github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-08 17:46:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
458 Commits 40 Branches 45 Tags
190fddac0ef7fcc481d43c2c2fa714031f34c700
Commit Graph

458 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mend Renovate
190fddac0e chore(deps): update github-actions (#817) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | minor | `v4.1.7` -> `v4.2.2` |
|
[actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action)
| action | minor | `v4.3.3` -> `v4.5.0` |
|
[actions/download-artifact](https://redirect.github.com/actions/download-artifact)
| action | patch | `v4.1.7` -> `v4.1.8` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) |
action | minor | `v5.0.2` -> `v5.1.0` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) |
action | minor | `v5.0.1` -> `v5.1.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) |
action | minor | `v4.0.2` -> `v4.1.0` |
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | minor | `v4.3.3` -> `v4.4.3` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | minor | `v3.25.11` -> `v3.27.6` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | minor | `v2.3.3` -> `v2.4.0` |
|
[slsa-framework/slsa-verifier](https://redirect.github.com/slsa-framework/slsa-verifier)
| action | minor | `v2.5.1` -> `v2.6.0` |
|
[thehanimo/pr-title-checker](https://redirect.github.com/thehanimo/pr-title-checker)
| action | patch | `v1.4.2` -> `v1.4.3` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2)

- `url-helper.ts` now leverages well-known environment variables by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/checkout/pull/1941](https://redirect.github.com/actions/checkout/pull/1941)
- Expand unit test coverage for `isGhes` by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/checkout/pull/1946](https://redirect.github.com/actions/checkout/pull/1946)

###
[`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1)

- Check out other refs/\* by commit if provided, fall back to ref by
[@&#8203;orhantoy](https://redirect.github.com/orhantoy) in
[https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924)

###
[`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0)

- Add Ref and Commit outputs by
[@&#8203;lucacome](https://redirect.github.com/lucacome) in
[https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180)
- Dependency updates by
[@&#8203;dependabot-](https://redirect.github.com/dependabot-)
[https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777),
[https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.5.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.5.0)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.4.0...v4.5.0)

#### What's Changed

- Bump got from 14.4.2 to 14.4.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/844](https://redirect.github.com/actions/dependency-review-action/pull/844)
- Bump nodemon from 3.1.0 to 3.1.7 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/847](https://redirect.github.com/actions/dependency-review-action/pull/847)
- Bump [@&#8203;vercel/ncc](https://redirect.github.com/vercel/ncc) from
0.38.1 to 0.38.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/849](https://redirect.github.com/actions/dependency-review-action/pull/849)
- Overriding the cross-spawn dependency to use a safe version by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/850](https://redirect.github.com/actions/dependency-review-action/pull/850)
- fix: add summary comment on failure when warn-only: true by
[@&#8203;ebickle](https://redirect.github.com/ebickle) in
[https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827)
- Prepare for 4.5.0 release by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/851](https://redirect.github.com/actions/dependency-review-action/pull/851)

#### New Contributors

- [@&#8203;ebickle](https://redirect.github.com/ebickle) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4...v4.5.0

###
[`v4.4.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.4.0)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0)

#### What's Changed

- Fix for merge_group event bug by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/846](https://redirect.github.com/actions/dependency-review-action/pull/846)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0

###
[`v4.3.5`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.5)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5)

#### What's Changed

- fix: getRefs function to handle merge_group events by
[@&#8203;louis-bompart](https://redirect.github.com/louis-bompart) in
[https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766)
- Create pull_request_template.md by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/794](https://redirect.github.com/actions/dependency-review-action/pull/794)
- Update CONTRIBUTING.md by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/793](https://redirect.github.com/actions/dependency-review-action/pull/793)
- Bump [@&#8203;types/node](https://redirect.github.com/types/node) from
20.11.28 to 20.16.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/815](https://redirect.github.com/actions/dependency-review-action/pull/815)
- Upgrade transitive micromatch library by
[@&#8203;elireisman](https://redirect.github.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/829](https://redirect.github.com/actions/dependency-review-action/pull/829)
- Do not list changed dependencies in summary by
[@&#8203;hmaurer](https://redirect.github.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/828](https://redirect.github.com/actions/dependency-review-action/pull/828)
- Update stale.yaml by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/832](https://redirect.github.com/actions/dependency-review-action/pull/832)
- Bump got from 14.4.1 to 14.4.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/822](https://redirect.github.com/actions/dependency-review-action/pull/822)
- Bump eslint-plugin-jest and ts-jest by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840)

#### New Contributors

- [@&#8203;louis-bompart](https://redirect.github.com/louis-bompart)
made their first contribution in
[https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766)
- [@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah)
made their first contribution in
[https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5

###
[`v4.3.4`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.4)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4)

#### What's Changed

- Include all added dependencies in scorecard entries by
[@&#8203;elireisman](https://redirect.github.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/783](https://redirect.github.com/actions/dependency-review-action/pull/783)
- Update SPDX Expression Parsing by
[@&#8203;febuiles](https://redirect.github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/719](https://redirect.github.com/actions/dependency-review-action/pull/719)
- This PR is a significant refactor of SPDX expression parsing that
*may* fix some bugs, but unfortunately there are several related known
issues that remain unresolved as of this version.

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.8`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.8)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.7...v4.1.8)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/download-artifact/pull/341](https://redirect.github.com/actions/download-artifact/pull/341)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.8

</details>

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v5.1.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.1.0)

[Compare
Source](https://redirect.github.com/actions/setup-go/compare/v5.0.2...v5.1.0)

##### What's Changed

- Add workflow file for publishing releases to immutable action package
by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- Upgrade IA Publish by
[@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/setup-go/pull/502](https://redirect.github.com/actions/setup-go/pull/502)
- Add architecture to cache key by
[@&#8203;Zxilly](https://redirect.github.com/Zxilly) in
[https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
This addresses issues with caching by adding the architecture (arch) to
the cache key, ensuring that cache keys are accurate to prevent
conflicts.
Note: This change may break previous cache keys as they will no longer
be compatible with the new format.
- Enhance workflows and Upgrade micromatch Dependency by
[@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) in
[https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Bug Fixes**

- Revise `isGhes` logic by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)

##### New Contributors

- [@&#8203;Zxilly](https://redirect.github.com/Zxilly) made their first
contribution in
[https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their
first contribution in
[https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- [@&#8203;jww3](https://redirect.github.com/jww3) made their first
contribution in
[https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)
- [@&#8203;priyagupta108](https://redirect.github.com/priyagupta108)
made their first contribution in
[https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Full Changelog**:
https://github.com/actions/setup-go/compare/v5...v5.1.0

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v4.1.0`](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

###
[`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

###
[`v4.0.3`](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3)

##### What's Changed

- Undo indirect dependency updates from
[#&#8203;627](https://redirect.github.com/actions/upload-artifact/issues/627)
by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in
[https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3

###
[`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2)

##### What's Changed

- Bump `@actions/artifact` to 2.1.11 by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627)
    -   Includes fix for relative symlinks not resolving properly

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2

###
[`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1)

##### What's Changed

- Add a section about hidden files by
[@&#8203;joshmgross](https://redirect.github.com/joshmgross) in
[https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607)
- Add workflow file for publishing releases to immutable action package
by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)
- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
to latest version, includes symlink and timeout fixes by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625)

##### New Contributors

- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their
first contribution in
[https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1

###
[`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

###
[`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

###
[`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

###
[`v4.3.4`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.4)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4)

##### What's Changed

- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/584](https://redirect.github.com/actions/upload-artifact/pull/584)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.27.6`](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

###
[`v3.27.5`](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

###
[`v3.27.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.3...v3.27.4)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.4 - 14 Nov 2024

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md)
for more information.

###
[`v3.27.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.2...v3.27.3)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.3 - 12 Nov 2024

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md)
for more information.

###
[`v3.27.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.1...v3.27.2)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.2 - 12 Nov 2024

- Fixed an issue where setting up the CodeQL tools would sometimes fail
with the message "Invalid value 'undefined' for header 'authorization'".
[#&#8203;2590](https://redirect.github.com/github/codeql-action/pull/2590)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md)
for more information.

###
[`v3.27.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.0...v3.27.1)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.1 - 08 Nov 2024

- The CodeQL Action now downloads bundles compressed using Zstandard on
GitHub Enterprise Server when using Linux or macOS runners. This speeds
up the installation of the CodeQL tools. This feature is already
available to GitHub.com users.
[#&#8203;2573](https://redirect.github.com/github/codeql-action/pull/2573)
- Update default CodeQL bundle version to 2.19.3.
[#&#8203;2576](https://redirect.github.com/github/codeql-action/pull/2576)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.1/CHANGELOG.md)
for more information.

###
[`v3.27.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.13...v3.27.0)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.0 - 22 Oct 2024

- Bump the minimum CodeQL bundle version to 2.14.6.
[#&#8203;2549](https://redirect.github.com/github/codeql-action/pull/2549)
- Fix an issue where the `upload-sarif` Action would fail with
"upload-sarif post-action step failed: Input required and not supplied:
token" when called in a composite Action that had a different set of
inputs to the ones expected by the `upload-sarif` Action.
[#&#8203;2557](https://redirect.github.com/github/codeql-action/pull/2557)
- Update default CodeQL bundle version to 2.19.2.
[#&#8203;2552](https://redirect.github.com/github/codeql-action/pull/2552)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.0/CHANGELOG.md)
for more information.

###
[`v3.26.13`](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

###
[`v3.26.12`](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

###
[`v3.26.11`](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

###
[`v3.26.10`](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

###
[`v3.26.9`](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

###
[`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

###
[`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

###
[`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

###
[`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

###
[`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

###
[`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

###
[`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

###
[`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

###
[`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

###
[`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

###
[`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

###
[`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

###
[`v3.25.12`](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0).
Of special note to Scorecard Action is the Maintainer Annotation
feature, which can be used to suppress some Code Scanning false
positives. Alerts will not be generated for any Scorecard Check with an
annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@&#8203;spencerschrock](https://redirect.github.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by
[@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.6.0`](https://redirect.github.com/slsa-framework/slsa-verifier/releases/tag/v2.6.0)

[Compare
Source](https://redirect.github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0)

#### What's Changed

- chore: Update doc and digests for v2.5.1 by
[@&#8203;laurentsimon](https://redirect.github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/748](https://redirect.github.com/slsa-framework/slsa-verifier/pull/748)
- fix(deps): update module google.golang.org/protobuf to v1.33.0
\[security] by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/743](https://redirect.github.com/slsa-framework/slsa-verifier/pull/743)
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/718](https://redirect.github.com/slsa-framework/slsa-verifier/pull/718)
- chore: Update
[@&#8203;actions/github](https://redirect.github.com/actions/github) v6
by [@&#8203;laurentsimon](https://redirect.github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/749](https://redirect.github.com/slsa-framework/slsa-verifier/pull/749)
- fix: use sigstore/pkg/fulcioroots to lessen deps by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/746](https://redirect.github.com/slsa-framework/slsa-verifier/pull/746)
- feat: add ramonpetgrave64 as CODEOWNER by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/750](https://redirect.github.com/slsa-framework/slsa-verifier/pull/750)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`1a8ece8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/1a8ece8)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/701](https://redirect.github.com/slsa-framework/slsa-verifier/pull/701)
- chore(deps): update github-actions (major) by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/719](https://redirect.github.com/slsa-framework/slsa-verifier/pull/719)
- fix(deps): update dependency org.apache.maven:maven-plugin-api to
v3.9.6 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/751](https://redirect.github.com/slsa-framework/slsa-verifier/pull/751)
- chore(deps): update npm dev (major) by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/753](https://redirect.github.com/slsa-framework/slsa-verifier/pull/753)
- fix(deps): update dependency
org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/752](https://redirect.github.com/slsa-framework/slsa-verifier/pull/752)
- feat: fixes
[#&#8203;547](https://redirect.github.com/slsa-framework/slsa-verifier/issues/547):
add npm sigstore-tuf suport by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/731](https://redirect.github.com/slsa-framework/slsa-verifier/pull/731)
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4
\[security] by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/723](https://redirect.github.com/slsa-framework/slsa-verifier/pull/723)
- chore(deps): update golang:1.21 docker digest to
[`81811f8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/81811f8)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/693](https://redirect.github.com/slsa-framework/slsa-verifier/pull/693)
- chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/758](https://redirect.github.com/slsa-framework/slsa-verifier/pull/758)
- chore(deps): update golang:1.21 docker digest to
[`d83472f`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/d83472f)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/764](https://redirect.github.com/slsa-framework/slsa-verifier/pull/764)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`53745e9`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/53745e9)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/763](https://redirect.github.com/slsa-framework/slsa-verifier/pull/763)
- feat: workflow to update actions dist by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/760](https://redirect.github.com/slsa-framework/slsa-verifier/pull/760)
- fix(deps): update dependency
[@&#8203;actions/core](https://redirect.github.com/actions/core) to
v1.10.1 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/717](https://redirect.github.com/slsa-framework/slsa-verifier/pull/717)
- chore: fix pr-title-checker by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/770](https://redirect.github.com/slsa-framework/slsa-verifier/pull/770)
- chore: Update Renovate config by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/769](https://redirect.github.com/slsa-framework/slsa-verifier/pull/769)
- fix: use pr_number as env variable by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/771](https://redirect.github.com/slsa-framework/slsa-verifier/pull/771)
- fix: signoff commit by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/767](https://redirect.github.com/slsa-framework/slsa-verifier/pull/767)
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/781](https://redirect.github.com/slsa-framework/slsa-verifier/pull/781)
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to
0.7.7 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/782](https://redirect.github.com/slsa-framework/slsa-verifier/pull/782)
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/779](https://redirect.github.com/slsa-framework/slsa-verifier/pull/779)
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/780](https://redirect.github.com/slsa-framework/slsa-verifier/pull/780)
- chore(deps): bump the npm_and_yarn group across 2 directories with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/slsa-framework/slsa-verifier/pull/784](https://redirect.github.com/slsa-framework/slsa-verifier/pull/784)
- fix(deps): update golang.org/x/exp digest to
[`7f521ea`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/7f521ea)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/775](https://redirect.github.com/slsa-framework/slsa-verifier/pull/775)
- fix: make download-artifacts.sh more flexible by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/761](https://redirect.github.com/slsa-framework/slsa-verifier/pull/761)
- chore(deps): update golang:1.21 docker digest to
[`b405b62`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/b405b62)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/774](https://redirect.github.com/slsa-framework/slsa-verifier/pull/774)
- chore(deps): update npm dev by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/650](https://redirect.github.com/slsa-framework/slsa-verifier/pull/650)
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/787](https://redirect.github.com/slsa-framework/slsa-verifier/pull/787)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/786](https://redirect.github.com/slsa-framework/slsa-verifier/pull/786)
- feat: vsa support by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/777](https://redirect.github.com/slsa-framework/slsa-verifier/pull/777)
- fix: use tag for the builder in the release workflow by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/788](https://redirect.github.com/slsa-framework/slsa-verifier/pull/788)

