chore(deps): update module github.com/distribution/distribution/v3 to v3.0.0

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/distribution/distribution/v3	v3.0.0-20230519140516-983358f8e250 -> v3.0.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

distribution/distribution (github.com/distribution/distribution/v3)

v3.0.0

Compare Source

Welcome to the v3.0.0 release of registry!

This is the first v3 stable release since v2.8.3 which is a culmination of years of hard work of the container community and registry maintainers!

If you are upgrading from v2.x and have never used any of the release candidates, please familiarise yourselves with the v2.x deprecations properly.

Deprecations

• oss and swift storage drivers are no longer supported
• docker/libtrust has been replaced with go-jose/go-jose in #​4096
• client is no longer supported as a standalone package in #​4126
• the default configuration path has changed to /etc/distribution/config.yml
• ManifestBuilder interface in 3886
• manifest.Versioned has been deprecated in favor of oci.Versioned in 3887
• reference package has been moved to github.com/distribution/reference in #​4063

Changes since the last release candidate

Changes

7 commits

* [`2e63da99`](https://redirect.github.com/distribution/distribution/commit/2e63da99776be71a17be3f79f60e4c3f485b87e1) Fix golangci-lint config (#​4612) * [`fd14cf19`](https://redirect.github.com/distribution/distribution/commit/fd14cf193339eb2300828363560884f4ccbadba3) Vrify the linter config first before running it * [`3a33ba12`](https://redirect.github.com/distribution/distribution/commit/3a33ba12ad9a436792c1e89a3732f8600940f6e6) Fix golangci-lint config * [`75f32197`](https://redirect.github.com/distribution/distribution/commit/75f32197b6f180518d17210195ae0d3eb3885ce5) Bump Azure deps (#​4611) * [`52f0f6c4`](https://redirect.github.com/distribution/distribution/commit/52f0f6c45d5397ebff48778b7c5c8b1dec89e572) Bump Azure deps * [`ef21149b`](https://redirect.github.com/distribution/distribution/commit/ef21149b4999ac0be22fe292640491b55cac9d9b) build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 in the go_modules group across 1 directory (#​4608) * [`05b308bc`](https://redirect.github.com/distribution/distribution/commit/05b308bc42519068f6157747301f5e68ef01b9af) build(deps): bump github.com/golang-jwt/jwt/v5

Previous release can be found at v3.0.0-rc.4

v3.0.0-rc.4

Compare Source

Welcome to the v3.0.0-rc.4 release of registry!

This is the fourth stable release candidate!

See the changelog below for a full list of changes.

Notable changes

• Enable MD5 check on GCS driver by @​milosgajdos in #​4586
• Azure driver [retry] fix by @​milosgajdos in #​4576, thanks @​vespian for reporting!

What's Changed

• registry/storage: add an option to silence GC output. by @​r4f4 in #​4560
• Fix broken signing algorithm configuration for token authentication by @​evanebb in #​4578
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 in the go_modules group by @​dependabot in #​4582
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @​dependabot in #​4579
• build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @​dependabot in #​4580
• Enable MD5 check on GCS driver by @​milosgajdos in #​4586
• Update osx-setup-guide.md and com.docker.registry.plist by @​andy-cooper in #​4592
• fix: remove nested structs from configuration by @​shanduur in #​4523
• use cached blob statter in ManifestService if available by @​Ollegio in #​4595
• Azure driver retry fix and refactor by @​milosgajdos in #​4576
• Rename cloud make targets to s3 by @​milosgajdos in #​4600
• Bump Go version in prep for a release by @​milosgajdos in #​4601
• build(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 in the go_modules group across 1 directory by @​dependabot in #​4597
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @​dependabot in #​4603
• Fix potential resource leak by ensuring the response body is closed in HTTPReadSeeker by @​Vad1mo in #​4605
• Prep for v3-rc.4 release by @​milosgajdos in #​4606

New Contributors

• @​r4f4 made their first contribution in #​4560
• @​evanebb made their first contribution in #​4578
• @​andy-cooper made their first contribution in #​4592
• @​shanduur made their first contribution in #​4523
• @​Ollegio made their first contribution in #​4595
• @​Vad1mo made their first contribution in #​4605

Full Changelog: distribution/distribution@v3.0.0-rc.3...v3.0.0-rc.4

v3.0.0-rc.3

Compare Source

Welcome to the v3.0.0-rc.3 release of registry!

