From be4b875572be778e42ff87350761305ecb3d5e36 Mon Sep 17 00:00:00 2001
From: Junjie Gao <junjiegao@microsoft.com>
Date: Wed, 9 Oct 2024 00:54:26 +0800
Subject: [PATCH 01/34] fix: github actions permissions (#1059)

Fix:
- permission for `stale` and `license-checker`
- replace tagged version with pinned version for `stale` action

---------

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/license-checker.yml | 5 +----
 .github/workflows/stale.yml           | 9 +++++++--
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/license-checker.yml b/.github/workflows/license-checker.yml
index 54e121173..ead1dcdd3 100644
--- a/.github/workflows/license-checker.yml
+++ b/.github/workflows/license-checker.yml
@@ -28,7 +28,4 @@ permissions:
 
 jobs:
   check-license:
-    permissions:
-      contents: write
-      pull-requests: write
-    uses: notaryproject/notation-core-go/.github/workflows/reusable-license-checker.yml@main
\ No newline at end of file
+    uses: notaryproject/notation-core-go/.github/workflows/reusable-license-checker.yml@main
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3bdbf430e..ea4d822c6 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -16,11 +16,17 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
           stale-issue-message: "This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days."
           stale-pr-message: "This PR is stale because it has been opened for 45 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days."
@@ -31,4 +37,3 @@ jobs:
           days-before-issue-close: 30
           days-before-pr-close: 30
           exempt-all-milestones: true
-

From 1b84cbaf2a411b7a58a9f5cf43ca1c30824e0c3a Mon Sep 17 00:00:00 2001
From: Patrick Zheng <patrickzheng@microsoft.com>
Date: Tue, 15 Oct 2024 07:59:46 +0800
Subject: [PATCH 02/34] fix: fix debug log (#1061)

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 internal/trace/context.go        |  1 +
 internal/trace/transport.go      | 42 +++++++++++++++++++++++---------
 test/e2e/suite/command/verify.go |  2 +-
 test/e2e/suite/plugin/verify.go  | 10 ++++----
 4 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/internal/trace/context.go b/internal/trace/context.go
index 8563d73ee..322696062 100644
--- a/internal/trace/context.go
+++ b/internal/trace/context.go
@@ -48,6 +48,7 @@ func WithLoggerLevel(ctx context.Context, level logrus.Level) context.Context {
 
 	// create logger
 	logger := logrus.New()
+	formatter.DisableQuote = true
 	logger.SetFormatter(&formatter)
 	logger.SetLevel(level)
 
diff --git a/internal/trace/transport.go b/internal/trace/transport.go
index 6d6f9546c..5c631c62b 100644
--- a/internal/trace/transport.go
+++ b/internal/trace/transport.go
@@ -31,13 +31,27 @@ package trace
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"strings"
+	"sync/atomic"
 
 	"github.com/notaryproject/notation-go/log"
 	"github.com/sirupsen/logrus"
 )
 
+var (
+	// requestCount records the number of logged request-response pairs and will
+	// be used as the unique id for the next pair.
+	requestCount uint64
+
+	// toScrub is a set of headers that should be scrubbed from the log.
+	toScrub = []string{
+		"Authorization",
+		"Set-Cookie",
+	}
+)
+
 // Transport is an http.RoundTripper that keeps track of the in-flight
 // request and add hooks to report HTTP tracing events.
 type Transport struct {
@@ -50,39 +64,43 @@ func NewTransport(base http.RoundTripper) *Transport {
 
 // RoundTrip calls base roundtrip while keeping track of the current request.
 func (t *Transport) RoundTrip(req *http.Request) (resp *http.Response, err error) {
+	id := atomic.AddUint64(&requestCount, 1) - 1
 	ctx := req.Context()
 	e := log.GetLogger(ctx)
 
-	e.Debugf("> Request: %q %q", req.Method, req.URL)
-	e.Debugf("> Request headers:")
-	logHeader(req.Header, e)
+	// log the request
+	e.Debugf("Request #%d\n> Request: %q %q\n> Request headers:\n%s",
+		id, req.Method, req.URL, logHeader(req.Header))
 
+	// log the response
 	resp, err = t.RoundTripper.RoundTrip(req)
 	if err != nil {
 		e.Errorf("Error in getting response: %w", err)
 	} else if resp == nil {
 		e.Errorf("No response obtained for request %s %q", req.Method, req.URL)
 	} else {
-		e.Debugf("< Response status: %q", resp.Status)
-		e.Debugf("< Response headers:")
-		logHeader(resp.Header, e)
+		e.Debugf("Response #%d\n< Response status: %q\n< Response headers:\n%s",
+			id, resp.Status, logHeader(resp.Header))
 	}
 	return resp, err
 }
 
 // logHeader prints out the provided header keys and values, with auth header
 // scrubbed.
-func logHeader(header http.Header, e log.Logger) {
+func logHeader(header http.Header) string {
 	if len(header) > 0 {
+		headers := []string{}
 		for k, v := range header {
-			if strings.EqualFold(k, "Authorization") {
-				v = []string{"*****"}
+			for _, h := range toScrub {
+				if strings.EqualFold(k, h) {
+					v = []string{"*****"}
+				}
 			}
-			e.Debugf("   %q: %q", k, strings.Join(v, ", "))
+			headers = append(headers, fmt.Sprintf("   %q: %q", k, strings.Join(v, ", ")))
 		}
-	} else {
-		e.Debugf("   Empty header")
+		return strings.Join(headers, "\n")
 	}
+	return "   Empty header"
 }
 
 // SetHTTPDebugLog sets up http debug log with logrus.Logger
diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go
index 239b363b2..b0efdceee 100644
--- a/test/e2e/suite/command/verify.go
+++ b/test/e2e/suite/command/verify.go
@@ -253,7 +253,7 @@ var _ = Describe("notation verify", func() {
 
 			notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
 				MatchKeyWords(VerifySuccessfully).
-				MatchErrKeyWords("Timestamp verification disabled: verifyTimestamp is set to \\\"afterCertExpiry\\\" and signing cert chain unexpired")
+				MatchErrKeyWords("Timestamp verification disabled: verifyTimestamp is set to \"afterCertExpiry\" and signing cert chain unexpired")
 		})
 	})
 })
diff --git a/test/e2e/suite/plugin/verify.go b/test/e2e/suite/plugin/verify.go
index 51b76f7a7..520d5cf0b 100644
--- a/test/e2e/suite/plugin/verify.go
+++ b/test/e2e/suite/plugin/verify.go
@@ -46,7 +46,7 @@ var _ = Describe("notation plugin verify", func() {
 				MatchErrKeyWords(
 					"Plugin verify-signature request",
 					"Plugin verify-signature response",
-					`{\"verificationResults\":{\"SIGNATURE_VERIFIER.REVOCATION_CHECK\":{\"success\":true},\"SIGNATURE_VERIFIER.TRUSTED_IDENTITY\":{\"success\":true}},\"processedAttributes\":null}`).
+					`{"verificationResults":{"SIGNATURE_VERIFIER.REVOCATION_CHECK":{"success":true},"SIGNATURE_VERIFIER.TRUSTED_IDENTITY":{"success":true}},"processedAttributes":null}`).
 				MatchKeyWords(VerifySuccessfully)
 		})
 	})
@@ -77,7 +77,7 @@ var _ = Describe("notation plugin verify", func() {
 				MatchErrKeyWords(
 					"Plugin verify-signature request",
 					"Plugin verify-signature response",
-					`revocation check by verification plugin \"e2e-plugin\" failed with reason \"revocation check failed\"`,
+					`revocation check by verification plugin "e2e-plugin" failed with reason "revocation check failed"`,
 					VerifyFailed)
 		})
 	})
@@ -108,7 +108,7 @@ var _ = Describe("notation plugin verify", func() {
 				MatchErrKeyWords(
 					"Plugin verify-signature request",
 					"Plugin verify-signature response",
-					`trusted identify verification by plugin \"e2e-plugin\" failed with reason \"trusted identity check failed\"`,
+					`trusted identify verification by plugin "e2e-plugin" failed with reason "trusted identity check failed"`,
 					VerifyFailed)
 		})
 	})
@@ -138,7 +138,7 @@ var _ = Describe("notation plugin verify", func() {
 				MatchErrKeyWords(
 					"Plugin verify-signature request",
 					"Plugin verify-signature response",
-					`{\"verificationResults\":{\"SIGNATURE_VERIFIER.REVOCATION_CHECK\":{\"success\":true},\"SIGNATURE_VERIFIER.TRUSTED_IDENTITY\":{\"success\":true}},\"processedAttributes\":null}`).
+					`{"verificationResults":{"SIGNATURE_VERIFIER.REVOCATION_CHECK":{"success":true},"SIGNATURE_VERIFIER.TRUSTED_IDENTITY":{"success":true}},"processedAttributes":null}`).
 				MatchKeyWords(VerifySuccessfully)
 		})
 	})
@@ -197,7 +197,7 @@ var _ = Describe("notation plugin verify", func() {
 				MatchErrKeyWords(
 					"Plugin verify-signature request",
 					"Plugin verify-signature response",
-					`{\"verificationResults\":{\"SIGNATURE_VERIFIER.REVOCATION_CHECK\":{\"success\":true},\"SIGNATURE_VERIFIER.TRUSTED_IDENTITY\":{\"success\":true}},\"processedAttributes\":null}`).
+					`{"verificationResults":{"SIGNATURE_VERIFIER.REVOCATION_CHECK":{"success":true},"SIGNATURE_VERIFIER.TRUSTED_IDENTITY":{"success":true}},"processedAttributes":null}`).
 				MatchKeyWords(VerifySuccessfully)
 		})
 	})

From 43219ae4b925836e27e7cf3faeb78b52595fd4c0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 15 Oct 2024 11:44:13 -0700
Subject: [PATCH 03/34] build(deps): Bump github.com/onsi/gomega from 1.34.1 to
 1.34.2 in /test/e2e (#1049)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from
1.34.1 to 1.34.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/onsi/gomega/releases">github.com/onsi/gomega's
releases</a>.</em></p>
<blockquote>
<h2>v1.34.2</h2>
<h2>1.34.2</h2>
<p>Require Go 1.22+</p>
<h3>Maintenance</h3>
<ul>
<li>bump ginkgo as well [c59c6dc]</li>
<li>bump to go 1.22 - remove x/exp dependency [8158b99]</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/onsi/gomega/blob/master/CHANGELOG.md">github.com/onsi/gomega's
changelog</a>.</em></p>
<blockquote>
<h2>1.34.2</h2>
<p>Require Go 1.22+</p>
<h3>Maintenance</h3>
<ul>
<li>bump ginkgo as well [c59c6dc]</li>
<li>bump to go 1.22 - remove x/exp dependency [8158b99]</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/onsi/gomega/commit/7cabed651e981da0c7d0219ad7208626cef58016"><code>7cabed6</code></a>
v1.34.2</li>
<li><a
href="https://github.com/onsi/gomega/commit/c59c6dc63a29a3a824329d4e5df245c3b82eb1eb"><code>c59c6dc</code></a>
bump ginkgo as well</li>
<li><a
href="https://github.com/onsi/gomega/commit/8158b9979e6e5272ded30720f9458d03a81e91f1"><code>8158b99</code></a>
bump to go 1.22 - remove x/exp dependency</li>
<li>See full diff in <a
href="https://github.com/onsi/gomega/compare/v1.34.1...v1.34.2">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/onsi/gomega&package-manager=go_modules&previous-version=1.34.1&new-version=1.34.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 test/e2e/go.mod | 3 +--
 test/e2e/go.sum | 6 ++----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index 8eb559a31..9a4c19a23 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -5,7 +5,7 @@ go 1.23
 require (
 	github.com/notaryproject/notation-core-go v1.2.0-rc.1
 	github.com/onsi/ginkgo/v2 v2.20.2
-	github.com/onsi/gomega v1.34.1
+	github.com/onsi/gomega v1.34.2
 	github.com/opencontainers/image-spec v1.1.0
 	oras.land/oras-go/v2 v2.5.0
 )
@@ -20,7 +20,6 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/veraison/go-cose v1.1.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.28.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.24.0 // indirect
diff --git a/test/e2e/go.sum b/test/e2e/go.sum
index 5b9cd34bb..d423acdd3 100644
--- a/test/e2e/go.sum
+++ b/test/e2e/go.sum
@@ -16,8 +16,8 @@ github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8
 github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4=
 github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag=
-github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
-github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
+github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
+github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -32,8 +32,6 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
 golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=

From 4190c31a777be2ab360e79399e3c95f8f86ddf34 Mon Sep 17 00:00:00 2001
From: Patrick Zheng <patrickzheng@microsoft.com>
Date: Sat, 2 Nov 2024 01:39:43 +0800
Subject: [PATCH 04/34] test: add unit tests (#1075)

This PR intends to add more unit tests to increase the code coverage.

---------

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/.codecov.yml                          |   5 +-
 .../truststore/testdata/NotationTestRoot.pem  |  27 +++++
 .../internal/truststore/testdata/invalid.txt  |   1 +
 .../truststore/testdata/self-signed.crt       |  20 ++++
 .../truststore/x509/ca/test/self-signed.crt   |  20 ++++
 .../internal/truststore/truststore.go         |   2 +-
 .../internal/truststore/truststore_test.go    | 106 ++++++++++++++++--
 cmd/notation/plugin/install.go                |   2 +-
 cmd/notation/plugin/install_test.go           |  96 ++++++++++++++++
 9 files changed, 269 insertions(+), 10 deletions(-)
 create mode 100644 cmd/notation/internal/truststore/testdata/NotationTestRoot.pem
 create mode 100644 cmd/notation/internal/truststore/testdata/invalid.txt
 create mode 100644 cmd/notation/internal/truststore/testdata/self-signed.crt
 create mode 100644 cmd/notation/internal/truststore/testdata/truststore/x509/ca/test/self-signed.crt
 create mode 100644 cmd/notation/plugin/install_test.go

diff --git a/.github/.codecov.yml b/.github/.codecov.yml
index f1f634615..5cb09045b 100644
--- a/.github/.codecov.yml
+++ b/.github/.codecov.yml
@@ -15,4 +15,7 @@ coverage:
   status:
     project:
       default:
-        target: 70%
\ No newline at end of file
+        target: 70%
+    patch:
+      default:
+        target: 80%
diff --git a/cmd/notation/internal/truststore/testdata/NotationTestRoot.pem b/cmd/notation/internal/truststore/testdata/NotationTestRoot.pem
new file mode 100644
index 000000000..aa23820da
--- /dev/null
+++ b/cmd/notation/internal/truststore/testdata/NotationTestRoot.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEizCCAvOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEb
+MBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MCAXDTIwMDkwOTA3MDAwMFoYDzIx
+MjIwOTA1MjAzODQ1WjBaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNV
+BAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEbMBkGA1UEAxMSTm90YXRpb24g
+VGVzdCBSb290MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxxAZ8VZe
+gqBUctz3BkwhObZKnW+KsN5/N1/u2vPLmEzHDj6xgd8Hn0JoughDaxeQCV66NC2o
+bqPnPp4+68G/qZnxkXVXdFyqVodu4FgPUjiqcJjft7bh45BVgLFpOqSqDQ3ko30B
+7gdGfIIkoBj/8gz3tHnmIvl3MywtOhDeGnlLNzBY52wVmhPIdKOaW/7WkMrXKFCk
+LkNICGnIpWuyBtC+7RfM8hG6eRW1KCm5xrkRmn5ptonjxix/JTGj4me/NMkwdVkz
+6wcCSAJnqTgHi2oqk73qqNu0LHsEMFBF8IGqmVkn2MOHkFamPBokzQ6HXXfvR4nb
+cWQZCUgRinPTVg9CF0B6XSCEMCSH5kveZxTQtAFRB6NosbzuU5jDmJgpbDfauev7
+Eg/6bZzphcugRkVuwulymzsake5Jbvs9Kyw3CNPYH2G3Kli1FNhfc46ugXHbIfXg
+NQcou3xabcu+r6cFRqqK6NmV9ouMQRj8Ri95Gp2BUlpTEFhcvMb9d4nXAgMBAAGj
+WjBYMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDAzASBgNVHRMB
+Af8ECDAGAQH/AgEBMB0GA1UdDgQWBBS5FZjt9UsEPkcKrStrnjSpTq4kDTANBgkq
+hkiG9w0BAQsFAAOCAYEAKtxfv12LzM85bxOMp5++pIDa6eMcBaurYbAM2yC9B6Lu
+Hf0JGeFdNqt4Fw38Ajooj2vWMWBrARVEZRVqTC5+ZSN2meGBXBXlT4n8FdEdmv+0
+5iwVYdmDFp8FKeoOZZZF23u+r2OrazJo1ufWmoSI2P0lEfZQQFQElltWu3QH+OLO
+WXJmB7KbLKyheelGK5XhtAYYapRdW4sKJ398ybpv5C1oALCcTwoSmvH8wW5J4/gj
+mhKICYh2goMauf0lesdxj+0His7E8blOWrUmfOB5dp73XawLKcd/UxHN8zAPC08L
+DL9NMcihn3ZHKi7/dtkiV2iSaDPD1ChSGdqfXIysYqOhYoktgAfBZ43CWnqQhgB8
+NezRKdOStYC3P2AGJW18irxxTRp2CO+gnXEcyhyr+cvyf0j8MkRSaHLXzjIrECu8
+BUitB6sKughdN13fs5t5SIiO6foeFdvIpZFFKO8s+4oTOSDCos2WFoC+8TZS6r58
+3OtFLmywl1HRgQkobGgw
+-----END CERTIFICATE-----
diff --git a/cmd/notation/internal/truststore/testdata/invalid.txt b/cmd/notation/internal/truststore/testdata/invalid.txt
new file mode 100644
index 000000000..98eea0a15
--- /dev/null
+++ b/cmd/notation/internal/truststore/testdata/invalid.txt
@@ -0,0 +1 @@
+invalid test cert
diff --git a/cmd/notation/internal/truststore/testdata/self-signed.crt b/cmd/notation/internal/truststore/testdata/self-signed.crt
new file mode 100644
index 000000000..dd0094e90
--- /dev/null
+++ b/cmd/notation/internal/truststore/testdata/self-signed.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIBeTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEP
+MA0GA1UEAxMGYWxwaW5lMB4XDTIzMDUwOTA0NTUxMloXDTMzMDUxMDA0NTUxMlow
+TjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8w
+DQYDVQQKEwZOb3RhcnkxDzANBgNVBAMTBmFscGluZTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAK5hpq1229GGLjMK6i9KZhuUO+SV7rUFnWIDiIPO5yWx
+YDkl+bGroeAvJYu6MVCMQ6FMRXD9jhnG6R+sAHwY7gVgcJ1OXak87PkLp/Ii1Cr7
+XkkySZeD+Br1vSQzfxs3pFG+iBCeVVkeZdsg+xqwnAlqAILXwIbTGRyJP1Xiu9nw
+OeuX1YmxPl2m29Pt1EtfVCL9COsVKt5LgOVyWP/9ISWevOBqSCU9bk35HFo9VTeU
+f6+ffhSMjv0Y9uwkFFOKXpcV8Sa3ArqyBmgQlUfGg1iwYlqiDE0fTYxiB3gLgETA
+lmTm50J+WB9LoDrnrQpbXFLoegm+JV+uSD8J8H7DL2sCAwEAAaMnMCUwDgYDVR0P
+AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IB
+AQAt0Nvna1c4pPn8kzoN5VvmFmeIgdO/BJpmdhdg0WIQ9aeN/xPXXaVjPp1Mk7ed
+XHAvBwQr0Gyzqyy7g/h0gdnAFG7f6blrRNzbrRBCq6cNqX8iwgK/9+2OYKxk1QWj
+8Gx0cvu1DN1aXjPPGgQ2j3tHjJvJv32J/zuZa8gU40RPPSLaBlc5ZjpFmyi29sKl
+TeeZ+F/Ssic51qXXw2CsYGGWK5yQ3xSCxbw6bb2G/s/YI7/KlWg9BktBJHzRu04Z
+NR77W7/dyJ3Lj17PlW1XKmMOFHsQivagXeRCbmYZ43fX4ugFRFKL7KE0EgmGOWpJ
+0xv+6ig93sqHzQ/0uv1YgFov
+-----END CERTIFICATE-----
diff --git a/cmd/notation/internal/truststore/testdata/truststore/x509/ca/test/self-signed.crt b/cmd/notation/internal/truststore/testdata/truststore/x509/ca/test/self-signed.crt
new file mode 100644
index 000000000..dd0094e90
--- /dev/null
+++ b/cmd/notation/internal/truststore/testdata/truststore/x509/ca/test/self-signed.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIBeTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEP
+MA0GA1UEAxMGYWxwaW5lMB4XDTIzMDUwOTA0NTUxMloXDTMzMDUxMDA0NTUxMlow
+TjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8w
+DQYDVQQKEwZOb3RhcnkxDzANBgNVBAMTBmFscGluZTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAK5hpq1229GGLjMK6i9KZhuUO+SV7rUFnWIDiIPO5yWx
+YDkl+bGroeAvJYu6MVCMQ6FMRXD9jhnG6R+sAHwY7gVgcJ1OXak87PkLp/Ii1Cr7
+XkkySZeD+Br1vSQzfxs3pFG+iBCeVVkeZdsg+xqwnAlqAILXwIbTGRyJP1Xiu9nw
+OeuX1YmxPl2m29Pt1EtfVCL9COsVKt5LgOVyWP/9ISWevOBqSCU9bk35HFo9VTeU
+f6+ffhSMjv0Y9uwkFFOKXpcV8Sa3ArqyBmgQlUfGg1iwYlqiDE0fTYxiB3gLgETA
+lmTm50J+WB9LoDrnrQpbXFLoegm+JV+uSD8J8H7DL2sCAwEAAaMnMCUwDgYDVR0P
+AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IB
+AQAt0Nvna1c4pPn8kzoN5VvmFmeIgdO/BJpmdhdg0WIQ9aeN/xPXXaVjPp1Mk7ed
+XHAvBwQr0Gyzqyy7g/h0gdnAFG7f6blrRNzbrRBCq6cNqX8iwgK/9+2OYKxk1QWj
+8Gx0cvu1DN1aXjPPGgQ2j3tHjJvJv32J/zuZa8gU40RPPSLaBlc5ZjpFmyi29sKl
+TeeZ+F/Ssic51qXXw2CsYGGWK5yQ3xSCxbw6bb2G/s/YI7/KlWg9BktBJHzRu04Z
+NR77W7/dyJ3Lj17PlW1XKmMOFHsQivagXeRCbmYZ43fX4ugFRFKL7KE0EgmGOWpJ
+0xv+6ig93sqHzQ/0uv1YgFov
+-----END CERTIFICATE-----
diff --git a/cmd/notation/internal/truststore/truststore.go b/cmd/notation/internal/truststore/truststore.go
index 39edb0658..c2365a18f 100644
--- a/cmd/notation/internal/truststore/truststore.go
+++ b/cmd/notation/internal/truststore/truststore.go
@@ -194,7 +194,7 @@ func DeleteCert(storeType, namedStore, cert string, confirmed bool) error {
 	return nil
 }
 
-// CheckNonErrNotExistError returns nil when no err or err is fs.ErrNotExist
+// CheckNonErrNotExistError returns nil when err is nil or err is fs.ErrNotExist
 func CheckNonErrNotExistError(err error) error {
 	if err != nil && !errors.Is(err, fs.ErrNotExist) {
 		return err
diff --git a/cmd/notation/internal/truststore/truststore_test.go b/cmd/notation/internal/truststore/truststore_test.go
index 2693fb4c9..b8aab3635 100644
--- a/cmd/notation/internal/truststore/truststore_test.go
+++ b/cmd/notation/internal/truststore/truststore_test.go
@@ -15,15 +15,107 @@ package truststore
 
 import (
 	"errors"
+	"os"
 	"path/filepath"
+	"runtime"
+	"strings"
 	"testing"
+
+	"github.com/notaryproject/notation-go/dir"
 )
 
