Bump the go-deps group across 1 directory with 6 updates

[dependabot]

Bumps the go-deps group with 4 updates in the / directory: cloud.google.com/go/kms, github.com/fluxcd/cli-utils, github.com/getsops/sops/v3 and github.com/google/cel-go.

Updates cloud.google.com/go/kms from 1.25.0 to 1.29.0

Release notes

Sourced from cloud.google.com/go/kms's releases.

kms: v1.29.0

v1.29.0 (2026-04-13)

retail: v1.29.0

v1.29.0 (2026-04-13)

monitoring: v1.27.0

v1.27.0 (2026-04-13)

networkmanagement: v1.26.0

v1.26.0 (2026-04-13)

Changelog

Sourced from cloud.google.com/go/kms's changelog.

1.29.0 (2024-05-29)

Features

• documentai: Make Layout Parser generally available in V1 (#10277) (dafecc9)

1.28.1 (2024-05-16)

Documentation

• documentai: Clarify the unavailability of some features (652ba8f)
• documentai: Updated comments (292e812)

1.28.0 (2024-05-01)

Features

• documentai: A new message FoundationModelTuningOptions is added (1d757c6)
• documentai: Support Chunk header and footer in Doc AI external proto (1d757c6)

Bug Fixes

• documentai: Bump x/net to v0.24.0 (ba31ed5)

1.27.0 (2024-04-15)

Features

• documentai: Support a new Layout Processor in Document AI (2cdc40a)

1.26.1 (2024-03-14)

Bug Fixes

• documentai: Update protobuf dep to v1.33.0 (30b038d)

Documentation

• documentai: A comment for field processor_version_source in message .google.cloud.documentai.v1beta3.ImportProcessorVersionRequest is changed (25c3f2d)

1.26.0 (2024-02-21)

... (truncated)

Commits

• 664da02 chore: librarian release pull request: 20260326T071503Z (#14266)
• 0b388a0 chore: create empty README.md (#14263)
• 8d67792 feat(bigquery): add tracing telemetry to Table and Routine operations (#14216)
• 54f46f7 chore: format repo metadata (#14262)
• 9b18aaf chore: format snippet metadata (#14261)
• d5a18a4 feat(firestore): add raw execute options and move options (#14259)
• 18946f1 Fspq fix stages (#14253)
• 5bf0cf4 chore: update librarian-go image SHA (#14258)
• 009dc43 chore: update image SHA (#14256)
• 5e50d57 chore: librarian generate pull request: 20260325T071032Z (#14251)
• Additional commits viewable in compare view

Updates github.com/fluxcd/cli-utils from 0.37.2-flux.1 to 1.0.0

Release notes

Sourced from github.com/fluxcd/cli-utils's releases.

v1.0.0

What's Changed

• ⚠️ Breaking change: Reduce the project scope to kstatus only by @​stefanprodan in fluxcd/cli-utils#27
• Update controller-runtime to v0.23.3 by @​stefanprodan in fluxcd/cli-utils#28
• ci: Setup dependabot and govulncheck by @​stefanprodan in fluxcd/cli-utils#29

Full Changelog: fluxcd/cli-utils@v0.38.0-flux.1...v1.0.0

v0.38.0-flux.1

What's Changed

• Update readme to document the fork by @​stefanprodan in fluxcd/cli-utils#24
• Trigger tests on PRs by @​matheuscscp in fluxcd/cli-utils#25
• fix: async status computation in watcher to prevent multi-minute delays by @​mapleeit in fluxcd/cli-utils#20
• Update to Kubernetes v1.35.3 by @​stefanprodan in fluxcd/cli-utils#26

