From 456a11ab87f0537968c899127d986f02e5784777 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Jan 2025 16:59:53 +0800 Subject: [PATCH 1/3] build(deps): Bump github.com/notaryproject/tspclient-go from 1.0.0-rc.1 to 1.0.0 (#1143) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [github.com/notaryproject/tspclient-go](https://github.com/notaryproject/tspclient-go) from 1.0.0-rc.1 to 1.0.0.
Release notes

Sourced from github.com/notaryproject/tspclient-go's releases.

v1.0.0

tspclient-go V1

The robust implementation of RFC 3161 Timestamp Protocol Client in Go.

Key Features

What's Changed since v1.0.0-rc.1

Full Changelog: https://github.com/notaryproject/tspclient-go/compare/v1.0.0-rc.1...v1.0.0

Vote PASSED [+4 -0]: #43

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/notaryproject/tspclient-go&package-manager=go_modules&previous-version=1.0.0-rc.1&new-version=1.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 88843464..320b0a4b 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.23
 require (
 github.com/notaryproject/notation-core-go v1.2.0-rc.2
 github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250107003620-26ce0894a624
- github.com/notaryproject/tspclient-go v1.0.0-rc.1
+ github.com/notaryproject/tspclient-go v1.0.0
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
 github.com/sirupsen/logrus v1.9.3
diff --git a/go.sum b/go.sum
index 34a5fdda..5e0aadee 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250107003620-26ce0894a624
 github.com/notaryproject/notation-go v1.2.0-beta.1.0.20250107003620-26ce0894a624/go.mod h1:1QaHYG/UOeAYhfLBipsSxquu3BheRm7a+5RODcc5nQg=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
-github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys=
-github.com/notaryproject/tspclient-go v1.0.0-rc.1/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v1.0.0 h1:AwQ4x0gX8IHnyiZB1tggpn5NFqHpTEm1SDX8YNv4Dg4=
+github.com/notaryproject/tspclient-go v1.0.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
From f134aca2ac10034c9475fd8f0766c52cd98f8a12 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Jan 2025 17:00:33 +0800 Subject: [PATCH 2/3] build(deps): Bump github/codeql-action from 3.28.0 to 3.28.1 (#1142) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.0 to 3.28.1.
Release notes

Sourced from github/codeql-action's releases.

v3.28.1

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.1 - 10 Jan 2025

  • CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see this changelog post. #2677
  • Update default CodeQL bundle version to 2.20.1. #2678

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.1 - 10 Jan 2025

  • CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see this changelog post. #2677
  • Update default CodeQL bundle version to 2.20.1. #2678

3.28.0 - 20 Dec 2024

  • Bump the minimum CodeQL bundle version to 2.15.5. #2655
  • Don't fail in the unusual case that a file is on the search path. #2660.

3.27.9 - 12 Dec 2024

No user facing changes.

3.27.8 - 12 Dec 2024

  • Fixed an issue where streaming the download and extraction of the CodeQL bundle did not respect proxy settings. #2624

3.27.7 - 10 Dec 2024

  • We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. #2631
  • Update default CodeQL bundle version to 2.20.0. #2636

3.27.6 - 03 Dec 2024

  • Update default CodeQL bundle version to 2.19.4. #2626

3.27.5 - 19 Nov 2024

No user facing changes.

3.27.4 - 14 Nov 2024

No user facing changes.

3.27.3 - 12 Nov 2024

No user facing changes.

3.27.2 - 12 Nov 2024

  • Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". #2590

... (truncated)

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3.28.0&new-version=3.28.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 980c79f3..43530dfa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -49,8 +49,8 @@ jobs: go-version: ${{ matrix.go-version }} check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e7219e37..10e494bd 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -61,6 +61,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 with: sarif_file: results.sarif From cd933daede84c390b5814c223c20751e3a5dcd75 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Tue, 14 Jan 2025 17:16:49 +0800 Subject: [PATCH 3/3] fix: load config error (#1145) Fix: - the `LoadConfigOnce` function forgets the error and return a nil config and nil error next time. Updated to use `sync.OnceValues` to keep the returned values. Resolves #1144 --------- 
Signed-off-by: Junjie Gao --- internal/cmd/flags.go | 10 +++++----- pkg/configutil/once.go | 36 ++++++++++++++++++------------------ pkg/configutil/once_test.go | 31 ++++++++++++++++++++++++++++++- pkg/configutil/util_test.go | 9 ++++----- 4 files changed, 57 insertions(+), 29 deletions(-) diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go index 196768b2..a2bed995 100644 --- a/internal/cmd/flags.go +++ b/internal/cmd/flags.go @@ -44,14 +44,14 @@ var ( Usage: "signature envelope format, options: \"jws\", \"cose\"", } SetPflagSignatureFormat = func(fs *pflag.FlagSet, p *string) { - defaultSignatureFormat := envelope.JWS - // load config to get signatureFormat config, err := configutil.LoadConfigOnce() - if err == nil && config.SignatureFormat != "" { - defaultSignatureFormat = config.SignatureFormat + if err != nil || config.SignatureFormat == "" { + fs.StringVar(p, PflagSignatureFormat.Name, envelope.JWS, PflagSignatureFormat.Usage) + return } - fs.StringVar(p, PflagSignatureFormat.Name, defaultSignatureFormat, PflagSignatureFormat.Usage) + // set signatureFormat from config + fs.StringVar(p, PflagSignatureFormat.Name, config.SignatureFormat, PflagSignatureFormat.Usage) } PflagID = &pflag.Flag{ diff --git a/pkg/configutil/once.go b/pkg/configutil/once.go index 00e2a2a4..f5e1d96e 100644 --- a/pkg/configutil/once.go +++ b/pkg/configutil/once.go 
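Review bot: The new early return in `SetPflagSignatureFormat` folds a config load error and an empty `SignatureFormat` into the same silent fallback to `envelope.JWS`, so a malformed or unreadable config.json leaves no trace at flag-registration time. That is presumably deliberate (registering flags must not fail) and the error is now cached by `LoadConfigOnce`, so it should surface wherever the config is actually consumed — but the intent deserves a comment on the `if`, e.g. `// a config error is intentionally ignored here; flag setup must not fail and LoadConfigOnce callers report it`. Since `loadConfig` in once.go already lowercases `SignatureFormat` and defaults it to `envelope.JWS`, the `config.SignatureFormat == ""` half of the condition is redundant on the success path; keep it only if a config not produced by `loadConfig` can reach this code. The enclosing `var (` block starts and ends outside the hunk.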
@@ -21,28 +21,28 @@ import ( "github.com/notaryproject/notation/internal/envelope" ) -var ( - // configInfo is the config.json data - configInfo *config.Config - configOnce sync.Once -) +// loadConfigOnce is a function that invokes loadConfig only once. +var loadConfigOnce = sync.OnceValues(loadConfig) // LoadConfigOnce returns the previously read config file. // If previous config file does not exist, it reads the config from file // or return a default config if not found. // The returned config is only suitable for read only scenarios for short-lived processes. func LoadConfigOnce() (*config.Config, error) { - var err error - configOnce.Do(func() { - configInfo, err = config.LoadConfig() - if err != nil { - return - } - // set default value - configInfo.SignatureFormat = strings.ToLower(configInfo.SignatureFormat) - if configInfo.SignatureFormat == "" { - configInfo.SignatureFormat = envelope.JWS - } - }) - return configInfo, err + return loadConfigOnce() +} + +// loadConfig reads the config from file or return a default config if not +// found. +func loadConfig() (*config.Config, error) { + configInfo, err := config.LoadConfig() + if err != nil { + return nil, err + } + // set default value + configInfo.SignatureFormat = strings.ToLower(configInfo.SignatureFormat) + if configInfo.SignatureFormat == "" { + configInfo.SignatureFormat = envelope.JWS + } + return configInfo, nil } diff --git a/pkg/configutil/once_test.go b/pkg/configutil/once_test.go index d218669d..bd406919 100644 --- a/pkg/configutil/once_test.go +++ b/pkg/configutil/once_test.go @@ -14,10 +14,19 @@ package configutil import ( + "os" + "path/filepath" + "strings" + "sync" "testing" + + "github.com/notaryproject/notation-go/dir" ) func TestLoadConfigOnce(t *testing.T) { + defer func() { + loadConfigOnce = sync.OnceValues(loadConfig) + }() config1, err := LoadConfigOnce() if err != nil { t.Fatal("LoadConfigOnce failed.") 
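Review bot: The doc comment on `LoadConfigOnce` still describes the old `sync.Once` flow and does not say what `sync.OnceValues` changes: the `*config.Config` and the error are both memoized, so a read failure (malformed JSON, a permission error) is sticky for the lifetime of the process and is never retried. Suggest replacing the first three sentences with `// LoadConfigOnce loads config.json at most once per process and returns the cached (*config.Config, error) pair on every later call; a load error is cached as well and is not retried.`, and changing `or return a default config` to `or returns a default config` in the `loadConfig` comment. `loadConfigOnce` is a package-level variable that the tests in this commit reassign to clear the cache; a note on the declaration, e.g. `// tests reassign this to reset the cached result`, would keep a future cleanup from treating it as immutable. `sync.OnceValues` needs Go 1.21+, which the `go 1.23` directive visible in the first patch of this series satisfies.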
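Review bot: The reset `loadConfigOnce = sync.OnceValues(loadConfig)` is now hand-copied into deferred closures in five tests (here, in `TestLoadConfigOnceError` in the next hunk, and in the `TestIsRegistryInsecure*` and `TestResolveKey` hunks of util_test.go), and because it only runs after each test, every test still depends on the previous one having cleaned up — the pre-test `configOnce = sync.Once{}` lines that this commit removes from util_test.go used to provide that guarantee. A helper such as `func resetLoadConfigOnce(t *testing.T) { loadConfigOnce = sync.OnceValues(loadConfig); t.Cleanup(func() { loadConfigOnce = sync.OnceValues(loadConfig) }) }` called at the top of each test would reset both before and after and remove the duplication. `TestLoadConfigOnce` also calls `LoadConfigOnce` without pointing `dir.UserConfigDir` at a temp dir first, so it appears to read whatever config.json the developer has locally, unlike the sibling test added below — confirm that is intended. `TestLoadConfigOnce` continues outside the hunk.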
@@ -27,6 +36,26 @@ func TestLoadConfigOnce(t *testing.T) { t.Fatal("LoadConfigOnce failed.") } if config1 != config2 { - t.Fatal("LoadConfigOnce is invalid.") + t.Fatal("LoadConfigOnce should return the same config.") + } +} + +func TestLoadConfigOnceError(t *testing.T) { + dir.UserConfigDir = t.TempDir() + defer func() { + dir.UserConfigDir = "" + loadConfigOnce = sync.OnceValues(loadConfig) + }() + if err := os.WriteFile(filepath.Join(dir.UserConfigDir, dir.PathConfigFile), []byte("invalid json"), 0600); err != nil { + t.Fatal("Failed to create file.") + } + + _, err := LoadConfigOnce() + if err == nil || !strings.Contains(err.Error(), "invalid character") { + t.Fatal("LoadConfigOnce should fail.") + } + _, err2 := LoadConfigOnce() + if err != err2 { + t.Fatal("LoadConfigOnce should return the same error.") } } diff --git a/pkg/configutil/util_test.go b/pkg/configutil/util_test.go index cac87584..1570996d 100644 --- a/pkg/configutil/util_test.go +++ b/pkg/configutil/util_test.go @@ -25,11 +25,10 @@ import ( ) func TestIsRegistryInsecure(t *testing.T) { - configOnce = sync.Once{} // for restore dir defer func(oldDir string) { dir.UserConfigDir = oldDir - configOnce = sync.Once{} + loadConfigOnce = sync.OnceValues(loadConfig) }(dir.UserConfigDir) // update config dir dir.UserConfigDir = "testdata" @@ -56,11 +55,10 @@ func TestIsRegistryInsecure(t *testing.T) { } func TestIsRegistryInsecureMissingConfig(t *testing.T) { - configOnce = sync.Once{} // for restore dir defer func(oldDir string) { dir.UserConfigDir = oldDir - configOnce = sync.Once{} + loadConfigOnce = sync.OnceValues(loadConfig) }(dir.UserConfigDir) // update config dir dir.UserConfigDir = "./testdata2" 
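Review bot: `TestLoadConfigOnceError` restores `dir.UserConfigDir` to `""` rather than to the value it had before the test, unlike the util_test.go tests in this same commit, which capture `oldDir`; if the package default is not the empty string, every test that runs afterwards sees a changed config dir. Use the same pattern here: `defer func(oldDir string) { dir.UserConfigDir = oldDir; loadConfigOnce = sync.OnceValues(loadConfig) }(dir.UserConfigDir)`. The `strings.Contains(err.Error(), "invalid character")` check couples the test to encoding/json's message wording, which presumably is what `config.LoadConfig` surfaces; if that error is wrapped with `%w`, `errors.As(err, new(*json.SyntaxError))` would be sturdier. The `err != err2` identity comparison is fine — it is exactly the regression the commit fixes, and `sync.OnceValues` guarantees the same error value.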
@@ -93,7 +91,7 @@ func TestIsRegistryInsecureConfigPermissionError(t *testing.T) { defer func(oldDir string) error { // restore permission dir.UserConfigDir = oldDir - configOnce = sync.Once{} + loadConfigOnce = sync.OnceValues(loadConfig) return os.Chmod(filepath.Join(configDir, "config.json"), 0644) }(dir.UserConfigDir) @@ -113,6 +111,7 @@ func TestIsRegistryInsecureConfigPermissionError(t *testing.T) { func TestResolveKey(t *testing.T) { defer func(oldDir string) { dir.UserConfigDir = oldDir + loadConfigOnce = sync.OnceValues(loadConfig) }(dir.UserConfigDir) t.Run("valid e2e key", func(t *testing.T) {
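Review bot: The deferred closure in `TestIsRegistryInsecureConfigPermissionError` that this hunk edits is declared with an `error` return, but `defer` discards return values, so the `os.Chmod(...)` failure that restores the 0644 permission is silently lost and a leftover unreadable testdata file would only show up as a confusing failure in a later test. This predates the commit, but since the line is being touched anyway, `t.Cleanup(func() { if err := os.Chmod(filepath.Join(configDir, "config.json"), 0644); err != nil { t.Error(err) } })` would report it. The function body starts outside the hunk.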