Commit
chore(deps): update aqua-installer (#175)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [aquaproj/aqua](https://togithub.com/aquaproj/aqua) | minor | `v2.21.3` -> `v2.23.1` |
| [aquaproj/aqua-installer](https://togithub.com/aquaproj/aqua-installer) | minor | `v2.2.0` -> `v2.3.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>aquaproj/aqua (aquaproj/aqua)</summary>

### [`v2.23.1`](https://togithub.com/aquaproj/aqua/releases/tag/v2.23.1)

[Compare Source](https://togithub.com/aquaproj/aqua/compare/v2.23.0...v2.23.1-1)

[Pull Requests](https://togithub.com/aquaproj/aqua/pulls?q=is%3Apr+milestone%3Av2.23.1) | [Issues](https://togithub.com/aquaproj/aqua/issues?q=is%3Aissue+milestone%3Av2.23.1) | aquaproj/aqua@v2.23.0...v2.23.1

##### Bug Fixes

[#2661](https://togithub.com/aquaproj/aqua/issues/2661) [#2662](https://togithub.com/aquaproj/aqua/issues/2662) update-checksum: Fix a bug that `update-checksum` doesn't work well if packages use both `cargo` or `go_install` types and other types

For example, the package `eza-community/eza` uses `cargo` type for darwin and windows/arm64 and `github_release` type for other platforms. In this case, aqua update-checksum didn't work well.

https://github.com/aquaproj/aqua-registry/blob/15d67414625ea37e68ea8436dba9413d9bd9b540/pkgs/eza-community/eza/registry.yaml#L2

https://github.com/aquaproj/aqua-registry/blob/15d67414625ea37e68ea8436dba9413d9bd9b540/pkgs/eza-community/eza/registry.yaml#L54-L57

This release fixed the issue.

### [`v2.23.0`](https://togithub.com/aquaproj/aqua/releases/tag/v2.23.0)

[Compare Source](https://togithub.com/aquaproj/aqua/compare/v2.22.0-1...v2.23.0)

[Pull Requests](https://togithub.com/aquaproj/aqua/pulls?q=is%3Apr+milestone%3Av2.23.0) | [Issues](https://togithub.com/aquaproj/aqua/issues?q=is%3Aissue+milestone%3Av2.23.0) | aquaproj/aqua@v2.22.0...v2.23.0

##### Features

[#2649](https://togithub.com/aquaproj/aqua/issues/2649) [#2652](https://togithub.com/aquaproj/aqua/issues/2652) cargo: Trim a prefix from `cargo` package's version

##### Bug Fixes

[#2642](https://togithub.com/aquaproj/aqua/issues/2642) info: Output `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`

https://aquaproj.github.io/docs/reference/security/cosign-slsa/#disable-the-verification-with-cosign-and-slsa-provenance

[#2654](https://togithub.com/aquaproj/aqua/issues/2654) generate-registry: Fix a bug that same version_overrides aren't merged properly

##### Others

[#2644](https://togithub.com/aquaproj/aqua/issues/2644) Update aqua-proxy to [v1.2.5](https://togithub.com/aquaproj/aqua-proxy/releases/tag/v1.2.5)

[#2653](https://togithub.com/aquaproj/aqua/issues/2653) Update [JSON Schema](https://togithub.com/aquaproj/aqua/tree/main/json-schema)

### [`v2.22.0`](https://togithub.com/aquaproj/aqua/releases/tag/v2.22.0)

[Compare Source](https://togithub.com/aquaproj/aqua/compare/v2.21.3...v2.22.0-1)

[Pull Requests](https://togithub.com/aquaproj/aqua/pulls?q=is%3Apr+milestone%3Av2.22.0) | [Issues](https://togithub.com/aquaproj/aqua/issues?q=is%3Aissue+milestone%3Av2.22.0) | aquaproj/aqua@v2.21.3...v2.22.0

##### Features

[#2631](https://togithub.com/orgs/aquaproj/discussions/2631) [#2633](https://togithub.com/aquaproj/aqua/issues/2633) [#2634](https://togithub.com/aquaproj/aqua/issues/2634) Support disabling the verification with Cosign and SLSA Provenance

You can disable the verification with Cosign and SLSA Provenance if you can't use them.

##### Why is the feature needed?

> \[!CAUTION]
> This feature is for users who can't use Cosign and slsa-verifier.
> Most users can use them, so most users don't need this feature.
> aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
> If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

Cosign and slsa-verifier access some endpoints such as `oauth2.sigstore.dev` and `fulcio.sigstore.dev`. So to use them you need to allow the access to these endpoints. But in some use cases you can't or don't want to do that. For example, your company's network policy might not allow the access to these endpoints. To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.

##### How to use

You can use command line options `-disable-cosign` and `-disable-slsa` or environment variables `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`.

e.g.

```sh
aqua [-disable-cosign] [-disable-slsa] i
```

```sh
env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i
```

##### Update dependencies

- Go 1.21.5 to 1.21.6
- goreleaser v1.22.1 to v1.23.0
- [go.mod](https://togithub.com/aquaproj/aqua/compare/v2.21.3...v2.22.0#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6)

</details>

<details>
<summary>aquaproj/aqua-installer (aquaproj/aqua-installer)</summary>

### [`v2.3.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.0)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.2.0...v2.3.0)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.3.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.3.0) | aquaproj/aqua-installer@v2.2.0...v2.3.0

##### Features

[#580](https://togithub.com/aquaproj/aqua-installer/issues/580) Support disabling the verification with Cosign and SLSA Provenance

> \[!CAUTION]
> This feature is for users who can't use Cosign and slsa-verifier.
> Most users can use them, so most users don't need this feature.
> aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
> If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

The bootstrap version is updated to [aqua v2.22.0](https://togithub.com/aquaproj/aqua/releases/tag/v2.22.0). From this version, [aqua supports disabling the verification with Cosign and SLSA Provenance](https://aquaproj.github.io/docs/reference/security/cosign-slsa#disable-the-verification-with-cosign-and-slsa-provenance).

To disable the verification with Cosign and SLSA Provenance when you install aqua with aqua-installer, please set the environment variables `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`.

```sh
export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true
./aqua-installer
```

```yaml
- uses: aquaproj/[email protected]
  with:
    aqua_version: v2.22.0
  env:
    AQUA_DISABLE_COSIGN: "true"
    AQUA_DISABLE_SLSA: "true"
```

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 4pm on thursday" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/scottames/dots).

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Scott Ames <[email protected]>
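
A guard that could run in CI against the settings named in the release notes above, as an added example that is not part of this commit or of aqua: it reports every line that sets `AQUA_DISABLE_COSIGN` or `AQUA_DISABLE_SLSA` to `true` or passes `-disable-cosign` / `-disable-slsa`. The function names and the sample tree are constructed for illustration; matching only the literal value `true` and accepting one or two leading dashes are assumptions.

```shell
#!/bin/sh
# Added example (not aqua's code): list places where aqua's Cosign / SLSA
# verification is switched off, so the change gets an explicit review.

# Assumption: only the literal value "true" (any case, optional quotes) counts.
ENV_RE="AQUA_DISABLE_(COSIGN|SLSA)[[:space:]]*[=:][[:space:]]*[\"']?[Tt][Rr][Uu][Ee]"
# Assumption: the flag may be written with one or two leading dashes.
FLAG_RE='(^|[[:space:]])--?disable-(cosign|slsa)([[:space:]]|$)'

# Print file:line:text for every hit under $1; return 1 on any hit, else 0.
find_disabled_verification() {
    hits=$(grep -rEn -e "$ENV_RE" -e "$FLAG_RE" "$1" 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Echo the number of hits under $1 (0 when verification is left on).
count_disabled_verification() {
    find_disabled_verification "$1" | grep -c . || true
}

# Constructed sample tree (hypothetical files, not the page's repository).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/.github/workflows"
    printf 'env:\n  AQUA_DISABLE_COSIGN: "true"\n  AQUA_DISABLE_SLSA: "false"\n' \
        > "$d/.github/workflows/ci.yaml"
    printf 'aqua -disable-slsa i\n' > "$d/setup.sh"
    printf 'aqua i\n' > "$d/ok.sh"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree: two lines are reported.
sample=$(make_sample)
find_disabled_verification "$sample" || echo "aqua verification is disabled at the lines above"
rm -rf "$sample"
```

In a pipeline, call `find_disabled_verification` on the checkout and let its non-zero status fail the job.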