
chore(deps): upgrade in-toto-golang and refresh vendored sources #160

Merged: l-qing merged 1 commit into alauda-v0.34.0 from chore/run-skills/alauda-v0.34.0 on May 9, 2026

Conversation

@l-qing

@l-qing l-qing commented May 9, 2026


Summary

Auto-generated by tektoncd-run-skills.sh. Every skill below ran in
changes-only mode and all modifications were combined into a single commit
on top of origin/alauda-v0.34.0.

Commit message

chore(deps): upgrade in-toto-golang and refresh vendored sources

  • bump github.com/in-toto/in-toto-golang from v0.9.0 to v0.11.0
  • update Go toolchain patch version to 1.26.3 in module and image build args
  • refresh vendored in-toto files and checksums to match the dependency upgrade

Skills executed (in order)

  • devops-refresh-containerfile-digests — noop(30s)
  • devops-sync-alauda-github-releases — noop(42s)
  • devops-upgrade-go — changed(249s)
  • devops-fix-go-vulns — changed(218s)

Changed files

 contrib/tkn-image/Dockerfile                       |   2 +-
 go.mod                                             |   4 +-
 go.sum                                             |   4 +-
 .../in-toto/in-toto-golang/in_toto/attestations.go |  36 +++-
 .../in-toto/in-toto-golang/in_toto/keylib.go       | 216 +--------------------
 .../in-toto/in-toto-golang/in_toto/match.go        |   8 +-
 .../in-toto/in-toto-golang/in_toto/model.go        |  51 ++++-
 .../in-toto/in-toto-golang/in_toto/runlib.go       |  92 +++++++--
 .../in_toto/slsa_provenance/common/common.go       |   2 +-
 .../in_toto/slsa_provenance/v0.1/provenance.go     |   4 +-
 .../in_toto/slsa_provenance/v0.2/provenance.go     |   4 +-
 .../in_toto/slsa_provenance/v1/provenance.go       |  36 +++-
 .../in-toto/in-toto-golang/in_toto/util.go         |   4 +-
 .../in-toto/in-toto-golang/in_toto/verifylib.go    |  90 ++++++---
 vendor/modules.txt                                 |   4 +-
 15 files changed, 281 insertions(+), 276 deletions(-)

Test plan

  • CI on alauda-v0.34.0 passes
  • Spot-check each skill section against its standalone behaviour
  • If vulnerabilities were fixed, confirm trivy re-scan shows 0 fixable


@alaudabot alaudabot left a comment


PR Review Summary

Reviewed by alaudabot. This is a clean dependency upgrade PR with no blocking issues.

Verdict: PR is good to go.

Files Reviewed

15 files changed (+281/-276), primarily vendored sources.

Findings

  • Critical Issues: 0
  • Warnings: 0
  • Suggestions: 1

Suggestion

  • vendor/modules.txt:1018 — The vendored modules.txt now declares go 1.24.0 as the Go version for in-toto/in-toto-golang, while the module declares go 1.26.3. This is cosmetic (the local go.mod governs the build) but indicates the vendor was refreshed with a newer Go toolchain.

Positive Feedback

  • Go version consistency across go.mod and Dockerfile (both 1.26.2 → 1.26.3)
  • Build compiles successfully with updated dependencies
  • Dependency upgrade follows a clean, standard pattern
  • Vulnerability fixes from upstream (devops-fix-go-vulns) are included

Comment thread on vendor/modules.txt (reviewed lines):
github.com/in-toto/attestation/go/v1
# github.com/in-toto/in-toto-golang v0.9.0
## explicit; go 1.20
# github.com/in-toto/in-toto-golang v0.11.0


Info (style/consistency): The vendored modules.txt shows go 1.24.0 for in-toto-golang v0.11.0, while the main go.mod declares go 1.26.3. This is cosmetic and doesn't break the build, but it's worth noting the vendor was created with a newer Go toolchain than the project minimum.

@alaudabot


🤖 AI Code Review

Property             Value
Model                opencode/minimax-m2.5-free
Style                strict
Issues Found         0
Config Source        centralized
Profile              ❌ Not Found
Personalized Prompt  ❌ No
Prompt Path          .github/review/profiles/alaudadevops/tektoncd-cli/pr-review.md
Alauda Skills        ✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at 2026-05-09 15:07:57 UTC

Summary

This PR upgrades in-toto-golang from v0.9.0 to v0.11.0, updates the Go toolchain version in go.mod and the Dockerfile from 1.26.2 to 1.26.3, and refreshes vendored sources accordingly. The changes are primarily vendored dependency updates with minimal code impact since in-toto-golang is an indirect dependency. The build compiles successfully.

Review Statistics

Category         Count
Critical Issues  0
Warnings         0
Suggestions      1
Files Reviewed   15

Critical Issues

None.

Warnings

None.

Suggestions

  • [vendor/modules.txt:1018] The vendored modules.txt now declares go 1.24.0 as the Go version requirement for in-toto/in-toto-golang, but the module itself only declares go 1.26.3 (via go.mod). This mismatch in the vendored modules.txt is cosmetic and doesn't affect the build, but it could be a sign that the vendor was created with a newer Go version. Consider verifying the vendor was refreshed consistently.

Positive Feedback

  • The dependency upgrade follows a clean pattern: module version bump, go mod tidy, and vendor refresh are all aligned.
  • The Dockerfile and go.mod Go version are consistently updated from 1.26.2 to 1.26.3.
  • Build passes successfully with the updated dependencies.
  • The devops-fix-go-vulns skill was applied as part of the upgrade pipeline, ensuring any Go vulnerability fixes from the upstream upgrade are included.


ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: 4a9568cdd56fea5ff37c463d60c67e04c765f13f
  • No repository-specific prompt configured
  • Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
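
A local check for the vendor-consistency suggestion raised in the review above, written here as an added example; it is not code from this repository or from tektoncd-run-skills.sh. It assumes the Dockerfile declares the toolchain as `ARG GO_VERSION=...` (the PR only says the version lives in image build args), and it runs on constructed copies of go.mod, the Dockerfile and vendor/modules.txt that carry the versions named in the PR (1.26.3, v0.11.0, and a stale v0.9.0 tree for contrast). The `## explicit; go 1.24.0` annotation under a module header in modules.txt records the go directive of that dependency's own go.mod, so the check reports it as information rather than as a mismatch with the main module's go directive.

```shell
#!/bin/sh
# Added consistency check for a vendored Go dependency upgrade (example code,
# not part of the repository). Each function takes file contents as a string
# so it can run on the constructed samples at the bottom; on a real checkout,
# pass "$(cat go.mod)", "$(cat contrib/tkn-image/Dockerfile)" and
# "$(cat vendor/modules.txt)" instead.

# Go toolchain version from the main module's "go" directive in go.mod.
gomod_go_version() {
    printf '%s\n' "$1" | awk '$1 == "go" { print $2; exit }'
}

# Go version from the Dockerfile build arg. The ARG name GO_VERSION is an
# assumption for this example; the PR only says the version is a build arg.
dockerfile_go_version() {
    printf '%s\n' "$1" | sed -n 's/^ARG GO_VERSION=//p' | head -n 1
}

# Version of module $2 required by go.mod, whether written as a single
# "require m vX" line or inside a "require ( ... )" block ("// indirect" is fine).
gomod_module_version() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == m { print $2; exit }
        $1 == "require" && $2 == m { print $3; exit }'
}

# Version of module $2 recorded in vendor/modules.txt ("# m vX.Y.Z" header).
vendored_module_version() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == "#" && $2 == m { print $3; exit }'
}

# The "## explicit; go N" line under a module header records the go directive
# of that dependency's own go.mod. It is informational and may legitimately
# differ from the main module's go directive.
vendored_go_directive() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == "#" && $2 == m { found = 1; next }
        found && $1 == "##" { for (i = 1; i < NF; i++) if ($i == "go") { print $(i + 1); exit } }
        found && $1 == "#" { exit }'
}

# Exit 0 when the toolchain version agrees between go.mod and the Dockerfile
# and the vendored copy of module $4 is the version go.mod requires; each
# mismatch is reported on stderr and turns the exit status into 1.
check_upgrade_consistency() {
    gomod=$1; dockerfile=$2; modules=$3; module=$4
    rc=0
    gv=$(gomod_go_version "$gomod")
    dv=$(dockerfile_go_version "$dockerfile")
    if [ "$gv" != "$dv" ]; then
        echo "toolchain mismatch: go.mod go $gv, Dockerfile GO_VERSION $dv" >&2
        rc=1
    fi
    rv=$(gomod_module_version "$gomod" "$module")
    vv=$(vendored_module_version "$modules" "$module")
    if [ -z "$vv" ] || [ "$rv" != "$vv" ]; then
        echo "vendor mismatch for $module: go.mod $rv, vendor/modules.txt ${vv:-missing}" >&2
        rc=1
    fi
    echo "info: $module vendored copy declares go $(vendored_go_directive "$modules" "$module")" >&2
    return $rc
}

# Constructed sample inputs (not the repository's real files). The versions are
# the ones named in the PR; the module path example.com/tkn is a placeholder.
SAMPLE_GOMOD='module example.com/tkn

go 1.26.3

require (
    github.com/in-toto/in-toto-golang v0.11.0 // indirect
)'

SAMPLE_DOCKERFILE='ARG GO_VERSION=1.26.3
FROM golang:${GO_VERSION} AS builder'

SAMPLE_MODULES='# github.com/in-toto/in-toto-golang v0.11.0
## explicit; go 1.24.0
github.com/in-toto/in-toto-golang/in_toto'

# A vendor tree that was not refreshed after the go.mod bump.
STALE_MODULES='# github.com/in-toto/in-toto-golang v0.9.0
## explicit; go 1.20
github.com/in-toto/in-toto-golang/in_toto'

check_upgrade_consistency "$SAMPLE_GOMOD" "$SAMPLE_DOCKERFILE" "$SAMPLE_MODULES" \
    github.com/in-toto/in-toto-golang && echo "refreshed vendor: consistent"
check_upgrade_consistency "$SAMPLE_GOMOD" "$SAMPLE_DOCKERFILE" "$STALE_MODULES" \
    github.com/in-toto/in-toto-golang || echo "stale vendor: inconsistent (as expected)"
```

The go.mod versus vendor/modules.txt half of this is something the Go toolchain already enforces: with a vendor directory present and a go directive of 1.14 or later, `go build` fails with an "inconsistent vendoring" error when the two disagree, so the cheapest CI equivalent is `go mod vendor && git diff --exit-code vendor/`. The script is useful for reading each piece explicitly during review and for the Dockerfile drift, which go itself does not see.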

@l-qing l-qing merged commit 7f5ee66 into alauda-v0.34.0 May 9, 2026
2 checks passed
@l-qing l-qing deleted the chore/run-skills/alauda-v0.34.0 branch May 9, 2026 15:19