chore(deps): bump sigstore/cosign-installer in the ci-dependencies group (#...

dependabot[bot]

2025-02-11 be846e6a5fc6af1084e2b7408dfc312061cc47f9

 .github/workflows/docker-build-push.yaml

@@ -3,7 +3,7 @@
on:
  push:
    branches: [v4]
  tags: ["v*"]
    tags: ["v*"]
  pull_request:
    branches: [v4]
    paths:
@@ -25,7 +25,7 @@
        with:
          fetch-depth: 1
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v4.4.1
        uses: rlespinasse/github-slug-action@v5.0.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
@@ -37,7 +37,7 @@
            network=host
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3.7.0
        uses: sigstore/cosign-installer@v3.8.0
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
@@ -78,7 +78,7 @@
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          push: true
          push: ${{ github.event_name != 'pull_request' }}
          build-args: |
            GIT_SHA=${{ env.GITHUB_SHA }}
            DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
@@ -86,32 +86,3 @@
          labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha

      - name: Sign the released image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name != 'pull_request' }}
        with:
          image-ref: "ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}"
          format: "github"
          output: "dependency-results.sbom.json"
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          scanners: "vuln"
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name != 'pull_request' }}
        with:
          image-ref: "ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL"
          scanners: "vuln"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: ${{ github.event_name != 'pull_request' }}
        with:
          sarif_file: "trivy-results.sarif"