**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0

</details>

<details>
<summary>thehanimo/pr-title-checker
(thehanimo/pr-title-checker)</summary>

###
[`v1.4.3`](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

[Compare
Source](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
 2024-12-04 13:00:06 -05:00
Ramon Petgrave
17f79583c5 fix: fix method for getting leaf certs in Bundle v0.3 (#813) 
Followup to
https://github.com/slsa-framework/slsa-github-generator/pull/3777

This PR adds a missing modification for getting the leaf certificate in
the new Bundle format v0.3.

In my original experiments, I did have this method in a dev branch, but
neglected to include it in the final PR.
-
https://github.com/slsa-framework/slsa-verifier/compare/main...verify-sigstore-go-Bundlev3#diff-a9bfffae1bd0d145e950805e7a35b8e65adc7a68affa605b484f4831097b989cR98-R107
 - https://github.com/slsa-framework/slsa-verifier/pull/799/files

## Testing

- I re-used the same attestation file from a failing workflow for unit
tests and manual invocation.
-
https://github.com/slsa-framework/example-package/actions/runs/11511156484

## Followup

- Finish finding a way to test changes within PRs.
-
https://github.com/slsa-framework/slsa-github-generator/pull/3777#discussion_r1795254767
  - https://github.com/slsa-framework/slsa-verifier/pull/797

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-10-29 16:43:56 -04:00
dependabot[bot]
70f3c9a079 chore(deps): bump github.com/sigstore/sigstore-go from 0.6.1 to 0.6.2 in the go_modules group across 1 directory (#812) 
Bumps the go_modules group with 1 update in the / directory:
[github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go).

Updates `github.com/sigstore/sigstore-go` from 0.6.1 to 0.6.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/sigstore-go/releases">github.com/sigstore/sigstore-go's
releases</a>.</em></p>
<blockquote>
<h2>v0.6.2</h2>
<p>This is a minor release to enable better error handling in the gh
CLI.</p>
<h2>What's Changed</h2>
<ul>
<li>Use sentinel errors bundle validation in <code>validateBundle</code>
func by <a
href="https://github.com/malancas"><code>@​malancas</code></a> in <a
href="https://redirect.github.com/sigstore/sigstore-go/pull/291">sigstore/sigstore-go#291</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2">https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0726854518"><code>0726854</code></a>
Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (<a
href="https://redirect.github.com/sigstore/sigstore-go/issues/289">#289</a>)</li>
<li><a
href="8c0e75bb62"><code>8c0e75b</code></a>
Use sentinel errors bundle validation in <code>validateBundle</code>
func (<a
href="https://redirect.github.com/sigstore/sigstore-go/issues/291">#291</a>)</li>
<li>See full diff in <a
href="https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/sigstore/sigstore-go&package-manager=go_modules&previous-version=0.6.1&new-version=0.6.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-10-15 17:02:39 +00:00
Mend Renovate
ba80473d23 chore(deps): update gcr.io/distroless/base:nonroot docker digest to e5260be (#795) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `53745e9` -> `e5260be` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM4LjgwLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2024-10-15 16:45:28 +00:00
Mend Renovate
f42f81fc35 fix(deps): update module github.com/sigstore/sigstore-go to v0.6.1 [security] (#805) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/sigstore/sigstore-go](https://redirect.github.com/sigstore/sigstore-go)
| `v0.5.1` -> `v0.6.1` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fsigstore-go/v0.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fsigstore-go/v0.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fsigstore-go/v0.5.1/v0.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fsigstore-go/v0.5.1/v0.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-45395](https://redirect.github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq)

### Impact

sigstore-go is susceptible to a denial of service attack when a verifier
is provided a maliciously crafted Sigstore Bundle containing large
amounts of verifiable data, in the form of signed transparency log
entries, RFC 3161 timestamps, and attestation subjects. The verification
of these data structures is computationally expensive. This can be used
to consume excessive CPU resources, leading to a denial of service
attack. TUF's security model labels this type of vulnerability an
"Endless data attack," and can lead to verification failing to complete
and disrupting services that rely on sigstore-go for verification.

The vulnerable loops are in the verification functions in the package
`github.com/sigstore/sigstore-go/pkg/verify`. The first is the DSSE
envelope verification loop in `verifyEnvelopeWithArtifact`, which
decodes all the digests in an attestation can be found here:


725e508ed4/pkg/verify/signature.go (L183-L193)

The next loop is in the `VerifyArtifactTransparencyLog` function, which
verifies all the signed entries in a bundle:


725e508ed4/pkg/verify/tlog.go (L74-L178)

The next loop is the `VerifyTimestampAuthority` function, which verifies
all the RFC 3161 timestamps in a bundle:


725e508ed4/pkg/verify/tsa.go (L59-L68)

### Patches

This vulnerability is addressed with sigstore-go 0.6.1, which adds hard
limits to the number of verifiable data structures that can be processed
in a bundle. Verification will fail if a bundle has data that exceeds
these limits. The limits are:

- 32 signed transparency log entries
- 32 RFC 3161 timestamps
- 1024 attestation subjects
- 32 digests per attestation subject

These limits are intended to be high enough to accommodate the vast
majority of use cases, while preventing the verification of maliciously
crafted bundles that contain large amounts of verifiable data.

### Workarounds

The best way to mitigate the risk is to upgrade to sigstore-go 0.6.1 or
later. Users who are vulnerable but unable to quickly upgrade may
consider adding manual bundle validation to enforce limits similar to
those in the referenced patch prior to calling sigstore-go's
verification functions.

---

### Release Notes

<details>
<summary>sigstore/sigstore-go
(github.com/sigstore/sigstore-go)</summary>

###
[`v0.6.1`](https://redirect.github.com/sigstore/sigstore-go/releases/tag/v0.6.1)

[Compare
Source](https://redirect.github.com/sigstore/sigstore-go/compare/v0.6.0...v0.6.1)

#### What's Changed

v0.6.1 resolves a security advisory for a denial of service. See
https://github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq
for more information.

- Add fuzz tests for bundle, tlog and verify packages by
[@&#8203;AdamKorcz](https://redirect.github.com/AdamKorcz) in
[https://github.com/sigstore/sigstore-go/pull/272](https://redirect.github.com/sigstore/sigstore-go/pull/272)
- Add the ability to contruct TrustRoot from targets by
[@&#8203;bkabrda](https://redirect.github.com/bkabrda) in
[https://github.com/sigstore/sigstore-go/pull/247](https://redirect.github.com/sigstore/sigstore-go/pull/247)
- add oss-fuzz build script by
[@&#8203;AdamKorcz](https://redirect.github.com/AdamKorcz) in
[https://github.com/sigstore/sigstore-go/pull/278](https://redirect.github.com/sigstore/sigstore-go/pull/278)
- Fix proof of key possession generation by
[@&#8203;adityasaky](https://redirect.github.com/adityasaky) in
[https://github.com/sigstore/sigstore-go/pull/283](https://redirect.github.com/sigstore/sigstore-go/pull/283)
- Add additional validation for nil elements in Bundles by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/285](https://redirect.github.com/sigstore/sigstore-go/pull/285)
- Add hard limits for number of TSA entries, Tlog entries, and
attestation subjects/digests by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/286](https://redirect.github.com/sigstore/sigstore-go/pull/286)

**Full Changelog**:
https://github.com/sigstore/sigstore-go/compare/v0.6.0...v0.6.1

###
[`v0.6.0`](https://redirect.github.com/sigstore/sigstore-go/releases/tag/v0.6.0)

[Compare
Source](https://redirect.github.com/sigstore/sigstore-go/compare/v0.5.1...v0.6.0)

As folks use sigstore-go in more cases, we continue to make fixes and do
some minor API interface changes.

Because we are pre-1.0.0 these were made as breaking changes. After
1.0.0 we will provide deprecation notices and smoother migration paths.
There may be more minor interface changes between now and v1.0.0.

#### Breaking Changes

-   In `pkg/bundle/bundle.go`
    -   `ProtobufBundle` is now `Bundle`
    -   `NewProtobufBundle` is now `NewBundle`
-   In `pkg/bundle/signature_content.go`
- Use `Statement()` type was from
`github.com/in-toto/in-toto-golang/in_toto` now comes from
`github.com/in-toto/attestation/go/v1`

#### What's Changed

- feat: add support for additional transparency log key types by
[@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in
[https://github.com/sigstore/sigstore-go/pull/197](https://redirect.github.com/sigstore/sigstore-go/pull/197)
- feat: use GetLogEntryByIndex to query rekor by
[@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in
[https://github.com/sigstore/sigstore-go/pull/188](https://redirect.github.com/sigstore/sigstore-go/pull/188)
- feat: add validation of required fields in the bundle by
[@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in
[https://github.com/sigstore/sigstore-go/pull/189](https://redirect.github.com/sigstore/sigstore-go/pull/189)
- Rename ProtobufBundle to Bundle by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/251](https://redirect.github.com/sigstore/sigstore-go/pull/251)
- Fix verify DSSE bundles (after signing) by
[@&#8203;steiza](https://redirect.github.com/steiza) in
[https://github.com/sigstore/sigstore-go/pull/258](https://redirect.github.com/sigstore/sigstore-go/pull/258)
- Fix crash with missing checkpoint by
[@&#8203;haydentherapper](https://redirect.github.com/haydentherapper)
in
[https://github.com/sigstore/sigstore-go/pull/260](https://redirect.github.com/sigstore/sigstore-go/pull/260)
- Add file pattern to CODEOWNERS by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/269](https://redirect.github.com/sigstore/sigstore-go/pull/269)
- Use example.com and remove trademark from tests by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/267](https://redirect.github.com/sigstore/sigstore-go/pull/267)
- Add deprecation message for ProtobufBundle by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/271](https://redirect.github.com/sigstore/sigstore-go/pull/271)
- Switch in-toto library to github.com/in-toto/attestation by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/274](https://redirect.github.com/sigstore/sigstore-go/pull/274)

**Full Changelog**:
https://github.com/sigstore/sigstore-go/compare/v0.5.1...v0.6.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguMTE1LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2024-10-10 19:48:14 +00:00
Kyle Colantonio
d758bd3718 feat(action): Updating to Node20 (#811) 
This PR relates to the discussion from
https://github.com/slsa-framework/slsa-verifier/issues/806 regarding the
Node16 deprecation notice.

There are no changes to the `dist/` folder with the change to Node20
(used `v20.17.0`) - this is completely drop-in.

