kubernetes-sigs/promo-tools

📋 What's Changed

• build(deps): bump google.golang.org/api from 0.277.0 to 0.278.0 by @dependabot[bot] in https://github.com/kubernetes-sigs/promo-tools/pull/1837
• build(deps): bump the gomod group with 2 updates by @dependabot[bot] in https://github.com/kubernetes-sigs/promo-tools/pull/1838
• build(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 by @dependabot[bot] in https://github.com/kubernetes-sigs/promo-tools/pull/1839
• build(deps): bump cloud.google.com/go/iam from 1.10.0 to 1.11.0 by @dependabot[bot] in https://github.com/kubernetes-sigs/promo-tools/pull/1840
• build(deps): bump cloud.google.com/go/containeranalysis from 0.18.0 to 0.19.0 by @dependabot[bot] in https://github.com/kubernetes-sigs/promo-tools/pull/1841
• build(deps): bump github.com/in-toto/in-toto-golang from 0.9.0 to 0.11.0 by @dependabot[bot] in https://github.com/kubernetes-sigs/promo-tools/pull/1842
• build(deps): bump k8s.io/apimachinery from 0.36.0 to 0.36.1 in the gomod group by @dependabot[bot] in https://github.com/kubernetes-sigs/promo-tools/pull/1843
• build(deps): bump google.golang.org/api from 0.278.0 to 0.279.0 by @dependabot[bot] in https://github.com/kubernetes-sigs/promo-tools/pull/1844
• + 16 more

✨ Feature

• Add --staging-repo flag to kpromo pr to support Artifact Registry staging repos (#1830, @saschagrunert) [SIG Release]

🐛 Bug or Regression

• Fix a regression where S3-backed file promotions only listed the first page of destination objects, which could trigger unnecessary re-uploads and timeouts. (#1802, @dims) [SIG Release]

📦 Other (Cleanup or Flake)

• The `kpromo cip replicate-signatures` subcommand and `--max-signature-copies` flag have been removed. Signature replication is no longer needed as archeio now routes signature requests to a canonical upstream. Signatures are explicitly written to `us-central1-docker.pkg.dev` to match archeio's `SIGNATURE_UPSTREAM_ENDPOINT`. (#1829, @saschagrunert) [SIG Release]

✨ Added

• k8s.io/streaming: [v0.36.0](https://github.com/kubernetes/streaming/commit/fbcf184e52bfd8a40d46311b494493c287fd6d05)

📋 Changed

• cloud.google.com/go/auth: [87cdcc9 → v0.20.0](https://github.com/googleapis/google-cloud-go/compare/87cdcc9f756881f90337d222fe3707234d1a2c71...auth/v0.20.0)
• cloud.google.com/go/containeranalysis: [v0.14.2 → v0.18.0](https://github.com/googleapis/google-cloud-go/compare/containeranalysis/v0.14.2...containeranalysis/v0.18.0)
• cloud.google.com/go/grafeas: [v0.3.16 → v0.3.17](https://github.com/googleapis/google-cloud-go/compare/grafeas/v0.3.16...grafeas/v0.3.17)
• cloud.google.com/go/iam: [v1.6.0 → v1.10.0](https://github.com/googleapis/google-cloud-go/compare/iam/v1.6.0...iam/v1.10.0)
• cloud.google.com/go/longrunning: [v0.8.0 → v0.9.0](https://github.com/googleapis/google-cloud-go/compare/longrunning/v0.8.0...longrunning/v0.9.0)
• cloud.google.com/go/storage: [v1.61.3 → v1.62.1](https://github.com/googleapis/google-cloud-go/compare/storage/v1.61.3...storage/v1.62.1)
• filippo.io/edwards25519: [v1.1.1 → v1.2.0](https://github.com/FiloSottile/edwards25519/compare/v1.1.1...v1.2.0)
• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: [v1.30.0 → v1.31.0](https://github.com/GoogleCloudPlatform/opentelemetry-operations-go/compare/v1.30.0...v1.31.0)
• + 82 more

🗑️ Removed

• github.com/go-task/slim-sprig/v3: [v3.0.0](https://github.com/go-task/slim-sprig/commit/b05cce61fffa5c6dea6ac8b9a1f12b6e3fb7c894)

✨ Feature

• Reduce peak memory usage during edge grouping by ~50% (#1772, @saschagrunert) [SIG Release]

🐛 Bug or Regression

• Fix a regression where S3-backed file promotions only listed the first page of destination objects, which could trigger unnecessary re-uploads and timeouts. (#1802, @dims) [SIG Release]
• Fix promotion timeout when prow diff contains no image digests (#1798, @saschagrunert) [SIG Release]
• Increase retry budget for transient Artifact Registry rate limits during signature replication. (#1784, @saschagrunert) [SIG Release]

✨ Added

• github.com/google/go-github/v84: [v84.0.0](https://github.com/google/go-github/commit/2830c69e81ae2b8f809ba498c09071d093585908)
• github.com/moby/moby/api: [v1.54.0](https://github.com/moby/moby/commit/7f1a670667e186baf2839a42a78ba2acad4f8852)
• github.com/moby/moby/client: [v0.3.0](https://github.com/moby/moby/commit/c2f80b072ca4754a19b721e9a4d75ab851cac925)
• github.com/oklog/ulid/v2: [v2.1.1](https://github.com/oklog/ulid/commit/96c4edf226ef639c92f96f42c7c2a161ae0e1a66)
• github.com/pborman/getopt: [7148bc3](https://github.com/pborman/getopt/tree/7148bc3)

📋 Changed

• cloud.google.com/go/aiplatform: [v1.114.0 → v1.120.0](https://github.com/googleapis/google-cloud-go/compare/aiplatform/v1.114.0...aiplatform/v1.120.0)
• cloud.google.com/go/area120: [v0.9.7 → v0.10.0](https://github.com/googleapis/google-cloud-go/compare/area120/v0.9.7...area120/v0.10.0)
• cloud.google.com/go/artifactregistry: [v1.19.0 → v1.20.0](https://github.com/googleapis/google-cloud-go/compare/artifactregistry/v1.19.0...artifactregistry/v1.20.0)
• cloud.google.com/go/asset: [v1.22.0 → v1.22.1](https://github.com/googleapis/google-cloud-go/compare/asset/v1.22.0...asset/v1.22.1)
• cloud.google.com/go/auth: [v0.18.2 → 87cdcc9](https://github.com/googleapis/google-cloud-go/compare/auth/v0.18.2...87cdcc9f756881f90337d222fe3707234d1a2c71)
• cloud.google.com/go/bigquery: [v1.72.0 → v1.74.0](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.72.0...bigquery/v1.74.0)
• cloud.google.com/go/bigtable: [v1.41.0 → v1.42.0](https://github.com/googleapis/google-cloud-go/compare/bigtable/v1.41.0...bigtable/v1.42.0)
• cloud.google.com/go/container: [v1.45.0 → v1.46.0](https://github.com/googleapis/google-cloud-go/compare/container/v1.45.0...container/v1.46.0)
• + 113 more

🗑️ Removed

• github.com/docker/docker: [v28.5.2](https://github.com/docker/docker/commit/89c5e8fd66634b6128fc4c0e6f1236e2540e46e0)
• github.com/google/go-github/v55: [v55.0.0](https://github.com/google/go-github/commit/99ee29e326a0b3d5e09982f3de2101ba70613808)
• github.com/google/go-github/v75: [v75.0.0](https://github.com/google/go-github/commit/f42c5ec00b7420d326d14c479d2fb3db824acc38)
• github.com/moby/sys/atomicwriter: [v0.1.0](https://github.com/moby/sys/commit/4a75548218baa36bdbaaed1371a3e8a9cdfcffa0)
• github.com/montanaflynn/stats: [v0.7.1](https://github.com/montanaflynn/stats/commit/249b5aaa10484bb7e8f3b866b0925aaebdac8170)
• github.com/morikuni/aec: [v1.0.0](https://github.com/morikuni/aec/tree/v1.0.0)
• github.com/xdg-go/pbkdf2: [v1.0.0](https://github.com/xdg-go/pbkdf2/tree/v1.0.0)
• github.com/xdg-go/scram: [v1.1.2](https://github.com/xdg-go/scram/commit/17629a50d5ce12875d83f9095809ae43b765c303)
• + 3 more

