a3ee7 build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
Bumps [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) from 1.3.0 to 1.6.0.
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.3.0...sdk/azcore/v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-11 20:09:16 +00:00
Milos Gajdos
675d7e27f5 feature: Bump go-jose and require signing algorithms in auth (#4349) 2024-05-30 20:54:20 +01:00
Milos Gajdos
52d68216c0 feature: Bump go-jose and require signing algorithms in auth
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00
James Hewitt
421a359b26 Add a go.mod toolchain version
go 1.21 added toolchain support. We should now specify a toolchain
version in go.mod.

https://go.dev/doc/toolchain

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
2024-05-13 14:47:07 +01:00
Liang Zheng
a5882d6646 vendor: update manifest dependencies
Signed-off-by: Liang Zheng <zhengliang0901@gmail.com>
2024-04-26 22:22:49 +08:00
dependabot[bot]
2db0a598cc build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-19 12:59:08 +00:00
Milos Gajdos
bc6e81e1b9 Add Go 1.22 support to CI (#4314) 2024-04-08 12:15:39 +01:00