-func TestEmptyCertFile(t *testing.T) {
-	path := filepath.FromSlash("../../../../internal/testdata/Empty.txt")
-	expectedErr := errors.New("no valid certificate found in the empty file")
-	err := AddCert(path, "ca", "test", false)
-	if err == nil || err.Error() != "no valid certificate found in the file" {
-		t.Fatalf("expected err: %v, got: %v", expectedErr, err)
-	}
+func TestAddCert(t *testing.T) {
+	defer func(oldDir string) {
+		dir.UserConfigDir = oldDir
+	}(dir.UserConfigDir)
+
+	t.Run("empty store type", func(t *testing.T) {
+		expectedErrMsg := "store type cannot be empty"
+		err := AddCert("", "", "test", false)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected err: %v, but got: %v", expectedErrMsg, err)
+		}
+	})
+
+	t.Run("invalid store type", func(t *testing.T) {
+		expectedErrMsg := "unsupported store type: invalid"
+		err := AddCert("", "invalid", "test", false)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected err: %v, but got: %v", expectedErrMsg, err)
+		}
+	})
+
+	t.Run("invalid store name", func(t *testing.T) {
+		expectedErrMsg := "named store name needs to follow [a-zA-Z0-9_.-]+ format"
+		err := AddCert("", "ca", "test%", false)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected err: %v, but got: %v", expectedErrMsg, err)
+		}
+	})
+
+	t.Run("no valid certificate in file", func(t *testing.T) {
+		path := filepath.FromSlash("testdata/invalid.txt")
+		expectedErrMsg := "x509: malformed certificate"
+		err := AddCert(path, "ca", "test", false)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected err: %v, but got: %v", expectedErrMsg, err)
+		}
+	})
+
+	t.Run("cert already exists", func(t *testing.T) {
+		dir.UserConfigDir = "testdata"
+		path := filepath.FromSlash("testdata/self-signed.crt")
+		expectedErrMsg := "certificate already exists in the Trust Store"
+		err := AddCert(path, "ca", "test", false)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected err: %v, but got: %v", expectedErrMsg, err)
+		}
+	})
+
+	t.Run("empty file", func(t *testing.T) {
+		path := filepath.FromSlash("../../../../internal/testdata/Empty.txt")
+		expectedErr := errors.New("no valid certificate found in the empty file")
+		err := AddCert(path, "ca", "test", false)
+		if err == nil || err.Error() != "no valid certificate found in the file" {
+			t.Fatalf("expected err: %v, but got: %v", expectedErr, err)
+		}
+	})
+
+	t.Run("failed to add cert to store", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
+
+		dir.UserConfigDir = t.TempDir()
+		if err := os.Chmod(dir.UserConfigDir, 0000); err != nil {
+			t.Fatal(err)
+		}
+		defer os.Chmod(dir.UserConfigDir, 0700)
+
+		path := filepath.FromSlash("testdata/NotationTestRoot.pem")
+		expectedErrMsg := "permission denied"
+		err := AddCert(path, "ca", "test", false)
+		if err == nil || !strings.Contains(err.Error(), expectedErrMsg) {
+			t.Fatalf("expected err: %v, but got: %v", expectedErrMsg, err)
+		}
+	})
+}
+
+func TestDeleteAllCerts(t *testing.T) {
+	defer func(oldDir string) {
+		dir.UserConfigDir = oldDir
+	}(dir.UserConfigDir)
+
+	t.Run("store does not exist", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
+
+		dir.UserConfigDir = "testdata"
+		expectedErrMsg := `stat testdata/truststore/x509/tsa/test: no such file or directory`
+		err := DeleteAllCerts("tsa", "test", true)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected err: %v, but got: %v", expectedErrMsg, err)
+		}
+	})
 }
diff --git a/cmd/notation/plugin/install.go b/cmd/notation/plugin/install.go
index b7538fc16..d79924e10 100644
--- a/cmd/notation/plugin/install.go
+++ b/cmd/notation/plugin/install.go
@@ -132,7 +132,7 @@ func install(command *cobra.Command, opts *pluginInstallOpts) error {
 		}
 		pluginURL, err := url.Parse(opts.pluginSource)
 		if err != nil {
-			return fmt.Errorf("failed to parse plugin download URL %s with error: %w", pluginURL, err)
+			return fmt.Errorf("failed to parse plugin download URL %s with error: %w", opts.pluginSource, err)
 		}
 		if pluginURL.Scheme != "https" {
 			return fmt.Errorf("failed to download plugin from URL: only the HTTPS scheme is supported, but got %s", pluginURL.Scheme)
diff --git a/cmd/notation/plugin/install_test.go b/cmd/notation/plugin/install_test.go
new file mode 100644
index 000000000..6f583d7ed
--- /dev/null
+++ b/cmd/notation/plugin/install_test.go
@@ -0,0 +1,96 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugin
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	notationplugin "github.com/notaryproject/notation/cmd/notation/internal/plugin"
+	"github.com/notaryproject/notation/internal/osutil"
+	"github.com/spf13/cobra"
+)
+
+func TestInstall(t *testing.T) {
+	t.Run("invalid plugin source url", func(t *testing.T) {
+		opts := &pluginInstallOpts{
+			pluginSourceType: notationplugin.PluginSourceTypeURL,
+			inputChecksum:    "dummy",
+			pluginSource:     "http://[::1]/%",
+		}
+		expectedErrMsg := `failed to parse plugin download URL http://[::1]/% with error: parse "http://[::1]/%": invalid URL escape "%"`
+		err := install(&cobra.Command{}, opts)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected error %s, but got %s", expectedErrMsg, err)
+		}
+	})
+
+	t.Run("unknown plugin source type", func(t *testing.T) {
+		opts := &pluginInstallOpts{
+			pluginSourceType: -1,
+		}
+		expectedErrMsg := `plugin installation failed: unknown plugin source type`
+		err := install(&cobra.Command{}, opts)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected error %s, but got %s", expectedErrMsg, err)
+		}
+	})
+}
+
+func TestInstallPlugin(t *testing.T) {
+	ctx := context.Background()
+	t.Run("input path does not exist", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
+		expectedErrMsg := `stat invalid: no such file or directory`
+		err := installPlugin(ctx, "invalid", "", false)
+		if err == nil || err.Error() != expectedErrMsg {
+			t.Fatalf("expected error %s, but got %s", expectedErrMsg, err)
+		}
+	})
+
+	t.Run("failed to get file type", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
+
+		tempDir := t.TempDir()
+		data := []byte("data")
+		filename := filepath.Join(tempDir, "a", "file.txt")
+		if err := osutil.WriteFile(filename, data); err != nil {
+			t.Fatal(err)
+		}
+		err := os.Chmod(tempDir, 0)
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer func() {
+			err := os.Chmod(tempDir, 0700)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}()
+
+		expectedErrMsg := `permission denied`
+		err = installPlugin(ctx, filename, "", false)
+		if err == nil || !strings.Contains(err.Error(), expectedErrMsg) {
+			t.Fatalf("expected permission denied error, but got %s", err)
+		}
+	})
+}

From 88f39d261a36743e327aaebc1d95a319dbc2ca39 Mon Sep 17 00:00:00 2001
From: Patrick Zheng <patrickzheng@microsoft.com>
Date: Tue, 5 Nov 2024 11:35:24 +0800
Subject: [PATCH 05/34] fix: discard crl cache error (#1076)

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 cmd/notation/verify.go      |  1 +
 cmd/notation/verify_test.go | 40 +++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go
index 96b1ee123..5258f36f1 100644
--- a/cmd/notation/verify.go
+++ b/cmd/notation/verify.go
@@ -246,6 +246,7 @@ func getVerifier(ctx context.Context) (notation.Verifier, error) {
 	if err != nil {
 		return nil, err
 	}
+	crlFetcher.DiscardCacheError = true // discard cache error
 	revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
 		OCSPHTTPClient:   ocspHttpClient,
 		CRLFetcher:       crlFetcher,
diff --git a/cmd/notation/verify_test.go b/cmd/notation/verify_test.go
index 23954e11f..4eb5e0e41 100644
--- a/cmd/notation/verify_test.go
+++ b/cmd/notation/verify_test.go
@@ -15,11 +15,15 @@ package main
 
 import (
 	"context"
+	"encoding/json"
+	"os"
+	"path/filepath"
 	"reflect"
 	"runtime"
 	"testing"
 
 	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 )
 
 func TestVerifyCommand_BasicArgs(t *testing.T) {
@@ -86,6 +90,27 @@ func TestVerifyCommand_MissingArgs(t *testing.T) {
 }
 
 func TestGetVerifier(t *testing.T) {
+	defer func(oldConfiDir, oldCacheDir string) {
+		dir.UserConfigDir = oldConfiDir
+		dir.UserCacheDir = oldCacheDir
+	}(dir.UserConfigDir, dir.UserCacheDir)
+
+	t.Run("success", func(t *testing.T) {
+		tempRoot := t.TempDir()
+		dir.UserConfigDir = tempRoot
+		path := filepath.Join(tempRoot, "trustpolicy.json")
+		policyJson, _ := json.Marshal(dummyOCIPolicyDocument())
+		if err := os.WriteFile(path, policyJson, 0600); err != nil {
+			t.Fatalf("TestLoadOCIDocument write policy file failed. Error: %v", err)
+		}
+		t.Cleanup(func() { os.RemoveAll(tempRoot) })
+
+		_, err := getVerifier(context.Background())
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+
 	t.Run("non-existing trust policy", func(t *testing.T) {
 		dir.UserConfigDir = "/"
 		expectedErrMsg := "trust policy is not present. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy"
@@ -107,3 +132,18 @@ func TestGetVerifier(t *testing.T) {
 		}
 	})
 }
+
+func dummyOCIPolicyDocument() trustpolicy.OCIDocument {
+	return trustpolicy.OCIDocument{
+		Version: "1.0",
+		TrustPolicies: []trustpolicy.OCITrustPolicy{
+			{
+				Name:                  "test-statement-name",
+				RegistryScopes:        []string{"registry.acme-rockets.io/software/net-monitor"},
+				SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: "strict"},
+				TrustStores:           []string{"ca:valid-trust-store", "signingAuthority:valid-trust-store"},
+				TrustedIdentities:     []string{"x509.subject:CN=Notation Test Root,O=Notary,L=Seattle,ST=WA,C=US"},
+			},
+		},
+	}
+}

From cfc9ff68fe5a4c0155a7897949c4fb14b4b05991 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 06:54:19 +0000
Subject: [PATCH 06/34] build(deps): Bump codecov/codecov-action from 4.5.0 to
 4.6.0 (#1054)

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a53ff7df9..4f16795ef 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,6 +59,6 @@ jobs:
             make e2e-covdata
           fi
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

From 86c2a59c006dca8614b6565ad8df5c747e66191e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 06:58:07 +0000
Subject: [PATCH 07/34] build(deps): Bump github.com/spf13/cobra from 1.7.0 to
 1.8.1 in /test/e2e/plugin (#1050)

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 test/e2e/plugin/go.mod | 2 +-
 test/e2e/plugin/go.sum | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod
index 7524d77b7..86c8e3d58 100644
--- a/test/e2e/plugin/go.mod
+++ b/test/e2e/plugin/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/notaryproject/notation-core-go v1.2.0-rc.1
 	github.com/notaryproject/notation-go v1.3.0-rc.1
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.1
 )
 
 require (
diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum
index e9735eacc..c10a93932 100644
--- a/test/e2e/plugin/go.sum
+++ b/test/e2e/plugin/go.sum
@@ -2,7 +2,7 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -52,8 +52,8 @@ github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2sz
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

From 511841f9b6c0513d872db3c67b3d5e1b621b514f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 06:58:23 +0000
Subject: [PATCH 08/34] build(deps): Bump golang.org/x/term from 0.24.0 to
 0.25.0 (#1055)

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 7da3817e2..4e710143f 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	golang.org/x/net v0.29.0
-	golang.org/x/term v0.24.0
+	golang.org/x/term v0.25.0
 	oras.land/oras-go/v2 v2.5.0
 )
 
@@ -30,5 +30,5 @@ require (
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
 )
diff --git a/go.sum b/go.sum
index d21c731f2..a0f517f60 100644
--- a/go.sum
+++ b/go.sum
@@ -107,16 +107,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
-golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
+golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
+golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

From 5e8ba7c50699f13de925388e30cd4787d552f830 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Nov 2024 09:49:43 -0800
Subject: [PATCH 09/34] build(deps): Bump actions/cache from 4.0.2 to 4.1.2
 (#1073)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [actions/cache](https://github.com/actions/cache) from 4.0.2 to
4.1.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/cache/releases">actions/cache's
releases</a>.</em></p>
<blockquote>
<h2>v4.1.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Add Bun example by <a
href="https://github.com/idleberg"><code>@​idleberg</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1456">actions/cache#1456</a></li>
<li>Revise <code>isGhes</code> logic by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1474">actions/cache#1474</a></li>
<li>Bump braces from 3.0.2 to 3.0.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1475">actions/cache#1475</a></li>
<li>Add dependabot.yml to enable automatic dependency upgrades by <a
href="https://github.com/Link"><code>@​Link</code></a>- in <a
href="https://redirect.github.com/actions/cache/pull/1476">actions/cache#1476</a></li>
<li>Bump actions/checkout from 3 to 4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1478">actions/cache#1478</a></li>
<li>Bump actions/stale from 3 to 9 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1479">actions/cache#1479</a></li>
<li>Bump github/codeql-action from 2 to 3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1483">actions/cache#1483</a></li>
<li>Bump actions/setup-node from 3 to 4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1481">actions/cache#1481</a></li>
<li>Prepare <code>4.1.2</code> release by <a
href="https://github.com/Link"><code>@​Link</code></a>- in <a
href="https://redirect.github.com/actions/cache/pull/1477">actions/cache#1477</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/idleberg"><code>@​idleberg</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1456">actions/cache#1456</a></li>
<li><a href="https://github.com/jww3"><code>@​jww3</code></a> made their
first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1474">actions/cache#1474</a></li>
<li><a href="https://github.com/Link"><code>@​Link</code></a>- made
their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1476">actions/cache#1476</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/cache/compare/v4...v4.1.2">https://github.com/actions/cache/compare/v4...v4.1.2</a></p>
<h2>v4.1.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Restore original behavior of <code>cache-hit</code> output by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1467">actions/cache#1467</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/cache/compare/v4.1.0...v4.1.1">https://github.com/actions/cache/compare/v4.1.0...v4.1.1</a></p>
<h2>v4.1.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Fix cache-hit output when cache missed by <a
href="https://github.com/fchimpan"><code>@​fchimpan</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1404">actions/cache#1404</a></li>
<li>Deprecate <code>save-always</code> input by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/cache/pull/1452">actions/cache#1452</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/ottlinger"><code>@​ottlinger</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1437">actions/cache#1437</a></li>
<li><a href="https://github.com/Olegt0rr"><code>@​Olegt0rr</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1377">actions/cache#1377</a></li>
<li><a href="https://github.com/fchimpan"><code>@​fchimpan</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1404">actions/cache#1404</a></li>
<li><a href="https://github.com/x612skm"><code>@​x612skm</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1434">actions/cache#1434</a></li>
<li><a href="https://github.com/todgru"><code>@​todgru</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1311">actions/cache#1311</a></li>
<li><a href="https://github.com/Jcambass"><code>@​Jcambass</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1463">actions/cache#1463</a></li>
<li><a
href="https://github.com/mackey0225"><code>@​mackey0225</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1462">actions/cache#1462</a></li>
<li><a href="https://github.com/quatquatt"><code>@​quatquatt</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/cache/pull/1445">actions/cache#1445</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/cache/compare/v4.0.2...v4.1.0">https://github.com/actions/cache/compare/v4.0.2...v4.1.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's
changelog</a>.</em></p>
<blockquote>
<h1>Releases</h1>
<h3>4.1.2</h3>
<ul>
<li>Add GitHub Enterprise Cloud instances hostname filters to inform API
endpoint choices - <a
href="https://redirect.github.com/actions/cache/pull/1474">#1474</a></li>
<li>Security fix: Bump braces from 3.0.2 to 3.0.3 - <a
href="https://redirect.github.com/actions/cache/pull/1475">#1475</a></li>
</ul>
<h3>4.1.1</h3>
<ul>
<li>Restore original behavior of <code>cache-hit</code> output - <a
href="https://redirect.github.com/actions/cache/pull/1467">#1467</a></li>
</ul>
<h3>4.1.0</h3>
<ul>
<li>Ensure <code>cache-hit</code> output is set when a cache is missed -
<a
href="https://redirect.github.com/actions/cache/pull/1404">#1404</a></li>
<li>Deprecate <code>save-always</code> input - <a
href="https://redirect.github.com/actions/cache/pull/1452">#1452</a></li>
</ul>
<h3>4.0.2</h3>
<ul>
<li>Fixed restore <code>fail-on-cache-miss</code> not working.</li>
</ul>
<h3>4.0.1</h3>
<ul>
<li>Updated <code>isGhes</code> check</li>
</ul>
<h3>4.0.0</h3>
<ul>
<li>Updated minimum runner version support from node 12 -&gt; node
20</li>
</ul>
<h3>3.3.3</h3>
<ul>
<li>Updates <code>@​actions/cache</code> to v3.2.3 to fix accidental
mutated path arguments to <code>getCacheVersion</code> <a
href="https://redirect.github.com/actions/toolkit/pull/1378">actions/toolkit#1378</a></li>
<li>Additional audit fixes of npm package(s)</li>
</ul>
<h3>3.3.2</h3>
<ul>
<li>Fixes bug with Azure SDK causing blob downloads to get stuck.</li>
</ul>
<h3>3.3.1</h3>
<ul>
<li>Reduced segment size to 128MB and segment timeout to 10 minutes to
fail fast in case the cache download is stuck.</li>
</ul>
<h3>3.3.0</h3>
<ul>
<li>Added option to lookup cache without downloading it.</li>
</ul>
<h3>3.2.6</h3>
<ul>
<li>Fix zstd not being used after zstd version upgrade to 1.5.4 on
hosted runners.</li>
</ul>
<h3>3.2.5</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/cache/commit/6849a6489940f00c2f30c0fb92c6274307ccb58a"><code>6849a64</code></a>
Release 4.1.2 <a
href="https://redirect.github.com/actions/cache/issues/1477">#1477</a></li>
<li><a
href="https://github.com/actions/cache/commit/5a1720c49e91718f5d0ce7f154997c93e0f6159a"><code>5a1720c</code></a>
Merge branch 'Link-/prep-4.1.2' of <a
href="https://github.com/actions/cache">https://github.com/actions/cache</a>
into Link...</li>
<li><a
href="https://github.com/actions/cache/commit/d9fef48d24d529bac46adcc1e42f49649de07ca9"><code>d9fef48</code></a>
Merge branch 'main' into Link-/prep-4.1.2</li>
<li><a
href="https://github.com/actions/cache/commit/a50e8d027b022a55ef85ffa721ebd97d2b22bcda"><code>a50e8d0</code></a>
Merge branch 'main' into Link-/prep-4.1.2</li>
<li><a
href="https://github.com/actions/cache/commit/acc9ae5c1401b6c072a7c89ff4c48ea7e30f4dbf"><code>acc9ae5</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/cache/issues/1481">#1481</a>
from actions/dependabot/github_actions/actions/setup...</li>
<li><a
href="https://github.com/actions/cache/commit/1ea5f18c31265ef251b3eb51ce8b857be5e7b044"><code>1ea5f18</code></a>
Merge branch 'main' into Link-/prep-4.1.2</li>
<li><a
href="https://github.com/actions/cache/commit/cc679ff3baee71867c711040a5c21af61b262806"><code>cc679ff</code></a>
Merge branch 'main' into
dependabot/github_actions/actions/setup-node-4</li>
<li><a
href="https://github.com/actions/cache/commit/366d43d6f8aa1f3e5d28b2c98959d557d78ffa3f"><code>366d43d</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/cache/issues/1483">#1483</a>
from actions/dependabot/github_actions/github/codeql...</li>
<li><a
href="https://github.com/actions/cache/commit/02bf31969bcc471fd5f91b5896ae17beb0973413"><code>02bf319</code></a>
Bump github/codeql-action from 2 to 3</li>
<li><a
href="https://github.com/actions/cache/commit/6f6220be5af96ba6940aca960265218cae17e8fd"><code>6f6220b</code></a>
Merge branch 'main' into
dependabot/github_actions/actions/setup-node-4</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/cache/compare/0c45773b623bea8c8e75f6c82b208c3cf94ea4f9...6849a6489940f00c2f30c0fb92c6274307ccb58a">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/cache&package-manager=github_actions&previous-version=4.0.2&new-version=4.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4f16795ef..e30f5b6d6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -38,7 +38,7 @@ jobs:
       - name: Check out code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Cache Go modules
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         id: go-mod-cache
         with:
           path: ~/go/pkg/mod

From 6c94fc5b8696f1cdfa3dd041358093506017c632 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Nov 2024 09:49:52 -0800
Subject: [PATCH 10/34] build(deps): Bump actions/upload-artifact from 4.4.0 to
 4.4.3 (#1066)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[actions/upload-artifact](https://github.com/actions/upload-artifact)
from 4.4.0 to 4.4.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v4.4.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Undo indirect dependency updates from <a
href="https://redirect.github.com/actions/upload-artifact/issues/627">#627</a>
by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a>
in <a
href="https://redirect.github.com/actions/upload-artifact/pull/632">actions/upload-artifact#632</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3">https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3</a></p>
<h2>v4.4.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Bump <code>@actions/artifact</code> to 2.1.11 by <a
href="https://github.com/robherley"><code>@​robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/627">actions/upload-artifact#627</a>
<ul>
<li>Includes fix for relative symlinks not resolving properly</li>
</ul>
</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2">https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2</a></p>
<h2>v4.4.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Add a section about hidden files by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/607">actions/upload-artifact#607</a></li>
<li>Add workflow file for publishing releases to immutable action
package by <a
href="https://github.com/Jcambass"><code>@​Jcambass</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/621">actions/upload-artifact#621</a></li>
<li>Update <code>@​actions/artifact</code> to latest version, includes
symlink and timeout fixes by <a
href="https://github.com/robherley"><code>@​robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/625">actions/upload-artifact#625</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Jcambass"><code>@​Jcambass</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/621">actions/upload-artifact#621</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1">https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/upload-artifact/commit/b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882"><code>b4b15b8</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/632">#632</a>
from actions/joshmgross/undo-dependency-changes</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/92b01ebffaf2e2520c64ab2845d3f9bd5c06941a"><code>92b01eb</code></a>
Undo indirect dependency updates from <a
href="https://redirect.github.com/actions/upload-artifact/issues/627">#627</a></li>
<li><a
href="https://github.com/actions/upload-artifact/commit/84480863f228bb9747b473957fcc9e309aa96097"><code>8448086</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/627">#627</a>
from actions/robherley/v4.4.2</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/b1d4642b699cfe7e338a864cc36849b29ad04a75"><code>b1d4642</code></a>
add explicit relative and absolute symlinks to workflow</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/d50e66084c4d29dc5d3326b7a0e67bed9ef4bb1e"><code>d50e660</code></a>
bump version</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/aabe6f8050b860cae7a9065282dde2b3227836aa"><code>aabe6f8</code></a>
build with <code>@​actions/artifact</code> v2.1.11</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/604373da6381bf24206979c74d06a550515601b9"><code>604373d</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/625">#625</a>
from actions/robherley/artifact-2.1.10</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/0150148bdf458be2451ee90b000ecdcca8216ed8"><code>0150148</code></a>
paste right core version</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/a009b25faa61b2b26de294984570f1371b13a895"><code>a009b25</code></a>
update licenses</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/9f6f6f402e14cb0fe462513c8fa31e6ec061e8b5"><code>9f6f6f4</code></a>
update <code>@​actions/core</code> and <code>@​actions/artifact</code>
to latest versions</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/upload-artifact/compare/50769540e7f4bd5e21e526ee35c689e35e0d6874...b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=4.4.0&new-version=4.4.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 7618d5ece..a364da078 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -54,7 +54,7 @@ jobs:
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # tag=v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
         with:
           name: SARIF file
           path: results.sarif

From 986f8ae82727ae3b6c4ec1c182b7175b79f8f560 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Nov 2024 09:50:02 -0800
Subject: [PATCH 11/34] build(deps): Bump actions/checkout from 4.1.7 to 4.2.2
 (#1074)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[//]: # (dependabot-start)
⚠️  **Dependabot is rebasing this PR** ⚠️

Rebasing might not happen immediately, so don't worry if this takes some
time.

Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.

---

[//]: # (dependabot-end)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7
to 4.2.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v4.2.2</h2>
<h2>What's Changed</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@​jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.2.1...v4.2.2">https://github.com/actions/checkout/compare/v4.2.1...v4.2.2</a></p>
<h2>v4.2.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Jcambass"><code>@​Jcambass</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1919">actions/checkout#1919</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.2.0...v4.2.1">https://github.com/actions/checkout/compare/v4.2.0...v4.2.1</a></p>
<h2>v4.2.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add Ref and Commit outputs by <a
href="https://github.com/lucacome"><code>@​lucacome</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li>
<li>Dependabot updates in <a
href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>
&amp; <a
href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/yasonk"><code>@​yasonk</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1869">actions/checkout#1869</a></li>
<li><a href="https://github.com/lucacome"><code>@​lucacome</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.1.7...v4.2.0">https://github.com/actions/checkout/compare/v4.1.7...v4.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@​jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<h2>v4.2.0</h2>
<ul>
<li>Add Ref and Commit outputs by <a
href="https://github.com/lucacome"><code>@​lucacome</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li>
<li>Dependency updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>- <a
href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>,
<a
href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li>
</ul>
<h2>v4.1.7</h2>
<ul>
<li>Bump the minor-npm-dependencies group across 1 directory with 4
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1739">actions/checkout#1739</a></li>
<li>Bump actions/checkout from 3 to 4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1697">actions/checkout#1697</a></li>
<li>Check out other refs/* by commit by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1774">actions/checkout#1774</a></li>
<li>Pin actions/checkout's own workflows to a known, good, stable
version. by <a href="https://github.com/jww3"><code>@​jww3</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1776">actions/checkout#1776</a></li>
</ul>
<h2>v4.1.6</h2>
<ul>
<li>Check platform to set archive extension appropriately by <a
href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1732">actions/checkout#1732</a></li>
</ul>
<h2>v4.1.5</h2>
<ul>
<li>Update NPM dependencies by <a
href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1703">actions/checkout#1703</a></li>
<li>Bump github/codeql-action from 2 to 3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1694">actions/checkout#1694</a></li>
<li>Bump actions/setup-node from 1 to 4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1696">actions/checkout#1696</a></li>
<li>Bump actions/upload-artifact from 2 to 4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1695">actions/checkout#1695</a></li>
<li>README: Suggest <code>user.email</code> to be
<code>41898282+github-actions[bot]@users.noreply.github.com</code> by <a
href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1707">actions/checkout#1707</a></li>
</ul>
<h2>v4.1.4</h2>
<ul>
<li>Disable <code>extensions.worktreeConfig</code> when disabling
<code>sparse-checkout</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1692">actions/checkout#1692</a></li>
<li>Add dependabot config by <a
href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1688">actions/checkout#1688</a></li>
<li>Bump the minor-actions-dependencies group with 2 updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1693">actions/checkout#1693</a></li>
<li>Bump word-wrap from 1.2.3 to 1.2.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1643">actions/checkout#1643</a></li>
</ul>
<h2>v4.1.3</h2>
<ul>
<li>Check git version before attempting to disable
<code>sparse-checkout</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1656">actions/checkout#1656</a></li>
<li>Add SSH user parameter by <a
href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1685">actions/checkout#1685</a></li>
<li>Update <code>actions/checkout</code> version in
<code>update-main-version.yml</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1650">actions/checkout#1650</a></li>
</ul>
<h2>v4.1.2</h2>
<ul>
<li>Fix: Disable sparse checkout whenever <code>sparse-checkout</code>
option is not present <a
href="https://github.com/dscho"><code>@​dscho</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1598">actions/checkout#1598</a></li>
</ul>
<h2>v4.1.1</h2>
<ul>
<li>Correct link to GitHub Docs by <a
href="https://github.com/peterbe"><code>@​peterbe</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li>
<li>Link to release page from what's new section by <a
href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li>
</ul>
<h2>v4.1.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1396">Add
support for partial checkout filters</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/11bd71901bbe5b1630ceea73d27597364c9af683"><code>11bd719</code></a>
Prepare 4.2.2 Release (<a
href="https://redirect.github.com/actions/checkout/issues/1953">#1953</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/e3d2460bbb42d7710191569f88069044cfb9d8cf"><code>e3d2460</code></a>
Expand unit test coverage (<a
href="https://redirect.github.com/actions/checkout/issues/1946">#1946</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/163217dfcd28294438ea1c1c149cfaf66eec283e"><code>163217d</code></a>
<code>url-helper.ts</code> now leverages well-known environment
variables. (<a
href="https://redirect.github.com/actions/checkout/issues/1941">#1941</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871"><code>eef6144</code></a>
Prepare 4.2.1 release (<a
href="https://redirect.github.com/actions/checkout/issues/1925">#1925</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/6b42224f41ee5dfe5395e27c8b2746f1f9955030"><code>6b42224</code></a>
Add workflow file for publishing releases to immutable action package
(<a
href="https://redirect.github.com/actions/checkout/issues/1919">#1919</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/de5a000abf73b6f4965bd1bcdf8f8d94a56ea815"><code>de5a000</code></a>
Check out other refs/* by commit if provided, fall back to ref (<a
href="https://redirect.github.com/actions/checkout/issues/1924">#1924</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/d632683dd7b4114ad314bca15554477dd762a938"><code>d632683</code></a>
Prepare 4.2.0 release (<a
href="https://redirect.github.com/actions/checkout/issues/1878">#1878</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/6d193bf28034eafb982f37bd894289fe649468fc"><code>6d193bf</code></a>
Bump braces from 3.0.2 to 3.0.3 (<a
href="https://redirect.github.com/actions/checkout/issues/1777">#1777</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/db0cee9a514becbbd4a101a5fbbbf47865ee316c"><code>db0cee9</code></a>
Bump the minor-npm-dependencies group across 1 directory with 4 updates
(<a
href="https://redirect.github.com/actions/checkout/issues/1872">#1872</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/b6849436894e144dbce29d7d7fda2ae3bf9d8365"><code>b684943</code></a>
Add Ref and Commit outputs (<a
href="https://redirect.github.com/actions/checkout/issues/1180">#1180</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...11bd71901bbe5b1630ceea73d27597364c9af683">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=4.1.7&new-version=4.2.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/build.yml          | 2 +-
 .github/workflows/codeql.yml         | 2 +-
 .github/workflows/release-github.yml | 2 +-
 .github/workflows/scorecard.yml      | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e30f5b6d6..a13358aa0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -36,7 +36,7 @@ jobs:
           go-version: ${{ matrix.go-version }}
           check-latest: true
       - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Cache Go modules
         uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         id: go-mod-cache
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 53fec1f03..d3ae94772 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,7 +42,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go ${{ matrix.go-version }} environment
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml
index eaa77dc0e..2bc1b058b 100644
--- a/.github/workflows/release-github.yml
+++ b/.github/workflows/release-github.yml
@@ -38,7 +38,7 @@ jobs:
           go-version: ${{ matrix.go-version }}
           check-latest: true
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - name: Set GoReleaser Previous Tag To Be Last Non Weekly Release
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index a364da078..5d8ceee57 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -41,7 +41,7 @@ jobs:
     
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=4.2.2
         with:
           persist-credentials: false
 

From faf439a9da0d898346745ce2881c8e38bd252487 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Nov 2024 09:50:19 -0800
Subject: [PATCH 12/34] build(deps): Bump github.com/golang-jwt/jwt/v4 from
 4.5.0 to 4.5.1 in /test/e2e/plugin (#1077)

Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt)
from 4.5.0 to 4.5.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/golang-jwt/jwt/releases">github.com/golang-jwt/jwt/v4's
releases</a>.</em></p>
<blockquote>
<h2>v4.5.1</h2>
<h1>Security</h1>
<p>Unclear documentation of the error behavior in
<code>ParseWithClaims</code> in &lt;= 4.5.0 could lead to situation
where users are potentially not checking errors in the way they should
be. Especially, if a token is both expired and invalid, the errors
returned by <code>ParseWithClaims</code> return both error codes. If
users only check for the <code>jwt.ErrTokenExpired </code> using
<code>error.Is</code>, they will ignore the embedded
<code>jwt.ErrTokenSignatureInvalid</code> and thus potentially accept
invalid tokens.</p>
<p>This issue was documented in <a
href="https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r">https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r</a>
and fixed in this release.</p>
<p>Note: <code>v5</code> was not affected by this issue. So upgrading to
this release version is also recommended.</p>
<h1>What's Changed</h1>
<ul>
<li>Back-ported error-handling logic in <code>ParseWithClaims</code>
from <code>v5</code> branch. This fixes <a
href="https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r">https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r</a>.</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/golang-jwt/jwt/compare/v4.5.0...v4.5.1">https://github.com/golang-jwt/jwt/compare/v4.5.0...v4.5.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c"><code>7b1c1c0</code></a>
Merge commit from fork</li>
<li>See full diff in <a
href="https://github.com/golang-jwt/jwt/compare/v4.5.0...v4.5.1">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/golang-jwt/jwt/v4&package-manager=go_modules&previous-version=4.5.0&new-version=4.5.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/notaryproject/notation/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 test/e2e/plugin/go.mod | 2 +-
 test/e2e/plugin/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod
index 86c8e3d58..daab39766 100644
--- a/test/e2e/plugin/go.mod
+++ b/test/e2e/plugin/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.8 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/notaryproject/tspclient-go v0.2.0 // indirect
diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum
index c10a93932..b805bb0b5 100644
--- a/test/e2e/plugin/go.sum
+++ b/test/e2e/plugin/go.sum
@@ -14,8 +14,8 @@ github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ
 github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=

From f8c8112de0a509ac4e6eaa4aa8c1a50c4e0d4f48 Mon Sep 17 00:00:00 2001
From: Patrick Zheng <patrickzheng@microsoft.com>
Date: Tue, 12 Nov 2024 09:10:11 +0800
Subject: [PATCH 13/34] feat: crl cache with log (#1078)

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 cmd/notation/verify.go   |   9 ++-
 internal/crl/crl.go      |  80 +++++++++++++++++++++++
 internal/crl/crl_test.go | 135 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 222 insertions(+), 2 deletions(-)
 create mode 100644 internal/crl/crl.go
 create mode 100644 internal/crl/crl_test.go

diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go
index 5258f36f1..03d1224c5 100644
--- a/cmd/notation/verify.go
+++ b/cmd/notation/verify.go
@@ -39,6 +39,7 @@ import (
 	"github.com/spf13/cobra"
 
 	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	clicrl "github.com/notaryproject/notation/internal/crl"
 )
 
 type verifyOpts struct {
@@ -238,15 +239,19 @@ func getVerifier(ctx context.Context) (notation.Verifier, error) {
 	if err != nil {
 		return nil, err
 	}
+	crlFetcher.DiscardCacheError = true // discard crl cache error
 	cacheRoot, err := dir.CacheFS().SysPath(dir.PathCRLCache)
 	if err != nil {
 		return nil, err
 	}
-	crlFetcher.Cache, err = crl.NewFileCache(cacheRoot)
+	fileCache, err := crl.NewFileCache(cacheRoot)
 	if err != nil {
 		return nil, err
 	}
-	crlFetcher.DiscardCacheError = true // discard cache error
+	crlFetcher.Cache = &clicrl.CacheWithLog{
+		Cache:             fileCache,
+		DiscardCacheError: crlFetcher.DiscardCacheError,
+	}
 	revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
 		OCSPHTTPClient:   ocspHttpClient,
 		CRLFetcher:       crlFetcher,
diff --git a/internal/crl/crl.go b/internal/crl/crl.go
new file mode 100644
index 000000000..e5dfb489f
--- /dev/null
+++ b/internal/crl/crl.go
@@ -0,0 +1,80 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package crl
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"sync"
+
+	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	"github.com/notaryproject/notation-go/log"
+)
+
+// CacheWithLog implements corecrl.Cache with logging
+type CacheWithLog struct {
+	corecrl.Cache
+
+	//DiscardCacheError is set to true to enable logging the discard cache error
+	//warning
+	DiscardCacheError bool
+
+	// logDiscardCrlCacheErrorOnce guarantees the discard cache error
+	// warning is logged only once
+	logDiscardCrlCacheErrorOnce sync.Once
+}
+
+// Get retrieves the CRL bundle with the given url
+func (c *CacheWithLog) Get(ctx context.Context, url string) (*corecrl.Bundle, error) {
+	if c.Cache == nil {
+		return nil, errors.New("cache cannot be nil")
+	}
+	logger := log.GetLogger(ctx)
+
+	bundle, err := c.Cache.Get(ctx, url)
+	if err != nil && !errors.Is(err, corecrl.ErrCacheMiss) {
+		if c.DiscardCacheError {
+			c.logDiscardCrlCacheErrorOnce.Do(c.logDiscardCrlCacheError)
+		}
+		logger.Debug(err.Error())
+		return nil, err
+	}
+	return bundle, err
+}
+
+// Set stores the CRL bundle with the given url
+func (c *CacheWithLog) Set(ctx context.Context, url string, bundle *corecrl.Bundle) error {
+	if c.Cache == nil {
+		return errors.New("cache cannot be nil")
+	}
+	logger := log.GetLogger(ctx)
+
+	err := c.Cache.Set(ctx, url, bundle)
+	if err != nil {
+		if c.DiscardCacheError {
+			c.logDiscardCrlCacheErrorOnce.Do(c.logDiscardCrlCacheError)
+		}
+		logger.Debug(err.Error())
+		return err
+	}
+	return nil
+}
+
+// logDiscardCrlCacheError logs the warning when CRL cache error is
+// discarded
+func (c *CacheWithLog) logDiscardCrlCacheError() {
+	fmt.Fprintln(os.Stderr, "Warning: CRL cache error discarded. Enable debug log through '-d' for error details.")
+}
diff --git a/internal/crl/crl_test.go b/internal/crl/crl_test.go
new file mode 100644
index 000000000..a81ba6c58
--- /dev/null
+++ b/internal/crl/crl_test.go
@@ -0,0 +1,135 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package crl
+
+import (
+	"context"
+	"errors"
+	"os"
+	"sync"
+	"testing"
+
+	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+)
+
+func TestGet(t *testing.T) {
+	cache := &CacheWithLog{}
+	expectedErrMsg := "cache cannot be nil"
+	_, err := cache.Get(context.Background(), "")
+	if err == nil || err.Error() != expectedErrMsg {
+		t.Fatalf("expected error %q, but got %q", expectedErrMsg, err)
+	}
+
+	cache = &CacheWithLog{
+		Cache: &dummyCache{},
+	}
+	expectedErrMsg = "cache get failed"
+	_, err = cache.Get(context.Background(), "")
+	if err == nil || err.Error() != expectedErrMsg {
+		t.Fatalf("expected error %q, but got %q", expectedErrMsg, err)
+	}
+
+	cache = &CacheWithLog{
+		Cache: &dummyCache{
+			cacheMiss: true,
+		},
+	}
+	_, err = cache.Get(context.Background(), "")
+	if err == nil || !errors.Is(err, corecrl.ErrCacheMiss) {
+		t.Fatalf("expected error %q, but got %q", corecrl.ErrCacheMiss, err)
+	}
+}
+
+func TestSet(t *testing.T) {
+	cache := &CacheWithLog{}
+	expectedErrMsg := "cache cannot be nil"
+	err := cache.Set(context.Background(), "", nil)
+	if err == nil || err.Error() != expectedErrMsg {
+		t.Fatalf("expected error %q, but got %q", expectedErrMsg, err)
+	}
+
+	cache = &CacheWithLog{
+		Cache: &dummyCache{},
+	}
+	expectedErrMsg = "cache set failed"
+	err = cache.Set(context.Background(), "", nil)
+	if err == nil || err.Error() != expectedErrMsg {
+		t.Fatalf("expected error %q, but got %q", expectedErrMsg, err)
+	}
+
+	cache = &CacheWithLog{
+		Cache: &dummyCache{
+			setSuccess: true,
+		},
+	}
+	err = cache.Set(context.Background(), "", nil)
+	if err != nil {
+		t.Fatalf("expected nil error, but got %q", err)
+	}
+}
+
+func TestLogDiscardErrorOnce(t *testing.T) {
+	cache := &CacheWithLog{
+		Cache:             &dummyCache{},
+		DiscardCacheError: true,
+	}
+	oldStderr := os.Stderr
+	defer func() {
+		os.Stderr = oldStderr
+	}()
+	testFile, err := os.CreateTemp(t.TempDir(), "testNotation")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer testFile.Close()
+	os.Stderr = testFile
+	var wg sync.WaitGroup
+	for i := 0; i < 3; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			cache.Get(context.Background(), "")
+			cache.Set(context.Background(), "", nil)
+		}()
+	}
+	wg.Wait()
+
+	b, err := os.ReadFile(testFile.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedMsg := "Warning: CRL cache error discarded. Enable debug log through '-d' for error details.\n"
+	if string(b) != expectedMsg {
+		t.Fatalf("expected to get %q, but got %q", expectedMsg, string(b))
+	}
+}
+
+type dummyCache struct {
+	cacheMiss  bool
+	setSuccess bool
+}
+
+func (d *dummyCache) Get(ctx context.Context, url string) (*corecrl.Bundle, error) {
+	if d.cacheMiss {
+		return nil, corecrl.ErrCacheMiss
+	}
+	return nil, errors.New("cache get failed")
+}
+
+func (d *dummyCache) Set(ctx context.Context, url string, bundle *corecrl.Bundle) error {
+	if d.setSuccess {
+		return nil
+	}
+	return errors.New("cache set failed")
+}

From 4dff08d8d0602f8a7de1e4a69c11ab0d0b81ff7b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 12 Nov 2024 16:22:18 +0800
Subject: [PATCH 14/34] build(deps): Bump golang.org/x/term from 0.25.0 to
 0.26.0 (#1081)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 4e710143f..4b8d6cbf6 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	golang.org/x/net v0.29.0
-	golang.org/x/term v0.25.0
+	golang.org/x/term v0.26.0
 	oras.land/oras-go/v2 v2.5.0
 )
 
@@ -30,5 +30,5 @@ require (
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/sys v0.27.0 // indirect
 )
diff --git a/go.sum b/go.sum
index a0f517f60..8ffbafa5f 100644
--- a/go.sum
+++ b/go.sum
@@ -107,16 +107,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
+golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

From e279f4e8bcabdf99428c5bbd6249723b3d16f3b7 Mon Sep 17 00:00:00 2001
From: Junjie Gao <junjiegao@microsoft.com>
Date: Wed, 13 Nov 2024 10:55:39 +0800
Subject: [PATCH 15/34] fix&test: discard error for NewFileCache & E2E test for
 CRL with cache (#1079)

Fix:
- discard error when NewFileCache failed: any cache errors should not
block the verification process

Test:
- added `crl_server.py` script to run in the background as a mock CRL
server
- added a `gen_crl_testing_certs.sh` script for generating required
certificate chain for testing CRL
- added 8 E2E test cases for CRL and CRL cache
- refactored E2E framework to allow add test key from different folders

Bump:
- updated ginkgo to v2.21.0

Resolves #1068

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 cmd/notation/verify.go                        |  12 +-
 cmd/notation/verify_test.go                   |  13 -
 test/e2e/go.mod                               |  13 +-
 test/e2e/go.sum                               |  30 +-
 test/e2e/internal/notation/host.go            |  21 +-
 test/e2e/internal/notation/key.go             |  20 +-
 test/e2e/internal/utils/crl.go                |  79 +++++
 test/e2e/internal/utils/host.go               |  10 +-
 test/e2e/run.sh                               |  11 +-
 test/e2e/scripts/crl_server.py                |  81 +++++
 test/e2e/scripts/gen_crl_testing_certs.sh     | 231 +++++++++++++
 test/e2e/suite/plugin/install.go              |   4 +-
 test/e2e/suite/scenario/crl.go                | 315 ++++++++++++++++++
 test/e2e/suite/trustpolicy/trust_store.go     |   2 +-
 .../e2e/suite/trustpolicy/trusted_identity.go |   2 +-
 .../config/crl/certchain_with_crl.pem         |  76 +++++
 test/e2e/testdata/config/crl/intermediate.crl | Bin 0 -> 487 bytes
 .../config/crl/intermediate_revoked.crl       | Bin 0 -> 510 bytes
 test/e2e/testdata/config/crl/leaf.crl         | Bin 0 -> 495 bytes
 test/e2e/testdata/config/crl/leaf.key         |  28 ++
 test/e2e/testdata/config/crl/leaf_expired.crl | Bin 0 -> 493 bytes
 test/e2e/testdata/config/crl/leaf_revoked.crl | Bin 0 -> 518 bytes
 test/e2e/testdata/config/crl/root.crt         |  25 ++
 23 files changed, 910 insertions(+), 63 deletions(-)
 create mode 100644 test/e2e/internal/utils/crl.go
 create mode 100644 test/e2e/scripts/crl_server.py
 create mode 100755 test/e2e/scripts/gen_crl_testing_certs.sh
 create mode 100644 test/e2e/suite/scenario/crl.go
 create mode 100644 test/e2e/testdata/config/crl/certchain_with_crl.pem
 create mode 100644 test/e2e/testdata/config/crl/intermediate.crl
 create mode 100644 test/e2e/testdata/config/crl/intermediate_revoked.crl
 create mode 100644 test/e2e/testdata/config/crl/leaf.crl
 create mode 100644 test/e2e/testdata/config/crl/leaf.key
 create mode 100644 test/e2e/testdata/config/crl/leaf_expired.crl
 create mode 100644 test/e2e/testdata/config/crl/leaf_revoked.crl
 create mode 100644 test/e2e/testdata/config/crl/root.crt

diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go
index 03d1224c5..933d41661 100644
--- a/cmd/notation/verify.go
+++ b/cmd/notation/verify.go
@@ -246,11 +246,13 @@ func getVerifier(ctx context.Context) (notation.Verifier, error) {
 	}
 	fileCache, err := crl.NewFileCache(cacheRoot)
 	if err != nil {
-		return nil, err
-	}
-	crlFetcher.Cache = &clicrl.CacheWithLog{
-		Cache:             fileCache,
-		DiscardCacheError: crlFetcher.DiscardCacheError,
+		// discard NewFileCache error as cache errors are not critical
+		fmt.Fprintf(os.Stderr, "Warning: %v\n", err)
+	} else {
+		crlFetcher.Cache = &clicrl.CacheWithLog{
+			Cache:             fileCache,
+			DiscardCacheError: crlFetcher.DiscardCacheError,
+		}
 	}
 	revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
 		OCSPHTTPClient:   ocspHttpClient,
diff --git a/cmd/notation/verify_test.go b/cmd/notation/verify_test.go
index 4eb5e0e41..b68796436 100644
--- a/cmd/notation/verify_test.go
+++ b/cmd/notation/verify_test.go
@@ -19,7 +19,6 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
-	"runtime"
 	"testing"
 