This is the third stable release candidate!

See the changelog below for a full list of changes.

Notable changes

• Fixes CVE-2025-24976, thanks @​evanebb for reporting!

What's Changed

• build(deps): bump actions/upload-artifact from 4.3.6 to 4.5.0 by @​dependabot in #​4538
• ci: update bake-action to v6 by @​crazy-max in #​4554
• build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0 by @​dependabot in #​4553
• (security): Bump golang.org/x/net module by @​milosgajdos in #​4542
• (security): fix registry Token authentication bug by @​milosgajdos in f4a500c
• ci: fix bake build by @​crazy-max in #​4555
• Bump Go version by @​milosgajdos in #​4566
• Prep for v3-rc.3 release by @​milosgajdos in #​4568

Full Changelog: distribution/distribution@v3.0.0-rc.2...v3.0.0-rc.3

v3.0.0-rc.2

Compare Source

Welcome to the v3.0.0-rc.2 release of registry!

This is the second release candidate of registry!

See the changelog below for a full list of changes.

Notable changes

• Upgrade Go OpenTelemetry #​4508
• Add support for mTLS auth #​4537
• Update Go runtime and Alpine image #​4532

What's Changed

• build(deps): bump codecov/codecov-action from 4 to 5 by @​dependabot in #​4508
• Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp by @​krynju in #​4507
• docs: Explain how to configure a list through env variables by @​barbu110 in #​4522
• build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 by @​dependabot in #​4531
• update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ by @​thaJeztah in #​4527
• chore: Bump alpine image version by @​milosgajdos in #​4532
• Update squizzi maintainer email by @​squizzi in #​4530
• feat(configuration): support mtls auth mod by @​vitshev in #​4537
• Prepare for rc2 release by @​milosgajdos in #​4539

New Contributors

• @​krynju made their first contribution in #​4507
• @​barbu110 made their first contribution in #​4522
• @​squizzi made their first contribution in #​4530
• @​vitshev made their first contribution in #​4537

Full Changelog: distribution/distribution@v3.0.0-rc.1...v3.0.0-rc.2

v3.0.0-rc.1

Compare Source

Welcome to the v3.0.0-rc.1 release of registry!

This is the the first release candidate of registry!

See the changelog below for full list of changes.

Deprecated

• ManifestBuilder interface 3886
• Versioned in favor of oci.Versioned 3887

Notable Changes

• Attempt HeadObject on Stat call first before failing over to List in S3 driver 4401
• Use a consistent multipart chunk size in S3 driver 4424
• Build artifacts and images for linux/riscv64 4444
• Fix token verification chain in auth 4415
• Support custom exec-based credential helper in proxy mode #​4438