Signed-off-by: Kyle Colantonio <k@yle.sh>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-10-10 15:30:23 -04:00
Ramon Petgrave
4cd7d4802e chore: update go and golanci lint (#810) 
This PR updates go to 1.23.1 and updates golanci-lint to v1.61.1, while
fixing new lint errors.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-10-10 13:07:08 -04:00
Mend Renovate
9093b4fd79 fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.9 (#809) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-plugin-api](https://maven.apache.org/) |
`3.9.6` -> `3.9.9` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-plugin-api/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-plugin-api/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-plugin-api/3.9.6/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-plugin-api/3.9.6/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-10-07 17:09:17 +00:00
Mend Renovate
8fff4c861d chore(deps): update golang:1.21 docker digest to 4746d26 (#802) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `f2eb989` -> `4746d26` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41Ni4wIiwidXBkYXRlZEluVmVyIjoiMzguNTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
 2024-10-07 16:22:25 +00:00
Mend Renovate
9868d0ae94 chore(deps): update dependency pyyaml to v6.0.2 (#808) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [pyyaml](https://pyyaml.org/)
([source](https://redirect.github.com/yaml/pyyaml)) | `==6.0.1` ->
`==6.0.2` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/pyyaml/6.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/pyyaml/6.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/pyyaml/6.0.1/6.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pyyaml/6.0.1/6.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>yaml/pyyaml (pyyaml)</summary>

###
[`v6.0.2`](https://redirect.github.com/yaml/pyyaml/releases/tag/6.0.2)

[Compare
Source](https://redirect.github.com/yaml/pyyaml/compare/6.0.1...6.0.2)

#### What's Changed

-   Support for Cython 3.x and Python 3.13.

**Full Changelog**: https://github.com/yaml/pyyaml/compare/6.0.1...6.0.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-10-07 07:26:38 +00:00
Mend Renovate
090586f5aa fix(deps): update golang.org/x/exp digest to 225e2ab (#803) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `7f521ea` -> `225e2ab` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41Ni4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
 2024-10-07 03:12:18 -04:00
Ramon Petgrave
767ecf9e0a feat: handle dssev001 tlog entry types (#799) 
re: https://github.com/slsa-framework/slsa-github-generator/issues/3750

Rekor TLog entries can now be of the type dsse v0.0.1, as when what's
returned when using sigstore-go's `Bundle()`.

This is to support eventual Sigstore Bundles produced by
slsa-github-generator's "generic" generator, which will likely use
sigstore-go's Bundle to produce attestations

-
https://github.com/slsa-framework/slsa-github-generator/compare/main...ramonpetgrave64-internal-builder-sigstore-bundlev2#diff-b186a0c5d9ae459b11b694f05455568453699670926d21cad06cafec3dbf895eR101
-
https://github.com/slsa-framework/slsa-github-generator/actions/runs/10359750833

## Tesing

- Added unit tests with stub data
- manual invocations to very both new and old attestations and bundles,
with some modifications for testing purposes
-
https://github.com/slsa-framework/slsa-verifier/compare/main...verify-sigstore-go-Bundlev3#diff-94741068472ee694a12811cd704179dd478a9fa20a3bf45cf6ea2d4406214dc2R179

## Followup

Finish the work to produce bundles from the generic generators
-
https://github.com/slsa-framework/slsa-github-generator/compare/main...ramonpetgrave64-internal-builder-sigstore-bundlev2#diff-b186a0c5d9ae459b11b694f05455568453699670926d21cad06cafec3dbf895eR101

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-08-24 03:31:43 +00:00
Bob Callaway
b92dabfb1c feat: set user-agent header on Rekor requests (#801) 
This is part of an effort to track clients of Sigstore infrastructure,
and their versions.

Signed-off-by: Bob Callaway <bcallaway@google.com>
 2024-08-23 18:42:14 +07:00
Mend Renovate
1694bbf872 chore(config): migrate renovate config (#800) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

The Renovate config in this repository needs migrating. Typically this
is because one or more configuration options you are using have been
renamed.

You don't need to merge this PR right away, because Renovate will
continue to migrate these fields internally each time it runs. But later
some of these fields may be fully deprecated and the migrations removed.
So it's a good idea to merge this migration PR soon.





🔕 **Ignore**: Close this PR and you won't be reminded about config
migration again, but one day your current config may no longer be valid.

 Got questions? Does something look wrong to you? Please don't hesitate
to [request help
here](https://togithub.com/renovatebot/renovate/discussions).


---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).
 2024-08-14 00:02:10 -04:00
Ramon Petgrave
3f37511042 chore: fix vuln: override autolinker ^4.0.0 (#785) 
fixes
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11

markdown-toc's latest v1.2.0 is still vulnerable via a transitive
dependency, but hasn't received updates in a long time.

This PR overrides one of the other transitive dependencies to a
non-vulnerable version.

more info here
https://github.com/jonschlinkert/markdown-toc/issues/156#issuecomment-2197630000

# Testing process

- Manually invoked `make markdown-toc` and it did succeed, while also
adding a missing header in the README.
 - Made a few typos in the headers and markdown-toc did fix them.
 - Cloned markdown-toc, added the override, and its unit tests passed

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-08-13 19:08:24 +00:00
dependabot[bot]
e8275856e0 chore(deps): bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible in the go_modules group (#798) 
Bumps the go_modules group with 1 update:
[github.com/docker/docker](https://github.com/docker/docker).

Updates `github.com/docker/docker` from 26.1.4+incompatible to
26.1.5+incompatible
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/docker/releases">github.com/docker/docker's
releases</a>.</em></p>
<blockquote>
<h2>v26.1.5</h2>
<h2>26.1.5</h2>
<h3>Security</h3>
<p>This release contains a fix for <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110">CVE-2024-41110</a>
/ <a
href="https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq">GHSA-v23v-6jw2-98fq</a>
that impacted setups using <a
href="https://docs.docker.com/engine/extend/plugins_authorization/">authorization
plugins (AuthZ)</a>
for access control. No other changes are included in this release, and
this
release is otherwise identical for users not using AuthZ plugins.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/moby/moby/compare/v26.1.4...v26.1.5">https://github.com/moby/moby/compare/v26.1.4...v26.1.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="411e817ddf"><code>411e817</code></a>
Merge commit from fork</li>
<li><a
href="9cc85eaef1"><code>9cc85ea</code></a>
If url includes scheme, urlPath will drop hostname, which would not
match the...</li>
<li><a
href="820cab90bc"><code>820cab9</code></a>
Authz plugin security fixes for 0-length content and path
validation</li>
<li><a
href="6bc49067a6"><code>6bc4906</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/48123">#48123</a>
from vvoland/v26.1-48120</li>
<li><a
href="6fbdce4b94"><code>6fbdce4</code></a>
update to go1.21.12</li>
<li><a
href="f5334644ec"><code>f533464</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47986">#47986</a>
from vvoland/v26.1-47985</li>
<li><a
href="c1d4587d76"><code>c1d4587</code></a>
builder/mobyexporter: Add missing nil check</li>
<li><a
href="d6428049a5"><code>d642804</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47940">#47940</a>
from thaJeztah/26.1_backport_api_remove_container_c...</li>
<li><a
href="daba2462f5"><code>daba246</code></a>
docs: api: image inspect: remove Container and ContainerConfig</li>
<li>See full diff in <a
href="https://github.com/docker/docker/compare/v26.1.4...v26.1.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=26.1.4+incompatible&new-version=26.1.5+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-08-12 11:04:32 -04:00
Mend Renovate
489e79138b chore(deps): update golang:1.21 docker digest to f2eb989 (#796) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `b405b62` -> `f2eb989` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-08-05 16:21:16 +00:00
Ramon Petgrave
c789437815 feat: refactor: use sigstore-go for fetching TrustedRoot (#791) 
Uses the `sigstore-go` library for fetching the `TrustedRoot`, which
contains the Sigstore infrastructure certificates needed to validate the
leaf ephemeral certificates used to sign artifacts.

Refactors:

- replace `TrustedRootSingleton()` with `getDefaultCosignCheckOpts()`,
since only `VerifyImage()` will now need that data.
- replace `cosign.ValidateAndUnpackCert`
with`sigstoreVerify.VerifyLeafCertificate()`
- use `sync.Once` for sigstore and rekor clients, and the `TrustedRoot`

## Testing

- existing tests continue to pass
- [negative tests
](d96b977709/cli/slsa-verifier/main_regression_test.go (L450-L471))
against rekor TLogs
- manual invocations of `verify-artifact`.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-08-02 21:47:50 +00:00
Ramon Petgrave
88bcb6bff7 chore: pin yamllint, golangci-lint (#783) 
pins the yaml-lint and golangci-lint dependency used in pre-submits.

This is to fix code-scanning alerts about unpinned dependencies
-
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/8
-
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/21

### Testing Process

The pre-submit test that uses yamllint and golangci-lint passes

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-08-02 19:51:07 +00:00
Ramon Petgrave
7f3db9211e feat: support npm cli provenance v1 attestations (#776) 
Fixes #614, #450, #449, #515

Adds support for NPM CLIs build provenances, generated when running `npm
publish --provenance --access public` from a [GitHub Actions
workflow](5995008213/.github/workflows/npm-publish.yml (L21)).

## Testing

- added unit tests for some new helper functions
- added regression test cases

## Future work

- https://github.com/slsa-framework/slsa-verifier/issues/493, so we can
do `--print-provenance`
- implemented in
https://github.com/slsa-framework/slsa-verifier/pull/768#discussion_r1662938115

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-07-30 19:46:04 +00:00
dependabot[bot]
0b14659dde chore(deps): bump github.com/docker/docker from 24.0.9+incompatible to 26.1.4+incompatible in the go_modules group (#794) 
Bumps the go_modules group with 1 update:
[github.com/docker/docker](https://github.com/docker/docker).

Updates `github.com/docker/docker` from 24.0.9+incompatible to
26.1.4+incompatible
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/docker/releases">github.com/docker/docker's
releases</a>.</em></p>
<blockquote>
<h2>v26.1.4</h2>
<h2>26.1.4</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A26.1.4">docker/cli,
26.1.4 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A26.1.4">moby/moby,
26.1.4 milestone</a></li>
<li>Deprecated and removed features, see <a
href="https://github.com/docker/cli/blob/v26.1.4/docs/deprecated.md">Deprecated
Features</a>.</li>
<li>Changes to the Engine API, see <a
href="https://github.com/moby/moby/blob/v26.1.4/docs/api/version-history.md">API
version history</a>.</li>
</ul>
<h3>Security</h3>
<p>This release updates the Go runtime to 1.21.11 which contains
security fixes for:</p>
<ul>
<li><a
href="https://redirect.github.com/golang/go/issues/66869">CVE-2024-24789</a></li>
<li><a
href="https://redirect.github.com/golang/go/issues/67680">CVE-2024-24790</a></li>
<li>A symlink time of check to time of use race condition during
directory removal reported by Addison Crump (<a
href="https://github.com/addisoncrump"><code>@​addisoncrump</code></a>).</li>
</ul>
<h3>Bug fixes and enhancements</h3>
<ul>
<li>Fixed an issue where promoting a node immediately after another node
was demoted could cause the promotion to fail. <a
href="https://redirect.github.com/moby/moby/pull/47870">moby/moby#47870</a></li>
<li>Prevent the daemon log from being spammed with <code>superfluous
response.WriteHeader call ...</code> messages.. <a
href="https://redirect.github.com/moby/moby/pull/47843">moby/moby#47843</a></li>
<li>Don't show empty hints when plugins return an empty hook message. <a
href="https://redirect.github.com/docker/cli/pull/5083">docker/cli#5083</a></li>
<li>Added <code>ContextType: &quot;moby&quot;</code> to the context
list/inspect output to address a compatibility issue with Visual Studio
Container Tools. <a
href="https://redirect.github.com/docker/cli/pull/5095">docker/cli#5095</a></li>
<li>Fix a compatibility issue with Visual Studio Container Tools. <a
href="https://redirect.github.com/docker/cli/pull/5095">docker/cli#5095</a></li>
</ul>
<h3>Packaging updates</h3>
<ul>
<li>Update containerd (static binaries only) to <a
href="https://github.com/containerd/containerd/releases/tag/v1.7.17">v1.7.17</a>.
<a
href="https://redirect.github.com/moby/moby/pull/47841">moby/moby#47841</a></li>
<li><a
href="https://redirect.github.com/golang/go/issues/66869">CVE-2024-24789</a>,
<a
href="https://redirect.github.com/golang/go/issues/67680">CVE-2024-24790</a>:
Update Go runtime to 1.21.11. <a
href="https://redirect.github.com/moby/moby/pull/47904">moby/moby#47904</a></li>
<li>Update Compose to <a
href="https://github.com/docker/compose/releases/tag/v2.27.1">v2.27.1</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1022">docker/docker-ce-packages#1022</a></li>
<li>Update Buildx to <a
href="https://github.com/docker/buildx/releases/tag/v0.14.1">v0.14.1</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1021">docker/docker-ce-packages#1021</a></li>
</ul>
<h2>v26.1.3</h2>
<h2>26.1.3</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A26.1.3">docker/cli,
26.1.3 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A26.1.3">moby/moby,
26.1.3 milestone</a></li>
<li>Deprecated and removed features, see <a
href="https://github.com/docker/cli/blob/v26.1.3/docs/deprecated.md">Deprecated
Features</a>.</li>
<li>Changes to the Engine API, see <a
href="https://github.com/moby/moby/blob/v26.1.3/docs/api/version-history.md">API
version history</a>.</li>
</ul>
<h3>Bug fixes and enhancements</h3>
<ul>
<li>Fix a regression that prevented the use of DNS servers within a
<code>--internal</code> network. <a
href="https://redirect.github.com/moby/moby/pull/47832">moby/moby#47832</a></li>
<li>When the internal DNS server's own address is supplied as an
external server address, ignore it to avoid unproductive recursion. <a
href="https://redirect.github.com/moby/moby/pull/47833">moby/moby#47833</a></li>
</ul>
<h3>Packaging updates</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="de5c9cf0b9"><code>de5c9cf</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47912">#47912</a>
from thaJeztah/26.1_backport_vendor_containerd_1.7.18</li>
<li><a
href="c62dcf8ab1"><code>c62dcf8</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47911">#47911</a>
from thaJeztah/26.1_backport_bump_containerd_binary...</li>
<li><a
href="17315a20ee"><code>17315a2</code></a>
vendor: github.com/containerd/containerd v1.7.18</li>
<li><a
href="cbd94183ab"><code>cbd9418</code></a>
update containerd binary to v1.7.18</li>
<li><a
href="fb9f72aeb6"><code>fb9f72a</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47904">#47904</a>
from thaJeztah/26.1_backport_bump_go1.21.11</li>
<li><a
href="3115daaa91"><code>3115daa</code></a>
update to go1.21.11</li>
<li><a
href="2861734174"><code>2861734</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47892">#47892</a>
from thaJeztah/26.1_backport_api_docs_network_confi...</li>
<li><a
href="9c95aea306"><code>9c95aea</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47893">#47893</a>
from thaJeztah/26.1_backport_bump_docker_py</li>
<li><a
href="3e09e197a7"><code>3e09e19</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47894">#47894</a>
from thaJeztah/26.1_backport_vendor_containerd_v1.7.17</li>
<li><a
href="65b679ac9c"><code>65b679a</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47889">#47889</a>
from thaJeztah/26.1_backport_platforms_err_handling</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/docker/compare/v24.0.9...v26.1.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=24.0.9+incompatible&new-version=26.1.4+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-07-30 10:22:23 -04:00
Hayden B
40153f57a2 chore: Update CODEOWNERS to use teams (#793) 
This will assign teams rather than individuals to PRs.