✨ Feature

• Add progress logging and bound goroutine concurrency in signature replication phase (#1748, @saschagrunert) [SIG Release]
• Give full rate limit budget to the active pipeline phase, increasing promotion throughput from 35 to 50 req/sec. (#1735, @saschagrunert) [SIG Release]
• Improve standalone signature replication throughput by using the full rate budget and skipping unsigned images early (#1727, @saschagrunert) [SIG Release]
• Optimize standalone signature replication by batch-listing tags and copying only missing signatures, reducing API calls significantly. (#1749, @saschagrunert) [SIG Release]
• Parallelize signature replication, increase default threads to 20 (#1737, @saschagrunert) [SIG Release]
• Parallelize registry reads, reducing the plan phase from ~19 minutes to ~2 minutes for large promotions. (#1736, @saschagrunert) [SIG Release]
• Provenance attestations are now always generated and verified using verify-if-present semantics. (#1754, @saschagrunert) [SIG Release]
• Provenance attestations use cosign OCI APIs with predicate-type-aware idempotency. SBOM promotion is removed. (#1764, @saschagrunert) [SIG Release]

📝 Documentation

• Fix outdated documentation including missing sigcheck command, incorrect install paths, and stale version examples (#1747, @saschagrunert) [SIG Release]

🐛 Bug or Regression

• Add retry logic for all pipeline network operations including registry reads, signature copies, and attestation writes (#1742, @saschagrunert) [SIG Release]
• Fix FixMissingSignatures panic on empty check results and mirrorsList race condition (#1738, @saschagrunert) [SIG Release]
• Fix default promotion threads being zero, which caused image promotion to hang indefinitely. (#1733, @saschagrunert) [SIG Release]
• Fix empty version fields in pipeline log output (#1743, @saschagrunert) [SIG Release]
• Fix regression where image promotion marked all source images as _LOST_ due to registry inventory key mismatch. (#1731, @saschagrunert) [SIG Release]
• Fix signature replication failing on images without signatures (#1726, @saschagrunert) [SIG Release]
• Fixed intermittent hangs in signature replication by adding per-request
• timeouts and automatic retry on deadline exceeded errors. (#1763, @saschagrunert) [SIG Release]
• + 3 more

📦 Other (Cleanup or Flake)

• Give the full rate limit budget to all pipeline phases instead of splitting between promotion and signing (#1741, @saschagrunert) [SIG Release]
• Improve promotion logging with per-image progress counters and copy timing (#1732, @saschagrunert) [SIG Release]
• Reduce rate limiter log spam by removing per-request backoff warnings (#1745, @saschagrunert) [SIG Release]
• Remove deprecated --key-files, --use-service-account, --json-log-summary, and --snapshot-service-account flags from kpromo; use Application Default Credentials instead (#1758, @saschagrunert) [SIG Release]
• Remove inline signature replication from the promotion pipeline in favor of the dedicated periodic ci-k8sio-image-signature-replication Prow job. (#1750, @saschagrunert) [SIG Release]
• The promotion record attestation is no longer wrapped in a slsa build predicate. It is its own predicate type. (#1767, @puerco) [SIG Release]

✨ Added

• golang.org/x/tools/go/expect: v0.1.0-deprecated
• golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated

📋 Changed

• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: [v1.7.5 → v1.7.6](https://github.com/aws/aws-sdk-go-v2/compare/aws/protocol/eventstream/v1.7.5...aws/protocol/eventstream/v1.7.6)
• github.com/aws/aws-sdk-go-v2/config: [v1.32.10 → v1.32.11](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.32.10...config/v1.32.11)
• github.com/aws/aws-sdk-go-v2/credentials: [v1.19.10 → v1.19.11](https://github.com/aws/aws-sdk-go-v2/compare/credentials/v1.19.10...credentials/v1.19.11)
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds: [v1.18.18 → v1.18.19](https://github.com/aws/aws-sdk-go-v2/compare/feature/ec2/imds/v1.18.18...feature/ec2/imds/v1.18.19)
• github.com/aws/aws-sdk-go-v2/feature/s3/manager: [v1.22.3 → v1.22.5](https://github.com/aws/aws-sdk-go-v2/compare/feature/s3/manager/v1.22.3...feature/s3/manager/v1.22.5)
• github.com/aws/aws-sdk-go-v2/internal/configsources: [v1.4.18 → v1.4.19](https://github.com/aws/aws-sdk-go-v2/compare/internal/configsources/v1.4.18...internal/configsources/v1.4.19)
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: [v2.7.18 → v2.7.19](https://github.com/aws/aws-sdk-go-v2/compare/internal/endpoints/v2/v2.7.18...internal/endpoints/v2/v2.7.19)
• github.com/aws/aws-sdk-go-v2/internal/ini: [v1.8.4 → v1.8.5](https://github.com/aws/aws-sdk-go-v2/compare/internal/ini/v1.8.4...internal/ini/v1.8.5)
• + 27 more

🗑️ Removed

• _Nothing has changed._

✨ Feature

• Add `kpromo cip replicate-signatures` subcommand for standalone signature replication to mirror registries. (#1715, @saschagrunert) [SIG Release]

📦 Other (Cleanup or Flake)

• Remove deprecated `cip audit` subcommand and legacy e2e test infrastructure (#1716, @saschagrunert) [SIG Release]
• Remove deprecated `kpromo mm` (cip-mm) subcommand (#1721, @saschagrunert) [SIG Release]
• Remove legacy image promoter internals (inventory, gcloud, stream, json, reqcounter, container, timewrapper packages) (#1718, @saschagrunert) [SIG Release]
• Remove deprecated `--use-legacy-pipeline` flag and legacy sequential promotion code path. The new pipeline engine is now the only code path. (#1712, @saschagrunert) [SIG Release]

✨ Added

• _Nothing has changed._

📋 Changed

• cel.dev/expr: v0.24.0 → v0.25.1
• cloud.google.com/go/auth: v0.18.1 → v0.18.2
• github.com/cncf/xds/go: [0feb691 → ee656c7](https://github.com/cncf/xds/compare/0feb691...ee656c7)
• github.com/envoyproxy/go-control-plane/envoy: [v1.35.0 → v1.36.0](https://github.com/envoyproxy/go-control-plane/compare/envoy/v1.35.0...envoy/v1.36.0)
• github.com/envoyproxy/go-control-plane: [75eaa19 → v0.14.0](https://github.com/envoyproxy/go-control-plane/compare/75eaa19...v0.14.0)
• github.com/envoyproxy/protoc-gen-validate: [v1.2.1 → v1.3.0](https://github.com/envoyproxy/protoc-gen-validate/compare/v1.2.1...v1.3.0)
• github.com/google/go-containerregistry: [v0.21.0 → v0.21.1](https://github.com/google/go-containerregistry/compare/v0.21.0...v0.21.1)
• github.com/googleapis/enterprise-certificate-proxy: [v0.3.11 → v0.3.12](https://github.com/googleapis/enterprise-certificate-proxy/compare/v0.3.11...v0.3.12)
• + 5 more

🗑️ Removed

• _Nothing has changed._

🗑️ Deprecation

• The image promoter now uses the new pipeline engine by default. The legacy
• sequential code path is deprecated and available via `--use-legacy-pipeline`.
• New CLI flags: `--require-provenance`, `--allowed-builders`,
• `--allowed-source-repos`. Pre-generated SBOMs are now automatically copied
• from staging to production registries during promotion. (#1709, @saschagrunert) [SIG Release]

✨ Feature

• Bump to go 1.25 and update tools deps (#1652, @cpanato) [SIG Release]
• Rewrite image promoter rate limiter with per-operation budget allocation and adaptive 429 backoff. (#1702, @saschagrunert) [SIG Release]