 	"github.com/notaryproject/notation-go/dir"
@@ -119,18 +118,6 @@ func TestGetVerifier(t *testing.T) {
 			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
 		}
 	})
-
-	t.Run("failed to new crl file cache", func(t *testing.T) {
-		if runtime.GOOS == "windows" {
-			t.Skip("skipping test on Windows")
-		}
-		dir.UserCacheDir = "/cache"
-		expectedErrMsg := "failed to create crl file cache: mkdir /cache: permission denied"
-		_, err := getVerifier(context.Background())
-		if err == nil || err.Error() != expectedErrMsg {
-			t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
-		}
-	})
 }
 
 func dummyOCIPolicyDocument() trustpolicy.OCIDocument {
diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index 9a4c19a23..1e0b2fd02 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -4,7 +4,8 @@ go 1.23
 
 require (
 	github.com/notaryproject/notation-core-go v1.2.0-rc.1
-	github.com/onsi/ginkgo/v2 v2.20.2
+	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240926015724-84c2ec076201
+	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/onsi/gomega v1.34.2
 	github.com/opencontainers/image-spec v1.1.0
 	oras.land/oras-go/v2 v2.5.0
@@ -15,16 +16,16 @@ require (
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
+	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
 	github.com/notaryproject/tspclient-go v0.2.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/veraison/go-cose v1.1.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
-	golang.org/x/tools v0.24.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
diff --git a/test/e2e/go.sum b/test/e2e/go.sum
index d423acdd3..707618328 100644
--- a/test/e2e/go.sum
+++ b/test/e2e/go.sum
@@ -8,14 +8,16 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA=
-github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/notaryproject/notation-core-go v1.2.0-rc.1 h1:VMFlG+9a1JoNAQ3M96g8iqCq0cDRtE7XBaiTD8Ouvqw=
 github.com/notaryproject/notation-core-go v1.2.0-rc.1/go.mod h1:b/70rA4OgOHlg0A7pb8zTWKJadFO6781zS3a37KHEJQ=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240926015724-84c2ec076201 h1:2QBYa9Df+vMwMiaHaFqPoUiwfx5vcPEgM7KbusivTpw=
+github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240926015724-84c2ec076201/go.mod h1:F6zMQl3PhVdCsI1xlIjK66kCorUQhWkoMtlZdvJWxFI=
 github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
 github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
-github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4=
-github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag=
+github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
+github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
 github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -30,18 +32,18 @@ github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4
 github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
-golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
 google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
diff --git a/test/e2e/internal/notation/host.go b/test/e2e/internal/notation/host.go
index 168015a2b..0ad17854f 100644
--- a/test/e2e/internal/notation/host.go
+++ b/test/e2e/internal/notation/host.go
@@ -123,7 +123,7 @@ func Opts(options ...utils.HostOption) []utils.HostOption {
 func BaseOptions() []utils.HostOption {
 	return Opts(
 		AuthOption("", ""),
-		AddKeyOption("e2e.key", "e2e.crt"),
+		AddKeyOption(filepath.Join(NotationE2ELocalKeysDir, "e2e.key"), filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
 		AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
 		AddTrustPolicyOption("trustpolicy.json"),
 	)
@@ -141,7 +141,7 @@ func TimestampOptions(verifyTimestamp string) []utils.HostOption {
 
 	return Opts(
 		AuthOption("", ""),
-		AddKeyOption("e2e.key", "e2e.crt"),
+		AddKeyOption(filepath.Join(NotationE2ELocalKeysDir, "e2e.key"), filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
 		AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
 		AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer")),
 		AddTimestampTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer")),
@@ -149,10 +149,19 @@ func TimestampOptions(verifyTimestamp string) []utils.HostOption {
 	)
 }
 
+func CRLOptions() []utils.HostOption {
+	return Opts(
+		AuthOption("", ""),
+		AddKeyOption(filepath.Join(NotationE2EConfigPath, "crl", "leaf.key"), filepath.Join(NotationE2EConfigPath, "crl", "certchain_with_crl.pem")),
+		AddTrustStoreOption("e2e", filepath.Join(NotationE2EConfigPath, "crl", "root.crt")),
+		AddTrustPolicyOption("trustpolicy.json"),
+	)
+}
+
 func BaseOptionsWithExperimental() []utils.HostOption {
 	return Opts(
 		AuthOption("", ""),
-		AddKeyOption("e2e.key", "e2e.crt"),
+		AddKeyOption(filepath.Join(NotationE2ELocalKeysDir, "e2e.key"), filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
 		AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
 		AddTrustPolicyOption("trustpolicy.json"),
 		EnableExperimental(),
@@ -163,7 +172,7 @@ func BaseOptionsWithExperimental() []utils.HostOption {
 // testing environment.
 func TestLoginOptions() []utils.HostOption {
 	return Opts(
-		AddKeyOption("e2e.key", "e2e.crt"),
+		AddKeyOption(filepath.Join(NotationE2ELocalKeysDir, "e2e.key"), filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
 		AddTrustStoreOption("e2e", filepath.Join(NotationE2ELocalKeysDir, "e2e.crt")),
 		AddTrustPolicyOption("trustpolicy.json"),
 		AddConfigJsonOption("pass_credential_helper_config.json"),
@@ -193,9 +202,9 @@ func AuthOption(username, password string) utils.HostOption {
 
 // AddKeyOption adds the test signingkeys.json, key and cert files to
 // the notation directory.
-func AddKeyOption(keyName, certName string) utils.HostOption {
+func AddKeyOption(keyPath, certPath string) utils.HostOption {
 	return func(vhost *utils.VirtualHost) error {
-		return AddKeyPairs(vhost.AbsolutePath(NotationDirName), keyName, certName)
+		return AddKeyPairs(vhost.AbsolutePath(NotationDirName), keyPath, certPath)
 	}
 }
 
diff --git a/test/e2e/internal/notation/key.go b/test/e2e/internal/notation/key.go
index d05003039..fd11a3852 100644
--- a/test/e2e/internal/notation/key.go
+++ b/test/e2e/internal/notation/key.go
@@ -53,35 +53,37 @@ type SigningKeys struct {
 
 // AddKeyPairs creates the signingkeys.json file and the localkeys directory
 // with e2e.key and e2e.crt
-func AddKeyPairs(dir, keyName, certName string) error {
+func AddKeyPairs(destNotationConfigDir, srcKeyPath, srcCertPath string) error {
+	keyName := filepath.Base(srcKeyPath)
+	certName := filepath.Base(srcCertPath)
 	// create signingkeys.json files
 	if err := saveJSON(
-		generateSigningKeys(dir),
-		filepath.Join(dir, SigningKeysFileName)); err != nil {
+		generateSigningKeys(destNotationConfigDir, keyName, certName),
+		filepath.Join(destNotationConfigDir, SigningKeysFileName)); err != nil {
 		return err
 	}
 
 	// create localkeys directory
-	localKeysDir := filepath.Join(dir, LocalKeysDirName)
+	localKeysDir := filepath.Join(destNotationConfigDir, LocalKeysDirName)
 	os.MkdirAll(localKeysDir, 0700)
 
 	// copy key and cert files
-	if err := copyFile(filepath.Join(NotationE2ELocalKeysDir, keyName), filepath.Join(localKeysDir, "e2e.key")); err != nil {
+	if err := copyFile(srcKeyPath, filepath.Join(localKeysDir, keyName)); err != nil {
 		return err
 	}
-	return copyFile(filepath.Join(NotationE2ELocalKeysDir, certName), filepath.Join(localKeysDir, "e2e.crt"))
+	return copyFile(srcCertPath, filepath.Join(localKeysDir, certName))
 }
 
 // generateSigningKeys generates the signingkeys.json for notation.
-func generateSigningKeys(dir string) *SigningKeys {
+func generateSigningKeys(dir, keyName, certName string) *SigningKeys {
 	return &SigningKeys{
 		Default: "e2e",
 		Keys: []KeySuite{
 			{
 				Name: "e2e",
 				X509KeyPair: &X509KeyPair{
-					KeyPath:         filepath.Join(dir, "localkeys", "e2e.key"),
-					CertificatePath: filepath.Join(dir, "localkeys", "e2e.crt"),
+					KeyPath:         filepath.Join(dir, "localkeys", keyName),
+					CertificatePath: filepath.Join(dir, "localkeys", certName),
 				},
 			},
 		},
diff --git a/test/e2e/internal/utils/crl.go b/test/e2e/internal/utils/crl.go
new file mode 100644
index 000000000..36bc8d0f8
--- /dev/null
+++ b/test/e2e/internal/utils/crl.go
@@ -0,0 +1,79 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"fmt"
+	"net/http"
+)
+
+// LeafCRLRevoke sends http post request to http://localhost:10086/leaf/revoke
+func LeafCRLRevoke() error {
+	url := "http://localhost:10086/leaf/revoke"
+	resp, err := http.Post(url, "application/json", nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	fmt.Printf("CRL of leaf certificate revoked with status code: %d\n", resp.StatusCode)
+	return nil
+}
+
+// LeafCRLUnrevoke sends http post request to http://localhost:10086/leaf/unrevoke
+func LeafCRLUnrevoke() error {
+	url := "http://localhost:10086/leaf/unrevoke"
+	resp, err := http.Post(url, "application/json", nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	fmt.Printf("CRL of leaf certificate unrevoked with status code: %d\n", resp.StatusCode)
+	return nil
+}
+
+// LeafCRLExpired sends http post request to http://localhost:10086/leaf/expired
+func LeafCRLExpired() error {
+	url := "http://localhost:10086/leaf/expired"
+	resp, err := http.Post(url, "application/json", nil)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	fmt.Printf("CRL of leaf certificate expired with status code: %d\n", resp.StatusCode)
+	return nil
+}
+
+// IntermediateCRLRevoke sends http post request to http://localhost:10086/intermediate/revoke
+func IntermediateCRLRevoke() error {
+	url := "http://localhost:10086/intermediate/revoke"
+	resp, err := http.Post(url, "application/json", nil)
+	if err != nil {
+		return nil
+	}
+	defer resp.Body.Close()
+	fmt.Printf("CRL of intermediate certificate revoked with status code: %d\n", resp.StatusCode)
+	return nil
+}
+
+// IntermediateCRLUnrevoke sends http post request to http://localhost:10086/intermediate/unrevoke
+func IntermediateCRLUnrevoke() error {
+	url := "http://localhost:10086/intermediate/unrevoke"
+	resp, err := http.Post(url, "application/json", nil)
+	if err != nil {
+		return nil
+	}
+	defer resp.Body.Close()
+	fmt.Printf("CRL of intermediate certificate unrevoked with status code: %d\n", resp.StatusCode)
+	return nil
+}
diff --git a/test/e2e/internal/utils/host.go b/test/e2e/internal/utils/host.go
index f5a336856..605032767 100644
--- a/test/e2e/internal/utils/host.go
+++ b/test/e2e/internal/utils/host.go
@@ -38,7 +38,7 @@ func NewVirtualHost(binPath string, options ...HostOption) (*VirtualHost, error)
 	vhost.userDir = ginkgo.GinkgoT().TempDir()
 
 	// set user dir environment variables
-	vhost.UpdateEnv(UserConfigEnv(vhost.userDir))
+	vhost.UpdateEnv(UserEnv(vhost.userDir))
 
 	// set options
 	vhost.SetOption(options...)
@@ -77,11 +77,13 @@ func (h *VirtualHost) SetOption(options ...HostOption) {
 // HostOption is a function to set the host configuration.
 type HostOption func(vhost *VirtualHost) error
 
-// UserConfigEnv creates environment variable for changing
-// user config dir (By setting $XDG_CONFIG_HOME).
-func UserConfigEnv(dir string) map[string]string {
+// UserEnv creates environment variable for changing
+// user config dir by setting $XDG_CONFIG_HOME and user cache dir by
+// setting $NOTATION_CACHE.
+func UserEnv(dir string) map[string]string {
 	// create and set user dir for linux
 	return map[string]string{
 		"XDG_CONFIG_HOME": dir,
+		"NOTATION_CACHE":  filepath.Join(dir, ".cache"),
 	}
 }
diff --git a/test/e2e/run.sh b/test/e2e/run.sh
index 1d3559788..4a8e28f05 100755
--- a/test/e2e/run.sh
+++ b/test/e2e/run.sh
@@ -69,7 +69,7 @@ if [ ! -f "$NOTATION_E2E_OLD_BINARY_PATH" ]; then
 fi
 
 # install dependency
-go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.11.0
+go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.21.0
 
 # build e2e plugin and tar.gz
 PLUGIN_NAME=notation-e2e-plugin
@@ -95,9 +95,16 @@ esac
 
 setup_registry
 
+# run the CRL server in the background
+python3 ./scripts/crl_server.py &
+CRL_SERVER_PID=$!
+
 # defer cleanup registry
 function cleanup {
+    echo "Cleaning up..."
     cleanup_registry
+    echo "Stopping CRL server..."
+    kill $CRL_SERVER_PID
 }
 trap cleanup EXIT
 
@@ -111,4 +118,4 @@ export NOTATION_E2E_PLUGIN_TAR_GZ_PATH=$CWD/plugin/bin/$PLUGIN_NAME.tar.gz
 export NOTATION_E2E_MALICIOUS_PLUGIN_ARCHIVE_PATH=$CWD/testdata/malicious-plugin
 
 # run tests
-ginkgo -r -p -v
+ginkgo -r -p -v
\ No newline at end of file
diff --git a/test/e2e/scripts/crl_server.py b/test/e2e/scripts/crl_server.py
new file mode 100644
index 000000000..dea91d699
--- /dev/null
+++ b/test/e2e/scripts/crl_server.py
@@ -0,0 +1,81 @@
+# Copyright The Notary Project Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import http.server
+import socketserver
+import os
+
+PORT = 10086
+DATA_DIR = './testdata/config/crl'
+leaf_crl = 'leaf.crl'
+intermediate_crl = 'intermediate.crl'
+
+
+class CRLRequestHandler(http.server.SimpleHTTPRequestHandler):
+    def do_GET(self):
+        global leaf_crl
+        global intermediate_crl
+        if self.path == '/leaf.crl':
+            file_path = os.path.join(DATA_DIR, leaf_crl)
+            self.crl_response(file_path)
+        elif self.path == '/intermediate.crl':
+            file_path = os.path.join(DATA_DIR, intermediate_crl)
+            self.crl_response(file_path)
+        else:
+            self.send_error(404, 'Not Found')
+    
+    def crl_response(self, file_path):
+        if os.path.exists(file_path):
+            self.send_response(200)
+            self.send_header('Content-Type', 'application/pkix-crl')
+            self.end_headers()
+            with open(file_path, 'rb') as f:
+                self.wfile.write(f.read())
+        else:
+            self.send_error(404, 'File Not Found')
+
+    def do_POST(self):
+        global leaf_crl
+        global intermediate_crl
+        if self.path == '/leaf/revoke':
+            leaf_crl = 'leaf_revoked.crl'
+            self.post_response()
+        elif self.path == '/leaf/unrevoke':
+            leaf_crl = 'leaf.crl'
+            self.post_response()
+        elif self.path == '/leaf/expired':
+            leaf_crl = 'leaf_expired.crl'
+            self.post_response()
+        elif self.path == '/intermediate/revoke':
+            intermediate_crl = 'intermediate_revoked.crl'
+            self.post_response()
+        elif self.path == '/intermediate/unrevoke':
+            intermediate_crl = 'intermediate.crl'
+            self.post_response()
+        else:
+            self.send_error(404, 'Not Found')
+    
+    def post_response(self):
+        self.send_response(201)
+        self.end_headers()
+        self.wfile.write(b'ok')
+
+class ReusableTCPServer(socketserver.TCPServer):
+    allow_reuse_address = True
+
+with ReusableTCPServer(('', PORT), CRLRequestHandler) as httpd:
+    print(f"Serving at port {PORT}")
+    try:
+        httpd.serve_forever()
+    finally:
+        httpd.server_close()
\ No newline at end of file
diff --git a/test/e2e/scripts/gen_crl_testing_certs.sh b/test/e2e/scripts/gen_crl_testing_certs.sh
new file mode 100755
index 000000000..59d3a1457
--- /dev/null
+++ b/test/e2e/scripts/gen_crl_testing_certs.sh
@@ -0,0 +1,231 @@
+#!/bin/bash -ex
+# Copyright The Notary Project Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file include the script to generate testing certificates for CRL testing.
+# The generated files are:
+# - certchain_with_crl.pem: the fullchain file that includes the leaf 
+#   certificate with CRL, intermediate certificate with invalid OCSP and valid 
+#   CRL, and the root certificate.
+# - leaf.crl: the CRL file that includes the revoked leaf certificate.
+# - leaf.key: the private key of the leaf certificate.
+# - leaf_revoked.crl: the CRL file that includes the revoked leaf certificate.
+# - intermediate.crl: the CRL file that includes the intermediate certificate.
+# - intermediate_revoked.crl: the CRL file that includes the revoked intermediate
+# - root.crt: the root certificate.
+#
+# Note: The script will not run in the pipeline, but we need to keep it for
+# future maintenance because generating those test certificates with CRL is not
+# easy.
+
+# Create root CA configuration file
+cat > root.cnf <<EOF
+[ req ]
+default_bits       = 2048
+prompt             = no
+distinguished_name = root_distinguished_name
+x509_extensions    = v3_ca
+
+[ root_distinguished_name ]
+C  = US
+ST = State
+L  = City
+O  = Organization
+OU = OrgUnit
+CN = RootCA
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir               = ./demoCA
+new_certs_dir     = \$dir/newcerts
+database          = \$dir/index.txt
+serial            = \$dir/serial
+private_key       = ./root.key
+certificate       = ./root.crt
+default_md        = sha256
+policy            = policy_any
+x509_extensions   = usr_cert
+copy_extensions   = copy
+default_days      = 36500
+default_crl_days  = 36500
+crlnumber         = \$dir/crlnumber
+crl_extensions    = crl_ext
+
+[ policy_any ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+
+[ v3_ca ]
+basicConstraints       = critical,CA:TRUE
+keyUsage               = critical,keyCertSign,cRLSign
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+EOF
+
+# Set up OpenSSL CA directory structure
+mkdir -p demoCA/newcerts
+touch demoCA/index.txt
+echo '1002' > demoCA/serial
+echo '1002' > demoCA/crlnumber
+
+# Generate root private key
+openssl genrsa -out root.key 2048
+
+# Generate self-signed root certificate with extensions
+openssl req -x509 -new -key root.key -sha256 -days 36500 -out root.crt \
+  -config root.cnf -extensions v3_ca
+
+# Update intermediate.cnf to include [ca] and [CA_default] sections
+cat > intermediate.cnf <<EOF
+[ req ]
+default_bits       = 2048
+prompt             = no
+distinguished_name = intermediate_distinguished_name
+x509_extensions    = v3_intermediate_ca
+
+[ intermediate_distinguished_name ]
+C  = US
+ST = State
+L  = City
+O  = Organization
+OU = OrgUnit
+CN = IntermediateCA
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir               = ./intermediateCA
+new_certs_dir     = \$dir/newcerts
+database          = \$dir/index.txt
+serial            = \$dir/serial
+private_key       = ./intermediate.key
+certificate       = ./intermediate.crt
+default_md        = sha256
+policy            = policy_any
+x509_extensions   = usr_cert
+copy_extensions   = copy
+default_days      = 36500
+default_crl_days  = 36500
+crlnumber         = \$dir/crlnumber
+crl_extensions    = crl_ext
+
+[ policy_any ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+
+[ v3_intermediate_ca ]
+basicConstraints       = critical,CA:TRUE,pathlen:0
+keyUsage               = critical,keyCertSign,cRLSign
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+crlDistributionPoints  = URI:http://localhost:10086/intermediate.crl
+authorityInfoAccess    = OCSP;URI:http://localhost.test/ocsp
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+EOF
+
+# Set up OpenSSL CA directory structure for intermediate CA
+mkdir -p intermediateCA/newcerts
+touch intermediateCA/index.txt
+echo '1000' > intermediateCA/serial
+echo '1000' > intermediateCA/crlnumber
+
+# Generate intermediate private key
+openssl genrsa -out intermediate.key 2048
+
+# Generate intermediate CSR
+openssl req -new -key intermediate.key -out intermediate.csr -config intermediate.cnf
+
+# Sign intermediate certificate with root CA
+openssl ca -config root.cnf -in intermediate.csr -out intermediate.crt -batch -extensions v3_intermediate_ca -extfile intermediate.cnf -notext
+
+# Update leaf.cnf to remove OCSP server
+cat > leaf.cnf <<EOF
+[ req ]
+default_bits       = 2048
+prompt             = no
+distinguished_name = req_distinguished_name
+req_extensions     = v3_req
+
+[ req_distinguished_name ]
+C  = US
+ST = State
+L  = City
+O  = Organization
+OU = OrgUnit
+CN = LeafCert
+
+[ v3_req ]
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,digitalSignature
+crlDistributionPoints = URI:http://localhost:10086/leaf.crl
+EOF
+
+# Generate leaf private key
+openssl genrsa -out leaf.key 2048
+
+# Generate leaf certificate signing request (CSR)
+openssl req -new -key leaf.key -out leaf.csr -config leaf.cnf
+
+# Sign leaf certificate with intermediate CA
+openssl ca -config intermediate.cnf -in leaf.csr -out leaf.crt -batch -extensions v3_req -extfile leaf.cnf -notext
+
+# Generate intermediate CRL using root.cnf (before revocation)
+openssl ca -config root.cnf -gencrl -out intermediate.crl
+
+# Convert root CRL to DER format
+openssl crl -in intermediate.crl -outform der -out intermediate.crl
+
+# Revoke intermediate certificate using root CA
+openssl ca -config root.cnf -revoke intermediate.crt
+
+# Generate intermediate CRL including revoked intermediate certificate
+openssl ca -config root.cnf -gencrl -out intermediate_revoked.crl
+
+# Convert intermediate CRL to DER format
+openssl crl -in intermediate_revoked.crl -outform der -out intermediate_revoked.crl
+
+# Generate leaf CRL
+openssl ca -config intermediate.cnf -gencrl -out leaf.crl
+
+# Convert leaf CRL to DER format
+openssl crl -in leaf.crl -outform der -out leaf.crl
+
+# Revoke leaf certificate
+openssl ca -config intermediate.cnf -revoke leaf.crt
+
+# Generate leaf CRL including revoked leaf certificate
+openssl ca -config intermediate.cnf -gencrl -out leaf_revoked.crl
+
+# Convert leaf CRL to DER format
+openssl crl -in leaf_revoked.crl -outform der -out leaf_revoked.crl
+
+# merge leaf cert and root cert to create fullchain file
+cat leaf.crt intermediate.crt root.crt > certchain_with_crl.pem
+
+rm -rf leaf.csr leaf.crt leaf.cnf root.srl root.cnf root.key root.crl demoCA intermediate.csr intermediate.cnf intermediate.key intermediate.crt intermediateCA
diff --git a/test/e2e/suite/plugin/install.go b/test/e2e/suite/plugin/install.go
index 363801d44..746babf6a 100644
--- a/test/e2e/suite/plugin/install.go
+++ b/test/e2e/suite/plugin/install.go
@@ -154,8 +154,8 @@ var _ = Describe("notation plugin install", func() {
 