Full Changelog: https://github.com/fluxcd/cli-utils/commits/v0.38.0-flux.1

Commits

• e2a56bc Merge pull request #29 from fluxcd/ci-scan
• bc30a9f ci: Update actions with dependabot
• 4eb153e ci: Run govulncheck weekly
• d9baa70 Merge pull request #28 from fluxcd/controller-runtime-v0.23.3
• dc8ab9e Update controller-runtime to v0.23.3
• dfed73e Merge pull request #27 from fluxcd/prune-utils
• f88cf83 Add Flux DCO and Code of Conduct
• 13f2640 Refactor testing and CI
• 42cbfec Remove non-kstatus packages
• a158db5 Merge pull request #26 from fluxcd/k8s-1.35.3
• Additional commits viewable in compare view

Updates github.com/getsops/sops/v3 from 3.12.1 to 3.12.2

Release notes

Sourced from github.com/getsops/sops/v3's releases.

v3.12.2

Installation

To install sops, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.12.2/sops-v3.12.2.linux.amd64
Move the binary in to your PATH
mv sops-v3.12.2.linux.amd64 /usr/local/bin/sops
Make the binary executable
chmod +x /usr/local/bin/sops

Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/getsops/sops/releases/download/v3.12.2/sops-v3.12.2.checksums.txt
curl -LO https://github.com/getsops/sops/releases/download/v3.12.2/sops-v3.12.2.checksums.pem
curl -LO https://github.com/getsops/sops/releases/download/v3.12.2/sops-v3.12.2.checksums.sig
Verify the checksums file
cosign verify-blob sops-v3.12.2.checksums.txt 
--certificate sops-v3.12.2.checksums.pem 
--signature sops-v3.12.2.checksums.sig 
--certificate-identity-regexp=https://github.com/getsops 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:

# Verify the binary using the checksums file
sha256sum -c sops-v3.12.2.checksums.txt --ignore-missing

Verify artifact provenance

The SLSA provenance of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an in-toto link metadata file named sops-v3.12.2.intoto.jsonl. To verify the provenance of an artifact, you can utilize the slsa-verifier tool:

</tr></table> 

... (truncated)

Changelog

Sourced from github.com/getsops/sops/v3's changelog.

3.12.2

Improvements:

• Dependency updates (#2085, #2087, #2089, #2095).

Bugfixes:

• GCP: Revert the fix introduced in 3.12.0 that sets quota project to API project in GCP KMS. This change unintentionally resulted in requiring more permissions for GCP users. The original issue will be addressed in another way in a future release (#2099).
• Ensure to delete temporary file and directory when editing in more situations, like when user presses Ctrl+C or SOPS receives a SIGTERM (#2104).
• Fix message that you need to enter (and not any key) after SOPS rejects an edited file (#2098).
• Reject files with sops keys when editing files (#2098).
• Fix handling of --mac-only-encrypted option in subcommands (#2100).

Project changes:

• CI dependency updates (#2084, #2091, #2101, #2106).
• Rust dependency updates for functional tests (#2090, #2105).
• Improve CI workflows (#2081).

Commits

• 4f2cc16 Merge pull request #2109 from felixfontein/release-3.12.2
• 5058042 Set version to 3.12.2.
• aa873eb Add 3.12.2 changelog entry.
• a594056 Merge pull request #2099 from felixfontein/gcp
• c8f175b Revert "Merge pull request #1697 from onjen/fix-1142"
• c48a98a Merge pull request #2105 from getsops/dependabot/cargo/functional-tests/rust-...
• f3cd56e build(deps): Bump tempfile in /functional-tests in the rust group
• 226e7f9 Merge pull request #2106 from getsops/dependabot/github_actions/ci-fed48c53ac
• 60c75fb build(deps): Bump the ci group with 4 updates
• 4009484 Merge pull request #2104 from felixfontein/ctrl-c
• Additional commits viewable in compare view

Updates github.com/google/cel-go from 0.26.1 to 0.28.0

Release notes

Sourced from github.com/google/cel-go's releases.