✨ Added

• al.essio.dev/pkg/shellescape: v1.6.0
• buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go: 6c6e0d3
• buf.build/go/protovalidate: v0.14.0
• buf.build/go/protoyaml: v0.6.0
• github.com/DataDog/datadog-agent/comp/core/tagger/origindetection: [v0.67.0](https://github.com/DataDog/datadog-agent/tree/comp/core/tagger/origindetection/v0.67.0)
• github.com/DataDog/datadog-agent/pkg/version: [v0.67.0](https://github.com/DataDog/datadog-agent/tree/pkg/version/v0.67.0)
• github.com/DataDog/dd-trace-go/v2: [v2.2.2-rc.1](https://github.com/DataDog/dd-trace-go/tree/v2.2.2-rc.1)
• github.com/DataDog/go-libddwaf/v4: [v4.3.0](https://github.com/DataDog/go-libddwaf/tree/v4.3.0)
• + 54 more

📋 Changed

• chainguard.dev/go-grpc-kit: v0.17.7 → v0.17.15
• chainguard.dev/sdk: v0.1.29 → v0.1.45
• cloud.google.com/go/accessapproval: v1.8.6 → v1.8.8
• cloud.google.com/go/accesscontextmanager: v1.9.6 → v1.9.7
• cloud.google.com/go/aiplatform: v1.89.0 → v1.114.0
• cloud.google.com/go/analytics: v0.28.1 → v0.30.1
• cloud.google.com/go/apigateway: v1.7.6 → v1.7.7
• cloud.google.com/go/apigeeconnect: v1.7.6 → v1.7.7
• + 350 more

🗑️ Removed

• github.com/AdaLogics/go-fuzz-headers: [ced1acd](https://github.com/AdaLogics/go-fuzz-headers/tree/ced1acd)
• github.com/DataDog/go-libddwaf/v3: [v3.5.1](https://github.com/DataDog/go-libddwaf/tree/v3.5.1)
• github.com/OneOfOne/xxhash: [v1.2.8](https://github.com/OneOfOne/xxhash/tree/v1.2.8)
• github.com/containerd/containerd: [v1.7.27](https://github.com/containerd/containerd/tree/v1.7.27)
• github.com/goadesign/goa: [v2.2.5+incompatible](https://github.com/goadesign/goa/tree/v2.2.5)
• github.com/google/tink/go: [v1.7.0](https://github.com/google/tink/tree/go/v1.7.0)
• github.com/grpc-ecosystem/grpc-gateway: [v1.16.0](https://github.com/grpc-ecosystem/grpc-gateway/tree/v1.16.0)
• github.com/hashicorp/golang-lru: [v1.0.2](https://github.com/hashicorp/golang-lru/tree/v1.0.2)
• + 16 more

📋 What's Changed

• lots of dependency updates by @dependabot[bot]
• Upgrade go to 1.22 by @cpanato in https://github.com/kubernetes-sigs/promo-tools/pull/1262
• Updating promotion-pull-requests.md to reflect that build admins no longer need to cut packages for official releases by @marosset in https://github.com/kubernetes-sigs/promo-tools/pull/1279
• remove listx from OWNERS_ALIASES by @listx in https://github.com/kubernetes-sigs/promo-tools/pull/1282
• bump zeitgeist to v0.5.3 and golangci-lint to v1.58.2 by @cpanato in https://github.com/kubernetes-sigs/promo-tools/pull/1321
• Enable `gci`, `godot`, `duplword`, `testifylint` and `tparallel` linters by @saschagrunert in https://github.com/kubernetes-sigs/promo-tools/pull/1371
• Switch to go 1.23 by @saschagrunert in https://github.com/kubernetes-sigs/promo-tools/pull/1393
• kpromo: set git clone depth for pr subcommand to prevent downloading the whole repository by @chrischdi in https://github.com/kubernetes-sigs/promo-tools/pull/1409
• + 12 more

✨ New Contributors

• @marosset made their first contribution in https://github.com/kubernetes-sigs/promo-tools/pull/1279
• @chrischdi made their first contribution in https://github.com/kubernetes-sigs/promo-tools/pull/1409
• @mbianchidev made their first contribution in https://github.com/kubernetes-sigs/promo-tools/pull/1517
• Full Changelog: https://github.com/kubernetes-sigs/promo-tools/compare/v4.0.5...v4.1.0

✨ Feature

• Group dependabot updates
• use go1.21
• update dependecies
• update zeitgeist and golangci-lint ([#1099](https://github.com/kubernetes-sigs/promo-tools/pull/1099), [@cpanato](https://github.com/cpanato)) [SIG Release]
• Kpromo gh: use `--org/--repo` as new default for `--release-dir` ([#1043](https://github.com/kubernetes-sigs/promo-tools/pull/1043), [@saschagrunert](https://github.com/saschagrunert)) [SIG Release]

🐛 Bug or Regression

• Fixed regression to include digest for normalized edges on image signing. ([#940](https://github.com/kubernetes-sigs/promo-tools/pull/940), [@saschagrunert](https://github.com/saschagrunert)) [SIG Release]

📦 Other (Cleanup or Flake)

• Update release-sdk and update preparefork function ([#1172](https://github.com/kubernetes-sigs/promo-tools/pull/1172), [@cpanato](https://github.com/cpanato)) [SIG Release]

✨ Added

• cloud.google.com/go/dataproc/v2: v2.3.0
• dario.cat/mergo: v1.0.0
• github.com/AdaLogics/go-fuzz-headers: [ced1acd](https://github.com/AdaLogics/go-fuzz-headers/tree/ced1acd)
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: [v1.0.1](https://github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys/tree/v1.0.1)
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal: [v1.0.0](https://github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal/tree/v1.0.0)
• github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: [v1.2.0](https://github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/tree/v1.2.0)
• github.com/DATA-DOG/go-sqlmock: [v1.5.0](https://github.com/DATA-DOG/go-sqlmock/tree/v1.5.0)
• github.com/DrJosh9000/zzglob: [v0.0.17](https://github.com/DrJosh9000/zzglob/tree/v0.0.17)
• + 51 more

📋 Changed

• chainguard.dev/go-grpc-kit: v0.16.0 → v0.17.1
• cloud.google.com/go/accessapproval: v1.6.0 → v1.7.4
• cloud.google.com/go/accesscontextmanager: v1.7.0 → v1.8.4
• cloud.google.com/go/aiplatform: v1.37.0 → v1.58.0
• cloud.google.com/go/analytics: v0.19.0 → v0.22.0
• cloud.google.com/go/apigateway: v1.5.0 → v1.6.4
• cloud.google.com/go/apigeeconnect: v1.5.0 → v1.6.4
• cloud.google.com/go/apigeeregistry: v0.6.0 → v0.8.2
• + 378 more

🗑️ Removed

• cloud.google.com/go/dataproc: v1.12.0
• cloud.google.com/go/gaming: v1.9.0
• github.com/Azure/go-autorest/autorest/to: [v0.4.0](https://github.com/Azure/go-autorest/autorest/to/tree/v0.4.0)
• github.com/Azure/go-autorest/autorest/validation: [v0.3.1](https://github.com/Azure/go-autorest/autorest/validation/tree/v0.3.1)
• github.com/Masterminds/semver: [v1.5.0](https://github.com/Masterminds/semver/tree/v1.5.0)
• github.com/Masterminds/sprig: [v2.22.0+incompatible](https://github.com/Masterminds/sprig/tree/v2.22.0)
• github.com/PuerkitoBio/purell: [v1.1.1](https://github.com/PuerkitoBio/purell/tree/v1.1.1)
• github.com/PuerkitoBio/urlesc: [de5bf2a](https://github.com/PuerkitoBio/urlesc/tree/de5bf2a)
• + 98 more

🐛 Bug or Regression

• Fixed regression to include digest for normalized edges on image signing. (#940, @saschagrunert) [SIG Release]

✨ Added

• _Nothing has changed._

📋 Changed

• github.com/aws/aws-sdk-go: [v1.44.286 → v1.44.287](https://github.com/aws/aws-sdk-go/compare/v1.44.286...v1.44.287)