Signed-off-by: Hayden B <hblauzvern@google.com>
 2024-07-23 18:18:55 -04:00
Ramon Petgrave
d96b977709 chore: v2.6.0: update docs (#789) 
#label:release v2.6.0

# How to Verify

Clone the repo and run the script described in
https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance.
```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.6.0
```

This will download the release files and verify the binaries. Confirm
that the output hashes matches those in this PR's SHA256SUM.md
-
https://github.com/slsa-framework/slsa-verifier/pull/789/files#diff-7834ca792905514302a0630d1c57dc1d330569a18fc2fff4aac6129efb00f4ccR1-R8

---------

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-07-17 12:21:44 -04:00
Ramon Petgrave
3714a2a468 fix: use tag for the builder in the release workflow (#788) 
The slsa-github-generator's workflow ref needs to be pinned by tag, not
by hash.

Fixes this error

-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9893912259/job/27330429383#step:4:17

```
Verifying slsa-verifier-linux-arm64 using slsa-verifier-linux-arm64.intoto.jsonl
Verified signature against tlog entry index 110869188 at URL: 24296fb24b120088fe641b8e84
Verifying artifact slsa-verifier-linux-arm64: FAILED: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: ""

FAILED: SLSA verification failed: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: ""
```

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
v2.6.0-rc.1 v2.6.0 		2024-07-11 12:34:52 -04:00
Ramon Petgrave
208ac12589 feat: vsa support (#777) 
Fixes #542

Adds support for VSAs.

## Testing process

- added some unit an end-to-end tests
- manually invoking

    ```
    go run ./cli/slsa-verifier/ verify-vsa \
    --subject-digest gce_image_id:8970095005306000053 \
--attestation-path
./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \
--verifier-id
https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \
--resource-uri
gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre
\
    --verified-level BCID_L1 \
    --verified-level SLSA_BUILD_LEVEL_2 \
--public-key-path
./cli/slsa-verifier/testdata/vsa/gce/v1/vsa_signing_public_key.pem \
    --public-key-id keystore://76574:prod:vsa_signing_public_key \
    --print-attestation



{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]}
    Verifying VSA: PASSED
    
    PASSED: SLSA verification passed
    ```

TODOS:
- open issue on the in_toto attestations repo about the incorrect json
[fields](36c1129542/go/predicates/vsa/v1/vsa.pb.go (L26-L40))
for vsa 1.0

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-07-10 21:25:16 -04:00
Mend Renovate
1049da4841 chore(deps): update github-actions (#786) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
patch | `v4.1.1` -> `v4.1.7` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | minor | `v4.2.5` -> `v4.3.3` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact)
| action | patch | `v4.1.4` -> `v4.1.7` |
| [actions/setup-go](https://togithub.com/actions/setup-go) | action |
patch | `v5.0.0` -> `v5.0.1` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | patch | `v4.3.1` -> `v4.3.3` |
|
[actionsdesk/lfs-warning](https://togithub.com/actionsdesk/lfs-warning)
| action | minor | `v3.2` -> `v3.3` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | minor | `v3.24.9` -> `v3.25.11` |
|
[golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action)
| action | pinDigest | -> `d6238b0` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.3.1` -> `v2.3.3` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator)
| action | pinDigest | -> `c747fe7` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier)
| action | minor | `v2.4.1` -> `v2.5.1` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.1.7`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.6...v4.1.7)

- Bump the minor-npm-dependencies group across 1 directory with 4
updates by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1739](https://togithub.com/actions/checkout/pull/1739)
- Bump actions/checkout from 3 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1697](https://togithub.com/actions/checkout/pull/1697)
- Check out other refs/\* by commit by
[@&#8203;orhantoy](https://togithub.com/orhantoy) in
[https://github.com/actions/checkout/pull/1774](https://togithub.com/actions/checkout/pull/1774)
- Pin actions/checkout's own workflows to a known, good, stable version.
by [@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1776](https://togithub.com/actions/checkout/pull/1776)

###
[`v4.1.6`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.5...v4.1.6)

- Check platform to set archive extension appropriately by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1732](https://togithub.com/actions/checkout/pull/1732)

###
[`v4.1.5`](https://togithub.com/actions/checkout/releases/tag/v4.1.5)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update NPM dependencies by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1703](https://togithub.com/actions/checkout/pull/1703)
- Bump github/codeql-action from 2 to 3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1694](https://togithub.com/actions/checkout/pull/1694)
- Bump actions/setup-node from 1 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1696](https://togithub.com/actions/checkout/pull/1696)
- Bump actions/upload-artifact from 2 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1695](https://togithub.com/actions/checkout/pull/1695)
- README: Suggest `user.email` to be
`41898282+github-actions[bot]@&#8203;users.noreply.github.com` by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1707](https://togithub.com/actions/checkout/pull/1707)

**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.4...v4.1.5

###
[`v4.1.4`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.3...v4.1.4)

- Disable `extensions.worktreeConfig` when disabling `sparse-checkout`
by [@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1692](https://togithub.com/actions/checkout/pull/1692)
- Add dependabot config by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1688](https://togithub.com/actions/checkout/pull/1688)
- Bump the minor-actions-dependencies group with 2 updates by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1693](https://togithub.com/actions/checkout/pull/1693)
- Bump word-wrap from 1.2.3 to 1.2.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1643](https://togithub.com/actions/checkout/pull/1643)

###
[`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3)

#### What's Changed

- Update `actions/checkout` version in `update-main-version.yml` by
[@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650)
- Check git version before attempting to disable `sparse-checkout` by
[@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656)
- Add SSH user parameter by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685)

**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.2...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2)

- Fix: Disable sparse checkout whenever `sparse-checkout` option is not
present [@&#8203;dscho](https://togithub.com/dscho) in
[https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.3.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.3):
Notes for v4.3.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3)

#### What's Changed

- Allow slashes in purl package names by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/765](https://togithub.com/actions/dependency-review-action/pull/765)
- use the v3 version of the deps.dev API by
[@&#8203;josieang](https://togithub.com/josieang) in
[https://github.com/actions/dependency-review-action/pull/741](https://togithub.com/actions/dependency-review-action/pull/741)
- PR with suggestions - \[Improvement]: Help streamline / simplify
dependency review action README by
[@&#8203;am-stead](https://togithub.com/am-stead) in
[https://github.com/actions/dependency-review-action/pull/773](https://togithub.com/actions/dependency-review-action/pull/773)
- fix show-openssf-scorecard-levels input by
[@&#8203;ramann](https://togithub.com/ramann) in
[https://github.com/actions/dependency-review-action/pull/776](https://togithub.com/actions/dependency-review-action/pull/776)
- Updates to the contribution guidelines by
[@&#8203;jonjanego](https://togithub.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/778](https://togithub.com/actions/dependency-review-action/pull/778)
- Create issue templates by
[@&#8203;jonjanego](https://togithub.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/777](https://togithub.com/actions/dependency-review-action/pull/777)
- Fix the max comment length issue by
[@&#8203;jhutchings1](https://togithub.com/jhutchings1) and
[@&#8203;elireisman](https://togithub.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/767](https://togithub.com/actions/dependency-review-action/pull/767)
- Bump project version to 4.3.3 in prep for a release by
[@&#8203;elireisman](https://togithub.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/781](https://togithub.com/actions/dependency-review-action/pull/781)

#### New Contributors

- [@&#8203;josieang](https://togithub.com/josieang) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/741](https://togithub.com/actions/dependency-review-action/pull/741)
- [@&#8203;am-stead](https://togithub.com/am-stead) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/773](https://togithub.com/actions/dependency-review-action/pull/773)
- [@&#8203;ramann](https://togithub.com/ramann) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/776](https://togithub.com/actions/dependency-review-action/pull/776)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3

###
[`v4.3.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.2)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2)

#### What's Changed

- Fix package-url parsing for allow-dependencies-licenses by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/761](https://togithub.com/actions/dependency-review-action/pull/761)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2

###
[`v4.3.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.1)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.0...v4.3.1)

#### What's Changed

This release fixes some bugs related to package-url parsing that were
introduced in 4.3.0. See
[https://github.com/actions/dependency-review-action/pull/753](https://togithub.com/actions/dependency-review-action/pull/753).

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/V4.3.0...v4.3.1

###
[`v4.3.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.0)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.5...v4.3.0)

#### New Features

- The `deny-packages` option can now be used without a version number to
exclude *all* versions of a package.