 	It("with invalid plugin URL", func() {
 		Host(nil, func(notation *utils.ExecOpts, _ *Artifact, vhost *utils.VirtualHost) {
-			notation.ExpectFailure().Exec("plugin", "install", "--url", "https://invalid", "--sha256sum", "abcd").
-				MatchErrKeyWords("failed to download plugin from URL https://invalid")
+			notation.ExpectFailure().Exec("plugin", "install", "--url", "https://invalid.test", "--sha256sum", "abcd").
+				MatchErrKeyWords("failed to download plugin from URL https://invalid.test")
 		})
 	})
 })
diff --git a/test/e2e/suite/scenario/crl.go b/test/e2e/suite/scenario/crl.go
new file mode 100644
index 000000000..0c09850ba
--- /dev/null
+++ b/test/e2e/suite/scenario/crl.go
@@ -0,0 +1,315 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package scenario_test
+
+import (
+	"context"
+	"net/http"
+	"os"
+
+	crlcore "github.com/notaryproject/notation-core-go/revocation/crl"
+	"github.com/notaryproject/notation-go/verifier/crl"
+	. "github.com/notaryproject/notation/test/e2e/internal/notation"
+	"github.com/notaryproject/notation/test/e2e/internal/utils"
+	. "github.com/notaryproject/notation/test/e2e/suite/common"
+	. "github.com/onsi/ginkgo/v2"
+)
+
+var _ = Describe("notation CRL revocation check", Serial, func() {
+	It("successfully completed with cache", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLUnrevoke()
+			utils.IntermediateCRLUnrevoke()
+
+			// verify without cache
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchKeyWords(
+					VerifySuccessfully,
+				).
+				MatchErrKeyWords(
+					"CRL file cache miss",
+					"Retrieving crl bundle from file cache with key",
+					"Storing crl bundle to file cache with key",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+				).
+				NoMatchErrKeyWords(
+					"is revoked",
+				)
+
+			// verify with cache
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchKeyWords(
+					VerifySuccessfully,
+				).
+				MatchErrKeyWords(
+					"Retrieving crl bundle from file cache with key",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+				).
+				NoMatchErrKeyWords(
+					"CRL file cache miss",
+					"Storing crl bundle to file cache with key",
+					"is revoked",
+				)
+		})
+	})
+
+	It("failed with revoked leaf certificate", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLRevoke()
+			utils.IntermediateCRLUnrevoke()
+
+			// verify without cache
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"CRL file cache miss",
+					"Retrieving crl bundle from file cache with key",
+					"Storing crl bundle to file cache with key",
+					"is revoked",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+				)
+
+			// verify with cache
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"Retrieving crl bundle from file cache with key",
+					"is revoked",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+				).
+				NoMatchErrKeyWords(
+					"CRL file cache miss",
+					"Storing crl bundle to file cache with key",
+				)
+		})
+	})
+
+	It("failed with revoked intermediate certificate", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLUnrevoke()
+			utils.IntermediateCRLRevoke()
+
+			// verify without cache
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"CRL file cache miss",
+					"Retrieving crl bundle from file cache with key",
+					"Storing crl bundle to file cache with key",
+					"is revoked",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+				)
+
+			// verify with cache
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"Retrieving crl bundle from file cache with key",
+					"is revoked",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+				).
+				NoMatchErrKeyWords(
+					"CRL file cache miss",
+					"Storing crl bundle to file cache with key",
+				)
+		})
+	})
+
+	It("successfully completed with cache creation error in warning message", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLUnrevoke()
+			utils.IntermediateCRLUnrevoke()
+
+			if err := os.MkdirAll(vhost.AbsolutePath(".cache"), 0500); err != nil {
+				Fail(err.Error())
+			}
+			defer os.Chmod(vhost.AbsolutePath(".cache"), 0700)
+
+			// verify without cache
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchKeyWords(
+					VerifySuccessfully,
+				).
+				MatchErrKeyWords(
+					"Warning: failed to create crl file cache",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+					`"GET" "http://localhost:10086/intermediate.crl"`,
+					`"GET" "http://localhost:10086/leaf.crl"`,
+				).
+				NoMatchErrKeyWords(
+					"is revoked",
+				)
+		})
+	})
+
+	It("failed with revoked leaf certificate and cache creation error in warning message", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLRevoke()
+			utils.IntermediateCRLUnrevoke()
+
+			if err := os.MkdirAll(vhost.AbsolutePath(".cache"), 0500); err != nil {
+				Fail(err.Error())
+			}
+			defer os.Chmod(vhost.AbsolutePath(".cache"), 0700)
+
+			// verify without cache
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"Warning: failed to create crl file cache",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+					`"GET" "http://localhost:10086/intermediate.crl"`,
+					`"GET" "http://localhost:10086/leaf.crl"`,
+					"is revoked",
+				)
+		})
+	})
+
+	It("successfully completed with cache get and set error in debug log", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLUnrevoke()
+			utils.IntermediateCRLUnrevoke()
+
+			// verify without cache
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchKeyWords(
+					VerifySuccessfully,
+				).
+				MatchErrKeyWords(
+					"CRL file cache miss",
+					"Retrieving crl bundle from file cache with key",
+					"Storing crl bundle to file cache with key",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+				).
+				NoMatchErrKeyWords(
+					"is revoked",
+				)
+
+			utils.LeafCRLRevoke()
+			if err := os.Chmod(vhost.AbsolutePath(".cache", "crl"), 0000); err != nil {
+				Fail(err.Error())
+			}
+			defer os.Chmod(vhost.AbsolutePath(".cache", "crl"), 0700)
+
+			// verify with cache error
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"failed to get crl bundle from file cache with key",
+					"failed to store crl bundle in file cache",
+					"/.cache/crl/eaf8bbfe35f6c2c8b136081de9a994f9515752b2e30b9a6889ae3128ea97656c: permission denied",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+					`"GET" "http://localhost:10086/intermediate.crl"`,
+					`"GET" "http://localhost:10086/leaf.crl"`,
+					"is revoked",
+				)
+		})
+	})
+
+	It("succesfully completed with the crl in the cache expired and a roundtrip", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			ctx := context.Background()
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLExpired()
+			// write expired CRL cache
+			fetcher, err := crlcore.NewHTTPFetcher(http.DefaultClient)
+			if err != nil {
+				Fail(err.Error())
+			}
+			fetcher.Cache, err = crl.NewFileCache(vhost.AbsolutePath(".cache", "crl"))
+			if err != nil {
+				Fail(err.Error())
+			}
+			_, err = fetcher.Fetch(ctx, "http://localhost:10086/leaf.crl")
+			if err != nil {
+				Fail(err.Error())
+			}
+
+			utils.LeafCRLUnrevoke()
+			utils.IntermediateCRLUnrevoke()
+			// verify without cache
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchKeyWords(
+					VerifySuccessfully,
+				).
+				MatchErrKeyWords(
+					"CRL bundle retrieved from file cache has expired at 2023-12-25",
+					`"GET" "http://localhost:10086/leaf.crl"`,
+					"Retrieving crl bundle from file cache with key",
+					"Storing crl bundle to file cache with key",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+				).
+				NoMatchErrKeyWords(
+					"is revoked",
+				)
+		})
+	})
+
+	It("failed with crl in the cache expired and a roundtrip to download a revoked crl", func() {
+		Host(CRLOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			ctx := context.Background()
+			notation.Exec("sign", artifact.ReferenceWithDigest()).
+				MatchKeyWords(SignSuccessfully)
+
+			utils.LeafCRLExpired()
+			// write expired CRL cache
+			fetcher, err := crlcore.NewHTTPFetcher(http.DefaultClient)
+			if err != nil {
+				Fail(err.Error())
+			}
+			fetcher.Cache, err = crl.NewFileCache(vhost.AbsolutePath(".cache", "crl"))
+			if err != nil {
+				Fail(err.Error())
+			}
+			_, err = fetcher.Fetch(ctx, "http://localhost:10086/leaf.crl")
+			if err != nil {
+				Fail(err.Error())
+			}
+
+			utils.LeafCRLRevoke()
+			utils.IntermediateCRLUnrevoke()
+			// verify without cache
+			notation.ExpectFailure().Exec("verify", artifact.ReferenceWithDigest(), "-d").
+				MatchErrKeyWords(
+					VerifyFailed,
+					"CRL bundle retrieved from file cache has expired at 2023-12-25",
+					`"GET" "http://localhost:10086/leaf.crl"`,
+					"Retrieving crl bundle from file cache with key",
+					"Storing crl bundle to file cache with key",
+					"OCSP check failed with unknown error and fallback to CRL check for certificate #2",
+					"is revoked",
+				)
+		})
+	})
+})
diff --git a/test/e2e/suite/trustpolicy/trust_store.go b/test/e2e/suite/trustpolicy/trust_store.go
index 736917493..d01a2fae0 100644
--- a/test/e2e/suite/trustpolicy/trust_store.go
+++ b/test/e2e/suite/trustpolicy/trust_store.go
@@ -70,7 +70,7 @@ var _ = Describe("notation trust policy trust store test", func() {
 	It("multiple trust stores", func() {
 		Host(nil, func(notation *utils.ExecOpts, artifact1 *Artifact, vhost *utils.VirtualHost) {
 			// artifact1 signed with new_e2e.crt
-			OldNotation(AuthOption("", ""), AddKeyOption("e2e.key", "new_e2e.crt")).
+			OldNotation(AuthOption("", ""), AddKeyOption(filepath.Join(NotationE2ELocalKeysDir, "e2e.key"), filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt"))).
 				Exec("sign", artifact1.ReferenceWithDigest(), "-v").
 				MatchKeyWords(SignSuccessfully)
 
diff --git a/test/e2e/suite/trustpolicy/trusted_identity.go b/test/e2e/suite/trustpolicy/trusted_identity.go
index 80ca06214..e37637340 100644
--- a/test/e2e/suite/trustpolicy/trusted_identity.go
+++ b/test/e2e/suite/trustpolicy/trusted_identity.go
@@ -77,7 +77,7 @@ var _ = Describe("notation trust policy trusted identity test", func() {
 	It("with multiple trusted identity", func() {
 		Host(nil, func(notation *utils.ExecOpts, artifact1 *Artifact, vhost *utils.VirtualHost) {
 			// artifact1 signed with new_e2e.crt
-			OldNotation(AuthOption("", ""), AddKeyOption("e2e.key", "new_e2e.crt")).
+			OldNotation(AuthOption("", ""), AddKeyOption(filepath.Join(NotationE2ELocalKeysDir, "e2e.key"), filepath.Join(NotationE2ELocalKeysDir, "new_e2e.crt"))).
 				Exec("sign", artifact1.ReferenceWithDigest(), "-v").
 				MatchKeyWords(SignSuccessfully)
 
diff --git a/test/e2e/testdata/config/crl/certchain_with_crl.pem b/test/e2e/testdata/config/crl/certchain_with_crl.pem
new file mode 100644
index 000000000..e9acff468
--- /dev/null
+++ b/test/e2e/testdata/config/crl/certchain_with_crl.pem
@@ -0,0 +1,76 @@
+-----BEGIN CERTIFICATE-----
+MIID6DCCAtCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwbjELMAkGA1UEBhMCVVMx
+DjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYDVQQKDAxPcmdhbml6
+YXRpb24xEDAOBgNVBAsMB09yZ1VuaXQxFzAVBgNVBAMMDkludGVybWVkaWF0ZUNB
+MCAXDTI0MTExMTA1MzA1MVoYDzIxMjQxMDE4MDUzMDUxWjBoMQswCQYDVQQGEwJV
+UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
+aXphdGlvbjEQMA4GA1UECwwHT3JnVW5pdDERMA8GA1UEAwwITGVhZkNlcnQwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJEFmIvqnUe3iwJ7HFrgCAbnEf
+dGG/8yRuPWxTDkeHYQl8pMag5ZeytvTJalO8gba3oK6QRxPYhlzM8i7Ik/R6FXf6
+ZhTGzO8rIRe4Sc5ibO5TJeyfxciwtWnK6RtQwDZu4fb4tNmqUg6ZqqPnq1K8ieZf
+ROVWs9zglJj37SoLY+Caxj2VOm8/aB/2mF46kqGUCb56RRk1q87x8U8wOSNW6ono
+XVu6zBqLNwx2RcqKdKApYtaitwKz9cuWPTDrUe4OfCWDSYiB48YY0jDcV27ed+K8
+VKy6jgUAsKkzPIf3RbEBuMD2mUybC0o0D9t0h/R7h0f8zXgkxkP4KXwmPRPvAgMB
+AAGjgZMwgZAwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwMAYDVR0fBCkw
+JzAloCOgIYYfaHR0cDovL2xvY2FsaG9zdDoxMDA4Ni9sZWFmLmNybDAdBgNVHQ4E
+FgQU/kBZC5X59h9/r/npEe2JYotqXbYwHwYDVR0jBBgwFoAUbCnIbIecdpvXQrcQ
+okSpumRjw+IwDQYJKoZIhvcNAQELBQADggEBAMlLKGXxQ9ENqG2+h83toBJvOmPs
+iEOLIcgaIvbvrnIPjZNDDiLar5hX1LPhnj5yvjy7XzHGfmFJg2lP1wYpqfCXdX/4
+P0Yfl1iy6ELf2z+QzKSd0njnc3kIrb7S1yLmrtkFY75vBxnJlUUA7q05Qy95jcDZ
+fIuH8kFKaLVoXbbkonSzz01tW7PNsYqrZXmXfacrLLH66B3rscJFsu0oruy25Opj
++yS+ySlp1aEdWURI6WBd/8P6wEvbqZP+wXJVsEEp21mX050J1ycmDOPExcYetUSN
+rglPBogxoOZqU3IGx7SVq5ze8l1hepKULMjACqHgu9klGos64E4f+LMGcFs=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEszCCA5ugAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UEBhMCVVMx
+DjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYDVQQKDAxPcmdhbml6
+YXRpb24xEDAOBgNVBAsMB09yZ1VuaXQxDzANBgNVBAMMBlJvb3RDQTAgFw0yNDEx
+MTEwNTMwNTFaGA8yMTI0MTAxODA1MzA1MVowbjELMAkGA1UEBhMCVVMxDjAMBgNV
+BAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYDVQQKDAxPcmdhbml6YXRpb24x
+EDAOBgNVBAsMB09yZ1VuaXQxFzAVBgNVBAMMDkludGVybWVkaWF0ZUNBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2O2N81+L0bel+CkBWeBBMh8Z/BRs
+NBAsHlake1UlnJ12z0slRaSQfBK0cAHeRDAqBO/VkTF7bwsRR/Ypu8FAc64ayTUq
+wWjNq5MU0HW80CmjyrYeXIC/BfzIOZC50IoGbQKrfbeJyP5qDWc41mOeZdyJbXtA
+si17Ilwj/Q+seA58HSyZU1Iop4NDktsQpOr+XE9IWauu8xGy+ScQ92/3p4tNXYGI
+7mZ1d/gD0KXs9sQ2klhmaH5OvubCQUGi7OX/yQWtJOmLUW7t7Ha4gmQYSG8jxOeT
+vlt9Gv0OdiSA/ZvGn7qJfZ9NrjVQtw5j3sAxepNmoe3oh8lMZ/0ACevtcwIDAQAB
+o4IBXzCCAVswEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwHQYD
+VR0OBBYEFGwpyGyHnHab10K3EKJEqbpkY8PiMIGjBgNVHSMEgZswgZiAFKytgq/A
+6Ar+6PeejGL+3SunIW8QoWqkaDBmMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFU3Rh
+dGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2FuaXphdGlvbjEQMA4GA1UE
+CwwHT3JnVW5pdDEPMA0GA1UEAwwGUm9vdENBghQzVmwrGMBu11fJ0xRPTvXlgfJL
+MzA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vbG9jYWxob3N0OjEwMDg2L2ludGVy
+bWVkaWF0ZS5jcmwwNgYIKwYBBQUHAQEEKjAoMCYGCCsGAQUFBzABhhpodHRwOi8v
+bG9jYWxob3N0LnRlc3Qvb2NzcDANBgkqhkiG9w0BAQsFAAOCAQEAHu/rr14Eo/GT
+Hhcj10SL4wjXkKAMsXva6oUrD/z8nqRiFDy9pIavvQwdfeAVris9QcV+Z48Vl28w
+OLH8AMahfNsQhjKxLB2ME1lJ3F6kMbnd4za4ZeeXykd5eswGD0PKnJb5aRYSHc5+
+OtS072Nt9qiyKtU++s0GAStx+0KnQ3r/3uTGpFgZNH+UKI5GxehW3v0iBlB/bZIP
+YRCnhY82aDnR7ZEVXARyXDFX7obw4IBS3IqjnKndYtKwQOPKUzDTVPUhs7e9oetI
+Y1YlZH3FJ9lBV+MxEEsmEu+TPhy+qRaqr0QHz/7tebdsMEB+v2ile7Y704AJVGnh
+6g0n6AsHBQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIERjCCAy6gAwIBAgIUM1ZsKxjAbtdXydMUT0715YHySzMwDQYJKoZIhvcNAQEL
+BQAwZjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRUwEwYDVQQKDAxPcmdhbml6YXRpb24xEDAOBgNVBAsMB09yZ1VuaXQxDzANBgNV
+BAMMBlJvb3RDQTAgFw0yNDExMTEwNTMwNTFaGA8yMTI0MTAxODA1MzA1MVowZjEL
+MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYD
+VQQKDAxPcmdhbml6YXRpb24xEDAOBgNVBAsMB09yZ1VuaXQxDzANBgNVBAMMBlJv
+b3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ46Go+Lo6yva6ZY
+5N8UCkSt1nxnSfvwmSd358owqi6jO+hwv0jvrxSjzQyfke+tlfm3U/DLisyFOxny
+RAYbhuM8PN5Fp3W5/og7nl5grhBQC3sps26QPVO7IvZBgfbkRCnC/LMdx4eeiUGZ
+wc254KAh4/qYHMK+iqkAYg8DqLiWEhi1knYjNEWHCbeCnpj2vC+VhFNeTamR8bPd
+U03xrZV9v/gZc3F+Ivwlxwb0QxDbXrYPc/5lixkQMYKQt8jzDl14TWeDbU589P31
+E3Y0CJSSDKczHXhh/cpN4lEGKircQynOdEEKf2z7FhvNVPH3tRh4ISmtl1lKrDk8
+drLBhKECAwEAAaOB6TCB5jAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+BjAdBgNVHQ4EFgQUrK2Cr8DoCv7o956MYv7dK6chbxAwgaMGA1UdIwSBmzCBmIAU
+rK2Cr8DoCv7o956MYv7dK6chbxChaqRoMGYxCzAJBgNVBAYTAlVTMQ4wDAYDVQQI
+DAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEVMBMGA1UECgwMT3JnYW5pemF0aW9uMRAw
+DgYDVQQLDAdPcmdVbml0MQ8wDQYDVQQDDAZSb290Q0GCFDNWbCsYwG7XV8nTFE9O
+9eWB8kszMA0GCSqGSIb3DQEBCwUAA4IBAQArRoUqzUCjNaZWwtz8hhJYpKxrXK/M
+MFsfj4FF6F9UgEZh+j9lAhQ1K9IoDKFKzcur3fO6dAPoWJm0P1vthCLMtFgeP7mm
+d1H4BdtIiqWYTPtee8JgG2Mw8QdWaafb6WAdCOlAM01CWgR7aeL1cYDrarQLLXQ0
+KmbqNt4sPyv5orf/FjgHN8tUH2IKJo1NTrICmdP63Bal5kehh6lQYKytpmkqwcpA
+HcagiCEvx5xWsZ/Mgnln8K8cg5xdV54bPssvxVPPKmLg/YzsqohjEiwsYoRBt4em
+8Ul9fbaLugkoXtk7eCLpg7BJhhOOUZkiYjnmxZbkmVl7U79iFKrz73c5
+-----END CERTIFICATE-----
diff --git a/test/e2e/testdata/config/crl/intermediate.crl b/test/e2e/testdata/config/crl/intermediate.crl
new file mode 100644
index 0000000000000000000000000000000000000000..9f71b046c69f56b77ca115ba64fd56ba103d45e1
GIT binary patch
literal 487
zcmXqLVtj1Sc!r6Q(SVnYQ>)FR?K>|cBR4C9L7E}A0Vf-CC<~h~Q)sXup8*eu!@<KE
zT#{IlYRGHA4dS!&usCOyR2qsJ2!ps>JUsqI>4|xnRf#2;`FVx{27Dl4ZXR}^aA;m;
zi6KAG9-s&_4_i=veu=ZAIIoe3ArKgt8XK4zMoI7+83F|i3@xAn3k(eO4CH}YWR+PY
z48$5l)~sz>f8YhzzZc)<^(6hftG!$?UjXbDSrHZ%CME$UG><ShF)}hFzI3<}v|IcE
z6K9lK<K@fWcx%@beTjE_)XZ?p(ro9hYOCD6XN|g|P3#`HzFT4UZTsYz-rt)gR~o%G
z%sIb&?jO$S+r$>8b|}PU+^gK<HA^Ebi)+)`#6}m{`)2x+wZ8_%v$-05n;}r2VQ73H
zqh-Nn^T*Z=y?ZV>aWYEf981ez-nn2(RSipu`<JCpC%?+#jniFy;H&u6R@)6p8_!J>
zIOfRs#9w4-%)hx0Wb}ky6gbTae7rt3wl2a{IH5spZ=2Mq9c@Z;RK%qk&oG9Dy-Qta
z+c~YbGUnVyZI|cf@Bi2eKY6<3$>z)QR~7%|O%(3ry)nzUabwildX186-kFAT&OUCJ
F002WYuaf`(

literal 0
HcmV?d00001

diff --git a/test/e2e/testdata/config/crl/intermediate_revoked.crl b/test/e2e/testdata/config/crl/intermediate_revoked.crl
new file mode 100644
index 0000000000000000000000000000000000000000..b0bd1b6e57585aeec0de9888fe2bf5f0d7a47f79
GIT binary patch
literal 510
zcmXqLV*F*$_?U^2(SVnYQ>)FR?K>|cBR4C9L7E}A0Vf-CC<~h~Q)sXup8*eu!@<KE
zT#{IlYRGHA4dS!&usCOyR2qsJ2!ps>JUsqI>4|xnRf#2;`FVx{27Dl4ZXR}^aA;m;
zi6KAG9-s&_4_i=veu=ZAIIoe3ArKgt8XK4zMoI7+83F|i3@xAn20)XUm;{*6)GaVD
z&@+$+nk1{tB4HrbAhKp{)A|E1xc<HPKCdU~-(BtHiunRyC(4SjumBBUM)MzY6C)!-
zLsh7&;P)#Mi|S1LKg{_0;I2vB<(D&Zo|L^TJ)hvUev-$BmiQCRMd3HYj6(8fJ)05m
za)GYjkvz$Z=QSJJrzo3BdCy+^%9``H_o28$hU@=uZYa6g=Q-uJRYBsS#<KSUmo`tW
z*#GYG9b=2#(yziNEvs{${xko#WYCipQ7+rOqxa;kesOJf8&hle!R~o)Gs0H?czEao
z^UsM25;=$0zdK&*tj5N*=jraeFL92NHx{MObI*FVE>HRR{;UO?P8gk-etN#^xtUWp
zMny5CtlL-gv9RQ9z(u#e4+Q-_AKg>@tZ%hYzzf!s;tK^{1uHsieE-fS`{Lb7|2<W8
QOZin<*Q~7j*|_;20BN+r*Z=?k