🗑️ Removed

• _Nothing has changed._

🐛 Bug or Regression

• Fixed bug where kubernetes images have wrong `docker-reference`s in their signatures: https://github.com/kubernetes-sigs/promo-tools/issues/935 (#936, @saschagrunert) [SIG Release]

✨ Added

• _Nothing has changed._

📋 Changed

• cloud.google.com/go/containeranalysis: v0.10.0 → v0.10.1
• cloud.google.com/go/grafeas: v0.2.1 → v0.3.0
• cloud.google.com/go/iam: v1.1.0 → v1.1.1
• cloud.google.com/go/longrunning: v0.4.2 → v0.5.0
• github.com/aws/aws-sdk-go: [v1.44.284 → v1.44.286](https://github.com/aws/aws-sdk-go/compare/v1.44.284...v1.44.286)
• github.com/googleapis/gax-go/v2: [v2.10.0 → v2.11.0](https://github.com/googleapis/gax-go/v2/compare/v2.10.0...v2.11.0)

🗑️ Removed

• _Nothing has changed._

✨ Feature

• Use production registry `registry.k8s.io` as sign identity for container images if required. (#928, @saschagrunert) [SIG Release]

📦 Other (Cleanup or Flake)

• Module version updated to v4 (#919, @jeremyrickard) [SIG Release]

✨ Added

• github.com/DataDog/appsec-internal-go: [v1.0.0](https://github.com/DataDog/appsec-internal-go/tree/v1.0.0)
• github.com/DataDog/go-libddwaf: [v1.2.0](https://github.com/DataDog/go-libddwaf/tree/v1.2.0)
• github.com/outcaste-io/ristretto: [v0.2.1](https://github.com/outcaste-io/ristretto/tree/v0.2.1)

📋 Changed

• cloud.google.com/go/kms: v1.10.2 → v1.11.0
• github.com/DataDog/datadog-agent/pkg/obfuscate: [6491aa3 → v0.45.0-rc.1](https://github.com/DataDog/datadog-agent/pkg/obfuscate/compare/6491aa3...v0.45.0-rc.1)
• github.com/DataDog/datadog-agent/pkg/remoteconfig/state: [v0.42.0-rc.1 → v0.45.0-rc.1](https://github.com/DataDog/datadog-agent/pkg/remoteconfig/state/compare/v0.42.0-rc.1...v0.45.0-rc.1)
• github.com/andybalholm/brotli: [v1.0.3 → v1.0.1](https://github.com/andybalholm/brotli/compare/v1.0.3...v1.0.1)
• github.com/aws/aws-sdk-go-v2/config: [v1.18.23 → v1.18.26](https://github.com/aws/aws-sdk-go-v2/config/compare/v1.18.23...v1.18.26)
• github.com/aws/aws-sdk-go-v2/credentials: [v1.13.22 → v1.13.25](https://github.com/aws/aws-sdk-go-v2/credentials/compare/v1.13.22...v1.13.25)
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds: [v1.13.3 → v1.13.4](https://github.com/aws/aws-sdk-go-v2/feature/ec2/imds/compare/v1.13.3...v1.13.4)
• github.com/aws/aws-sdk-go-v2/internal/configsources: [v1.1.33 → v1.1.34](https://github.com/aws/aws-sdk-go-v2/internal/configsources/compare/v1.1.33...v1.1.34)
• + 59 more

🗑️ Removed

• github.com/DataDog/datadog-go: [v4.8.2+incompatible](https://github.com/DataDog/datadog-go/tree/v4.8.2)
• github.com/nightlyone/lockfile: [v1.0.0](https://github.com/nightlyone/lockfile/tree/v1.0.0)

📦 Other (Cleanup or Flake)

• Module version updated to v4 (#919, @jeremyrickard) [SIG Release]

✨ Added

• _Nothing has changed._

📋 Changed

• _Nothing has changed._

🗑️ Removed

• _Nothing has changed._

✨ Feature

• Add SignCheckIdentityRegexp and SignCheckIssuerRegexp options (#906, @cpanato) [SIG Release]
• Upgrade signing to use cosign v2 (#889, @cpanato) [SIG Release]

📦 Other (Cleanup or Flake)

• Increased sign timeout to 15 minutes to deflake recursive signing. (#900, @saschagrunert) [SIG Release]

✨ Added

• chainguard.dev/go-grpc-kit: v0.16.0
• cloud.google.com/go/profiler: v0.3.1
• github.com/AdamKorcz/go-fuzz-headers-1: [12e09ab](https://github.com/AdamKorcz/go-fuzz-headers-1/tree/12e09ab)
• github.com/Azure/azure-sdk-for-go/sdk/azcore: [v1.6.0](https://github.com/Azure/azure-sdk-for-go/sdk/azcore/tree/v1.6.0)
• github.com/Azure/azure-sdk-for-go/sdk/azidentity: [v1.3.0](https://github.com/Azure/azure-sdk-for-go/sdk/azidentity/tree/v1.3.0)
• github.com/Azure/azure-sdk-for-go/sdk/internal: [v1.3.0](https://github.com/Azure/azure-sdk-for-go/sdk/internal/tree/v1.3.0)
• github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys: [v0.10.0](https://github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys/tree/v0.10.0)
• github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal: [v0.7.1](https://github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal/tree/v0.7.1)
• + 76 more

📋 Changed

• cloud.google.com/go/compute: v1.19.1 → v1.19.3
• cloud.google.com/go/containeranalysis: v0.9.1 → v0.10.0
• cloud.google.com/go/grafeas: v0.2.0 → v0.2.1
• cloud.google.com/go/iam: v1.0.0 → v1.1.0
• cloud.google.com/go/kms: v1.10.1 → v1.10.2
• cloud.google.com/go/longrunning: v0.4.1 → v0.4.2
• cloud.google.com/go/security: v1.13.0 → v1.14.0
• cloud.google.com/go/spanner: v1.45.0 → v1.45.1
• + 177 more

🗑️ Removed

• bazil.org/fuse: 65cc252
• cloud.google.com/go/apikeys: v0.6.0
• cloud.google.com/go/servicecontrol: v1.11.1
• cloud.google.com/go/servicemanagement: v1.8.0
• cloud.google.com/go/serviceusage: v1.6.0
• code.gitea.io/sdk/gitea: v0.11.3
• contrib.go.opencensus.io/exporter/aws: 2befc13
• contrib.go.opencensus.io/exporter/ocagent: v0.5.0
• + 143 more

✨ Feature

• Upgrade to use go1.20 and fix lints (#863, @cpanato) [SIG Release]
• Use recursive signing for multi-arch images. (#868, @saschagrunert) [SIG Release]

🐛 Bug or Regression

• Fixed missing kpromo version in container images. (#848, @saschagrunert) [SIG Release]

✨ Added

• github.com/google/s2a-go: [v0.1.3](https://github.com/google/s2a-go/tree/v0.1.3)
• github.com/uwu-tools/magex: [v0.10.0](https://github.com/uwu-tools/magex/tree/v0.10.0)

📋 Changed

• cloud.google.com/go/aiplatform: v1.36.1 → v1.37.0
• cloud.google.com/go/appengine: v1.7.0 → v1.7.1
• cloud.google.com/go/artifactregistry: v1.12.0 → v1.13.0
• cloud.google.com/go/asset: v1.12.0 → v1.13.0
• cloud.google.com/go/bigquery: v1.49.0 → v1.50.0
• cloud.google.com/go/compute: v1.19.0 → v1.19.1
• cloud.google.com/go/container: v1.14.0 → v1.15.0
• cloud.google.com/go/containeranalysis: v0.9.0 → v0.9.1
• + 45 more

🗑️ Removed

• github.com/carolynvs/magex: [v0.9.0](https://github.com/carolynvs/magex/tree/v0.9.0)

✨ Feature

• Releng: Bump promoter to v3.5.1 (#779, @cpanato) [SIG Release]

📦 Other (Cleanup or Flake)