#### What's Changed

- Fix action variable name for scorecard by
[@&#8203;lukehinds](https://togithub.com/lukehinds) in
[https://github.com/actions/dependency-review-action/pull/735](https://togithub.com/actions/dependency-review-action/pull/735)
- Fix extra https:// in summary by
[@&#8203;jhutchings1](https://togithub.com/jhutchings1) in
[https://github.com/actions/dependency-review-action/pull/748](https://togithub.com/actions/dependency-review-action/pull/748)
- Bump typescript from 5.3.3 to 5.4.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/744](https://togithub.com/actions/dependency-review-action/pull/744)
- Bump eslint-plugin-github from 4.10.1 to 4.10.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/737](https://togithub.com/actions/dependency-review-action/pull/737)
- Show denied packages with red X by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/750](https://togithub.com/actions/dependency-review-action/pull/750)
- deny-packages configuration option can deny specified version or all
packages by [@&#8203;febuiles](https://togithub.com/febuiles) and
[@&#8203;bteng22](https://togithub.com/bteng22) in
[https://github.com/actions/dependency-review-action/pull/733](https://togithub.com/actions/dependency-review-action/pull/733)

#### New Contributors

- [@&#8203;bteng22](https://togithub.com/bteng22) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/733](https://togithub.com/actions/dependency-review-action/pull/733)
- [@&#8203;lukehinds](https://togithub.com/lukehinds) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/735](https://togithub.com/actions/dependency-review-action/pull/735)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.5...V4.3.0

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.7`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.7)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.6...v4.1.7)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact)
dependency by [@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/325](https://togithub.com/actions/download-artifact/pull/325)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.6...v4.1.7

###
[`v4.1.6`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.6)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.5...v4.1.6)

#### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/download-artifact/pull/324](https://togithub.com/actions/download-artifact/pull/324)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.5...v4.1.6

###
[`v4.1.5`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.5)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/322](https://togithub.com/actions/download-artifact/pull/322)
- Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact`
to v2.1.5

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.4...v4.1.5

</details>

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v5.0.1`](https://togithub.com/actions/setup-go/releases/tag/v5.0.1)

[Compare
Source](https://togithub.com/actions/setup-go/compare/v5.0.0...v5.0.1)

#### What's Changed

- Bump undici from 5.28.2 to 5.28.3 and dependencies upgrade by
[@&#8203;dependabot](https://togithub.com/dependabot) ,
[@&#8203;HarithaVattikuti](https://togithub.com/HarithaVattikuti) in
[https://github.com/actions/setup-go/pull/465](https://togithub.com/actions/setup-go/pull/465)
- Update documentation with latest V5 release notes by
[@&#8203;ab](https://togithub.com/ab) in
[https://github.com/actions/setup-go/pull/459](https://togithub.com/actions/setup-go/pull/459)
- Update version documentation by
[@&#8203;178inaba](https://togithub.com/178inaba) in
[https://github.com/actions/setup-go/pull/458](https://togithub.com/actions/setup-go/pull/458)
- Documentation update of `actions/setup-go` to v5 by
[@&#8203;chenrui333](https://togithub.com/chenrui333) in
[https://github.com/actions/setup-go/pull/449](https://togithub.com/actions/setup-go/pull/449)

#### New Contributors

- [@&#8203;ab](https://togithub.com/ab) made their first contribution in
[https://github.com/actions/setup-go/pull/459](https://togithub.com/actions/setup-go/pull/459)

**Full Changelog**:
https://github.com/actions/setup-go/compare/v5.0.0...v5.0.1

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.3`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.3)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.2...v4.3.3)

##### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/565](https://togithub.com/actions/upload-artifact/pull/565)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3

###
[`v4.3.2`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.2)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.1...v4.3.2)

#### What's Changed

- Update release-new-action-version.yml by
[@&#8203;konradpabjan](https://togithub.com/konradpabjan) in
[https://github.com/actions/upload-artifact/pull/516](https://togithub.com/actions/upload-artifact/pull/516)
- Minor fix to the migration readme by
[@&#8203;andrewakim](https://togithub.com/andrewakim) in
[https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523)
- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/561](https://togithub.com/actions/upload-artifact/pull/561)
- updating `@actions/artifact` dependency to v2.1.5 and `@actions/core`
to v1.0.1 by [@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/562](https://togithub.com/actions/upload-artifact/pull/562)

#### New Contributors

- [@&#8203;andrewakim](https://togithub.com/andrewakim) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2

</details>

<details>
<summary>actionsdesk/lfs-warning (actionsdesk/lfs-warning)</summary>

### [`v3.3`](https://togithub.com/ppremk/lfs-warning/releases/tag/v3.3)

[Compare
Source](https://togithub.com/actionsdesk/lfs-warning/compare/v3.2...v3.3)

#### What's Changed

- update node js to 16 by
[@&#8203;GlazerMann](https://togithub.com/GlazerMann) in
[https://github.com/ppremk/lfs-warning/pull/148](https://togithub.com/ppremk/lfs-warning/pull/148)
- Fixing README to match repo move by
[@&#8203;samthebest](https://togithub.com/samthebest) in
[https://github.com/ppremk/lfs-warning/pull/153](https://togithub.com/ppremk/lfs-warning/pull/153)
- Update CODEOWNERS by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/158](https://togithub.com/ppremk/lfs-warning/pull/158)
- Bump http-cache-semantics from 4.1.0 to 4.1.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/151](https://togithub.com/ppremk/lfs-warning/pull/151)
- Bump [@&#8203;babel/traverse](https://togithub.com/babel/traverse)
from 7.15.4 to 7.23.4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/159](https://togithub.com/ppremk/lfs-warning/pull/159)
- Bump tough-cookie from 4.0.0 to 4.1.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/160](https://togithub.com/ppremk/lfs-warning/pull/160)
- Bump cacheable-request and gts by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/152](https://togithub.com/ppremk/lfs-warning/pull/152)
- Update emoji and convert file list to markdown list by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/161](https://togithub.com/ppremk/lfs-warning/pull/161)
- Bump got and gts by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/155](https://togithub.com/ppremk/lfs-warning/pull/155)
- Exclude files without blob_url when getting PR blobs by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/162](https://togithub.com/ppremk/lfs-warning/pull/162)
- Support pull_request_target by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/164](https://togithub.com/ppremk/lfs-warning/pull/164)
- Update-node by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/163](https://togithub.com/ppremk/lfs-warning/pull/163)
- Fix text setup for the issue comment by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/166](https://togithub.com/ppremk/lfs-warning/pull/166)
- Validate PR changes to make sure there are no changes missing by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/165](https://togithub.com/ppremk/lfs-warning/pull/165)
- Fix emoji by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/167](https://togithub.com/ppremk/lfs-warning/pull/167)
- Bump undici from 5.28.2 to 5.28.4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/171](https://togithub.com/ppremk/lfs-warning/pull/171)

#### New Contributors

- [@&#8203;GlazerMann](https://togithub.com/GlazerMann) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/148](https://togithub.com/ppremk/lfs-warning/pull/148)
- [@&#8203;samthebest](https://togithub.com/samthebest) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/153](https://togithub.com/ppremk/lfs-warning/pull/153)
- [@&#8203;rajbos](https://togithub.com/rajbos) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/158](https://togithub.com/ppremk/lfs-warning/pull/158)

**Full Changelog**:
https://github.com/ppremk/lfs-warning/compare/v3.2...v3.3

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.25.11`](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11)

###
[`v3.25.10`](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10)

###
[`v3.25.9`](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9)

###
[`v3.25.8`](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8)

###
[`v3.25.7`](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7)

###
[`v3.25.6`](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6)

###
[`v3.25.5`](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5)

###
[`v3.25.4`](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4)

###
[`v3.25.3`](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3)

###
[`v3.25.2`](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2)

###
[`v3.25.1`](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1)

###
[`v3.25.0`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.25.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.11...v3.25.0)

###
[`v3.24.11`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11)

###
[`v3.24.10`](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.3)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.2...v2.3.3)

> \[!NOTE]\
> There is no v2.3.2 release as a step was skipped in the release
process. This was fixed and re-released under the v2.3.3 tag

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to
github.com/ossf/scorecard/v5 (v5.0.0-rc1) by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1366](https://togithub.com/ossf/scorecard-action/pull/1366)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to
v5.0.0-rc2 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1374](https://togithub.com/ossf/scorecard-action/pull/1374)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to
v5.0.0-rc2.0.20240509182734-7ce860946928 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1377](https://togithub.com/ossf/scorecard-action/pull/1377)

For a full changelist of what these include, see the
[v5.0.0-rc1](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc1)
and
[v5.0.0-rc2](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc2)
release notes.

##### Documentation

- 📖 Move token discussion out of main README. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1279](https://togithub.com/ossf/scorecard-action/pull/1279)
- 📖 link to `ossf/scorecard` workflow instead of maintaining an
example by [@&#8203;spencerschrock](https://togithub.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1352](https://togithub.com/ossf/scorecard-action/pull/1352)
- 📖 update api links to new scorecard.dev site by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1376](https://togithub.com/ossf/scorecard-action/pull/1376)

**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.3

###
[`v2.3.2`](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.5.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.5.1)

[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1)

#### What's Changed

- feat: Add cosign registry opts for provenance registry by
[@&#8203;saisatishkarra](https://togithub.com/saisatishkarra) in
[https://github.com/slsa-framework/slsa-verifier/pull/729](https://togithub.com/slsa-framework/slsa-verifier/pull/729)
and
[https://github.com/slsa-framework/slsa-verifier/pull/736](https://togithub.com/slsa-framework/slsa-verifier/pull/736)
- feat: Add support for DSSE Rekor type by
[@&#8203;haydentherapper](https://togithub.com/haydentherapper) in
[https://github.com/slsa-framework/slsa-verifier/pull/742](https://togithub.com/slsa-framework/slsa-verifier/pull/742)

#### New Contributors

- [@&#8203;saisatishkarra](https://togithub.com/saisatishkarra) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/729](https://togithub.com/slsa-framework/slsa-verifier/pull/729)
- [@&#8203;ramonpetgrave64](https://togithub.com/ramonpetgrave64) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/737](https://togithub.com/slsa-framework/slsa-verifier/pull/737)
- [@&#8203;haydentherapper](https://togithub.com/haydentherapper) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/742](https://togithub.com/slsa-framework/slsa-verifier/pull/742)

**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-07-01 17:21:38 +00:00
Mend Renovate
903cddc5c3 fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 (#787) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-core](https://maven.apache.org/) | `3.9.6` ->
`3.9.8` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-core/3.9.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-core/3.9.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-core/3.9.6/3.9.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-core/3.9.6/3.9.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-07-01 12:43:35 -04:00
Mend Renovate
4bab78a528 chore(deps): update npm dev (#650) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence | Type |
Update |
|---|---|---|---|---|---|---|---|
|
[@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node)
([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node))
| [`18.19.28` ->
`18.19.33`](https://renovatebot.com/diffs/npm/@types%2fnode/18.19.28/18.19.33)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fnode/18.19.33?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@types%2fnode/18.19.33?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@types%2fnode/18.19.28/18.19.33?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fnode/18.19.28/18.19.33?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | patch |
| [eslint](https://eslint.org)
([source](https://togithub.com/eslint/eslint)) | [`^8.57.0` ->
`8.57.0`](https://renovatebot.com/diffs/npm/eslint/8.57.0/8.57.0) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/eslint/8.57.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/eslint/8.57.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/eslint/8.57.0/8.57.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint/8.57.0/8.57.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |
|
[eslint-plugin-prettier](https://togithub.com/prettier/eslint-plugin-prettier)
| [`^5.1.3` ->
`5.1.3`](https://renovatebot.com/diffs/npm/eslint-plugin-prettier/5.1.3/5.1.3)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/eslint-plugin-prettier/5.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/eslint-plugin-prettier/5.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/eslint-plugin-prettier/5.1.3/5.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint-plugin-prettier/5.1.3/5.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |
| [markdown-toc](https://togithub.com/jonschlinkert/markdown-toc) |
[`^1.2.0` ->
`1.2.0`](https://renovatebot.com/diffs/npm/markdown-toc/1.2.0/1.2.0) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/markdown-toc/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/markdown-toc/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/markdown-toc/1.2.0/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/markdown-toc/1.2.0/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |
| [renovate](https://renovatebot.com)
([source](https://togithub.com/renovatebot/renovate)) | [`37.363.4` ->
`37.374.1`](https://renovatebot.com/diffs/npm/renovate/37.363.4/37.374.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/renovate/37.374.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/renovate/37.374.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/renovate/37.363.4/37.374.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/renovate/37.363.4/37.374.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | minor |
| [typescript](https://www.typescriptlang.org/)
([source](https://togithub.com/Microsoft/TypeScript)) | [`^5.4.3` ->
`5.4.3`](https://renovatebot.com/diffs/npm/typescript/5.4.3/5.4.3) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/typescript/5.4.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/typescript/5.4.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/typescript/5.4.3/5.4.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/typescript/5.4.3/5.4.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |
|
[typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint)
([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint))
| [`^7.5.0` ->
`7.5.0`](https://renovatebot.com/diffs/npm/typescript-eslint/7.5.0/7.5.0)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/typescript-eslint/7.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/typescript-eslint/7.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/typescript-eslint/7.5.0/7.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/typescript-eslint/7.5.0/7.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |

---

### Release Notes

<details>
<summary>renovatebot/renovate (renovate)</summary>

###
[`v37.374.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.374.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.374.0...37.374.1)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.6
([#&#8203;29212](https://togithub.com/renovatebot/renovate/issues/29212))
([f4eeaaa](f4eeaaaff6))

###
[`v37.374.0`](https://togithub.com/renovatebot/renovate/compare/37.373.0...fe62e80aebe988dd9dcbe47d3e5eee225ec3904d)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.373.0...37.374.0)

###
[`v37.373.0`](https://togithub.com/renovatebot/renovate/compare/37.372.1...25255596d63a03a312885aba1b25fdfd7b76c7a4)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.372.1...37.373.0)

###
[`v37.372.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.372.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.372.0...37.372.1)

##### Bug Fixes

- **packageRules:** prPriority should only be in packageRules
([#&#8203;29201](https://togithub.com/renovatebot/renovate/issues/29201))
([70f1f93](70f1f93823))

###
[`v37.372.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.372.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.371.1...37.372.0)

##### Features

- **util/package-rules:** allow glob pattens in match{Current,New}Value
([#&#8203;29168](https://togithub.com/renovatebot/renovate/issues/29168))
([56856d4](56856d4a46))

