chore(deps): update dependency aquaproj/aqua to v2.23.0

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua	minor	v2.21.0 -> v2.23.0

---

Release Notes

aquaproj/aqua (aquaproj/aqua)

v2.23.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.22.0...v2.23.0

Features

#​2649 #​2652 cargo: Trim a prefix from cargo package's version

Bug Fixes

#​2642 info: Output AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA

https://aquaproj.github.io/docs/reference/security/cosign-slsa/#disable-the-verification-with-cosign-and-slsa-provenance

#​2654 generate-registry: Fix a bug that same version_overrides aren't merged properly

Others

#​2644 Update aqua-proxy to v1.2.5
#​2653 Update JSON Schema

v2.22.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.3...v2.22.0

Features

#​2631 #​2633 #​2634 Support disabling the verification with Cosign and SLSA Provenance

You can disable the verification with Cosign and SLSA Provenance if you can't use them.

Why is the feature needed?

[!CAUTION]
This feature is for users who can't use Cosign and slsa-verifier.
Most users can use them, so most users don't need this feature.
aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

Cosign and sla-verifier access some endpoints such as oauth2.sigstore.dev and fulcio.sigstore.dev.
So to use them you need to allow the access to these endpoints.

But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow the access to these endpoints.

To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.

How to use

You can use command line options -disable-cosign and -disable-slsa or environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA.

e.g.

aqua [-disable-cosign] [-disable-slsa] i

env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i

Update dependencies

• Go 1.21.5 to 1.21.6
• goreleaser v1.22.1 to v1.23.0
• go.mod

v2.21.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.2...v2.21.3

Bug Fixes

#​2585 #​2586 Update checksums of cosign

v2.21.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.1...v2.21.2

⚠️ This release has a bug

The bug was already fixed at v2.21.3

Others

#​2582 Fix a bug of release workflow

v2.21.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.0...v2.21.1

⚠️ The release failed

https://github.com/aquaproj/aqua/actions/runs/7260967360/job/19781204828#step:10:147

  ⨯ release failed after 2m26s               error=1 error occurred:
	* scoop manifests: could not update "aqua.json": PUT https://api.github.com/repos/aquaproj/scoop-bucket/contents/aqua.json: 403 Resource not accessible by integration []

We fixed the bug and release v2.21.2.

Bug Fixes

#​2534 Fix a bug of root dir on Windows
#​2580 #​2581 Fix a bug that validation fails even if no_asset or error_message is set https://github.com/aquaproj/aqua-registry/pull/18326#issuecomment-1862164476

---

Configuration

📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.