
chore: upgrade in-toto-golang dependency to v0.11.0#162

Merged
l-qing merged 1 commit into alauda-v0.43.0 from chore/run-skills/alauda-v0.43.0 on May 9, 2026

Conversation

l-qing commented May 9, 2026

Summary

Auto-generated by tektoncd-run-skills.sh. Every skill below ran in
changes-only mode and all modifications were combined into a single commit
on top of origin/alauda-v0.43.0.

Commit message

chore: upgrade in-toto-golang dependency to v0.11.0

  • bump github.com/in-toto/in-toto-golang from a pseudo version to v0.11.0
  • refresh go.sum and vendor/modules metadata for the new module version
  • vendor upstream in-toto-golang updates including safer type assertions and docs fixes

Skills executed (in order)

  • devops-refresh-containerfile-digests — changed (40s)
  • devops-sync-alauda-github-releases — changed (42s)
  • devops-upgrade-go — changed (224s)
  • devops-fix-go-vulns — changed (272s)

Changed files

 go.mod                                             |  2 +-
 go.sum                                             |  4 +-
 .../in-toto/in-toto-golang/in_toto/attestations.go |  2 +-
 .../in-toto/in-toto-golang/in_toto/keylib.go       |  6 +-
 .../in-toto/in-toto-golang/in_toto/match.go        |  8 ++-
 .../in-toto/in-toto-golang/in_toto/model.go        | 10 ++-
 .../in-toto/in-toto-golang/in_toto/runlib.go       |  4 +-
 .../in_toto/slsa_provenance/common/common.go       |  2 +-
 .../in_toto/slsa_provenance/v0.1/provenance.go     |  4 +-
 .../in_toto/slsa_provenance/v0.2/provenance.go     |  4 +-
 .../in_toto/slsa_provenance/v1/provenance.go       |  4 +-
 .../in-toto/in-toto-golang/in_toto/verifylib.go    | 82 ++++++++++++++++------
 vendor/modules.txt                                 |  4 +-
 13 files changed, 95 insertions(+), 41 deletions(-)

Test plan

  • CI on alauda-v0.43.0 passes
  • Spot-check each skill section against its standalone behaviour
  • If vulnerabilities were fixed, confirm trivy re-scan shows 0 fixable

@l-qing l-qing merged commit cb5bef0 into alauda-v0.43.0 May 9, 2026
2 of 3 checks passed
@l-qing l-qing deleted the chore/run-skills/alauda-v0.43.0 branch May 9, 2026 15:26

alaudabot left a comment

Review Summary

This PR upgrades the in-toto-golang dependency to v0.11.0. The changes include safer type assertions (a security improvement), documentation typo fixes, and spec compliance updates.

No blocking issues found.

Key Observations:

  • Type assertion safety improvements in , , use the safer comma-ok idiom
  • Documentation fixes (typos like "specifictaion" → "specification")
  • Character class negation change ( → ) improves Python compatibility

Note (informational only):

The upstream module declares Go 1.24.0 requirement, but the vendored code appears compatible. Please verify CI passes on your target Go version.

@alaudabot

🤖 AI Code Review

Property             Value
Model                opencode/minimax-m2.5-free
Style                strict
Issues Found         0
Config Source        centralized
Profile              ❌ Not Found
Personalized Prompt  ❌ No
Prompt Path          .github/review/profiles/alaudadevops/tektoncd-cli/pr-review.md
Alauda Skills        ✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at          2026-05-09 15:27:04 UTC

Summary

This PR upgrades the in-toto-golang dependency from a pseudo version to v0.11.0. The changes include vendor updates with safer type assertions, documentation typo fixes, and API improvements. Overall, this is a routine dependency upgrade that brings security improvements.

Review Statistics

Category         Count
Critical Issues  0
Warnings         0
Suggestions      1
Files Reviewed   13

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None

Warnings

Issues that SHOULD be addressed but are not blocking

None

Suggestions

Recommendations for improvement (nice to have)

  • [vendor/modules.txt:1024] Note: The upstream in-toto-golang v0.11.0 declares a go 1.24.0 requirement in its go.mod. While the vendored code appears compatible with older Go versions (no Go 1.24-specific features are used in this diff), you may want to verify the build passes on your target Go version (currently set to go 1.12 in go.mod). This is informational only and not a blocking issue.

Positive Feedback

  • Security improvement: The type assertion changes in keylib.go, model.go, verifylib.go use the safer comma-ok idiom instead of direct type assertions, reducing potential runtime panics.
  • Documentation quality: Multiple typo fixes in comments improve code readability (e.g., "specifictaion" → "specification", "wheter" → "whether", "metatadata" → "metadata").
  • Spec compliance: The character class negation change in match.go (^!) improves compatibility with the Python in-toto implementation.
  • API consistency: The JSON field tag change from invocationID to invocationId follows camelCase convention (SLSA spec v1.0).


ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: 4a9568cdd56fea5ff37c463d60c67e04c765f13f
  • No repository-specific prompt configured
  • Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
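The comma-ok point raised in the reviews above, shown as an added example that is not in-toto-golang's own code: a constructed layout-style document whose `expires` field carries a number instead of the expected string. A direct type assertion on the untrusted field panics and takes the verifier down; the comma-ok form turns the same input into an ordinary error. The function names and the sample document are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample (not real in-toto metadata): "expires" is a number,
// not the string a verifier expects. Metadata arrives from outside the
// trust boundary, so field types cannot be assumed.
const sampleMetadata = `{"_type":"layout","expires":20260509,"keys":{}}`

// decode parses the raw document into a generic map, as a verifier does
// before it knows which concrete type it is looking at.
func decode(raw string) (map[string]interface{}, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, err
	}
	return doc, nil
}

// unsafeExpires mirrors a direct type assertion: a wrong type panics.
func unsafeExpires(doc map[string]interface{}) string {
	return doc["expires"].(string) // panics unless the value is a string
}

// safeExpires uses the comma-ok idiom and reports the problem as an error.
func safeExpires(doc map[string]interface{}) (string, error) {
	v, present := doc["expires"]
	if !present {
		return "", errors.New("expires: field missing")
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("expires: expected string, got %T", v)
	}
	return s, nil
}

// didPanic reports whether fn panics, so both behaviours can be compared
// without crashing the process.
func didPanic(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}
```

Calling `didPanic(func() { unsafeExpires(doc) })` on the decoded sample reports true, while `safeExpires(doc)` returns an error naming the offending type (float64, since encoding/json decodes JSON numbers into float64).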