##### Bug Fixes

- **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.14
([#&#8203;29199](https://togithub.com/renovatebot/renovate/issues/29199))
([4edd63a](4edd63a297))
- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.5
([#&#8203;29200](https://togithub.com/renovatebot/renovate/issues/29200))
([757574b](757574b931))

##### Miscellaneous Chores

- **deps:** update ghcr.io/containerbase/devcontainer docker tag to
v10.6.14
([#&#8203;29198](https://togithub.com/renovatebot/renovate/issues/29198))
([a8855d8](a8855d811c))

###
[`v37.371.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.371.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.371.0...37.371.1)

##### Bug Fixes

- **pdm:** change pdm update strategy to eager
([#&#8203;29183](https://togithub.com/renovatebot/renovate/issues/29183))
([2f335b6](2f335b61f4))

##### Miscellaneous Chores

- **deps:** update dependency
[@&#8203;swc/core](https://togithub.com/swc/core) to v1.5.7
([#&#8203;29192](https://togithub.com/renovatebot/renovate/issues/29192))
([436fa71](436fa71ce4))
- **deps:** update linters to v7.10.0
([#&#8203;29196](https://togithub.com/renovatebot/renovate/issues/29196))
([ab36239](ab36239421))
- log when \_PROXY values detected
([#&#8203;29191](https://togithub.com/renovatebot/renovate/issues/29191))
([e281931](e28193134a))

###
[`v37.371.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.371.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.370.0...37.371.0)

##### Features

- **asdf:** Add rebar3 to asdf manager
([#&#8203;29188](https://togithub.com/renovatebot/renovate/issues/29188))
([2e6c563](2e6c5636ea))

##### Miscellaneous Chores

- **deps:** update linters
([#&#8203;29193](https://togithub.com/renovatebot/renovate/issues/29193))
([f59c7f3](f59c7f3162))

###
[`v37.370.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.370.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.369.1...37.370.0)

##### Features

- **self-hosted:** `mergeConfidenceEndpoint` and
`mergeConfidenceDatasources`
([#&#8203;28880](https://togithub.com/renovatebot/renovate/issues/28880))
([044dc0f](044dc0fa28))

###
[`v37.369.1`](https://togithub.com/renovatebot/renovate/compare/37.369.0...ae15a51554828bb3891268c16f180124a90ade55)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.369.0...37.369.1)

###
[`v37.369.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.369.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.10...37.369.0)

##### Features

- **datasource:** `sourceUrl` & `releaseTimestamp` support
([#&#8203;29122](https://togithub.com/renovatebot/renovate/issues/29122))
([d0b77e5](d0b77e584a))

###
[`v37.368.10`](https://togithub.com/renovatebot/renovate/compare/37.368.9...3c75e4bfb3e6786508f57ead837af102d468f4ab)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.9...37.368.10)

###
[`v37.368.9`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.9)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.8...37.368.9)

##### Bug Fixes

- **homebrew:** handle new github archive url format
([#&#8203;29138](https://togithub.com/renovatebot/renovate/issues/29138))
([e035f05](e035f0562d))

###
[`v37.368.8`](https://togithub.com/renovatebot/renovate/compare/37.368.7...5b88dd6a31c24880da2b2dc5915916a8f3e4f6e8)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.7...37.368.8)

###
[`v37.368.7`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.7)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.6...37.368.7)

##### Bug Fixes

- **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.12
([#&#8203;29157](https://togithub.com/renovatebot/renovate/issues/29157))
([4a1e758](4a1e75889f))

##### Documentation

- **readme:** better alt text, add toggleable list of companies/projects
that use Renovate
([#&#8203;29022](https://togithub.com/renovatebot/renovate/issues/29022))
([f8f5184](f8f518493d))

##### Miscellaneous Chores

- **deps:** update containerbase/internal-tools action to v3.0.88
([#&#8203;29149](https://togithub.com/renovatebot/renovate/issues/29149))
([92686aa](92686aa201))

###
[`v37.368.6`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.6)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.5...37.368.6)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.3
([#&#8203;29143](https://togithub.com/renovatebot/renovate/issues/29143))
([7f6964c](7f6964cea9))

###
[`v37.368.5`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.5)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.4...37.368.5)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.2
([#&#8203;29142](https://togithub.com/renovatebot/renovate/issues/29142))
([c23c70f](c23c70fc8b))

##### Miscellaneous Chores

- **deps:** update dependency rimraf to v5.0.7
([#&#8203;29141](https://togithub.com/renovatebot/renovate/issues/29141))
([483bfc2](483bfc28f5))

###
[`v37.368.4`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.4)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.3...37.368.4)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.1
([#&#8203;29140](https://togithub.com/renovatebot/renovate/issues/29140))
([947bf17](947bf17aea))

##### Miscellaneous Chores

- **deps:** update dependency rimraf to v5.0.6
([#&#8203;29139](https://togithub.com/renovatebot/renovate/issues/29139))
([a2ba884](a2ba88412c))

###
[`v37.368.3`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.3)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.2...37.368.3)

##### Bug Fixes

- **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.11
([#&#8203;29134](https://togithub.com/renovatebot/renovate/issues/29134))
([8216f20](8216f205dc))

##### Documentation

- **config:** warn about spaces in `schedule`
([#&#8203;29121](https://togithub.com/renovatebot/renovate/issues/29121))
([ebfb48d](ebfb48d416))

##### Miscellaneous Chores

- **deps:** update ghcr.io/containerbase/devcontainer docker tag to
v10.6.11
([#&#8203;29133](https://togithub.com/renovatebot/renovate/issues/29133))
([463226b](463226b1ed))

###
[`v37.368.2`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.2)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.1...37.368.2)

##### Bug Fixes

- **gomod:** treat v0 pseudo version updates as digest updates
([#&#8203;29042](https://togithub.com/renovatebot/renovate/issues/29042))
([6f8cde4](6f8cde4e67))

###
[`v37.368.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.0...37.368.1)

##### Miscellaneous Chores

- **deps:** update actions/checkout action to v4.1.6
([#&#8203;29126](https://togithub.com/renovatebot/renovate/issues/29126))
([f951139](f951139409))

##### Build System

- **deps:** update dependency glob to v10.3.15
([#&#8203;29125](https://togithub.com/renovatebot/renovate/issues/29125))
([dc7d73f](dc7d73f98f))

###
[`v37.368.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.367.0...37.368.0)

##### Features

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.0
([#&#8203;29124](https://togithub.com/renovatebot/renovate/issues/29124))
([676e1ef](676e1ef47f))

##### Build System

- **deps:** update dependency glob to v10.3.14
([#&#8203;29123](https://togithub.com/renovatebot/renovate/issues/29123))
([40a6b4d](40a6b4d290))

###
[`v37.367.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.367.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.366.1...37.367.0)

##### Features

- **presets:** add replacements for ZAP org moves
([#&#8203;29117](https://togithub.com/renovatebot/renovate/issues/29117))
([7df1dc7](7df1dc77ae))

###
[`v37.366.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.366.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.366.0...37.366.1)

##### Build System

- **deps:** update dependency jsonata to v2.0.5
([#&#8203;29116](https://togithub.com/renovatebot/renovate/issues/29116))
([8bbde23](8bbde23579))

###
[`v37.366.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.366.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.365.0...37.366.0)

##### Features

- **datasource:** Add python-version datasource
([#&#8203;27583](https://togithub.com/renovatebot/renovate/issues/27583))
([c8aacc4](c8aacc4c05))
- Support custom artifact notice
([#&#8203;28957](https://togithub.com/renovatebot/renovate/issues/28957))
([1c8eb34](1c8eb34876))

###
[`v37.365.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.365.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.364.0...37.365.0)

##### Features

- **presets/workarounds:** add bitnami docker versioning
([#&#8203;29112](https://togithub.com/renovatebot/renovate/issues/29112))
([66de046](66de0465e9))

###
[`v37.364.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.364.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.9...37.364.0)

##### Features

- **presets:** add strum to monorepos
([#&#8203;29109](https://togithub.com/renovatebot/renovate/issues/29109))
([20716b0](20716b0609))

##### Miscellaneous Chores

- **deps:** update containerbase/internal-tools action to v3.0.87
([#&#8203;29108](https://togithub.com/renovatebot/renovate/issues/29108))
([e03a5cf](e03a5cf0cb))

##### Tests

- **osgi:** Use "codeBlock" for tests
([#&#8203;29110](https://togithub.com/renovatebot/renovate/issues/29110))
([2429a07](2429a07eef))

###
[`v37.363.9`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.9)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.8...37.363.9)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.11.2
([#&#8203;29099](https://togithub.com/renovatebot/renovate/issues/29099))
([99ba857](99ba857374))

##### Documentation

- **config:** add note about GnuPG v2.4 usage
([#&#8203;29067](https://togithub.com/renovatebot/renovate/issues/29067))
([88fd212](88fd2124ff))

###
[`v37.363.8`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.8)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.7...37.363.8)

##### Bug Fixes

- **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.10
([#&#8203;29096](https://togithub.com/renovatebot/renovate/issues/29096))
([1254f6a](1254f6a662))

##### Documentation

- **bot comparison:** dependabot-core switched to MIT license
([#&#8203;29095](https://togithub.com/renovatebot/renovate/issues/29095))
([d9cd961](d9cd9612ec))
- Update Swissquote article with information on the scheduler and
dashboards
([#&#8203;29030](https://togithub.com/renovatebot/renovate/issues/29030))
([01f9861](01f9861069))

###
[`v37.363.7`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.7)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.6...37.363.7)

##### Miscellaneous Chores

- **deps:** update ghcr.io/containerbase/devcontainer docker tag to
v10.6.10
([#&#8203;29091](https://togithub.com/renovatebot/renovate/issues/29091))
([dba9ad3](dba9ad3353))

##### Build System

- **deps:** update dependency zod to v3.23.8
([#&#8203;29090](https://togithub.com/renovatebot/renovate/issues/29090))
([caedb6f](caedb6f452))

###
[`v37.363.6`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.6)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.5...37.363.6)

##### Bug Fixes

- **datasource/github-runners:** add Ubuntu 24.04 Noble Numbat as
unstable
([#&#8203;29088](https://togithub.com/renovatebot/renovate/issues/29088))
([e291ef0](e291ef0dbd))

###
[`v37.363.5`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.5)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.4...37.363.5)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.11.1
([#&#8203;29079](https://togithub.com/renovatebot/renovate/issues/29079))
([945c4cf](945c4cf8ba))

##### Miscellaneous Chores

- **deps:** update codecov/codecov-action action to v4.4.0
([#&#8203;29080](https://togithub.com/renovatebot/renovate/issues/29080))
([78edb5b](78edb5b0f8))

##### Build System

- **deps:** update dependency zod to v3.23.7
([#&#8203;29077](https://togithub.com/renovatebot/renovate/issues/29077))
([ead5d55](ead5d55a49))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM3LjM2OC4xMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-06-27 18:54:52 +00:00
Mend Renovate
163abe52e2 chore(deps): update golang:1.21 docker digest to b405b62 (#774) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `d83472f` -> `b405b62` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzcuOCIsInVwZGF0ZWRJblZlciI6IjM3LjQxMy4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-06-27 18:37:34 +00:00
Ramon Petgrave
2f70fef663 fix: make download-artifacts.sh more flexible (#761) 
Making the `download-artifacts.sh` script be more useful.

Before, it would error upon seeing some zip files that it doesn't expect
to be in the GH release. I think the script is just a bit outdated. But
for now, I think we should bypass that, since the script is already
written to know which of the final files within the archives are
actually needed.

related PR
https://github.com/slsa-framework/slsa-github-generator/pull/3589

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-27 17:22:49 +00:00
Mend Renovate
b69efeea0b fix(deps): update golang.org/x/exp digest to 7f521ea (#775) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `2478ac8` -> `7f521ea` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzcuOCIsInVwZGF0ZWRJblZlciI6IjM3LjM5My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-06-27 17:07:30 +00:00
dependabot[bot]
34ab203678 chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates (#784) 
Bumps the npm_and_yarn group with 1 update in the / directory:
[braces](https://github.com/micromatch/braces).
Bumps the npm_and_yarn group with 2 updates in the /actions/installer
directory: [braces](https://github.com/micromatch/braces) and
[undici](https://github.com/nodejs/undici).