What's Changed

• vendor: github.com/opencontainers/image-spec v1.1.0 by @​thaJeztah in #​3889
• Descriptor: do not implement Describable interface by @​thaJeztah in #​3886
• S3 driver: Attempt HeadObject on Stat first, fail over to List by @​milosgajdos in #​4401
• manifest: slight cleanup of init / registration by @​thaJeztah in #​4403
• ci:bump Go version by @​milosgajdos in #​4402
• deprecate Versioned in favor of oci.Versioned by @​thaJeztah in #​3887
• fix logic for handling regionEndpoint by @​Ankurk99 in #​4341
• fix nil pointer in s3 list api by @​jkroepke in #​4412
• build(deps): bump softprops/action-gh-release from 1 to 2 by @​dependabot in #​4407
• build(deps): bump docker/bake-action from 4 to 5 by @​dependabot in #​4410
• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @​dependabot in #​4416
• chore: fix typos returned in some errors by @​milosgajdos in #​4414
• auth: fix token verification chain by @​milosgajdos in #​4415
• build(deps): bump github/codeql-action from 2.22.12 to 3.25.15 by @​dependabot in #​4426
• build(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @​dependabot in #​4422
• build(deps): bump actions/configure-pages from 4 to 5 by @​dependabot in #​4409
• fix: skip removing layer's link file when '--dry-run' option specified by @​microyahoo in #​4425
• build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.5 by @​dependabot in #​4428
• Use x.y.0 format for the go module version by @​ialidzhikov in #​4423
• build(deps): bump actions/upload-artifact from 4.3.5 to 4.3.6 by @​dependabot in #​4430
• build(deps): bump github/codeql-action from 3.25.15 to 3.26.0 by @​dependabot in #​4431
• build(deps): bump github/codeql-action from 3.26.0 to 3.26.2 by @​dependabot in #​4434
• chore: fix typo in rewrite storage middleware init by @​milosgajdos in #​4435
• build(deps): bump github/codeql-action from 3.26.2 to 3.26.3 by @​dependabot in #​4441
• Build artifacts and images for linux/riscv64 by @​macabu in #​4444
• build(deps): bump github/codeql-action from 3.26.3 to 3.26.5 by @​dependabot in #​4446
• chore: bump golangci-lint and fix govet issues by @​milosgajdos in #​4454
• Remove deprecated version field by @​tiborrr in #​4459
• Add a note regarding redirects to pre-signed URLs by @​Felixoid in #​4466
• fix: Add the token's rootcert public key to the list of known keys by @​josegomezr in #​4471
• TestProxyManifestsMetrics: use actual size of manifest by @​thaJeztah in #​4467
• docs: removed description of ELB as an example of an not sophisticated Load Balancer by @​yamoyamoto in #​4476
• Make Descriptor an alias for oci.Descriptor by @​thaJeztah in #​3888
• replace uses of Descriptor alias by @​thaJeztah in #​4479
• ci: Add validation for api docs by @​pratik-parikh01 in #​4481
• avoid appending directory as file path in s3 driver Walk by @​flavianmissi in #​4485
• ci: fix GHA CI build matrix by @​milosgajdos in #​4436
• docs: update hugo and theme versions by @​dvdksn in #​4499
• fix(registry/storage/driver/s3-aws): use a consistent multipart chunk size by @​uhthomas in #​4424
• feat: support custom exec-based credential helper in proxy mode by @​chhsia0 in #​4438
• Bump dependencies by @​milosgajdos in #​4498
• Prep for v3-rc.1 release by @​milosgajdos in #​4502

New Contributors

• @​Ankurk99 made their first contribution in #​4341
• @​jkroepke made their first contribution in #​4412
• @​macabu made their first contribution in #​4444
• @​tiborrr made their first contribution in #​4459
• @​Felixoid made their first contribution in #​4466
• @​josegomezr made their first contribution in #​4471
• @​yamoyamoto made their first contribution in #​4476
• @​pratik-parikh01 made their first contribution in #​4481
• @​uhthomas made their first contribution in #​4424
• @​chhsia0 made their first contribution in #​4438

Full Changelog: distribution/distribution@v3.0.0-beta.1...v3.0.0-rc.1

v3.0.0-beta.1

Compare Source

Welcome to the 3.0.0-beta.1 release of registry!

This is the last major pre-release of registry.

See the changelog below for full list of changes.

Deprecated

• the default configuration path has changed to /etc/distribution/config.yml

Notable Changes

• Support for sparse indexes enables selective mirroring of platform images
• Auth config now requires explicit declaration of token signing algorithms if using an unsupported signing algorithm
• Support for OpenTelemetry tracing has been added
• Redis cache now supports clustering and custom TLS config
• Caching proxy bug fixes and minor improvements
• Garbage collection fixes and improvements
• Documentation has received several updates

What's Changed

• update: set User-Agent header in GCS storage driver by @​milosgajdos in #​4203
• version: export getter functions by @​corhere in #​4204
• feat: add GH issue template by @​milosgajdos in #​4206
• fix: build status badge by @​milosgajdos in #​4207
• docs: remove legacy kramdown options from link by @​SKalt in #​4209
• update: readme cleanup and fxes by @​milosgajdos in #​4208
• feat: add PR labeler by @​milosgajdos in #​4205
• fix: add missing skip in s3 driver test by @​katexochen in #​4219
• vendor: github.com/mitchellh/mapstructure v1.5.0 by @​thaJeztah in #​4222
• chore: dependabot to keep gha up to date by @​crazy-max in #​4217
• build(deps): bump github/codeql-action from 1.0.26 to 3.22.12 by @​dependabot in #​4225
• build(deps): bump actions/deploy-pages from 2 to 4 by @​dependabot in #​4224
• build(deps): bump actions/checkout from 3 to 4 by @​dependabot in #​4226
• build(deps): bump actions/setup-go from 3 to 5 by @​dependabot in #​4228
• build(deps): bump actions/configure-pages from 3 to 4 by @​dependabot in #​4227
• chore: generate authors and update mailmap by @​crazy-max in #​4215
• chore: use no-cache-filter for outdated stage by @​crazy-max in #​4216
• build(deps): bump actions/upload-pages-artifact from 2 to 3 by @​dvdksn in #​4234
• build(deps): bump docker/login-action from 2 to 3 by @​dependabot in #​4239
• build(deps): bump docker/metadata-action from 4 to 5 by @​dependabot in #​4240
• update to alpine 3.19 by @​thaJeztah in #​4210
• build(deps): bump docker/setup-buildx-action from 2 to 3 by @​dependabot in #​4230
• fix: load gcs credentials and client inside DriverConstructor by @​katexochen in #​4218
• build(deps): bump docker/bake-action from 2 to 4 by @​crazy-max in #​4253
• build(deps): bump actions/upload-artifact from 3.0.0 to 4.1.0 by @​dependabot in #​4254
• remove deprecated ReadSeekCloser interfaces by @​thaJeztah in #​4245
• vendor: github.com/gorilla/handlers v1.5.2 by @​thaJeztah in #​4211
• fix: update Dockerfile version output by @​milosgajdos in #​4212
• fix: add labeler action by @​milosgajdos in #​4213
• chore: Remove duplicate area/ci entry in PR labeler by @​erezrokah in #​4256
• chore: Remove area/config duplicate entry in labeler.yml by @​erezrokah in #​4257
• chore: Migrate PR labeler config to v5 by @​erezrokah in #​4258
• docs: add rendering hook and fix broken links by @​dvdksn in #​4247
• refactor(storage/s3): remove redundant len check by @​Juneezee in #​4259
• feat: Add HTTP2 for unencrypted HTTP (v3) by @​erezrokah in #​4248
• build(deps): bump actions/upload-artifact from 4.1.0 to 4.3.0 by @​dependabot in #​4265
• build(deps): bump peter-evans/dockerhub-description from 3 to 4 by @​dependabot in #​4267
• Add a trademarks and docs license link by @​Jamstah in #​4276
• Do not write manifests on HEAD requests by @​jaimem88 in #​4286
• build(deps): bump codecov/codecov-action from 3 to 4 by @​dependabot in #​4271
• Update notifications.md by @​wyckster in #​4287
• fix: typo by @​testwill in #​4290
• [otel-tracing] Added Tracing to Base package (driver) by @​gotgelf in #​4196
• Standardize OTEL error logging format to match application logs by @​gotgelf in #​4292
• fix: typo by @​testwill in #​4296
• Support redirects in gcs storage with default credentials by @​teqwve in #​4295
• build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @​dependabot in #​4301
• build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @​dependabot in #​4297
• Update go versions by @​ialidzhikov in #​4303