• Added the throttler to some HTTP requests in the promoter that were missed. (#803, @jonjohnsonjr) [SIG Release]
• Kpromo will now limit the concurrent calls to the registry to 50 qps where the rate limiter is instrumented (#817, @puerco) [SIG Release]
• `kpromo` no longer annotates the image signatures with the mirrors it used as the list is now too large to be useful. As we still need an annotation, it will add an annotation with its own version:
• `"org.kubernetes.kpromo.version": "kpromo-v3.5.1"` (#797, @puerco) [SIG Release]
• `kpromo` will now copy any signatures from the staging registries only once, sign them and then replicate. Before, we copied signatures to all mirrors before signing. (#809, @puerco) [SIG Release]

✨ Added

• github.com/google/go-github/v50: [v50.2.0](https://github.com/google/go-github/v50/tree/v50.2.0)
• github.com/mmcloughlin/avo: [v0.5.0](https://github.com/mmcloughlin/avo/tree/v0.5.0)
• golang.org/x/arch: v0.1.0
• rsc.io/pdf: v0.1.1

📋 Changed

• cloud.google.com/go/accesscontextmanager: v1.6.0 → v1.7.0
• cloud.google.com/go/aiplatform: v1.35.0 → v1.36.1
• cloud.google.com/go/analytics: v0.18.0 → v0.19.0
• cloud.google.com/go/apigeeregistry: v0.5.0 → v0.6.0
• cloud.google.com/go/apikeys: v0.5.0 → v0.6.0
• cloud.google.com/go/appengine: v1.6.0 → v1.7.0
• cloud.google.com/go/artifactregistry: v1.11.2 → v1.12.0
• cloud.google.com/go/asset: v1.11.1 → v1.12.0
• + 78 more

🗑️ Removed

• github.com/google/go-github/v48: [v48.2.0](https://github.com/google/go-github/v48/tree/v48.2.0)

✨ Feature

• Concurrent copy operations are now rate limited when promoting and replicating and mirroring signatures using a new `ratelimiter` package based on the [geranos rate limiter](https://github.com/kubernetes/registry.k8s.io/blob/main/cmd/geranos/ratelimitroundtrip.go) (Thanks @BenTheElder ) (#771, @puerco) [SIG Release]

📦 Others

• Releng: Bump promoter to v3.5.1 (#779, @cpanato) [SIG Release]

✨ Added

• _Nothing has changed._

📋 Changed

• cloud.google.com/go/analytics: v0.17.0 → v0.18.0
• cloud.google.com/go/area120: v0.7.0 → v0.7.1
• cloud.google.com/go/artifactregistry: v1.11.1 → v1.11.2
• cloud.google.com/go/bigquery: v1.47.0 → v1.48.0
• cloud.google.com/go/cloudbuild: v1.6.0 → v1.7.0
• cloud.google.com/go/containeranalysis: v0.7.0 → v0.8.0
• cloud.google.com/go/iam: v0.12.0 → v0.13.0
• cloud.google.com/go/kms: v1.8.0 → v1.9.0
• + 10 more

🗑️ Removed

• _Nothing has changed._
• Full Changelog: https://github.com/kubernetes-sigs/promo-tools/compare/v3.5.0...v3.5.1

✨ Feature

• Added all the Artifact Registry locations available in Feb 2023 to the docker credHelpers for future use. (#740, @upodroid) [SIG Release]
• New `kpromo sigcheck` subcommand to verify and optionally fix images that may hay missing or inconsistent signatures. (#745, @puerco) [SIG Release]
• Releng: Bump promoter to v3.5.0 (#753, @cpanato) [SIG Release]
• `kpromo sigcheck` now checks the certificate of the signatures and compares it against an expected identity. If an image is signed by a different service account or user, the promoter will now detect it. Both the expected identity and OIDC issuer default to the Kubernetes signer service account and they can be overridden using `--certificate-identity` and `--certificate-oidc-issuer`.
• `kpromo sigcheck` can now act on ranges of days by specifying `--from-days=n --to-days=m` still defaults to checking all images from 5 days ago to today. For debugging purposes, the number of checked images can now be limited used --limit . (#767, @puerco) [SIG Release]

📦 Other (Cleanup or Flake)

• Changed image.ProdRegistry to "registry.k8s.io" (#669, @upodroid) [SIG Release]

✨ Added

• cloud.google.com/go/apigeeregistry: v0.5.0
• cloud.google.com/go/apikeys: v0.5.0
• github.com/bwesterb/go-ristretto: [v1.2.0](https://github.com/bwesterb/go-ristretto/tree/v1.2.0)
• github.com/cloudflare/circl: [v1.1.0](https://github.com/cloudflare/circl/tree/v1.1.0)
• github.com/google/go-github/v48: [v48.2.0](https://github.com/google/go-github/v48/tree/v48.2.0)
• github.com/pjbgf/sha1cd: [v0.2.3](https://github.com/pjbgf/sha1cd/tree/v0.2.3)
• github.com/skeema/knownhosts: [v1.1.0](https://github.com/skeema/knownhosts/tree/v1.1.0)

📋 Changed

• cloud.google.com/go/accessapproval: v1.5.0 → v1.6.0
• cloud.google.com/go/accesscontextmanager: v1.4.0 → v1.6.0
• cloud.google.com/go/aiplatform: v1.27.0 → v1.35.0
• cloud.google.com/go/analytics: v0.12.0 → v0.17.0
• cloud.google.com/go/apigateway: v1.4.0 → v1.5.0
• cloud.google.com/go/apigeeconnect: v1.4.0 → v1.5.0
• cloud.google.com/go/appengine: v1.5.0 → v1.6.0
• cloud.google.com/go/area120: v0.6.0 → v0.7.0
• + 152 more

🗑️ Removed

• github.com/google/go-github/v47: [v47.1.0](https://github.com/google/go-github/v47/tree/v47.1.0)
• Full Changelog: https://github.com/kubernetes-sigs/promo-tools/compare/v3.4.12...v3.5.0

📦 Uncategorized

• Added initial support for kpromo file synchronization to S3 buckets. (#704, @justinsb) [SIG Release]
• Kpromo now uses the correct S3 regional endpoint for regional buckets (#718, @justinsb) [SIG Release]
• When --use-service-account=false (which is the default), we will issue anonymous requests to AWS and ignore any AWS credentials. This should be sufficient for dry-run, and ensures that dry-run is safe even if manifests are hostile. (#722, @justinsb) [SIG Release]

✨ Added

• cloud.google.com/go/maps: v0.1.0
• cloud.google.com/go/vmwareengine: v0.1.0
• github.com/go-jose/go-jose/v3: [v3.0.0](https://github.com/go-jose/go-jose/v3/tree/v3.0.0)

📋 Changed

• cloud.google.com/go/compute/metadata: v0.2.2 → v0.2.3
• cloud.google.com/go/compute: v1.13.0 → v1.18.0
• cloud.google.com/go/containeranalysis: v0.6.0 → v0.7.0
• cloud.google.com/go/iam: v0.8.0 → v0.10.0
• cloud.google.com/go/kms: v1.7.0 → v1.8.0
• cloud.google.com/go/storage: v1.28.1 → v1.29.0
• cloud.google.com/go: v0.105.0 → v0.107.0
• github.com/Azure/azure-sdk-for-go: [v67.1.0+incompatible → v67.3.0+incompatible](https://github.com/Azure/azure-sdk-for-go/compare/v67.1.0...v67.3.0)
• + 40 more

🗑️ Removed

• _Nothing has changed._

✨ Feature

• Add support for Batch ProwJobs ([#691](https://github.com/kubernetes-sigs/promo-tools/pull/691), [@xmudrii](https://github.com/xmudrii)) [SIG Release]

✨ Added

• cloud.google.com/go/pubsublite: v1.5.0

📋 Changed

• cloud.google.com/go/aiplatform: v1.24.0 → v1.27.0
• cloud.google.com/go/bigquery: v1.43.0 → v1.44.0
• cloud.google.com/go/compute/metadata: v0.2.1 → v0.2.2
• cloud.google.com/go/compute: v1.12.1 → v1.13.0
• cloud.google.com/go/datastore: v1.5.0 → v1.10.0
• cloud.google.com/go/firestore: v1.6.1 → v1.9.0
• cloud.google.com/go/iam: v0.7.0 → v0.8.0
• cloud.google.com/go/kms: v1.6.0 → v1.7.0
• + 30 more