Release v0.28.0

High-Level Changes

• Enhanced JSON Interoperability: New support for JSON names across the checker, AST, and runtime allows for more seamless data handling when working with JSON-native structures.
• Improved Developer Tooling: Integration is now smoother thanks to new utilities for converting Go errors into cel.Issues and more descriptive, context-aware error messages.
• Greater Environment Flexibility: You can now redeclare variables as constants and export parse limit options, providing finer control over how CEL environments are configured and constrained.
• Native Struct Improvements: Support for mixing CEL and native values within native structs simplifies the handling of complex, hybrid data types.

---

🚀 Features

• Add helper method to check whether a function has a singleton binding in google/cel-go#1266
• Helper utility for converting a Go error into cel.Issues in google/cel-go#1267
• Policy API improvements in google/cel-go#1268
• CEL Test usability requirements in google/cel-go#1269
• Better context-related error messages in google/cel-go#1271
• Sort env.Config values where reasonable in google/cel-go#1273
• Support redeclaring variables as constants in NewEnv in google/cel-go#1275
• Add support for exporting parse limit options in google/cel-go#1277
• Support mixing CEL values and native values in native structs in google/cel-go#1270
• Add checker, AST, and type-provider support for JSON names in google/cel-go#1283
• JSON field names runtime support in google/cel-go#1286
• Optionally include reachable fieldpaths in prompt in google/cel-go#1285
• REPL -- cel-spec pb2 and json name support google/cel-go#1294

🐞 Bug Fixes

• Fix support for config-based type references in google/cel-go#1265
• Check arg kinds in optional.or and .orValue impl in google/cel-go#1276
• Bazel fixes for import in google/cel-go#1278
• Support zero-value literals in presence test inlining google/cel-go#1280
• Cache concatList.Size() to prevent O(N^2) evaluation time google/cel-go#1291
• Preserve runtime error node IDs from Resolve google/cel-go#1290
• Default enable identifier escaping with backticks google/cel-go#1295
• Cap format string precision to prevent memory exhaustion google/cel-go#1292

🛠️ Maintenance & Internal

• chore: Migrate gsutil usage to gcloud storage in google/cel-go#1274
• Lint fixes for exported function/type comments in google/cel-go#1279
• Lint fixes for import in google/cel-go#1287

---

Full Changelog: https://github.com/google/cel-go/compare/v0.27.0...v0.28.0-alpha

Release v0.28.0-alpha

High-Level Changes

... (truncated)

Commits

• 6b8f6d6 fix: cap format string precision to prevent memory exhaustion (#1292)
• d942970 Default enable identifier escaping with backticks (#1295)
• 7114ed2 Preserve runtime error node IDs from Resolve (#1290)
• d91350b fix: cache concatList.Size() to prevent O(N^2) evaluation time (#1291)
• 68bdd8c REPL -- cel-spec pb2 and json name support (#1294)
• d19e782 Support zero-value literals in presence test inlining and fix shadowing bugs ...
• 7c461fc Lint fixes for import (#1287)
• 09e3119 Optionally include reachable fieldpaths in prompt (#1285)
• ae49cd0 Json field names runtime support (#1286)
• 3624b64 Add checker, ast, and type-provider support for JSON names (#1283)
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.50.0 to 0.52.0

Commits

• 316e20c go.mod: update golang.org/x dependencies
• 9767a42 internal/http3: add support for plugging into net/http
• 4a81284 http2: update docs to disrecommend this package
• dec6603 dns/dnsmessage: reject too large of names early during unpack
• 8afa12f http2: deprecate write schedulers
• 38019a2 http2: add missing copyright header to export_test.go
• 039b87f internal/http3: return error when Write is used after status 304 is set
• 6267c6c internal/http3: add HTTP 103 Early Hints support to ClientConn
• 591bdf3 internal/http3: add HTTP 103 Early Hints support to Server
• 1faa6d8 internal/http3: avoid potential race when aborting RoundTrip
• Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.35.0 to 0.36.0

Commits

• 4d954e6 all: upgrade go directive to at least 1.25.0 [generated]
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions