fix: Bump Cosign to latest v2.2.3 (#3355)

Versions of Cosign before v2.2.0 are not compatible with the latest TUF
root.

Fixes
slsa-framework/slsa-github-generator#3350

...

...

- [ ] Review the contributing [guidelines](./../CONTRIBUTING.md)
- [ ] Add a reference to related issues in the PR description.
- [ ] Update documentation if applicable.
- [ ] Add unit tests if applicable.
- [ ] Add changes to the [CHANGELOG](./../CHANGELOG.md) if applicable.

---------

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
Co-authored-by: Bob Callaway <bcallaway@google.com>

.github/workflows/builder_container-based_slsa3.yml

@@ -201,7 +201,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: "1.20"
+          go-version: "1.21"
           # Note: This must be the non-randomized binary name, so that it can be downloaded from the release assets.
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-builder }}"

.github/workflows/builder_go_slsa3.yml

@@ -161,7 +161,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: "1.20"
+          go-version: "1.21"
           # Note: This must be the non-randomized binary name, so that it can be downloaded from the release assets.
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-builder }}"

.github/workflows/generator_container_slsa3.yml

@@ -130,7 +130,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: "1.20"
+          go-version: "1.21"
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-generator }}"
           # NOTE: We are using the generic generator.
@@ -147,9 +147,9 @@ jobs:
           service_account: ${{ inputs.gcp-service-account }}
 
       - id: cosign-install
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
         with:
-          cosign-release: v2.0.0
+          cosign-release: v2.2.3
         continue-on-error: true
 
       - name: Login

.github/workflows/generator_generic_slsa3.yml

@@ -167,7 +167,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: "1.20"
+          go-version: "1.21"
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-generator }}"
           directory: "${{ env.BUILDER_DIR }}"

.github/workflows/pre-submit.actions.yml

@@ -183,7 +183,7 @@ jobs:
         uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-project-checkout-go
         with:
           path: __PROJECT_CHECKOUT_DIR__
-          go-version: "1.20"
+          go-version: "1.21"
 
   secure-project-checkout-node:
     runs-on: ubuntu-latest
@@ -499,7 +499,7 @@ jobs:
           repository: "slsa-framework/slsa-github-generator"
           ref: "main"
           compile-builder: true
-          go-version: "1.20"
+          go-version: "1.21"
           binary: "slsa-generator-generic-linux-amd64"
           directory: "internal/builders/generic"
 
@@ -516,7 +516,7 @@ jobs:
           repository: ${{ steps.detect.outputs.repository }}
           ref: ${{ steps.detect.outputs.ref }}
           builder-ref: "refs/tags/v1.6.0"
-          go-version: "1.20"
+          go-version: "1.21"
           binary: "slsa-generator-generic-linux-amd64"
           directory: "internal/builders/generic"
           # NOTE: compile-builder explicitly set to false.

.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml

@@ -50,7 +50,7 @@ jobs:
       actions: read # For the entry point.
     uses: ./.github/workflows/builder_go_slsa3.yml
     with:
-      go-version: "1.20"
+      go-version: "1.21"
       config-file: .github/workflows/configs-go/config-ldflags-main-dir.yml
       evaluated-envs: "VERSION:${{needs.args.outputs.version}},COMMIT:${{needs.args.outputs.commit}},BRANCH:${{needs.args.outputs.branch}}"
       compile-builder: true

.github/workflows/pre-submit.lint.yml

@@ -58,8 +58,8 @@ jobs:
         with:
           go-version-file: "go.mod"
       - env:
-          GOLANGCI_LINT_VERSION: "1.53.2"
-          GOLANGCI_LINT_CHECKSUM: "2298f73b9bc03b88b91fee06c5d519fc7f9d7f328e2c388615bbd7e85a9d6cae"
+          GOLANGCI_LINT_VERSION: "1.57.0"
+          GOLANGCI_LINT_CHECKSUM: "fc7a9f73d2e3de6aa0ef8d8586906e0067fed577f704b3b0bc29cdd6ad0b74d8"
         run: |
           set -euo pipefail
 

.github/workflows/release.yml

@@ -62,7 +62,7 @@ jobs:
       actions: read # For the entrypoint.
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.9.0
     with:
-      go-version: "1.20"
+      go-version: "1.21"
       config-file: .github/workflows/configs-container/config-release.yml
       compile-builder: true
 
@@ -75,7 +75,7 @@ jobs:
       actions: read # For the entrypoint.
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.9.0
     with:
-      go-version: "1.20"
+      go-version: "1.21"
       config-file: .github/workflows/configs-generic/config-release.yml
       compile-builder: true
 
@@ -88,7 +88,7 @@ jobs:
       actions: read # For the entrypoint.
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.9.0
     with:
-      go-version: "1.20"
+      go-version: "1.21"
       config-file: .github/workflows/configs-go/config-release.yml
       compile-builder: true
 
@@ -101,6 +101,6 @@ jobs:
       actions: read # For the entrypoint.
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.9.0
     with:
-      go-version: "1.20"
+      go-version: "1.21"
       config-file: .github/workflows/configs-docker/config-release.yml
       compile-builder: true

.golangci.yml

@@ -16,6 +16,7 @@
 run:
   concurrency: 2
   deadline: 5m
+  timeout: 5m
 issues:
   # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): revive `package-comments` and `exported` rules.
   include:

github/oidctest.go

@@ -76,7 +76,7 @@ func NewTestOIDCServer(t *testing.T, now time.Time, token *OIDCToken) (*httptest
 
 	// FIXME: Fix creating a test server that can return tokens that can be verified.
 	var issuerURL string
-	s, c := newTestOIDCServer(t, now, func(w http.ResponseWriter, r *http.Request) {
+	s, c := newTestOIDCServer(t, now, func(w http.ResponseWriter, _ *http.Request) {
 		// Allow the token to override the issuer for verification testing.
 		issuer := issuerURL
 		if token.Issuer != "" {
@@ -116,7 +116,7 @@ func NewTestOIDCServer(t *testing.T, now time.Time, token *OIDCToken) (*httptest
 }
 
 func newRawTestOIDCServer(t *testing.T, now time.Time, status int, raw string) (*httptest.Server, *OIDCClient) {
-	return newTestOIDCServer(t, now, func(w http.ResponseWriter, r *http.Request) {
+	return newTestOIDCServer(t, now, func(w http.ResponseWriter, _ *http.Request) {
 		// Respond with a very basic 3-part JWT token.
 		w.WriteHeader(status)
 		fmt.Fprintln(w, raw)
@@ -144,7 +144,7 @@ func newTestOIDCServer(t *testing.T, now time.Time, f http.HandlerFunc) (*httpte
 	}
 	c := OIDCClient{
 		requestURL: requestURL,
-		verifierFunc: func(ctx context.Context) (*oidc.IDTokenVerifier, error) {
+		verifierFunc: func(_ context.Context) (*oidc.IDTokenVerifier, error) {
 			return oidc.NewVerifier(s.URL, &testKeySet{}, &oidc.Config{
 				Now:               func() time.Time { return now },
 				SkipClientIDCheck: true,