🗑️ Removed

• _Nothing has changed._

🐛 Bug or Regression

• Create a new signer after getting the identity token (#681, @xmudrii) [SIG Release]

✨ Added

• _Nothing has changed._

📋 Changed

• cloud.google.com/go/accessapproval: v1.4.0 → v1.5.0
• cloud.google.com/go/accesscontextmanager: v1.3.0 → v1.4.0
• cloud.google.com/go/apigateway: v1.3.0 → v1.4.0
• cloud.google.com/go/apigeeconnect: v1.3.0 → v1.4.0
• cloud.google.com/go/appengine: v1.4.0 → v1.5.0
• cloud.google.com/go/artifactregistry: v1.8.0 → v1.9.0
• cloud.google.com/go/asset: v1.9.0 → v1.10.0
• cloud.google.com/go/assuredworkloads: v1.8.0 → v1.9.0
• + 113 more

🗑️ Removed

• _Nothing has changed._

🐛 Bug or Regression

• Fixed bug to dedup images list before verifying their signatures. (#674, @saschagrunert) [SIG Release]

📦 Other (Cleanup or Flake)

• Removed unused `kpromo cip --threads` flag (#665, @saschagrunert) [SIG Release]
• Updated golang to 1.19. (#666, @saschagrunert) [SIG Release]

✨ Added

• cloud.google.com/go/accessapproval: v1.4.0
• cloud.google.com/go/accesscontextmanager: v1.3.0
• cloud.google.com/go/apigateway: v1.3.0
• cloud.google.com/go/apigeeconnect: v1.3.0
• cloud.google.com/go/appengine: v1.4.0
• cloud.google.com/go/baremetalsolution: v0.3.0
• cloud.google.com/go/batch: v0.3.0
• cloud.google.com/go/beyondcorp: v0.2.0
• + 43 more

📋 Changed

• cloud.google.com/go/artifactregistry: v1.7.0 → v1.8.0
• cloud.google.com/go/asset: v1.8.0 → v1.9.0
• cloud.google.com/go/assuredworkloads: v1.7.0 → v1.8.0
• cloud.google.com/go/automl: v1.6.0 → v1.7.0
• cloud.google.com/go/billing: v1.5.0 → v1.6.0
• cloud.google.com/go/binaryauthorization: v1.2.0 → v1.3.0
• cloud.google.com/go/cloudtasks: v1.6.0 → v1.7.0
• cloud.google.com/go/compute: v1.10.0 → v1.12.1
• + 43 more

🗑️ Removed

• _Nothing has changed._

✨ Feature

• Filter digests if `--use-prow-manifest-diff` is used. (#661, @saschagrunert) [SIG Release]

✨ Added

• _Nothing has changed._

📋 Changed

• _Nothing has changed._

🗑️ Removed

• _Nothing has changed._

✨ Feature

• Added `kpromo cip --use-prow-manifest-diff` option. (#657, @saschagrunert) [SIG Release]
• Set useragent (#648, @cpanato) [SIG Release]

📦 Other (Cleanup or Flake)

• Display log timestamps and their diffs to the previous message during the promotion. (#640, @saschagrunert) [SIG Release]
• Speedup `FindSingedEdges` by using a new release-sdk API (#646, @saschagrunert) [SIG Release]

✨ Added

• github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper: [v0.2.0](https://github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper/tree/v0.2.0)
• github.com/alibabacloud-go/alibabacloud-gateway-spi: [v0.0.4](https://github.com/alibabacloud-go/alibabacloud-gateway-spi/tree/v0.0.4)
• github.com/alibabacloud-go/cr-20160607: [v1.0.1](https://github.com/alibabacloud-go/cr-20160607/tree/v1.0.1)
• github.com/alibabacloud-go/cr-20181201: [v1.0.10](https://github.com/alibabacloud-go/cr-20181201/tree/v1.0.10)
• github.com/alibabacloud-go/darabonba-openapi: [v0.1.18](https://github.com/alibabacloud-go/darabonba-openapi/tree/v0.1.18)
• github.com/alibabacloud-go/darabonba-string: [v1.0.0](https://github.com/alibabacloud-go/darabonba-string/tree/v1.0.0)
• github.com/alibabacloud-go/debug: [9472017](https://github.com/alibabacloud-go/debug/tree/9472017)
• github.com/alibabacloud-go/endpoint-util: [v1.1.1](https://github.com/alibabacloud-go/endpoint-util/tree/v1.1.1)
• + 13 more

📋 Changed

• bazil.org/fuse: 5883e5a → 65cc252
• cloud.google.com/go/asset: v1.7.0 → v1.8.0
• cloud.google.com/go/assuredworkloads: v1.6.0 → v1.7.0
• cloud.google.com/go/dialogflow: v1.16.1 → v1.17.0
• cloud.google.com/go/edgecontainer: v0.1.0 → v0.2.0
• cloud.google.com/go/iam: v0.5.0 → v0.6.0
• cloud.google.com/go/recaptchaenterprise/v2: v2.2.0 → v2.3.0
• cloud.google.com/go/spanner: v1.31.0 → v1.36.0
• + 82 more

🗑️ Removed

• 4d63.com/gochecknoglobals: v0.1.0
• github.com/AdaLogics/go-fuzz-headers: [6c3934b](https://github.com/AdaLogics/go-fuzz-headers/tree/6c3934b)
• github.com/Antonboom/errname: [v0.1.5](https://github.com/Antonboom/errname/tree/v0.1.5)
• github.com/Antonboom/nilnil: [v0.1.0](https://github.com/Antonboom/nilnil/tree/v0.1.0)
• github.com/Djarvur/go-err113: [aea10b5](https://github.com/Djarvur/go-err113/tree/aea10b5)
• github.com/Microsoft/hcsshim/test: [43a75bb](https://github.com/Microsoft/hcsshim/test/tree/43a75bb)
• github.com/Microsoft/hcsshim: [v0.9.3](https://github.com/Microsoft/hcsshim/tree/v0.9.3)
• github.com/OpenPeeDeeP/depguard: [v1.0.1](https://github.com/OpenPeeDeeP/depguard/tree/v1.0.1)
• + 216 more

✨ Feature

• Kpromo now logs timestamps before each step in the image promotion process (#638, @puerco) [SIG Release]

🐛 Bug or Regression

• Crane copy operations in kpromo now use `gcrane.Keychain` to authenticate. (#609, @upodroid) [SIG Release]

📦 Other (Cleanup or Flake)

• Display log timestamps and their diffs to the previous message during the promotion. (#640, @saschagrunert) [SIG Release]

✨ Added

• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: [v1.4.3](https://github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/tree/v1.4.3)
• github.com/aws/aws-sdk-go-v2/internal/v4a: [v1.0.5](https://github.com/aws/aws-sdk-go-v2/internal/v4a/tree/v1.0.5)
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: [v1.9.3](https://github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/tree/v1.9.3)
• github.com/aws/aws-sdk-go-v2/service/internal/checksum: [v1.1.9](https://github.com/aws/aws-sdk-go-v2/service/internal/checksum/tree/v1.1.9)
• github.com/aws/aws-sdk-go-v2/service/internal/s3shared: [v1.13.8](https://github.com/aws/aws-sdk-go-v2/service/internal/s3shared/tree/v1.13.8)
• github.com/aws/aws-sdk-go-v2/service/s3: [v1.27.1](https://github.com/aws/aws-sdk-go-v2/service/s3/tree/v1.27.1)
• github.com/vmihailenco/msgpack/v5: [v5.3.5](https://github.com/vmihailenco/msgpack/v5/tree/v5.3.5)
• github.com/vmihailenco/tagparser/v2: [v2.0.0](https://github.com/vmihailenco/tagparser/v2/tree/v2.0.0)