Updates `braces` from 3.0.2 to 3.0.3
<details>
<summary>Commits</summary>
<ul>
<li><a
href="74b2db2938"><code>74b2db2</code></a>
3.0.3</li>
<li><a
href="88f1429a0f"><code>88f1429</code></a>
update eslint. lint, fix unit tests.</li>
<li><a
href="415d660c30"><code>415d660</code></a>
Snyk js braces 6838727 (<a
href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li>
<li><a
href="190510f79d"><code>190510f</code></a>
fix tests, skip 1 test in test/braces.expand</li>
<li><a
href="716eb9f12d"><code>716eb9f</code></a>
readme bump</li>
<li><a
href="a5851e57f4"><code>a5851e5</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/braces/issues/37">#37</a>
from coderaiser/fix/vulnerability</li>
<li><a
href="2092bd1fb1"><code>2092bd1</code></a>
feature: braces: add maxSymbols (<a
href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li>
<li><a
href="9f5b4cf473"><code>9f5b4cf</code></a>
fix: vulnerability (<a
href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li>
<li><a
href="98414f9f1f"><code>98414f9</code></a>
remove funding file</li>
<li><a
href="665ab5d561"><code>665ab5d</code></a>
update keepEscaping doc (<a
href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare
view</a></li>
</ul>
</details>
<br />

Updates `braces` from 3.0.2 to 3.0.3
<details>
<summary>Commits</summary>
<ul>
<li><a
href="74b2db2938"><code>74b2db2</code></a>
3.0.3</li>
<li><a
href="88f1429a0f"><code>88f1429</code></a>
update eslint. lint, fix unit tests.</li>
<li><a
href="415d660c30"><code>415d660</code></a>
Snyk js braces 6838727 (<a
href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li>
<li><a
href="190510f79d"><code>190510f</code></a>
fix tests, skip 1 test in test/braces.expand</li>
<li><a
href="716eb9f12d"><code>716eb9f</code></a>
readme bump</li>
<li><a
href="a5851e57f4"><code>a5851e5</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/braces/issues/37">#37</a>
from coderaiser/fix/vulnerability</li>
<li><a
href="2092bd1fb1"><code>2092bd1</code></a>
feature: braces: add maxSymbols (<a
href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li>
<li><a
href="9f5b4cf473"><code>9f5b4cf</code></a>
fix: vulnerability (<a
href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li>
<li><a
href="98414f9f1f"><code>98414f9</code></a>
remove funding file</li>
<li><a
href="665ab5d561"><code>665ab5d</code></a>
update keepEscaping doc (<a
href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare
view</a></li>
</ul>
</details>
<br />

Updates `undici` from 5.28.3 to 5.28.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v5.28.4</h2>
<h2>⚠️ Security Release ⚠️</h2>
<ul>
<li>Fixes <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7">https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7</a>
CVE-2024-30260</li>
<li>Fixes <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672">https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672</a>
CVE-2024-30261</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="fb98306907"><code>fb98306</code></a>
Bumped v5.28.4</li>
<li><a
href="2b39440bd9"><code>2b39440</code></a>
Merge pull request from GHSA-9qxr-qj54-h672</li>
<li><a
href="64e3402da4"><code>64e3402</code></a>
Merge pull request from GHSA-m4v8-wqvr-p9f7</li>
<li><a
href="723c4e7280"><code>723c4e7</code></a>
Revert &quot;build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (<a
href="https://redirect.github.com/nodejs/undici/issues/2389">#2389</a>)&quot;</li>
<li><a
href="0e9d54b2c2"><code>0e9d54b</code></a>
skip failing test due to Node.js changes</li>
<li>See full diff in <a
href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-06-27 12:03:26 -04:00
dependabot[bot]
9fb6f246f8 chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer (#780) 
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to
3.0.3.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="74b2db2938"><code>74b2db2</code></a>
3.0.3</li>
<li><a
href="88f1429a0f"><code>88f1429</code></a>
update eslint. lint, fix unit tests.</li>
<li><a
href="415d660c30"><code>415d660</code></a>
Snyk js braces 6838727 (<a
href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li>
<li><a
href="190510f79d"><code>190510f</code></a>
fix tests, skip 1 test in test/braces.expand</li>
<li><a
href="716eb9f12d"><code>716eb9f</code></a>
readme bump</li>
<li><a
href="a5851e57f4"><code>a5851e5</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/braces/issues/37">#37</a>
from coderaiser/fix/vulnerability</li>
<li><a
href="2092bd1fb1"><code>2092bd1</code></a>
feature: braces: add maxSymbols (<a
href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li>
<li><a
href="9f5b4cf473"><code>9f5b4cf</code></a>
fix: vulnerability (<a
href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li>
<li><a
href="98414f9f1f"><code>98414f9</code></a>
remove funding file</li>
<li><a
href="665ab5d561"><code>665ab5d</code></a>
update keepEscaping doc (<a
href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=braces&package-manager=npm_and_yarn&previous-version=3.0.2&new-version=3.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-06-27 15:37:36 +00:00
dependabot[bot]
96619e48c2 chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer (#779) 
Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v5.28.4</h2>
<h2>⚠️ Security Release ⚠️</h2>
<ul>
<li>Fixes <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7">https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7</a>
CVE-2024-30260</li>
<li>Fixes <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672">https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672</a>
CVE-2024-30261</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="fb98306907"><code>fb98306</code></a>
Bumped v5.28.4</li>
<li><a
href="2b39440bd9"><code>2b39440</code></a>
Merge pull request from GHSA-9qxr-qj54-h672</li>
<li><a
href="64e3402da4"><code>64e3402</code></a>
Merge pull request from GHSA-m4v8-wqvr-p9f7</li>
<li><a
href="723c4e7280"><code>723c4e7</code></a>
Revert &quot;build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (<a
href="https://redirect.github.com/nodejs/undici/issues/2389">#2389</a>)&quot;</li>
<li><a
href="0e9d54b2c2"><code>0e9d54b</code></a>
skip failing test due to Node.js changes</li>
<li>See full diff in <a
href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=5.28.3&new-version=5.28.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-06-27 14:28:25 +00:00
dependabot[bot]
56bc29bf2e chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 (#782) 
Bumps
[github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp)
from 0.7.5 to 0.7.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md">github.com/hashicorp/go-retryablehttp's
changelog</a>.</em></p>
<blockquote>
<h2>0.7.7 (May 30, 2024)</h2>
<p>BUG FIXES:</p>
<ul>
<li>client: avoid potentially leaking URL-embedded basic authentication
credentials in logs (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/158">#158</a>)</li>
</ul>
<h2>0.7.6 (May 9, 2024)</h2>
<p>ENHANCEMENTS:</p>
<ul>
<li>client: support a <code>RetryPrepare</code> function for modifying
the request before retrying (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/216">#216</a>)</li>
<li>client: support HTTP-date values for <code>Retry-After</code> header
value (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/138">#138</a>)</li>
<li>client: avoid reading entire body when the body is a
<code>*bytes.Reader</code> (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/197">#197</a>)</li>
</ul>
<p>BUG FIXES:</p>
<ul>
<li>client: fix a broken check for invalid server certificate in go
1.20+ (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/210">#210</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1542b31176"><code>1542b31</code></a>
v0.7.7</li>
<li><a
href="defb9f441d"><code>defb9f4</code></a>
v0.7.7</li>
<li><a
href="a99f07beb3"><code>a99f07b</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/158">#158</a>
from dany74q/danny/redacted-url-in-logs</li>
<li><a
href="8a28c574da"><code>8a28c57</code></a>
Merge branch 'main' into danny/redacted-url-in-logs</li>
<li><a
href="86e852df43"><code>86e852d</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/227">#227</a>
from hashicorp/dependabot/github_actions/actions/chec...</li>
<li><a
href="47fe99e646"><code>47fe99e</code></a>
Bump actions/checkout from 4.1.5 to 4.1.6</li>
<li><a
href="490fc06be0"><code>490fc06</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/226">#226</a>
from testwill/ioutil</li>
<li><a
href="f3e9417dbf"><code>f3e9417</code></a>
chore: remove refs to deprecated io/ioutil</li>
<li><a
href="d969eaa9c9"><code>d969eaa</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/225">#225</a>
from hashicorp/manicminer-patch-2</li>
<li><a
href="2ad8ed4a1d"><code>2ad8ed4</code></a>
v0.7.6</li>
<li>Additional commits viewable in <a
href="https://github.com/hashicorp/go-retryablehttp/compare/v0.7.5...v0.7.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/hashicorp/go-retryablehttp&package-manager=go_modules&previous-version=0.7.5&new-version=0.7.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-06-26 22:19:00 +00:00
dependabot[bot]
b54e813948 chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 (#781) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to
0.23.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c48da13158"><code>c48da13</code></a>
http2: fix TestServerContinuationFlood flakes</li>
<li><a
href="762b58d1cf"><code>762b58d</code></a>
http2: fix tipos in comment</li>
<li><a
href="ba872109ef"><code>ba87210</code></a>
http2: close connections when receiving too many headers</li>
<li><a
href="ebc8168ac8"><code>ebc8168</code></a>
all: fix some typos</li>
<li><a
href="3678185f8a"><code>3678185</code></a>
http2: make TestCanonicalHeaderCacheGrowth faster</li>
<li><a
href="448c44f928"><code>448c44f</code></a>
http2: remove clientTester</li>
<li><a
href="c7877ac421"><code>c7877ac</code></a>
http2: convert the remaining clientTester tests to testClientConn</li>
<li><a
href="d8870b0bf2"><code>d8870b0</code></a>
http2: use synthetic time in TestIdleConnTimeout</li>
<li><a
href="d73acffdc9"><code>d73acff</code></a>
http2: only set up deadline when Server.IdleTimeout is positive</li>
<li><a
href="89f602b7bb"><code>89f602b</code></a>
http2: validate client/outgoing trailers</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.22.0...v0.23.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.22.0&new-version=0.23.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-06-26 18:06:19 -04:00
Ramon Petgrave
18c5f13b3e fix: signoff commit (#767) 
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit

# Testing

- [x] Invoked this PR's branch copy of the workflow against #717, and it
did signoff the commit.
-
9670f76ab8

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 16:45:20 +00:00
Ramon Petgrave
b55bf59ce4 fix: use pr_number as env variable (#771) 
changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks).

Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.

Open issue
https://github.com/actions/runner/issues/1070#issuecomment-2113287699

## Testing

I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36

after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 12:20:16 -04:00
Ian Lewis
87b5bae6d4 chore: Update Renovate config (#769) 
# Summary

Updates renovate config to use the
[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices)
preset rather than the `config:base` preset since `config:base` seems to
be deprecated.

Also updates the `schedule` config to use the
[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly)
preset.

Also adds a pre-submit to run the
[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/)
to ensure that renovate config is valid. This pre-submit will need to be
made required in the repository branch protection rule for `main` in the
repository settings after this PR is merged.

---------

Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
Signed-off-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-16 07:13:09 +09:00
Ian Lewis
138a2348fc chore: fix pr-title-checker (#770) 
Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version
comment.

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2024-05-15 12:10:15 -04:00
Mend Renovate
e7a8f74b9c fix(deps): update dependency @actions/core to v1.10.1 (#717) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core)
([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core))
| [`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/core)</summary>

###
[`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101)

- Fix error message reference in oidc utils
[#&#8203;1511](https://togithub.com/actions/toolkit/pull/1511)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>
 2024-05-07 14:09:48 -04:00
Ramon Petgrave
23160d82c0 feat: workflow to update actions dist (#760) 
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 17:56:35 -04:00
Mend Renovate
9c4e2196d8 chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 (#763) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `1a8ece8` -> `53745e9` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 16:01:16 +00:00
Mend Renovate
f787eeebf7 chore(deps): update golang:1.21 docker digest to d83472f (#764) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `81811f8` -> `d83472f` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-05-06 11:48:47 -04:00
Ramon Petgrave
637b07fdab chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758) 
https://github.com/slsa-framework/slsa-github-generator/issues/3576

Next step in 

https://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier

Creating new test data for slsa-github-generator@v2.0.0

# Instructions:

## diff to download-artifacts.sh

```
diff --git a/download-artifacts.sh b/download-artifacts.sh
old mode 100644
new mode 100755
index e5e218e8..49257ea6
--- a/download-artifacts.sh
+++ b/download-artifacts.sh
@@ -88,6 +88,10 @@ unzip_files() {
         rm -rf "${tmp_dir}"
         ;;
 
+    ./*.zip)
+        unzip -o "${zip_path}" -d "${output_path}"
+        ;;
+
     *)
         echo "unexpected file path: ${zip_path}"
         exit 1
@@ -167,7 +171,7 @@ rename_java_files "test-java-project-" "maven"
 rename_java_files "workflow_dispatch-" "gradle"
 
 # Files downloaded. Now copy them
-repo_path="../.."
+repo_path="/path/to/slsa-verifier"
 
 # Go builder files.
 copy_files "gha_go-binary-linux-amd64-" "${repo_path}/cli/slsa-verifier/testdata/gha_go/${version}"
```

## download the artifacts

```
../slsa-verifier/download-artifacts.sh 8791212155 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219359 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219514 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219607 v2.0.0
```

## docker github auth

```
gh auth login --scopes=read:packages
echo `gh auth token` | docker login ghcr.io -u ramonpetgrave64 --password-stdin
cosign save \
    --dir ./cli/slsa-verifier/testdata/gha_generic_container/v2.0.0/container_workflow_dispatch \
    ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:55aee984fd6b1d0e0a19a55265d10d40063a2212bdbabd75b202b1728236548d
```

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-04-23 12:26:13 -04:00
Mend Renovate
ee32cbff7e chore(deps): update golang:1.21 docker digest to 81811f8 (#693) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `ec457a2` -> `81811f8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuMzAxLjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-04-18 16:46:15 +00:00
Mend Renovate
79d225bb44 fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] (#723) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign)
| `v2.2.0` -> `v2.2.4` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2023-46737](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9)

### Summary
Cosign is susceptible to a denial of service by an attacker controlled
registry. An attacker who controls a remote registry can return a high
number of attestations and/or signatures to Cosign and cause Cosign to
enter a long loop resulting in an endless data attack. The root cause is
that Cosign loops through all attestations fetched from the remote
registry in `pkg/cosign.FetchAttestations`.