literal 0
HcmV?d00001

diff --git a/test/e2e/testdata/config/crl/leaf.crl b/test/e2e/testdata/config/crl/leaf.crl
new file mode 100644
index 0000000000000000000000000000000000000000..4bff05c646ebb9bd44a862b080ec6b2949816c1c
GIT binary patch
literal 495
zcmXqLVtj4Tc!i0P(SVnYQ>)FR?K>|cBR4C9L7pME0Vf-CC<~h~Q)sXup8*eu!@<KE
zT#{IlYRGHA4dS!&usCOyR2qsJ2!ps>JUsqI>4|xnRf#2;`FVx{27Dl4ZXR}^aA;m;
ziJ`cGC`g2vhtD&wB(*3vH6;^hoU@}iuaSu%5Ez&m8<-kJN$?vP0tE~VEuaDm3=H%P
z<bhgcm02VV#2Q3$G*9HT&ncUI-D$hPBA1oBQj!lp0=r38goTBPNq_;(L(EN#j0~Kg
zE#eK!r@697ny&ClagTC*)5RBc?eS&p;}+KfKN_qlDLW(}q0P^ql;!IAC_QvfyWrs`
z>uR4~@o*DRdUNdQPKkoUXHQPOn%pADeyQWi?4_*px7}a%BO}R!{Q<M=JJzoD=eE0~
z(i-EsPUXJtU9fNUNx|%d>>cWBCgwZFR?DA=47wv6J<aOZk_-Q@)Xs7dZd<FmoHzKG
z?S$RFZ9BJ%tGqXKVmw_OV)_2*T2YBzRgw|+v;$Nm0;{FUI1SWY)?I8laXabD+E@++
z<G3>{wvCQgJ+H{_xBUAx@8_FUv9Vj$AAWyZJKOtGW}UE9C-*&>&Xz?d_i3}gnwnL~
L*vIipYLhzv5ofQM

literal 0
HcmV?d00001

diff --git a/test/e2e/testdata/config/crl/leaf.key b/test/e2e/testdata/config/crl/leaf.key
new file mode 100644
index 000000000..f986032f6
--- /dev/null
+++ b/test/e2e/testdata/config/crl/leaf.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJEFmIvqnUe3iw
+J7HFrgCAbnEfdGG/8yRuPWxTDkeHYQl8pMag5ZeytvTJalO8gba3oK6QRxPYhlzM
+8i7Ik/R6FXf6ZhTGzO8rIRe4Sc5ibO5TJeyfxciwtWnK6RtQwDZu4fb4tNmqUg6Z
+qqPnq1K8ieZfROVWs9zglJj37SoLY+Caxj2VOm8/aB/2mF46kqGUCb56RRk1q87x
+8U8wOSNW6onoXVu6zBqLNwx2RcqKdKApYtaitwKz9cuWPTDrUe4OfCWDSYiB48YY
+0jDcV27ed+K8VKy6jgUAsKkzPIf3RbEBuMD2mUybC0o0D9t0h/R7h0f8zXgkxkP4
+KXwmPRPvAgMBAAECggEAG511wUzNPuRNzAVKVX1pDzqxVHcjx9J+we9eFeg5AHSI
+8jLKydAkLi+9CNQ5jQNUflMA4XW0WZcBXvAHvJUUTReZbhhK0+UowjKI3fmxHB6c
+UGo93icy7GZLkfVt7YDWLmjgXAIG1ULw7hUcREDpG6u7ACxnwqlFyx34W9uZ3Iy3
+AICABJISJdxs7SGceFgmDUQluCQGeSA7Ma7ye3wEb9TqGcCwJyA/Ny2D3y9lztjB
+CE/obwKVbWLAMRwHo/K/bhNR1A/HjfZVcWfA4TPlmpTTtnJjN/wipzLPBDqA77YW
+YbASsCRD7rroQDfB0/kAQKq463/ckGQafaugx/zsWQKBgQDtRAOlWh4Dji4Py8Qf
+DBvEcYfR41xYlJ9tV1LN4mWip8fujYRK2nExglpb0s7VqqNEhb0YhK8soMnR7DYE
+Whd7wGfkCw0RJRbkQcKs0ZgHJSQDH6C8QPLjFx8sJ8y1gdgF5KapF1SZ22dEiA4F
+zRB6u2M2Mhq+O0WSRuU8qj271wKBgQDY8JFUeAJ3jdSH7MtC6cps+yinXucCdKa5
+ktw8XF5wIZNWpZAkSuDKSZ14Mmet5yTvP+hKsVzbXtfDw3Ay3he23dD8khEa4p87
+k/3hED9yO8ERcl7myjJwKFo1LbZLKiZXUbrjT/APqPHeqqWChSEdElI4vWYZq3Ho
+hLhh6JolqQKBgQC5ehHfkTMlVGBtuLz4CF8skhO64CGwnX6D21+/0tvg64g/1CE2
+4szaByzb21AVd+9qAaJxKEhIeulKUX1oqYTyGNceTgVJAdWDWmT09GQEMeSVDIR6
+pcs5+zlDK1m8CmT1NmmShcp8/CceS72qi0P2rcZA96owS+V3FDTf17WqwQKBgQCU
+mCNTsmguL8311LJdgPoQr/BmxFCDlBdnYTrNdY+SSs07OmiDE27p4IamABCYQ40+
++41HLDmoYUx1YPcHQK0JquItPnfM7JGZI4Nwl8p9moRiSO7MMo9d16YCau9EiPh+
+MxNKBEUw1M3ncQexYTMPUK9VAhZfWtnJJK+PEN4VEQKBgQCqF68DEkLQPwZaf9WE
+zMprwZZ6bUhQmwp1TqKgW7OcgHCDzbMnYGRMgChtg6hZkFyyQN9aFj0ki66XI449
+DSH8fb4mIkdL1pP4FkHClKyTYE6SbMYWhFEJrUdrZ4QwktUm/e68w/op2B7v2fup
+q9wlKAeblH73bGWHEs6+QfMVLA==
+-----END PRIVATE KEY-----
diff --git a/test/e2e/testdata/config/crl/leaf_expired.crl b/test/e2e/testdata/config/crl/leaf_expired.crl
new file mode 100644
index 0000000000000000000000000000000000000000..8e526887d7a681696a21a4ad4ffe4af2be009c63
GIT binary patch
literal 493
zcmXqLVti@Pc!`OT(SVnYQ>)FR?K>|cBR4C9L7pME0Vf-CC<~h~Q)sXup8*eu!@<KE
zT#{IlYRGHA4dS!&usCOyR2qsJ2!ps>JUsqI>4|xnRf#2;`FVx{27Dl4ZXR}^aA;m;
ziJ`cGC`g2vhtD&wB(*3vH6;^hoU@}iuaU8#k&%gkg`ug5Q52MG3gs>^FwirQ2Wpg6
zW|1%uYY-{abB#0V(c5=>$*MioOilamh&P6TT_h{Q!otKPz<}l*<|al)hVq5wQOjSq
z{xaIz@44ZR>C2>f-CFGzKLsaDd*uD4YUKp)itmAbE>Al?zPK86#VVKceO2!y9{b;2
zyX)3BhRD=DyJ#ekS^DSxf1A{$weL=Mi|+YTr)E;{|FtjwhaC6W&!x`s_&1#4Wn299
z|0UgM?P3Alh3_jlS4y_0Sq7!PVz`=hX2Z+#tg5xV+1^Rs0qYKJdA~pP=!}I|-6n<|
zF=uJ0RlD<D_q8nZHHjZx3D1PXp7hjyFMVm>c<tj6$zZibS2ZHEmgYEWJUtw@eiCyb
z`?jEjFTXCBq@I1WcUsrf0}9=T52$E;toNPpevMAiKR=0*z4N4UCALOSjh<~P%q_?x
H<KzJVP{+26

literal 0
HcmV?d00001

diff --git a/test/e2e/testdata/config/crl/leaf_revoked.crl b/test/e2e/testdata/config/crl/leaf_revoked.crl
new file mode 100644
index 0000000000000000000000000000000000000000..a7ee7ff48ab644c23163cdc2e5a03ad481e992f4
GIT binary patch
literal 518
zcmXqLVq!9Ae9gqjXu!+HsnzDu_MMlJk(-slAkUE7fRl|ml!Z;0DKyxS&wvNS;oxBn
zE=ep&HRLtm2JzW>Se!FUDh)*qgh5;`9v=Uq^u)Z(s>G7a{5(Se13r*2HxD~dI5aP_
z#8BKo6ePmT!{?b-l3J9Tnvw}L&e>6%*T}>W2n<Y(4NQ%qB>0UCfdU4G7El2Lpbbn+
z0t{&C78n@l8OQ@olvQStFc51H$<aKK(>|wc_I0Q20*hQ$?n+5M{0Qt+SrHZ%paJOq
zWNu<)Wa$5W-AmtacbMjx)yt~{cRydfWZlIQHJw+7|Cc!)erx_Y(e(C1o=>;FFId{^
zmQfX<dqk<cL}M<ShLQOG`zp^2J1zLuU0*FG^6wtQs!MvA973}hxGqVrj_nIS(ptgz
zRo-Cs?G5K0Ehg+rVVJno)GO7@eb0s>UX^AWE4Mt)OYz>z9{tU3&91AzY8du>V_MY?
zze9!P$L;hN>KuD*z-^Js_P2EX<BusU1u<5?j_mpV?^C(^w|C1gZ<DZX;R*fkZ8<SO
zZDYpa`Soog&l5c77j`}tuGVV%%9}LNso$tdqVc+p3X@&-Ta5!1NjJF{6}{|S*ZsXF
Tec3!K<5f;9ZkFv2cI*KF*1ol>

literal 0
HcmV?d00001

diff --git a/test/e2e/testdata/config/crl/root.crt b/test/e2e/testdata/config/crl/root.crt
new file mode 100644
index 000000000..a3008bfff
--- /dev/null
+++ b/test/e2e/testdata/config/crl/root.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIERjCCAy6gAwIBAgIUM1ZsKxjAbtdXydMUT0715YHySzMwDQYJKoZIhvcNAQEL
+BQAwZjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRUwEwYDVQQKDAxPcmdhbml6YXRpb24xEDAOBgNVBAsMB09yZ1VuaXQxDzANBgNV
+BAMMBlJvb3RDQTAgFw0yNDExMTEwNTMwNTFaGA8yMTI0MTAxODA1MzA1MVowZjEL
+MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYD
+VQQKDAxPcmdhbml6YXRpb24xEDAOBgNVBAsMB09yZ1VuaXQxDzANBgNVBAMMBlJv
+b3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ46Go+Lo6yva6ZY
+5N8UCkSt1nxnSfvwmSd358owqi6jO+hwv0jvrxSjzQyfke+tlfm3U/DLisyFOxny
+RAYbhuM8PN5Fp3W5/og7nl5grhBQC3sps26QPVO7IvZBgfbkRCnC/LMdx4eeiUGZ
+wc254KAh4/qYHMK+iqkAYg8DqLiWEhi1knYjNEWHCbeCnpj2vC+VhFNeTamR8bPd
+U03xrZV9v/gZc3F+Ivwlxwb0QxDbXrYPc/5lixkQMYKQt8jzDl14TWeDbU589P31
+E3Y0CJSSDKczHXhh/cpN4lEGKircQynOdEEKf2z7FhvNVPH3tRh4ISmtl1lKrDk8
+drLBhKECAwEAAaOB6TCB5jAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+BjAdBgNVHQ4EFgQUrK2Cr8DoCv7o956MYv7dK6chbxAwgaMGA1UdIwSBmzCBmIAU
+rK2Cr8DoCv7o956MYv7dK6chbxChaqRoMGYxCzAJBgNVBAYTAlVTMQ4wDAYDVQQI
+DAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEVMBMGA1UECgwMT3JnYW5pemF0aW9uMRAw
+DgYDVQQLDAdPcmdVbml0MQ8wDQYDVQQDDAZSb290Q0GCFDNWbCsYwG7XV8nTFE9O
+9eWB8kszMA0GCSqGSIb3DQEBCwUAA4IBAQArRoUqzUCjNaZWwtz8hhJYpKxrXK/M
+MFsfj4FF6F9UgEZh+j9lAhQ1K9IoDKFKzcur3fO6dAPoWJm0P1vthCLMtFgeP7mm
+d1H4BdtIiqWYTPtee8JgG2Mw8QdWaafb6WAdCOlAM01CWgR7aeL1cYDrarQLLXQ0
+KmbqNt4sPyv5orf/FjgHN8tUH2IKJo1NTrICmdP63Bal5kehh6lQYKytpmkqwcpA
+HcagiCEvx5xWsZ/Mgnln8K8cg5xdV54bPssvxVPPKmLg/YzsqohjEiwsYoRBt4em
+8Ul9fbaLugkoXtk7eCLpg7BJhhOOUZkiYjnmxZbkmVl7U79iFKrz73c5
+-----END CERTIFICATE-----

From 5e5685d42ae43634437d4be14a055dc312c6e3f8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 14 Nov 2024 11:10:17 -0800
Subject: [PATCH 16/34] build(deps): Bump github.com/golang-jwt/jwt/v4 from
 4.5.0 to 4.5.1 (#1086)

Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt)
from 4.5.0 to 4.5.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/golang-jwt/jwt/releases">github.com/golang-jwt/jwt/v4's
releases</a>.</em></p>
<blockquote>
<h2>v4.5.1</h2>
<h1>Security</h1>
<p>Unclear documentation of the error behavior in
<code>ParseWithClaims</code> in &lt;= 4.5.0 could lead to situation
where users are potentially not checking errors in the way they should
be. Especially, if a token is both expired and invalid, the errors
returned by <code>ParseWithClaims</code> return both error codes. If
users only check for the <code>jwt.ErrTokenExpired </code> using
<code>error.Is</code>, they will ignore the embedded
<code>jwt.ErrTokenSignatureInvalid</code> and thus potentially accept
invalid tokens.</p>
<p>This issue was documented in <a
href="https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r">https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r</a>
and fixed in this release.</p>
<p>Note: <code>v5</code> was not affected by this issue. So upgrading to
this release version is also recommended.</p>
<h1>What's Changed</h1>
<ul>
<li>Back-ported error-handling logic in <code>ParseWithClaims</code>
from <code>v5</code> branch. This fixes <a
href="https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r">https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r</a>.</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/golang-jwt/jwt/compare/v4.5.0...v4.5.1">https://github.com/golang-jwt/jwt/compare/v4.5.0...v4.5.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c"><code>7b1c1c0</code></a>
Merge commit from fork</li>
<li>See full diff in <a
href="https://github.com/golang-jwt/jwt/compare/v4.5.0...v4.5.1">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/golang-jwt/jwt/v4&package-manager=go_modules&previous-version=4.5.0&new-version=4.5.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/notaryproject/notation/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 4b8d6cbf6..feed8aadf 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.8 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 8ffbafa5f..39a110606 100644
--- a/go.sum
+++ b/go.sum
@@ -12,8 +12,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
 github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=

From be0bd93759c9544fa6ffc037e13299663cac8480 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 14 Nov 2024 11:10:47 -0800
Subject: [PATCH 17/34] build(deps): Bump github/codeql-action from 3.26.8 to
 3.27.1 (#1085)

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.26.8 to 3.27.1.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/codeql.yml    | 4 ++--
 .github/workflows/scorecard.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d3ae94772..9fb291aa8 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -49,8 +49,8 @@ jobs:
           go-version: ${{ matrix.go-version }}
           check-latest: true
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
+        uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           languages: go
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
+        uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 5d8ceee57..9e0dd1037 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -61,6 +61,6 @@ jobs:
           retention-days: 5
       
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           sarif_file: results.sarif

From dfeaeeb2e0ca4e18f9b76e6643f612e051da574b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 14 Nov 2024 11:11:32 -0800
Subject: [PATCH 18/34] build(deps): Bump goreleaser/goreleaser-action from
 6.0.0 to 6.1.0 (#1084)

Bumps
[goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.0.0 to 6.1.0.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/release-github.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml
index 2bc1b058b..470ae257b 100644
--- a/.github/workflows/release-github.yml
+++ b/.github/workflows/release-github.yml
@@ -46,7 +46,7 @@ jobs:
           pre_tag=`git tag --sort=-creatordate --list 'v*' | grep -v dev | head -2 | tail -1`
           echo "GORELEASER_PREVIOUS_TAG=$pre_tag" >> $GITHUB_ENV
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
         with:
           distribution: goreleaser
           version: latest

From afd5918be949a989b34d9f14b16e0ee03b0e5dd2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 14 Nov 2024 11:12:13 -0800
Subject: [PATCH 19/34] build(deps): Bump golang.org/x/net from 0.29.0 to
 0.31.0 (#1082)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.29.0 to 0.31.0.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index feed8aadf..6d67dbd9d 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/net v0.29.0
+	golang.org/x/net v0.31.0
 	golang.org/x/term v0.26.0
 	oras.land/oras-go/v2 v2.5.0
 )
@@ -27,7 +27,7 @@ require (
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
 	github.com/veraison/go-cose v1.1.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.27.0 // indirect
diff --git a/go.sum b/go.sum
index 39a110606..b98b45acd 100644
--- a/go.sum
+++ b/go.sum
@@ -75,8 +75,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
@@ -90,8 +90,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

From b14d9abb3c4358d54c63f586e4b7258812d2da5f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Nov 2024 06:56:44 -0800
Subject: [PATCH 20/34] build(deps): Bump github.com/onsi/gomega from 1.34.2 to
 1.35.1 in /test/e2e (#1087)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from
1.34.2 to 1.35.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/onsi/gomega/releases">github.com/onsi/gomega's
releases</a>.</em></p>
<blockquote>
<h2>v1.35.1</h2>
<h2>1.35.1</h2>
<h3>Fixes</h3>
<ul>
<li>Export EnforceDefaultTimeoutsWhenUsingContexts and
DisableDefaultTimeoutsWhenUsingContext [ca36da1]</li>
</ul>
<h2>v1.35.0</h2>
<h2>1.35.0</h2>
<h3>Features</h3>
<ul>
<li>You can now call
<code>EnforceDefaultTimeoutsWhenUsingContexts()</code> to have
<code>Eventually</code> honor the default timeout when passed a context.
(prior to this you had to expclility add a timeout) [e4c4265]</li>
<li>You can call <code>StopTrying(message).Successfully()</code> to
abort a <code>Consistently</code> early without failure [eeca931]</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Stop memoizing the result of <code>HaveField</code> to avoid
unexpected errors when used with async assertions. [3bdbc4e]</li>
</ul>
<h3>Maintenance</h3>
<ul>
<li>Bump all dependencies [a05a416]</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/onsi/gomega/blob/master/CHANGELOG.md">github.com/onsi/gomega's
changelog</a>.</em></p>
<blockquote>
<h2>1.35.1</h2>
<h3>Fixes</h3>
<ul>
<li>Export EnforceDefaultTimeoutsWhenUsingContexts and
DisableDefaultTimeoutsWhenUsingContext [ca36da1]</li>
</ul>
<h2>1.35.0</h2>
<h3>Features</h3>
<ul>
<li>You can now call
<code>EnforceDefaultTimeoutsWhenUsingContexts()</code> to have
<code>Eventually</code> honor the default timeout when passed a context.
(prior to this you had to expclility add a timeout) [e4c4265]</li>
<li>You can call <code>StopTrying(message).Successfully()</code> to
abort a <code>Consistently</code> early without failure [eeca931]</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Stop memoizing the result of <code>HaveField</code> to avoid
unexpected errors when used with async assertions. [3bdbc4e]</li>
</ul>
<h3>Maintenance</h3>
<ul>
<li>Bump all dependencies [a05a416]</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/onsi/gomega/commit/9f5a208e8adf32c11daf594b3c98a513f13388dd"><code>9f5a208</code></a>
v1.35.1</li>
<li><a
href="https://github.com/onsi/gomega/commit/ca36da13f3000cac2fdf7bae45a03867715711a2"><code>ca36da1</code></a>
Export EnforceDefaultTimeoutsWhenUsingContexts and
DisableDefaultTimeoutsWhen...</li>
<li><a
href="https://github.com/onsi/gomega/commit/d6331f9125b3edd1f8afeb169b145f54104b2dde"><code>d6331f9</code></a>
v1.35.0</li>
<li><a
href="https://github.com/onsi/gomega/commit/5deaf2330c9e7dc4d78155bc92c04b5adc4bcc5e"><code>5deaf23</code></a>
fix tests, but like actually this time</li>
<li><a
href="https://github.com/onsi/gomega/commit/eeca931c42d3e00f631b64d883b8c103b414105a"><code>eeca931</code></a>
Add Successfully() to StopTrying() to signal that Consistently can end
early ...</li>
<li><a
href="https://github.com/onsi/gomega/commit/3bdbc4eef9a6fc310d82ffa5df7703ff934c9b1e"><code>3bdbc4e</code></a>
stop memoizing result of HaveField</li>
<li><a
href="https://github.com/onsi/gomega/commit/e35358dad436c910b14625bafffb8df584c7295b"><code>e35358d</code></a>
sheepishly fix broken test. thanks CI</li>
<li><a
href="https://github.com/onsi/gomega/commit/1b717d7bd4ebda3a51cd637390423da754f7a71e"><code>1b717d7</code></a>
grrr. go mod tidy</li>
<li><a
href="https://github.com/onsi/gomega/commit/a05a4168e1ea93d99d95d375bc088183ceb17104"><code>a05a416</code></a>
bump all dependencies</li>
<li><a
href="https://github.com/onsi/gomega/commit/e4c4265bd405e86ae80d3a65610604294f30f77e"><code>e4c4265</code></a>
Add EnforceDefaultTimeoutsWhenUsingContexts()</li>
<li>See full diff in <a
href="https://github.com/onsi/gomega/compare/v1.34.2...v1.35.1">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/onsi/gomega&package-manager=go_modules&previous-version=1.34.2&new-version=1.35.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 test/e2e/go.mod | 2 +-
 test/e2e/go.sum | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index 1e0b2fd02..5fe255001 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/notaryproject/notation-core-go v1.2.0-rc.1
 	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240926015724-84c2ec076201
 	github.com/onsi/ginkgo/v2 v2.21.0
-	github.com/onsi/gomega v1.34.2
+	github.com/onsi/gomega v1.35.1
 	github.com/opencontainers/image-spec v1.1.0
 	oras.land/oras-go/v2 v2.5.0
 )
diff --git a/test/e2e/go.sum b/test/e2e/go.sum
index 707618328..e0f76124b 100644
--- a/test/e2e/go.sum
+++ b/test/e2e/go.sum
@@ -18,8 +18,8 @@ github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8
 github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
 github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
-github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
+github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
+github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -44,8 +44,8 @@ golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
 golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
+google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

