chore: Update unsupported v2 of go-jose to supported v4 #4439

Merged: ianlewis merged 2 commits into slsa-framework:main from macrael:wml-update-go-jose on Oct 20, 2025

@macrael (Contributor) commented Oct 6, 2025

Summary

We're getting Dependabot warnings about using go-jose v2 in our repo because we import slsa-github-generator. This PR updates the import to use the supported v4 of the library and updates go mod. All Go tests pass; it looks like go-jose is only used in one line of the tests for GitHub biz.

...

Testing Process

  • Ran make go-test and everything was clean. This change only affected tests, so that feels sufficient.

...

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable.
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.

@macrael requested a review from a team as a code owner October 6, 2025 21:26
@macrael requested a review from a team October 6, 2025 21:26
Signed-off-by: MacRae Linton <macrael@confidentsecurity.com>
Signed-off-by: MacRae Linton <macrael@confidentsecurity.com>

@ianlewis (Member) left a comment

LGTM

Comment thread .golangci.yml
# Approved packages.
- "github.com/spf13/cobra" # For CLI
- "github.com/coreos/go-oidc" # For verifying OIDC tokens.
- "github.com/go-jose/go-jose/v4" # For testing OIDC tokens
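Review bot: The allow entry for github.com/go-jose/go-jose/v4 is added under the general "Approved packages" list, while its own comment says it is only "For testing OIDC tokens"; if this list also applies to non-test files, production code could start importing the library without another lint change. Consider moving the entry to a test-only depguard rule if the configuration has or can have one, and end the comment with a period to match the go-oidc line above it.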

Member

Hmm. How was depguard allowing gopkg.in/square/go-jose.v2 before? 🤔

Contributor Author

My guess is it was an old line, never linted? But I really don't know.

@sgreene570 commented Oct 20, 2025

xref #408

@sgreene570

@ianlewis looks like this PR is ready to go? Can you help with merging it?

@ianlewis merged commit a09dd8c into slsa-framework:main Oct 20, 2025
74 checks passed

@ianlewis (Member)

@sgreene570 Yeah, looks fine. This won't show up on a proper tag until we do a tagged release, which is a bit complicated. Given that no one is really working on this much anymore it might be a while.

I think you could import it from latest if you're ok doing that.

@macrael deleted the wml-update-go-jose branch October 21, 2025 00:12

@sgreene570

> I think you could import it from latest if you're ok doing that.

Yup, this is just fine, thanks!