📋 Changed

• cloud.google.com/go/aiplatform: v1.22.0 → v1.24.0
• cloud.google.com/go/analytics: v0.11.0 → v0.12.0
• cloud.google.com/go/area120: v0.5.0 → v0.6.0
• cloud.google.com/go/artifactregistry: v1.6.0 → v1.7.0
• cloud.google.com/go/asset: v1.5.0 → v1.7.0
• cloud.google.com/go/assuredworkloads: v1.5.0 → v1.6.0
• cloud.google.com/go/automl: v1.5.0 → v1.6.0
• cloud.google.com/go/billing: v1.4.0 → v1.5.0
• + 81 more

🗑️ Removed

• github.com/vmihailenco/msgpack/v4: [v4.3.12](https://github.com/vmihailenco/msgpack/v4/tree/v4.3.12)
• github.com/vmihailenco/tagparser: [v0.1.1](https://github.com/vmihailenco/tagparser/tree/v0.1.1)
• go.opentelemetry.io/contrib/propagators: v0.19.0

📝 Documentation

• Added documentation about promoting the promoter container images (#592, @puerco) [SIG Release]

🐛 Bug or Regression

• Fixed a bug where the promoter would crash while filtering signed images due to concurrent RW access to the filtered list. (#594, @puerco) [SIG Release]

✨ Added

• cloud.google.com/go/aiplatform: v1.22.0
• cloud.google.com/go/analytics: v0.11.0
• cloud.google.com/go/area120: v0.5.0
• cloud.google.com/go/artifactregistry: v1.6.0
• cloud.google.com/go/asset: v1.5.0
• cloud.google.com/go/assuredworkloads: v1.5.0
• cloud.google.com/go/automl: v1.5.0
• cloud.google.com/go/billing: v1.4.0
• + 81 more

📋 Changed

• bazil.org/fuse: 65cc252 → 5883e5a
• bitbucket.org/creachadair/shell: v0.0.6 → v0.0.7
• cloud.google.com/go/bigquery: v1.8.0 → v1.42.0
• cloud.google.com/go/containeranalysis: v0.3.0 → v0.6.0
• cloud.google.com/go/datastore: v1.1.0 → v1.5.0
• cloud.google.com/go/grafeas: v0.1.0 → v0.2.0
• cloud.google.com/go/iam: v0.3.0 → v0.4.0
• cloud.google.com/go/pubsub: v1.17.1 → v1.11.0-beta.schemas
• + 199 more

🗑️ Removed

• bou.ke/monkey: v1.0.2
• contrib.go.opencensus.io/exporter/prometheus: v0.4.0
• contrib.go.opencensus.io/exporter/zipkin: v0.1.2
• github.com/Azure/azure-amqp-common-go/v3: [v3.2.2](https://github.com/Azure/azure-amqp-common-go/v3/tree/v3.2.2)
• github.com/Azure/go-amqp: [v0.16.4](https://github.com/Azure/go-amqp/tree/v0.16.4)
• github.com/DataDog/datadog-go: [v3.2.0+incompatible](https://github.com/DataDog/datadog-go/tree/v3.2.0)
• github.com/Masterminds/sprig/v3: [v3.2.2](https://github.com/Masterminds/sprig/v3/tree/v3.2.2)
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: [v1.0.0](https://github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/tree/v1.0.0)
• + 55 more

🐛 Bug or Regression

• Fixed a bug where `kpromo pr` would not run correctly unless all command line parameters were specified (#585, @puerco) [SIG Release]
• Fixed a bug where the image promoter was verifying image references more than once (#576, @puerco) [SIG Release]

✨ Added

• github.com/googleapis/enterprise-certificate-proxy: [v0.1.0](https://github.com/googleapis/enterprise-certificate-proxy/tree/v0.1.0)

📋 Changed

• cloud.google.com/go/compute: v1.6.1 → v1.7.0
• cloud.google.com/go/logging: v1.4.2 → v1.5.0
• cloud.google.com/go/storage: v1.22.1 → v1.23.0
• cloud.google.com/go: v0.100.2 → v0.102.1
• github.com/google/go-containerregistry: [v0.9.0 → v0.10.0](https://github.com/google/go-containerregistry/compare/v0.9.0...v0.10.0)
• github.com/spf13/cobra: [v1.4.0 → v1.5.0](https://github.com/spf13/cobra/compare/v1.4.0...v1.5.0)
• github.com/stretchr/objx: [v0.3.0 → v0.4.0](https://github.com/stretchr/objx/compare/v0.3.0...v0.4.0)
• github.com/stretchr/testify: [v1.7.2 → v1.7.5](https://github.com/stretchr/testify/compare/v1.7.2...v1.7.5)
• + 6 more

🗑️ Removed

• _Nothing has changed._

🧪 Failing Test

• Added integration tests to `imagepromoter.PromoteImages()`. (#571, @puerco) [SIG Release]

📦 Other (Cleanup or Flake)

• Sign and verification operations at promotion time are now done in parallel (#568, @puerco) [SIG Release]

✨ Added

• github.com/google/go-github/v45: [v45.1.0](https://github.com/google/go-github/v45/tree/v45.1.0)
• github.com/nozzle/throttler: [2ea9822](https://github.com/nozzle/throttler/tree/2ea9822)

📋 Changed

• github.com/Azure/azure-sdk-for-go: [v63.3.0+incompatible → v65.0.0+incompatible](https://github.com/Azure/azure-sdk-for-go/compare/v63.3.0...v65.0.0)
• github.com/aws/aws-sdk-go-v2/config: [v1.14.0 → v1.15.10](https://github.com/aws/aws-sdk-go-v2/config/compare/v1.14.0...v1.15.10)
• github.com/aws/aws-sdk-go-v2/credentials: [v1.9.0 → v1.12.5](https://github.com/aws/aws-sdk-go-v2/credentials/compare/v1.9.0...v1.12.5)
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds: [v1.11.0 → v1.12.6](https://github.com/aws/aws-sdk-go-v2/feature/ec2/imds/compare/v1.11.0...v1.12.6)
• github.com/aws/aws-sdk-go-v2/internal/configsources: [v1.1.5 → v1.1.12](https://github.com/aws/aws-sdk-go-v2/internal/configsources/compare/v1.1.5...v1.1.12)
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: [v2.3.0 → v2.4.6](https://github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/compare/v2.3.0...v2.4.6)
• github.com/aws/aws-sdk-go-v2/internal/ini: [v1.3.6 → v1.3.13](https://github.com/aws/aws-sdk-go-v2/internal/ini/compare/v1.3.6...v1.3.13)
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: [v1.8.0 → v1.9.6](https://github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/compare/v1.8.0...v1.9.6)
• + 30 more

🗑️ Removed

• github.com/google/go-containerregistry/pkg/authn/k8schain: [f1b065c](https://github.com/google/go-containerregistry/pkg/authn/k8schain/tree/f1b065c)
• github.com/google/go-containerregistry/pkg/authn/kubernetes: [bfe2ffc](https://github.com/google/go-containerregistry/pkg/authn/kubernetes/tree/bfe2ffc)
• knative.dev/hack/schema: e178598

✨ Feature

• Replace version command to use the one from release-utils ([#554](https://github.com/kubernetes-sigs/promo-tools/pull/554), [@cpanato](https://github.com/cpanato)) [SIG Release]
• Update release-sdk/utils dependencies ([#564](https://github.com/kubernetes-sigs/promo-tools/pull/564), [@cpanato](https://github.com/cpanato)) [SIG Release]

✨ Added

• github.com/dsnet/compress: [f669936](https://github.com/dsnet/compress/tree/f669936)
• github.com/google/gnostic: [v0.5.7-v3refs](https://github.com/google/gnostic/tree/v0.5.7-v3refs)
• github.com/klauspost/pgzip: [v1.2.5](https://github.com/klauspost/pgzip/tree/v1.2.5)
• github.com/mholt/archiver/v3: [v3.5.1](https://github.com/mholt/archiver/v3/tree/v3.5.1)
• github.com/nwaples/rardecode: [v1.1.0](https://github.com/nwaples/rardecode/tree/v1.1.0)
• github.com/pelletier/go-toml/v2: [v2.0.1](https://github.com/pelletier/go-toml/v2/tree/v2.0.1)
• github.com/pierrec/lz4/v4: [v4.1.2](https://github.com/pierrec/lz4/v4/tree/v4.1.2)
• github.com/transparency-dev/merkle: [v0.0.1](https://github.com/transparency-dev/merkle/tree/v0.0.1)