From 9c60adcb4c87c5339d7f77e9e0715d747db84ee9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Nov 2024 06:56:55 -0800
Subject: [PATCH 21/34] build(deps): Bump actions/setup-go from 5.0.2 to 5.1.0
 (#1090)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.2
to 5.1.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-go/releases">actions/setup-go's
releases</a>.</em></p>
<blockquote>
<h2>v5.1.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add workflow file for publishing releases to immutable action
package by <a
href="https://github.com/Jcambass"><code>@​Jcambass</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/500">actions/setup-go#500</a></li>
<li>Upgrade IA Publish by <a
href="https://github.com/Jcambass"><code>@​Jcambass</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/502">actions/setup-go#502</a></li>
<li>Add architecture to cache key by <a
href="https://github.com/Zxilly"><code>@​Zxilly</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/493">actions/setup-go#493</a>
This addresses issues with caching by adding the architecture (arch) to
the cache key, ensuring that cache keys are accurate to prevent
conflicts.
Note: This change may break previous cache keys as they will no longer
be compatible with the new format.</li>
<li>Enhance workflows and Upgrade micromatch Dependency by <a
href="https://github.com/priyagupta108"><code>@​priyagupta108</code></a>
in <a
href="https://redirect.github.com/actions/setup-go/pull/510">actions/setup-go#510</a></li>
</ul>
<p><strong>Bug Fixes</strong></p>
<ul>
<li>Revise <code>isGhes</code> logic by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/511">actions/setup-go#511</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Zxilly"><code>@​Zxilly</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/setup-go/pull/493">actions/setup-go#493</a></li>
<li><a href="https://github.com/Jcambass"><code>@​Jcambass</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/setup-go/pull/500">actions/setup-go#500</a></li>
<li><a href="https://github.com/jww3"><code>@​jww3</code></a> made their
first contribution in <a
href="https://redirect.github.com/actions/setup-go/pull/511">actions/setup-go#511</a></li>
<li><a
href="https://github.com/priyagupta108"><code>@​priyagupta108</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/setup-go/pull/510">actions/setup-go#510</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-go/compare/v5...v5.1.0">https://github.com/actions/setup-go/compare/v5...v5.1.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/setup-go/commit/41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed"><code>41dfa10</code></a>
Enhance workflows and Upgrade micromatch Dependency (<a
href="https://redirect.github.com/actions/setup-go/issues/510">#510</a>)</li>
<li><a
href="https://github.com/actions/setup-go/commit/941977282cd715ac8e0b3adc8555bef6dc794b7e"><code>9419772</code></a>
Revise <code>isGhes</code> logic (<a
href="https://redirect.github.com/actions/setup-go/issues/511">#511</a>)</li>
<li><a
href="https://github.com/actions/setup-go/commit/d60b41a563a30eac31c3ec623e6ff0b3f16e1a06"><code>d60b41a</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/setup-go/issues/502">#502</a>
from actions/Jcambass-patch-1</li>
<li><a
href="https://github.com/actions/setup-go/commit/e09f57f6a9dc1a4c326dfc2aaf66b49f6c56f9f8"><code>e09f57f</code></a>
Upgrade IA Publish</li>
<li><a
href="https://github.com/actions/setup-go/commit/df1a11710ed378b187f40c71eb3d6c08d82e7108"><code>df1a117</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/setup-go/issues/500">#500</a>
from actions/Jcambass-patch-1</li>
<li><a
href="https://github.com/actions/setup-go/commit/49582f64768fe5808736e4f6d4a39b55b1d0ee52"><code>49582f6</code></a>
Add workflow file for publishing releases to immutable action
package</li>
<li><a
href="https://github.com/actions/setup-go/commit/b26d40294f8ad76fcc90b915dac85892322fe62d"><code>b26d402</code></a>
fix: add arch to cache key (<a
href="https://redirect.github.com/actions/setup-go/issues/493">#493</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/setup-go/compare/0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32...41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-go&package-manager=github_actions&previous-version=5.0.2&new-version=5.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/build.yml          | 2 +-
 .github/workflows/codeql.yml         | 2 +-
 .github/workflows/release-github.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a13358aa0..b199e430b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -31,7 +31,7 @@ jobs:
       fail-fast: true
     steps:
       - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: ${{ matrix.go-version }}
           check-latest: true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9fb291aa8..63859ac8d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -44,7 +44,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go ${{ matrix.go-version }} environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: ${{ matrix.go-version }}
           check-latest: true
diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml
index 470ae257b..29ede3f55 100644
--- a/.github/workflows/release-github.yml
+++ b/.github/workflows/release-github.yml
@@ -33,7 +33,7 @@ jobs:
       fail-fast: true
     steps:
       - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: ${{ matrix.go-version }}
           check-latest: true

From 9d0a5a5e577ca94a13f3863e34a9c261172ead4c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Nov 2024 06:57:05 -0800
Subject: [PATCH 22/34] build(deps): Bump github/codeql-action from 3.27.1 to
 3.27.5 (#1091)

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.27.1 to 3.27.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.27.5</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>3.27.5 - 19 Nov 2024</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.27.5/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.27.4</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>3.27.4 - 14 Nov 2024</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.27.3</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>3.27.3 - 12 Nov 2024</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.27.2</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>3.27.2 - 12 Nov 2024</h2>
<ul>
<li>Fixed an issue where setting up the CodeQL tools would sometimes
fail with the message &quot;Invalid value 'undefined' for header
'authorization'&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/2590">#2590</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.27.5 - 19 Nov 2024</h2>
<p>No user facing changes.</p>
<h2>3.27.4 - 14 Nov 2024</h2>
<p>No user facing changes.</p>
<h2>3.27.3 - 12 Nov 2024</h2>
<p>No user facing changes.</p>
<h2>3.27.2 - 12 Nov 2024</h2>
<ul>
<li>Fixed an issue where setting up the CodeQL tools would sometimes
fail with the message &quot;Invalid value 'undefined' for header
'authorization'&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/2590">#2590</a></li>
</ul>
<h2>3.27.1 - 08 Nov 2024</h2>
<ul>
<li>The CodeQL Action now downloads bundles compressed using Zstandard
on GitHub Enterprise Server when using Linux or macOS runners. This
speeds up the installation of the CodeQL tools. This feature is already
available to GitHub.com users. <a
href="https://redirect.github.com/github/codeql-action/pull/2573">#2573</a></li>
<li>Update default CodeQL bundle version to 2.19.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2576">#2576</a></li>
</ul>
<h2>3.27.0 - 22 Oct 2024</h2>
<ul>
<li>Bump the minimum CodeQL bundle version to 2.14.6. <a
href="https://redirect.github.com/github/codeql-action/pull/2549">#2549</a></li>
<li>Fix an issue where the <code>upload-sarif</code> Action would fail
with &quot;upload-sarif post-action step failed: Input required and not
supplied: token&quot; when called in a composite Action that had a
different set of inputs to the ones expected by the
<code>upload-sarif</code> Action. <a
href="https://redirect.github.com/github/codeql-action/pull/2557">#2557</a></li>
<li>Update default CodeQL bundle version to 2.19.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2552">#2552</a></li>
</ul>
<h2>3.26.13 - 14 Oct 2024</h2>
<p>No user facing changes.</p>
<h2>3.26.12 - 07 Oct 2024</h2>
<ul>
<li>
<p><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.14.5 and earlier. These versions of
CodeQL were discontinued on 24 September 2024 alongside GitHub
Enterprise Server 3.10, and will be unsupported by CodeQL Action
versions 3.27.0 and later and versions 2.27.0 and later. <a
href="https://redirect.github.com/github/codeql-action/pull/2520">#2520</a></p>
<ul>
<li>
<p>If you are using one of these versions, please update to CodeQL CLI
version 2.14.6 or later. For instance, if you have specified a custom
version of the CLI using the 'tools' input to the 'init' Action, you can
remove this input to use the default version.</p>
</li>
<li>
<p>Alternatively, if you want to continue using a version of the CodeQL
CLI between 2.13.5 and 2.14.5, you can replace
<code>github/codeql-action/*@v3</code> by
<code>github/codeql-action/*@v3.26.11</code> and
<code>github/codeql-action/*@v2</code> by
<code>github/codeql-action/*@v2.26.11</code> in your code scanning
workflow to ensure you continue using this version of the CodeQL
Action.</p>
</li>
</ul>
</li>
</ul>
<h2>3.26.11 - 03 Oct 2024</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/f09c1c0a94de965c15400f5634aa42fac8fb8f88"><code>f09c1c0</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2616">#2616</a>
from github/update-v3.27.5-a6c8729a5</li>
<li><a
href="https://github.com/github/codeql-action/commit/67b73eaba559c7e6913377065b0362ccbfc94e87"><code>67b73ea</code></a>
Update changelog for v3.27.5</li>
<li><a
href="https://github.com/github/codeql-action/commit/a6c8729a5d7573eb8d440e52a9645ce4db61d97c"><code>a6c8729</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2614">#2614</a>
from github/marcogario/per-platform-proxy</li>
<li><a
href="https://github.com/github/codeql-action/commit/8f3b48727ff1b076c28967a258b95fcee30a3a48"><code>8f3b487</code></a>
Start-proxy: Fetch OS specific binary</li>
<li><a
href="https://github.com/github/codeql-action/commit/cba5fb58d4f85affaf03eb9da32f5b6c9d76838b"><code>cba5fb5</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2613">#2613</a>
from github/dependabot/npm_and_yarn/npm_and_yarn-018...</li>
<li><a
href="https://github.com/github/codeql-action/commit/e782c3a145d9946aba8fa390e406acbe4e4c05c5"><code>e782c3a</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2612">#2612</a>
from github/angelapwen/report-linux-runner-release</li>
<li><a
href="https://github.com/github/codeql-action/commit/db6788195b646f87b3d1c616b0c14a6d5b7fa9a6"><code>db67881</code></a>
Update checked-in dependencies</li>
<li><a
href="https://github.com/github/codeql-action/commit/ecde4d232d18cf2dba6c1a6b76810332abff736f"><code>ecde4d2</code></a>
Bump cross-spawn from 7.0.3 to 7.0.6 in the npm_and_yarn group</li>
<li><a
href="https://github.com/github/codeql-action/commit/e3c67a01d31d9c173ba5ffccc9d0f275540d99de"><code>e3c67a0</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2610">#2610</a>
from github/dependabot/npm_and_yarn/npm-d2ca52e617</li>
<li><a
href="https://github.com/github/codeql-action/commit/f9ada54538b47b6db28c4d11f53848689968909e"><code>f9ada54</code></a>
Telemetry: report OS release for GitHub-hosted Linux runners</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/4f3212b61783c3c68e8309a0f18a699764811cda...f09c1c0a94de965c15400f5634aa42fac8fb8f88">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3.27.1&new-version=3.27.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/codeql.yml    | 4 ++--
 .github/workflows/scorecard.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 63859ac8d..26ff7c8b6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -49,8 +49,8 @@ jobs:
           go-version: ${{ matrix.go-version }}
           check-latest: true
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           languages: go
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 9e0dd1037..08435f65b 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -61,6 +61,6 @@ jobs:
           retention-days: 5
       
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: results.sarif

From 701e9068d8c3ea4a8d7eb3c943773f4c213e03a2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Nov 2024 06:57:18 -0800
Subject: [PATCH 23/34] build(deps): Bump codecov/codecov-action from 4.6.0 to
 5.0.7 (#1092)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[codecov/codecov-action](https://github.com/codecov/codecov-action) from
4.6.0 to 5.0.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/codecov/codecov-action/releases">codecov/codecov-action's
releases</a>.</em></p>
<blockquote>
<h2>v5.0.7</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: use HEAD_REPO by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1690">codecov/codecov-action#1690</a></li>
<li>chore(release): 5.0.7 by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1691">codecov/codecov-action#1691</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.6...v5.0.7">https://github.com/codecov/codecov-action/compare/v5.0.6...v5.0.7</a></p>
<h2>v5.0.6</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: update CODECOV_TOKEN and fix tokenless by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1688">codecov/codecov-action#1688</a></li>
<li>chore(release): 5.0.6 by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1689">codecov/codecov-action#1689</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.5...v5.0.6">https://github.com/codecov/codecov-action/compare/v5.0.5...v5.0.6</a></p>
<h2>v5.0.5</h2>
<h2>What's Changed</h2>
<ul>
<li>chore(release): wrapper-0.0.27 by <a
href="https://github.com/codecov-releaser-app"><code>@​codecov-releaser-app</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1685">codecov/codecov-action#1685</a></li>
<li>chore(release): 5.0.5 by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1686">codecov/codecov-action#1686</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/codecov-releaser-app"><code>@​codecov-releaser-app</code></a>
made their first contribution in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1685">codecov/codecov-action#1685</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.4...v5.0.5">https://github.com/codecov/codecov-action/compare/v5.0.4...v5.0.5</a></p>
<h2>v5.0.4</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: add action version by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1678">codecov/codecov-action#1678</a></li>
<li>fix: strip out a trailing /n from input tokens by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1679">codecov/codecov-action#1679</a></li>
<li>chore(deps): bump wrapper to 0.0.26 by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1681">codecov/codecov-action#1681</a></li>
<li>chore(release): 5.0.4 by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1682">codecov/codecov-action#1682</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.3...v5.0.4">https://github.com/codecov/codecov-action/compare/v5.0.3...v5.0.4</a></p>
<h2>v5.0.3</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: typo in <code>inputs.disable_safe_directory</code> by <a
href="https://github.com/mkroening"><code>@​mkroening</code></a> in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1666">codecov/codecov-action#1666</a></li>
<li>build(deps): bump github/codeql-action from 3.27.0 to 3.27.4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1665">codecov/codecov-action#1665</a></li>
<li>fix: bump to v5 and update README by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1655">codecov/codecov-action#1655</a></li>
<li>fix: update CHANGELOG and automate by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1674">codecov/codecov-action#1674</a></li>
<li>fix: prevent always setting tokenless to be true by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1673">codecov/codecov-action#1673</a></li>
<li>fix: use double-quotes for OIDC by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1669">codecov/codecov-action#1669</a></li>
<li>fix: update OIDC audience by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1675">codecov/codecov-action#1675</a></li>
<li>chore(release): 5.0.3 by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1676">codecov/codecov-action#1676</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.2...v5.0.3">https://github.com/codecov/codecov-action/compare/v5.0.2...v5.0.3</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md">codecov/codecov-action's
changelog</a>.</em></p>
<blockquote>
<h2>v5.0.7</h2>
<h3>What's Changed</h3>
<ul>
<li>fix: use HEAD_REPO by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1690">codecov/codecov-action#1690</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.6..v5.0.7">https://github.com/codecov/codecov-action/compare/v5.0.6..v5.0.7</a></p>
<h2>v5.0.6</h2>
<h3>What's Changed</h3>
<ul>
<li>fix: update CODECOV_TOKEN and fix tokenless by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1688">codecov/codecov-action#1688</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.5..v5.0.6">https://github.com/codecov/codecov-action/compare/v5.0.5..v5.0.6</a></p>
<h2>v5.0.5</h2>
<h3>What's Changed</h3>
<ul>
<li>chore(release): wrapper-0.0.27 by
<code>@​app/codecov-releaser-app</code> in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1685">codecov/codecov-action#1685</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.4..v5.0.5">https://github.com/codecov/codecov-action/compare/v5.0.4..v5.0.5</a></p>
<h2>v5.0.4</h2>
<h3>What's Changed</h3>
<ul>
<li>chore(deps): bump wrapper to 0.0.26 by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1681">codecov/codecov-action#1681</a></li>
<li>fix: strip out a trailing /n from input tokens by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1679">codecov/codecov-action#1679</a></li>
<li>fix: add action version by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1678">codecov/codecov-action#1678</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.3..v5.0.4">https://github.com/codecov/codecov-action/compare/v5.0.3..v5.0.4</a></p>
<h2>v5.0.3</h2>
<h3>What's Changed</h3>
<ul>
<li>fix: update OIDC audience by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1675">codecov/codecov-action#1675</a></li>
<li>fix: use double-quotes for OIDC by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1669">codecov/codecov-action#1669</a></li>
<li>fix: prevent always setting tokenless to be true by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1673">codecov/codecov-action#1673</a></li>
<li>fix: update CHANGELOG and automate by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1674">codecov/codecov-action#1674</a></li>
<li>fix: bump to v5 and update README by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1655">codecov/codecov-action#1655</a></li>
<li>build(deps): bump github/codeql-action from 3.27.0 to 3.27.4 by
<code>@​app/dependabot</code> in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1665">codecov/codecov-action#1665</a></li>
<li>fix: typo in <code>inputs.disable_safe_directory</code> by <a
href="https://github.com/mkroening"><code>@​mkroening</code></a> in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1666">codecov/codecov-action#1666</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.2..v5.0.3">https://github.com/codecov/codecov-action/compare/v5.0.2..v5.0.3</a></p>
<h2>v5.0.2</h2>
<h3>What's Changed</h3>
<ul>
<li>fix: override commit and pr values for PR cases by <a
href="https://github.com/thomasrockhu-codecov"><code>@​thomasrockhu-codecov</code></a>
in <a
href="https://redirect.github.com/codecov/codecov-action/pull/1657">codecov/codecov-action#1657</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/codecov/codecov-action/compare/v5.0.1...v5.0.2">https://github.com/codecov/codecov-action/compare/v5.0.1...v5.0.2</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/codecov/codecov-action/commit/015f24e6818733317a2da2edd6290ab26238649a"><code>015f24e</code></a>
chore(release): 5.0.7 (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1691">#1691</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/a76271d95946adc3b90b6bab0bb870368626d618"><code>a76271d</code></a>
fix: use HEAD_REPO (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1690">#1690</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/d168679d447a7d9f9917d4b26caf2cfbf080cfb4"><code>d168679</code></a>
chore(release): 5.0.6 (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1689">#1689</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/373fd71a645bc4bb6a527a2225d0db67206bf786"><code>373fd71</code></a>
fix: update CODECOV_TOKEN and fix tokenless (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1688">#1688</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/288befbd1044bd1756afb0bdae077549e0ddb31f"><code>288befb</code></a>
chore(release): 5.0.5 (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1686">#1686</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/7e69d37f7e784d6f57e82f0ad50ad9b1f7993974"><code>7e69d37</code></a>
chore(release): wrapper-0.0.27 (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1685">#1685</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/985343d70564a82044c1b7fcb84c2fa05405c1a2"><code>985343d</code></a>
chore(release): 5.0.4 (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1682">#1682</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/31d19009808eced04a37b82636957c08462c8a27"><code>31d1900</code></a>
chore(deps): bump wrapper to 0.0.26 (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1681">#1681</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/095cfe09c682a0e3d0a2d2ed15de74b77b568f20"><code>095cfe0</code></a>
fix: strip out a trailing /n from input tokens (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1679">#1679</a>)</li>
<li><a
href="https://github.com/codecov/codecov-action/commit/b542d5a35cdb78f4b6ee83df70403b7fa1508ff0"><code>b542d5a</code></a>
fix: add action version (<a
href="https://redirect.github.com/codecov/codecov-action/issues/1678">#1678</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/codecov/codecov-action/compare/b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238...015f24e6818733317a2da2edd6290ab26238649a">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=codecov/codecov-action&package-manager=github_actions&previous-version=4.6.0&new-version=5.0.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b199e430b..323efeab0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,6 +59,6 @@ jobs:
             make e2e-covdata
           fi
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

From 7eccb42cd12c8e402331840dc84290a2b581d9ab Mon Sep 17 00:00:00 2001
From: Patrick Zheng <patrickzheng@microsoft.com>
Date: Fri, 6 Dec 2024 08:43:31 +0800
Subject: [PATCH 24/34] for v1.3.0-rc.2 release, backport from main

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 cmd/notation/sign.go                      |  7 +++
 cmd/notation/verify.go                    | 40 +-----------
 cmd/notation/verify_test.go               |  6 +-
 go.mod                                    | 10 +--
 go.sum                                    | 20 +++---
 internal/{ => revocation}/crl/crl.go      |  0
 internal/{ => revocation}/crl/crl_test.go |  0
 internal/revocation/revocation.go         | 54 ++++++++++++++++
 internal/revocation/revocation_test.go    | 75 +++++++++++++++++++++++
 test/e2e/go.mod                           | 15 ++---
 test/e2e/go.sum                           | 32 +++++-----
 test/e2e/plugin/go.mod                    | 12 ++--
 test/e2e/plugin/go.sum                    | 24 ++++----
 test/e2e/suite/command/verify.go          |  6 +-
 14 files changed, 202 insertions(+), 99 deletions(-)
 rename internal/{ => revocation}/crl/crl.go (100%)
 rename internal/{ => revocation}/crl/crl_test.go (100%)
 create mode 100644 internal/revocation/revocation.go
 create mode 100644 internal/revocation/revocation_test.go

diff --git a/cmd/notation/sign.go b/cmd/notation/sign.go
index 30b4e0a69..7e88cde5b 100644
--- a/cmd/notation/sign.go
+++ b/cmd/notation/sign.go
@@ -22,6 +22,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/revocation/purpose"
 	corex509 "github.com/notaryproject/notation-core-go/x509"
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/log"
@@ -29,6 +30,7 @@ import (
 	"github.com/notaryproject/notation/internal/cmd"
 	"github.com/notaryproject/notation/internal/envelope"
 	"github.com/notaryproject/notation/internal/httputil"
+	clirev "github.com/notaryproject/notation/internal/revocation"
 	nx509 "github.com/notaryproject/notation/internal/x509"
 	"github.com/notaryproject/tspclient-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -251,6 +253,11 @@ func prepareSigningOpts(ctx context.Context, opts *signOpts) (notation.SignOptio
 		rootCAs := x509.NewCertPool()
 		rootCAs.AddCert(tsaRootCert)
 		signOpts.TSARootCAs = rootCAs
+		tsaRevocationValidator, err := clirev.NewRevocationValidator(ctx, purpose.Timestamping)
+		if err != nil {
+			return notation.SignOptions{}, fmt.Errorf("failed to create timestamping revocation validator: %w", err)
+		}
+		signOpts.TSARevocationValidator = tsaRevocationValidator
 	}
 	return signOpts, nil
 }
diff --git a/cmd/notation/verify.go b/cmd/notation/verify.go
index 933d41661..d320db47b 100644
--- a/cmd/notation/verify.go
+++ b/cmd/notation/verify.go
@@ -18,28 +18,22 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
-	"net/http"
 	"os"
 	"reflect"
-	"time"
 
-	"github.com/notaryproject/notation-core-go/revocation"
 	"github.com/notaryproject/notation-core-go/revocation/purpose"
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/dir"
 	"github.com/notaryproject/notation-go/plugin"
 	"github.com/notaryproject/notation-go/verifier"
-	"github.com/notaryproject/notation-go/verifier/crl"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	"github.com/notaryproject/notation-go/verifier/truststore"
 	"github.com/notaryproject/notation/cmd/notation/internal/experimental"
 	"github.com/notaryproject/notation/internal/cmd"
-	"github.com/notaryproject/notation/internal/httputil"
 	"github.com/notaryproject/notation/internal/ioutil"
 	"github.com/spf13/cobra"
 
-	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
-	clicrl "github.com/notaryproject/notation/internal/crl"
+	clirev "github.com/notaryproject/notation/internal/revocation"
 )
 
 type verifyOpts struct {
@@ -234,39 +228,11 @@ func printMetadataIfPresent(outcome *notation.VerificationOutcome) {
 
 func getVerifier(ctx context.Context) (notation.Verifier, error) {
 	// revocation check
-	ocspHttpClient := httputil.NewClient(ctx, &http.Client{Timeout: 2 * time.Second})
-	crlFetcher, err := corecrl.NewHTTPFetcher(httputil.NewClient(ctx, &http.Client{Timeout: 5 * time.Second}))
+	revocationCodeSigningValidator, err := clirev.NewRevocationValidator(ctx, purpose.CodeSigning)
 	if err != nil {
 		return nil, err
 	}
-	crlFetcher.DiscardCacheError = true // discard crl cache error
-	cacheRoot, err := dir.CacheFS().SysPath(dir.PathCRLCache)
-	if err != nil {
-		return nil, err
-	}
-	fileCache, err := crl.NewFileCache(cacheRoot)
-	if err != nil {
-		// discard NewFileCache error as cache errors are not critical
-		fmt.Fprintf(os.Stderr, "Warning: %v\n", err)
-	} else {
-		crlFetcher.Cache = &clicrl.CacheWithLog{
-			Cache:             fileCache,
-			DiscardCacheError: crlFetcher.DiscardCacheError,
-		}
-	}
-	revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
-		OCSPHTTPClient:   ocspHttpClient,
-		CRLFetcher:       crlFetcher,
-		CertChainPurpose: purpose.CodeSigning,
-	})
-	if err != nil {
-		return nil, err
-	}
-	revocationTimestampingValidator, err := revocation.NewWithOptions(revocation.Options{
-		OCSPHTTPClient:   ocspHttpClient,
-		CRLFetcher:       crlFetcher,
-		CertChainPurpose: purpose.Timestamping,
-	})
+	revocationTimestampingValidator, err := clirev.NewRevocationValidator(ctx, purpose.Timestamping)
 	if err != nil {
 		return nil, err
 	}
diff --git a/cmd/notation/verify_test.go b/cmd/notation/verify_test.go
index b68796436..98464f1cc 100644
--- a/cmd/notation/verify_test.go
+++ b/cmd/notation/verify_test.go
@@ -120,10 +120,10 @@ func TestGetVerifier(t *testing.T) {
 	})
 }
 