• Initialize proxy prometheus counters values to 0 by @​dimitar-kostadinov in #​4283
• Don't try to parse error responses with no body by @​markusthoemmes in #​4307
• Upgrade Scorecard Action version to fix error by @​joycebrum in #​4311
• build(deps): bump ossf/scorecard-action from 2.0.6 to 2.3.1 by @​dependabot in #​4231
• build(deps): bump fossa-contrib/fossa-action from 2 to 3 by @​dependabot in #​4232
• chore: remove repetitive words in comments by @​xiaoxiangxianzi in #​4313
• chore: bump distriution/reference dependency by @​milosgajdos in #​4312
• Add Go 1.22 support to CI by @​austinvazquez in #​4314
• Fix garbage-collect --delete-untagged to handle schema 2 manifest list and OCI image index by @​thewolt in #​4285
• proxy: Do not configure HTTP secret for proxy registry by @​ialidzhikov in #​4305
• chore: fix some typos in comments by @​goodactive in #​4332
• build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 by @​dependabot in #​4333
• chore: fix some typos in comments by @​testwill in #​4335
• Allow setting s3 forcepathstyle without regionendpoint by @​schanzel in #​4291
• fix: ignore error of manifest tag path not found in gc by @​microyahoo in #​4331
• add bounded concurrency for tag lookup and untag by @​microyahoo in #​4329
• Add Shutdown method to registry.Registry by @​robinkb in #​4338
• Set readStartAtFile context aware for purge uploads by @​artpej in #​4339
• Fix #​2902: ‘autoRedirect’ hardcode ‘https’ scheme by @​icefed in #​2903
• Stop proxy scheduler on system exit by @​dimitar-kostadinov in #​4293
• Add support for Basic Authentication to proxyingRegistry by @​oliver-goetz in #​4263
• Include headers when serving blob through proxy by @​mikelr in #​4273
• docs: update location of filesystem.md by @​emmanuel-ferdman in #​4355
• Add a go.mod toolchain version by @​Jamstah in #​4347
• Add option to enable sparse indexes by @​Jamstah in #​3536
• feature: Bump go-jose and require signing algorithms in auth by @​milosgajdos in #​4349
• New path for distribution config by @​milosgajdos in #​4365
• build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.0 to 1.6.0 by @​dependabot in #​4380
• Update dockerhub.md by @​MahmoudKKandil in #​4394
• remove layer's link file by gc by @​microyahoo in #​4344
• docs: disable base element override by @​dvdksn in #​4391
• Replace custom Redis config struct with go-redis UniversalOptions (adds sentinel & cluster support) by @​andsens in #​4306
• feat: implement 'rewrite' storage middleware by @​smira in #​4146
• Update docs: JWKS credentials and AZ identity by @​milosgajdos in #​4397
• Bump Go and golang linter by @​milosgajdos in #​4389
• Prep for v3-beta1 release by @​milosgajdos in #​4399

New Contributors

• @​SKalt made their first contribution in #​4209
• @​katexochen made their first contribution in #​4219
• @​erezrokah made their first contribution in #​4256
• @​jaimem88 made their first contribution in #​4286
• @​testwill made their first contribution in #​4290
• @​teqwve made their first contribution in #​4295
• @​markusthoemmes made their first contribution in #​4307
• @​xiaoxiangxianzi made their first contribution in #​4313
• @​austinvazquez made their first contribution in #​4314
• @​thewolt made their first contribution in #​4285
• @​goodactive made their first contribution in #​4332
• @​schanzel made their first contribution in #​4291
• @​microyahoo made their first contribution in #​4331
• @​robinkb made their first contribution in #​4338
• @​artpej made their first contribution in #​4339
• @​icefed made their first contribution in #​2903
• @​oliver-goetz made their first contribution in #​4263
• @​mikelr made their first contribution in #​4273
• @​emmanuel-ferdman made their first contribution in #​4355
• @​MahmoudKKandil made their first contribution in #​4394
• @​andsens made their first contribution in #​4306
• @​smira made their first contribution in #​4146

Full Changelog: distribution/distribution@v3.0.0-alpha.1...v3.0.0-beta.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.