Flavio Castelli

True, this can now be closed. I've also created https://github.com/sigstore/sigstore-rs/pull/489 to not hide this error from `cargo audit`

Instead of using `Swatinem/rust-cache` we could use the GitHub's official `cache` action. Something like that should work: ```yaml - name: Setup Cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: path: | ~/.cargo/registry...

You're right. Let's stick with your original PR. Can you please rebase it against the `main` branch?

Building fails because another direct dependency [pulldown-cmark-mdcat](https://crates.io/crates/pulldown-cmark-mdcat) is using the previous version of [pulldown-cmark](https://redirect.github.com/raphlinus/pulldown-cmark). Unfortunately `pulldown-cmark-mdcat` is part of [mdcat](https://github.com/swsnr/mdcat), which has been archived by the maintainer last month (Jan...

I had to manually fix this PR. It's now handling **only** the crate updates. I've also tuned renovatebot's configuration to group GHA updates together

There's also https://github.com/dtolnay/rust-toolchain which is gained popularity. Unfortunately the releases are not tagged and there's no plan to start doing that (see [this issue](https://github.com/dtolnay/rust-toolchain/issues/121))

Kinda of a duplicate of https://github.com/sigstore/sigstore-rs/issues/367

This is something we already support, you can tune that with [this knob](https://docs.rs/oci-client/latest/oci_client/client/struct.ClientConfig.html#structfield.use_monolithic_push). Does that solve your problem?

Honestly, we don't have any milestone. We usually tag new releases whenever: - a bunch of PRs with new fixes are merged into `main` - a security update is done...

> @flavio I wouldn't be opposed to autobumping the patch version on a regular cadence for all non-breaking dep updates Good, I'll look into the other automation I mentioned and...