-func dummyOCIPolicyDocument() trustpolicy.OCIDocument {
-	return trustpolicy.OCIDocument{
+func dummyOCIPolicyDocument() trustpolicy.Document {
+	return trustpolicy.Document{
 		Version: "1.0",
-		TrustPolicies: []trustpolicy.OCITrustPolicy{
+		TrustPolicies: []trustpolicy.TrustPolicy{
 			{
 				Name:                  "test-statement-name",
 				RegistryScopes:        []string{"registry.acme-rockets.io/software/net-monitor"},
diff --git a/go.mod b/go.mod
index 6d67dbd9d..7e2867604 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module github.com/notaryproject/notation
 go 1.23
 
 require (
-	github.com/notaryproject/notation-core-go v1.2.0-rc.1
-	github.com/notaryproject/notation-go v1.3.0-rc.1
-	github.com/notaryproject/tspclient-go v0.2.0
+	github.com/notaryproject/notation-core-go v1.2.0-rc.2
+	github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada
+	github.com/notaryproject/tspclient-go v1.0.0-rc.1
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/sirupsen/logrus v1.9.3
@@ -25,10 +25,10 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
-	github.com/veraison/go-cose v1.1.0 // indirect
+	github.com/veraison/go-cose v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/crypto v0.29.0 // indirect
-	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/mod v0.22.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.27.0 // indirect
 )
diff --git a/go.sum b/go.sum
index b98b45acd..076ea59ea 100644
--- a/go.sum
+++ b/go.sum
@@ -35,14 +35,14 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1 h1:VMFlG+9a1JoNAQ3M96g8iqCq0cDRtE7XBaiTD8Ouvqw=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1/go.mod h1:b/70rA4OgOHlg0A7pb8zTWKJadFO6781zS3a37KHEJQ=
-github.com/notaryproject/notation-go v1.3.0-rc.1 h1:pm9tdUy2tWYqlwyRDZyKXgLwAscDATPUYv0ul2RK/Iw=
-github.com/notaryproject/notation-go v1.3.0-rc.1/go.mod h1:W4o45yolX4Q+3PKlcpGleLLXEKWHa3BshEqw/JX5c6I=
+github.com/notaryproject/notation-core-go v1.2.0-rc.2 h1:0jOItalNwBNUhyuc5PPHQxO3jIZ5xRYq+IvRMQXNbuE=
+github.com/notaryproject/notation-core-go v1.2.0-rc.2/go.mod h1:7aIcavfywFvBQoYyfVFJB501kt7Etqyubrt5mhJBG2c=
+github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada h1:WQdxuYhh9DH1Mjp9FJmjWTHBRq+ZGVeaWLklAaIEcWE=
+github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada/go.mod h1:6a3/g7yD/8dxxBpimzUWthH8DLBrzHs4RTzdz9CALvw=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
-github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
-github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys=
+github.com/notaryproject/tspclient-go v1.0.0-rc.1/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -65,8 +65,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
-github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk=
+github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
@@ -79,8 +79,8 @@ golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
 golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
diff --git a/internal/crl/crl.go b/internal/revocation/crl/crl.go
similarity index 100%
rename from internal/crl/crl.go
rename to internal/revocation/crl/crl.go
diff --git a/internal/crl/crl_test.go b/internal/revocation/crl/crl_test.go
similarity index 100%
rename from internal/crl/crl_test.go
rename to internal/revocation/crl/crl_test.go
diff --git a/internal/revocation/revocation.go b/internal/revocation/revocation.go
new file mode 100644
index 000000000..412d6f0e5
--- /dev/null
+++ b/internal/revocation/revocation.go
@@ -0,0 +1,54 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revocation
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/notaryproject/notation-core-go/revocation"
+	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	"github.com/notaryproject/notation-core-go/revocation/purpose"
+	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/verifier/crl"
+	"github.com/notaryproject/notation/internal/httputil"
+	clicrl "github.com/notaryproject/notation/internal/revocation/crl"
+)
+
+// NewRevocationValidator returns a revocation.Validator given the certificate
+// purpose
+func NewRevocationValidator(ctx context.Context, purpose purpose.Purpose) (revocation.Validator, error) {
+	// err is always nil
+	crlFetcher, _ := corecrl.NewHTTPFetcher(httputil.NewClient(ctx, &http.Client{Timeout: 5 * time.Second}))
+	crlFetcher.DiscardCacheError = true                     // discard crl cache error
+	cacheRoot, _ := dir.CacheFS().SysPath(dir.PathCRLCache) // err is always nil
+	fileCache, err := crl.NewFileCache(cacheRoot)
+	if err != nil {
+		// discard NewFileCache error as cache errors are not critical
+		fmt.Fprintf(os.Stderr, "Warning: %v\n", err)
+	} else {
+		crlFetcher.Cache = &clicrl.CacheWithLog{
+			Cache:             fileCache,
+			DiscardCacheError: crlFetcher.DiscardCacheError,
+		}
+	}
+	return revocation.NewWithOptions(revocation.Options{
+		OCSPHTTPClient:   httputil.NewClient(ctx, &http.Client{Timeout: 2 * time.Second}),
+		CRLFetcher:       crlFetcher,
+		CertChainPurpose: purpose,
+	})
+}
diff --git a/internal/revocation/revocation_test.go b/internal/revocation/revocation_test.go
new file mode 100644
index 000000000..eeb7ff54b
--- /dev/null
+++ b/internal/revocation/revocation_test.go
@@ -0,0 +1,75 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revocation
+
+import (
+	"context"
+	"net/http"
+	"os"
+	"runtime"
+	"testing"
+	"time"
+
+	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	"github.com/notaryproject/notation-core-go/revocation/purpose"
+	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation/internal/httputil"
+)
+
+func TestNewRevocationValidator(t *testing.T) {
+	defer func(oldCacheDir string) {
+		dir.UserCacheDir = oldCacheDir
+	}(dir.UserCacheDir)
+
+	t.Run("Success", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
+		if _, err := NewRevocationValidator(context.Background(), purpose.Timestamping); err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	tempRoot := t.TempDir()
+	t.Run("Success but without permission to create cache directory", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping test on Windows")
+		}
+		dir.UserCacheDir = tempRoot
+		if err := os.Chmod(tempRoot, 0); err != nil {
+			t.Fatal(err)
+		}
+		defer func() {
+			// restore permission
+			if err := os.Chmod(tempRoot, 0755); err != nil {
+				t.Fatalf("failed to change permission: %v", err)
+			}
+		}()
+		if _, err := NewRevocationValidator(context.Background(), purpose.Timestamping); err != nil {
+			t.Fatal(err)
+		}
+	})
+}
+
+func TestNilError(t *testing.T) {
+	_, err := corecrl.NewHTTPFetcher(httputil.NewClient(context.Background(), &http.Client{Timeout: 5 * time.Second}))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = dir.CacheFS().SysPath(dir.PathCRLCache)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index 5fe255001..806836a5b 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -3,8 +3,8 @@ module github.com/notaryproject/notation/test/e2e
 go 1.23
 
 require (
-	github.com/notaryproject/notation-core-go v1.2.0-rc.1
-	github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240926015724-84c2ec076201
+	github.com/notaryproject/notation-core-go v1.2.0-rc.2
+	github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada
 	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/onsi/gomega v1.35.1
 	github.com/opencontainers/image-spec v1.1.0
@@ -17,14 +17,15 @@ require (
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
-	github.com/notaryproject/tspclient-go v0.2.0 // indirect
+	github.com/notaryproject/tspclient-go v1.0.0-rc.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/veraison/go-cose v1.1.0 // indirect
+	github.com/veraison/go-cose v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/sync v0.9.0 // indirect
+	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/text v0.20.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/test/e2e/go.sum b/test/e2e/go.sum
index e0f76124b..e2aab9f19 100644
--- a/test/e2e/go.sum
+++ b/test/e2e/go.sum
@@ -10,12 +10,12 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1 h1:VMFlG+9a1JoNAQ3M96g8iqCq0cDRtE7XBaiTD8Ouvqw=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1/go.mod h1:b/70rA4OgOHlg0A7pb8zTWKJadFO6781zS3a37KHEJQ=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240926015724-84c2ec076201 h1:2QBYa9Df+vMwMiaHaFqPoUiwfx5vcPEgM7KbusivTpw=
-github.com/notaryproject/notation-go v1.2.0-beta.1.0.20240926015724-84c2ec076201/go.mod h1:F6zMQl3PhVdCsI1xlIjK66kCorUQhWkoMtlZdvJWxFI=
-github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
-github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/notation-core-go v1.2.0-rc.2 h1:0jOItalNwBNUhyuc5PPHQxO3jIZ5xRYq+IvRMQXNbuE=
+github.com/notaryproject/notation-core-go v1.2.0-rc.2/go.mod h1:7aIcavfywFvBQoYyfVFJB501kt7Etqyubrt5mhJBG2c=
+github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada h1:WQdxuYhh9DH1Mjp9FJmjWTHBRq+ZGVeaWLklAaIEcWE=
+github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada/go.mod h1:6a3/g7yD/8dxxBpimzUWthH8DLBrzHs4RTzdz9CALvw=
+github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys=
+github.com/notaryproject/tspclient-go v1.0.0-rc.1/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
 github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
@@ -28,20 +28,20 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
-github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk=
+github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
 golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod
index daab39766..d0581c5d3 100644
--- a/test/e2e/plugin/go.mod
+++ b/test/e2e/plugin/go.mod
@@ -4,8 +4,8 @@ go 1.23
 
 require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/notaryproject/notation-core-go v1.2.0-rc.1
-	github.com/notaryproject/notation-go v1.3.0-rc.1
+	github.com/notaryproject/notation-core-go v1.2.0-rc.2
+	github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
 	github.com/spf13/cobra v1.8.1
 )
@@ -18,14 +18,14 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/notaryproject/tspclient-go v0.2.0 // indirect
+	github.com/notaryproject/tspclient-go v1.0.0-rc.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/veraison/go-cose v1.1.0 // indirect
+	github.com/veraison/go-cose v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/crypto v0.27.0 // indirect
-	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/mod v0.22.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	oras.land/oras-go/v2 v2.5.0 // indirect
 )
diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum
index b805bb0b5..5d4bf70aa 100644
--- a/test/e2e/plugin/go.sum
+++ b/test/e2e/plugin/go.sum
@@ -37,14 +37,14 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1 h1:VMFlG+9a1JoNAQ3M96g8iqCq0cDRtE7XBaiTD8Ouvqw=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1/go.mod h1:b/70rA4OgOHlg0A7pb8zTWKJadFO6781zS3a37KHEJQ=
-github.com/notaryproject/notation-go v1.3.0-rc.1 h1:pm9tdUy2tWYqlwyRDZyKXgLwAscDATPUYv0ul2RK/Iw=
-github.com/notaryproject/notation-go v1.3.0-rc.1/go.mod h1:W4o45yolX4Q+3PKlcpGleLLXEKWHa3BshEqw/JX5c6I=
+github.com/notaryproject/notation-core-go v1.2.0-rc.2 h1:0jOItalNwBNUhyuc5PPHQxO3jIZ5xRYq+IvRMQXNbuE=
+github.com/notaryproject/notation-core-go v1.2.0-rc.2/go.mod h1:7aIcavfywFvBQoYyfVFJB501kt7Etqyubrt5mhJBG2c=
+github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada h1:WQdxuYhh9DH1Mjp9FJmjWTHBRq+ZGVeaWLklAaIEcWE=
+github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada/go.mod h1:6a3/g7yD/8dxxBpimzUWthH8DLBrzHs4RTzdz9CALvw=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
-github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
-github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys=
+github.com/notaryproject/tspclient-go v1.0.0-rc.1/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -64,8 +64,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
-github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk=
+github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
@@ -74,12 +74,12 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
diff --git a/test/e2e/suite/command/verify.go b/test/e2e/suite/command/verify.go
index b0efdceee..9ab8d29d0 100644
--- a/test/e2e/suite/command/verify.go
+++ b/test/e2e/suite/command/verify.go
@@ -229,7 +229,7 @@ var _ = Describe("notation verify", func() {
 			notation.Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()).
 				MatchKeyWords(SignSuccessfully)
 
-			notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
 				MatchKeyWords(VerifySuccessfully).
 				MatchErrKeyWords("Timestamp verification disabled")
 		})
@@ -240,7 +240,7 @@ var _ = Describe("notation verify", func() {
 			notation.Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()).
 				MatchKeyWords(SignSuccessfully)
 
-			notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
 				MatchKeyWords(VerifySuccessfully).
 				MatchErrKeyWords("Performing timestamp verification...")
 		})
@@ -251,7 +251,7 @@ var _ = Describe("notation verify", func() {
 			notation.Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "DigiCertTSARootSHA384.cer"), artifact.ReferenceWithDigest()).
 				MatchKeyWords(SignSuccessfully)
 
-			notation.Exec("verify", artifact.ReferenceWithDigest(), "-v").
+			notation.Exec("verify", artifact.ReferenceWithDigest(), "-d").
 				MatchKeyWords(VerifySuccessfully).
 				MatchErrKeyWords("Timestamp verification disabled: verifyTimestamp is set to \"afterCertExpiry\" and signing cert chain unexpired")
 		})

From 647447d98c447815d14c759065953323a01c32ae Mon Sep 17 00:00:00 2001
From: Patrick Zheng <patrickzheng@microsoft.com>
Date: Fri, 13 Dec 2024 15:33:14 +0800
Subject: [PATCH 25/34] bump up

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 go.mod |  8 ++++----
 go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index 7e2867604..68f1eee5c 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.23
 
 require (
 	github.com/notaryproject/notation-core-go v1.2.0-rc.2
-	github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada
+	github.com/notaryproject/notation-go v1.3.0-rc.2
 	github.com/notaryproject/tspclient-go v1.0.0-rc.1
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
@@ -12,7 +12,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	golang.org/x/net v0.31.0
-	golang.org/x/term v0.26.0
+	golang.org/x/term v0.27.0
 	oras.land/oras-go/v2 v2.5.0
 )
 
@@ -27,8 +27,8 @@ require (
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
 	github.com/veraison/go-cose v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 076ea59ea..d993e8a8e 100644
--- a/go.sum
+++ b/go.sum
@@ -37,8 +37,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-core-go v1.2.0-rc.2 h1:0jOItalNwBNUhyuc5PPHQxO3jIZ5xRYq+IvRMQXNbuE=
 github.com/notaryproject/notation-core-go v1.2.0-rc.2/go.mod h1:7aIcavfywFvBQoYyfVFJB501kt7Etqyubrt5mhJBG2c=
-github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada h1:WQdxuYhh9DH1Mjp9FJmjWTHBRq+ZGVeaWLklAaIEcWE=
-github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada/go.mod h1:6a3/g7yD/8dxxBpimzUWthH8DLBrzHs4RTzdz9CALvw=
+github.com/notaryproject/notation-go v1.3.0-rc.2 h1:uugL3kruAAWPMFoOhjcoPAhUnIqMF1pcc8nIlqOKpeU=
+github.com/notaryproject/notation-go v1.3.0-rc.2/go.mod h1:l7C6xVLPy5cBb+6MpsM9iLyFrVYxgS6+QjBdrl/KSY8=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys=
@@ -75,8 +75,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
@@ -107,16 +107,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
-golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

From 6168ce91006fc6bbaafe90f5c533be08c2ec2d61 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:18:26 +0800
Subject: [PATCH 26/34] build(deps): Bump github.com/onsi/ginkgo/v2 from 2.21.0
 to 2.22.0 in /test/e2e (#1093)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 test/e2e/go.mod | 12 ++++++------
 test/e2e/go.sum | 24 ++++++++++++------------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index 806836a5b..734737506 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -4,8 +4,8 @@ go 1.23
 
 require (
 	github.com/notaryproject/notation-core-go v1.2.0-rc.2
-	github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada
-	github.com/onsi/ginkgo/v2 v2.21.0
+	github.com/notaryproject/notation-go v1.3.0-rc.2
+	github.com/onsi/ginkgo/v2 v2.22.0
 	github.com/onsi/gomega v1.35.1
 	github.com/opencontainers/image-spec v1.1.0
 	oras.land/oras-go/v2 v2.5.0
@@ -21,11 +21,11 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/veraison/go-cose v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/sync v0.9.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/test/e2e/go.sum b/test/e2e/go.sum
index e2aab9f19..226776d8f 100644
--- a/test/e2e/go.sum
+++ b/test/e2e/go.sum
@@ -12,12 +12,12 @@ github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgY
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/notaryproject/notation-core-go v1.2.0-rc.2 h1:0jOItalNwBNUhyuc5PPHQxO3jIZ5xRYq+IvRMQXNbuE=
 github.com/notaryproject/notation-core-go v1.2.0-rc.2/go.mod h1:7aIcavfywFvBQoYyfVFJB501kt7Etqyubrt5mhJBG2c=
-github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada h1:WQdxuYhh9DH1Mjp9FJmjWTHBRq+ZGVeaWLklAaIEcWE=
-github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada/go.mod h1:6a3/g7yD/8dxxBpimzUWthH8DLBrzHs4RTzdz9CALvw=
+github.com/notaryproject/notation-go v1.3.0-rc.2 h1:uugL3kruAAWPMFoOhjcoPAhUnIqMF1pcc8nIlqOKpeU=
+github.com/notaryproject/notation-go v1.3.0-rc.2/go.mod h1:l7C6xVLPy5cBb+6MpsM9iLyFrVYxgS6+QjBdrl/KSY8=
 github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys=
 github.com/notaryproject/tspclient-go v1.0.0-rc.1/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
-github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
-github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
+github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -32,16 +32,16 @@ github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7r
 github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=

From 1beafc70307e93272c6f4fae656460c76e6adb2c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:19:31 +0800
Subject: [PATCH 27/34] build(deps): Bump golang.org/x/term from 0.26.0 to
 0.27.0 (#1098)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>

From e108a7b964e3e360a725a1e3bd61637cc3f3c62c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:20:35 +0800
Subject: [PATCH 28/34] build(deps): Bump actions/cache from 4.1.2 to 4.2.0
 (#1101)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 323efeab0..632eeb9a6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -38,7 +38,7 @@ jobs:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Cache Go modules
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         id: go-mod-cache
         with:
           path: ~/go/pkg/mod

From 0e76dd4bb891f5458d58d67231a9d96fca3ede66 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:21:16 +0800
Subject: [PATCH 29/34] build(deps): Bump codecov/codecov-action from 5.0.7 to
 5.1.1 (#1102)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 632eeb9a6..8f4ae073b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,6 +59,6 @@ jobs:
             make e2e-covdata
           fi
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7
+        uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

From 3aa71ad45f1c8c87ccabe7186c8dc0302a866370 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:21:49 +0800
Subject: [PATCH 30/34] build(deps): Bump github/codeql-action from 3.27.5 to
 3.27.6 (#1103)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 .github/workflows/codeql.yml    | 4 ++--
 .github/workflows/scorecard.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 26ff7c8b6..00ae70369 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -49,8 +49,8 @@ jobs:
           go-version: ${{ matrix.go-version }}
           check-latest: true
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           languages: go
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 08435f65b..609938962 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -61,6 +61,6 @@ jobs:
           retention-days: 5
       
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           sarif_file: results.sarif

From c3a6d98be07704e6dee29d432ed960f67b1c51c2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:23:55 +0800
Subject: [PATCH 31/34] build(deps): Bump github.com/notaryproject/tspclient-go
 from 0.2.1-0.20241030015323-90a141e7525c to 1.0.0-rc.1 (#1100)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>

From 32a35a837d692855105b8d34e6574271a016400d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:07:25 +0800
Subject: [PATCH 32/34] build(deps): Bump golang.org/x/net from 0.31.0 to
 0.32.0 (#1099)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 68f1eee5c..d25649623 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/net v0.31.0
+	golang.org/x/net v0.32.0
 	golang.org/x/term v0.27.0
 	oras.land/oras-go/v2 v2.5.0
 )
diff --git a/go.sum b/go.sum
index d993e8a8e..50b5b3669 100644
--- a/go.sum
+++ b/go.sum
@@ -90,8 +90,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
+golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
+golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

From e51129f9c840d3f416e5bfc92ac06f4028b288f6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 11:10:15 +0800
Subject: [PATCH 33/34] build(deps): Bump github.com/onsi/gomega from 1.35.1 to
 1.36.1 in /test/e2e (#1106)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 test/e2e/go.mod | 2 +-
 test/e2e/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/e2e/go.mod b/test/e2e/go.mod
index 734737506..24fcc881f 100644
--- a/test/e2e/go.mod
+++ b/test/e2e/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/notaryproject/notation-core-go v1.2.0-rc.2
 	github.com/notaryproject/notation-go v1.3.0-rc.2
 	github.com/onsi/ginkgo/v2 v2.22.0
-	github.com/onsi/gomega v1.35.1
+	github.com/onsi/gomega v1.36.1
 	github.com/opencontainers/image-spec v1.1.0
 	oras.land/oras-go/v2 v2.5.0
 )
diff --git a/test/e2e/go.sum b/test/e2e/go.sum
index 226776d8f..a9febc544 100644
--- a/test/e2e/go.sum
+++ b/test/e2e/go.sum
@@ -18,8 +18,8 @@ github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlw
 github.com/notaryproject/tspclient-go v1.0.0-rc.1/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
 github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
+github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=

From bd5fd906e6ced7b8e4e2e913d3d0aec8006af4a9 Mon Sep 17 00:00:00 2001
From: Patrick Zheng <patrickzheng@microsoft.com>
Date: Fri, 13 Dec 2024 15:53:09 +0800
Subject: [PATCH 34/34] bump up

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
---
 test/e2e/plugin/go.mod | 4 ++--
 test/e2e/plugin/go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/test/e2e/plugin/go.mod b/test/e2e/plugin/go.mod
index d0581c5d3..2a1600a44 100644
--- a/test/e2e/plugin/go.mod
+++ b/test/e2e/plugin/go.mod
@@ -5,7 +5,7 @@ go 1.23
 require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/notaryproject/notation-core-go v1.2.0-rc.2
-	github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada
+	github.com/notaryproject/notation-go v1.3.0-rc.2
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
 	github.com/spf13/cobra v1.8.1
 )
@@ -24,7 +24,7 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/veraison/go-cose v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	oras.land/oras-go/v2 v2.5.0 // indirect
diff --git a/test/e2e/plugin/go.sum b/test/e2e/plugin/go.sum
index 5d4bf70aa..856583b69 100644
--- a/test/e2e/plugin/go.sum
+++ b/test/e2e/plugin/go.sum
@@ -39,8 +39,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-core-go v1.2.0-rc.2 h1:0jOItalNwBNUhyuc5PPHQxO3jIZ5xRYq+IvRMQXNbuE=
 github.com/notaryproject/notation-core-go v1.2.0-rc.2/go.mod h1:7aIcavfywFvBQoYyfVFJB501kt7Etqyubrt5mhJBG2c=
-github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada h1:WQdxuYhh9DH1Mjp9FJmjWTHBRq+ZGVeaWLklAaIEcWE=
-github.com/notaryproject/notation-go v1.3.0-rc.1.0.20241210003804-2d9fa222cada/go.mod h1:6a3/g7yD/8dxxBpimzUWthH8DLBrzHs4RTzdz9CALvw=
+github.com/notaryproject/notation-go v1.3.0-rc.2 h1:uugL3kruAAWPMFoOhjcoPAhUnIqMF1pcc8nIlqOKpeU=
+github.com/notaryproject/notation-go v1.3.0-rc.2/go.mod h1:l7C6xVLPy5cBb+6MpsM9iLyFrVYxgS6+QjBdrl/KSY8=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys=
@@ -74,8 +74,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=