📋 Changed

• cloud.google.com/go/compute: v1.5.0 → v1.6.1
• cloud.google.com/go/storage: v1.22.0 → v1.22.1
• cuelang.org/go: v0.4.2 → v0.4.3
• dmitri.shuralyov.com/gpu/mtl: 28db891 → 666a987
• github.com/Azure/azure-sdk-for-go: [v63.0.0+incompatible → v63.3.0+incompatible](https://github.com/Azure/azure-sdk-for-go/compare/v63.0.0...v63.3.0)
• github.com/Azure/go-autorest/autorest: [v0.11.25 → v0.11.27](https://github.com/Azure/go-autorest/autorest/compare/v0.11.25...v0.11.27)
• github.com/Microsoft/go-winio: [v0.5.1 → v0.5.2](https://github.com/Microsoft/go-winio/compare/v0.5.1...v0.5.2)
• github.com/armon/go-metrics: [v0.3.10 → v0.4.0](https://github.com/armon/go-metrics/compare/v0.3.10...v0.4.0)
• + 75 more

🗑️ Removed

• github.com/DATA-DOG/go-sqlmock: [v1.5.0](https://github.com/DATA-DOG/go-sqlmock/tree/v1.5.0)
• github.com/DataDog/zstd: [v1.4.5](https://github.com/DataDog/zstd/tree/v1.4.5)
• github.com/facebookgo/ensure: [63f1cf6](https://github.com/facebookgo/ensure/tree/63f1cf6)
• github.com/facebookgo/stack: [7517733](https://github.com/facebookgo/stack/tree/7517733)
• github.com/facebookgo/subset: [c811ad8](https://github.com/facebookgo/subset/tree/c811ad8)
• github.com/gobuffalo/fizz: [v1.10.0](https://github.com/gobuffalo/fizz/tree/v1.10.0)
• github.com/gobuffalo/genny/v2: [v2.0.5](https://github.com/gobuffalo/genny/v2/tree/v2.0.5)
• github.com/gobuffalo/github_flavored_markdown: [v1.1.0](https://github.com/gobuffalo/github_flavored_markdown/tree/v1.1.0)
• + 39 more

✨ New Contributors

• @matglas made their first contribution in https://github.com/kubernetes-sigs/promo-tools/pull/556
• @ameukam made their first contribution in https://github.com/kubernetes-sigs/promo-tools/pull/558
• Full Changelog: https://github.com/kubernetes-sigs/promo-tools/compare/v3.4.1...v3.4.2

✨ Feature

• The image promoter will now carry existing image signatures to the destination registries and append the new signatures to them when signing with the promoter idenity (#542, @puerco)

✨ Added

• github.com/googleapis/go-type-adapters: [v1.0.0](https://github.com/googleapis/go-type-adapters/tree/v1.0.0)

📋 Changed

• cloud.google.com/go/storage: v1.21.0 → v1.22.0
• github.com/cenkalti/backoff/v4: [v4.1.2 → v4.1.3](https://github.com/cenkalti/backoff/v4/compare/v4.1.2...v4.1.3)
• google.golang.org/genproto: acbaeb5 → 9d70989
• sigs.k8s.io/release-sdk: v0.8.0 → 3018c78

🗑️ Removed

• _Nothing has changed._
• Container image: `registry.k8s.io/artifact-promoter/kpromo:v3.4.1-1`
• Full Changelog: https://github.com/kubernetes-sigs/promo-tools/compare/v3.4.0...v3.4.1

🗑️ Deprecation

• cip-mm: Add deprecation notices in documentation and remove targets
• Move `cip-mm` to `kpromo mm` (#507, @justaugustus)

✨ Feature

• Add `--image` flag to `kpromo pr` to allow filtering by images (#482, @CecileRobertMichon)
• image/manifest: Support multiple images, tags, or digests in `Grow()` (#509, @justaugustus)
• The `bom` canary now promotes to two registries to test copying the signatures (#535, @puerco)
• The image promoter will now check for digital signatures in images considered
• for promotion. If signatures are found, they will be verified. If a manifest
• contains images with invalid signatures, the failed verification will cause
• the promotion to fail. All images without signatures are not be verified and
• are accepted for promotion as usual. (#498, @puerco)
• + 1 more

📦 Design

• Rename `filepromoter` package to `promoter/file` (#497, @justaugustus)
• The Big Image Promoter Refactor: The image promoter code (`kpromo cip`) code has been completely refactored to make it cleaner and to to get it ready for image signing and image mirroring to other projects (#494, @puerco)

🐛 Bug or Regression

• Fixed quoted build date in `version` subcommands. (#522, @saschagrunert)
• kpromo pr: Support non-SemVer image tags (#527, @wespanther)

📦 Other (Cleanup or Flake)

• dockerregistry: Initial refactor to reduce package complexity (#512, @justaugustus)
• Fixed a bug where the wrong identity was picked up when winning by bumping `release-sdk` to version v0.8.0 (#534, @puerco)
• internal: Prevent legacy packages from being consumed
• internal/legacy: Move basic image types into `types/image` (#511, @justaugustus)
• Non-recursive registry reads are now re-implemented in `go-containerregistry`.
• Registry reads during image promotion are now performed using the new GGCR implementation (#513, @puerco)
• There is a new implementation of the registry inventorying function using `google/go-containerregistry`. The snapshot code is now wired to use the new implementation. (#505, @puerco)

✨ Added

• 4d63.com/gochecknoglobals: v0.1.0
• bitbucket.org/creachadair/shell: v0.0.6
• bou.ke/monkey: v1.0.2
• cloud.google.com/go/compute: v1.5.0
• cloud.google.com/go/iam: v0.3.0
• cloud.google.com/go/kms: v1.4.0
• cloud.google.com/go/monitoring: v1.1.0
• cloud.google.com/go/secretmanager: v1.0.0
• + 576 more

📋 Changed

• bazil.org/fuse: 371fbbd → 65cc252
• cloud.google.com/go/containeranalysis: v0.1.0 → v0.3.0
• cloud.google.com/go/errorreporting: v0.1.0 → v0.2.0
• cloud.google.com/go/firestore: v1.1.0 → v1.6.1
• cloud.google.com/go/grafeas: 71387f0 → v0.1.0
• cloud.google.com/go/pubsub: v1.3.1 → v1.17.1
• cloud.google.com/go/storage: v1.18.2 → v1.21.0
• cloud.google.com/go: v0.98.0 → v0.100.2
• + 162 more

🗑️ Removed

• github.com/dsnet/compress: [v0.0.1](https://github.com/dsnet/compress/tree/v0.0.1)
• github.com/dsnet/golib: [1ea1667](https://github.com/dsnet/golib/tree/1ea1667)
• github.com/klauspost/cpuid: [v1.2.0](https://github.com/klauspost/cpuid/tree/v1.2.0)
• github.com/klauspost/pgzip: [v1.2.4](https://github.com/klauspost/pgzip/tree/v1.2.4)
• github.com/mholt/archiver/v3: [v3.5.0](https://github.com/mholt/archiver/v3/tree/v3.5.0)
• github.com/nwaples/rardecode: [v1.1.0](https://github.com/nwaples/rardecode/tree/v1.1.0)
• github.com/pierrec/lz4/v4: [v4.0.3](https://github.com/pierrec/lz4/v4/tree/v4.0.3)

✨ New Contributors

• @jimangel made their first contribution in https://github.com/kubernetes-sigs/promo-tools/pull/474
• @saschagrunert made their first contribution in https://github.com/kubernetes-sigs/promo-tools/pull/522
• @wespanther made their first contribution in https://github.com/kubernetes-sigs/promo-tools/pull/527
• Full Changelog: https://github.com/kubernetes-sigs/promo-tools/compare/v3.3.0...v3.4.0