The attacker needs to compromise the registry or make a request to a
registry they control. When doing so, the attacker must return a high
number of attestations in the response to Cosign. The result will be
that the attacker can cause Cosign to go into a long or infinite loop
that will prevent other users from verifying their data. In Kyvernos
case, an attacker whose privileges are limited to making requests to the
cluster can make a request with an image reference to their own
registry, trigger the infinite loop and deny other users from completing
their admission requests. Alternatively, the attacker can obtain control
of the registry used by an organization and return a high number of
attestations instead the expected number of attestations.

The vulnerable loop in Cosign starts on line 154 below:

0044432284/pkg/cosign/fetch.go (L135-L196)

The `l` slice is controllable by an attacker who controls the remote
registry.

Many cloud-native projects consider the remote registry to be untrusted,
including Crossplane, Notary and Kyverno. We consider the same to be the
case for Cosign, since users are not in control of whether the registry
returns the expected data.

TUF's security model labels this type of vulnerability an ["Endless data
attack"](https://theupdateframework.io/security/), but an attacker could
use this as a type of rollback attack, in case the user attempts to
deploy a patched version of a vulnerable image; The attacker could
prevent this upgrade by causing Cosign to get stuck in an infinite loop
and never complete.

### Mitigation
The issue can be mitigated rather simply by setting a limit to the limit
of attestations that Cosign will loop through. The limit does not need
to be high to be within the vast majority of use cases and still prevent
the endless data attack.

####
[CVE-2024-29902](https://togithub.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc)

### Summary
A remote image with a malicious attachment can cause denial of service
of the host machine running Cosign. This can impact other services on
the machine that rely on having memory available such as a Redis
database which can result in data loss. It can also impact the
availability of other services on the machine that will not be available
for the duration of the machine denial.

### Details
The root cause of this issue is that Cosign reads the attachment from a
remote image entirely into memory without checking the size of the
attachment first. As such, a large attachment can make Cosign read a
large attachment into memory; If the attachments size is larger than the
machine has memory available, the machine will be denied of service. The
Go runtime will make a `SIGKILL` after a few seconds of system-wide
denial.

The root cause is that Cosign reads the contents of the attachments
entirely into memory on line 238 below:


9bc3ee309b/pkg/oci/remote/remote.go (L228-L239)

...and prior to that, neither Cosign nor go-containerregistry checks the
size of the attachment and enforces a max cap. In the case of a remote
layer of `f *attached`, go-containerregistry will invoke this API:


a0658aa1d0/pkg/v1/remote/layer.go (L36-L40)
```golang
func (rl *remoteLayer) Compressed() (io.ReadCloser, error) {
	// We don't want to log binary layers -- this can break terminals.
	ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
	return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}
```

Notice that the second argument to `rl.fetcher.fetchBlob` is
`verify.SizeUnknown` which results in not using the `io.LimitReader` in
`verify.ReadCloser`:

a0658aa1d0/internal/verify/verify.go (L82-L100)
```golang
func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
	w, err := v1.Hasher(h.Algorithm)
	if err != nil {
		return nil, err
	}
	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
	if size != SizeUnknown {
		r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
	}
	return &and.ReadCloser{
		Reader: &verifyReader{
			inner:    r2,
			hasher:   w,
			expected: h,
			wantSize: size,
		},
		CloseFunc: r.Close,
	}, nil
}
```

### Impact
This issue can allow a supply-chain escalation from a compromised
registry to the Cosign user: If an attacher has compromised a registry
or the account of an image vendor, they can include a malicious
attachment and hurt the image consumer.

### Remediation
Update to the latest version of Cosign, which limits the number of
attachments. An environment variable can override this value.

####
[CVE-2024-29903](https://togithub.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv)

Maliciously-crafted software artifacts can cause denial of service of
the machine running Cosign, thereby impacting all services on the
machine. The root cause is that Cosign creates slices based on the
number of signatures, manifests or attestations in untrusted artifacts.
As such, the untrusted artifact can control the amount of memory that
Cosign allocates.

As an example, these lines demonstrate the problem:


286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)

This `Get()` method gets the manifest of the image, allocates a slice
equal to the length of the layers in the manifest, loops through the
layers and adds a new signature to the slice.

The exact issue is Cosign allocates excessive memory on the lines that
creates a slice of the same length as the manifests.

## Remediation

Update to the latest version of Cosign, where the number of
attestations, signatures and manifests has been limited to a reasonable
value.

## Cosign PoC

In the case of this API (also referenced above):


286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)

… The first line can contain a length that is safe for the system and
will not throw a runtime panic or be blocked by other safety mechanisms.
For the sake of argument, let’s say that the length of `m, err :=
s.Manifest()` is the max allowed (by the machine without throwing OOM
panics) manifests minus 1. When Cosign then allocates a new slice on
this line: `signatures := make([]oci.Signature, 0, len(m.Layers))`,
Cosign will allocate more memory than is available and the machine will
be denied of service, causing Cosign and all other services on the
machine to be unavailable.

To illustrate the issue here, we run a modified version of
`TestSignedImageIndex()` in `pkg/oci/remote`:


14795db164/pkg/oci/remote/index_test.go (L31-L57)

Here, `wantLayers` is the number of manifests from these lines:


286a98a4a9/pkg/oci/remote/signatures.go (L56-L60)

To test this, we want to make `wantLayers` high enough to not cause a
memory on its own but still trigger the machine-wide OOM when a slice
gets create with the same length. On my local machine, it would take
hours to create a slice of layers that fulfils that criteria, so instead
I modify the Cosign production code to reflect a long list of manifests:

```golang
// Get implements oci.Signatures
func (s *sigs) Get() ([]oci.Signature, error) {
        m, err := s.Manifest()
        if err != nil {
                return nil, err
        }
        // Here we imitate a long list of manifests
        ms := make([]byte, 2600000000) // imitate a long list of manifests
        signatures := make([]oci.Signature, 0, len(ms))
        panic("Done")
        //signatures := make([]oci.Signature, 0, len(m.Layers))
        for _, desc := range m.Layers {
```

With this modified code, if we can cause an OOM without triggering the
`panic("Done")`, we have succeeded.

---

### Release Notes

<details>
<summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary>

###
[`v2.2.4`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4)

#### Bug Fixes

- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv
([#&#8203;3661](https://togithub.com/sigstore/cosign/issues/3661))
- ErrNoSignaturesFound should be used when there is no signature
attached to an image.
([#&#8203;3526](https://togithub.com/sigstore/cosign/issues/3526))
- fix semgrep issues for dgryski.semgrep-go ruleset
([#&#8203;3541](https://togithub.com/sigstore/cosign/issues/3541))
- Honor creation timestamp for signatures again
([#&#8203;3549](https://togithub.com/sigstore/cosign/issues/3549))

#### Features

- Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly
([#&#8203;3578](https://togithub.com/sigstore/cosign/issues/3578))

#### Documentation

- add oci bundle spec
([#&#8203;3622](https://togithub.com/sigstore/cosign/issues/3622))
- Correct help text of triangulate cmd
([#&#8203;3551](https://togithub.com/sigstore/cosign/issues/3551))
- Correct help text of verify-attestation policy argument
([#&#8203;3527](https://togithub.com/sigstore/cosign/issues/3527))
- feat: add OVHcloud MPR registry tested with cosign
([#&#8203;3639](https://togithub.com/sigstore/cosign/issues/3639))

#### Testing

- Refactor e2e-tests.yml workflow
([#&#8203;3627](https://togithub.com/sigstore/cosign/issues/3627))
- Clean up and clarify e2e scripts
([#&#8203;3628](https://togithub.com/sigstore/cosign/issues/3628))
- Don't ignore transparency log in tests if possible
([#&#8203;3528](https://togithub.com/sigstore/cosign/issues/3528))
- Make E2E tests hermetic
([#&#8203;3499](https://togithub.com/sigstore/cosign/issues/3499))
- add e2e test for pkcs11 token signing
([#&#8203;3495](https://togithub.com/sigstore/cosign/issues/3495))

###
[`v2.2.3`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v223)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.2...v2.2.3)

#### Bug Fixes

- Fix race condition on verification with multiple signatures attached
to image
([#&#8203;3486](https://togithub.com/sigstore/cosign/issues/3486))
- fix(clean): Fix clean cmd for private registries
([#&#8203;3446](https://togithub.com/sigstore/cosign/issues/3446))
- Fixed BYO PKI verification
([#&#8203;3427](https://togithub.com/sigstore/cosign/issues/3427))

#### Features

- Allow for option in cosign attest and attest-blob to upload
attestation as supported in Rekor
([#&#8203;3466](https://togithub.com/sigstore/cosign/issues/3466))
- Add support for OpenVEX predicate type
([#&#8203;3405](https://togithub.com/sigstore/cosign/issues/3405))

#### Documentation

- Resolves
[#&#8203;3088](https://togithub.com/sigstore/cosign/issues/3088):
`version` sub-command expected behaviour documentation and testing
([#&#8203;3447](https://togithub.com/sigstore/cosign/issues/3447))
- add examples for cosign attach signature cmd
([#&#8203;3468](https://togithub.com/sigstore/cosign/issues/3468))

#### Misc

- Remove CertSubject function
([#&#8203;3467](https://togithub.com/sigstore/cosign/issues/3467))
- Use local rekor and fulcio instances in e2e tests
([#&#8203;3478](https://togithub.com/sigstore/cosign/issues/3478))

#### Contributors

-   aalsabag
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Colleen Murphy
-   Hayden B
-   Mukuls77
-   Omri Bornstein
-   Puerco
-   vivek kumar sahu

###
[`v2.2.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v222)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.1...v2.2.2)

v2.2.2 adds a new container with a shell,
`gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing
container `gcr.io/projectsigstore/cosign:vx.y.z` without a shell.

For private deployments, we have also added an alias for
`--insecure-skip-log`, `--private-infrastructure`.

#### Bug Fixes

- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6
([#&#8203;3411](https://togithub.com/sigstore/cosign/issues/3411)) which
fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk
([#&#8203;3415](https://togithub.com/sigstore/cosign/issues/3415))
- Fix copy without any flag set
([#&#8203;3409](https://togithub.com/sigstore/cosign/issues/3409))
- Update cosign generate cmd to not include newline
([#&#8203;3393](https://togithub.com/sigstore/cosign/issues/3393))
- Fix idempotency error with signing
([#&#8203;3371](https://togithub.com/sigstore/cosign/issues/3371))

#### Features

- Add `--yes` flag `cosign import-key-pair` to skip the overwrite
confirmation.
([#&#8203;3383](https://togithub.com/sigstore/cosign/issues/3383))
- Use the timeout flag value in verify\* commands.
([#&#8203;3391](https://togithub.com/sigstore/cosign/issues/3391))
- add --private-infrastructure flag
([#&#8203;3369](https://togithub.com/sigstore/cosign/issues/3369))

#### Container Updates

- Bump builder image to use go1.21.4 and add new cosign image tags with
shell ([#&#8203;3373](https://togithub.com/sigstore/cosign/issues/3373))

#### Documentation

- Update SBOM_SPEC.md
([#&#8203;3358](https://togithub.com/sigstore/cosign/issues/3358))

#### Contributors

-   Carlos Tadeu Panato Junior
-   Dylan Richardson
-   Hayden B
-   Lily Sturmann
-   Nikos Fotiou
-   Yonghe Zhao

###
[`v2.2.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v221)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.0...v2.2.1)

**Note: This release comes with a fix for CVE-2023-46737 described in
this [Github Security
Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Please upgrade to this release ASAP**

#### Enhancements

- feat: Support basic auth and bearer auth login to registry
([#&#8203;3310](https://togithub.com/sigstore/cosign/issues/3310))
- add support for ignoring certificates with pkcs11
([#&#8203;3334](https://togithub.com/sigstore/cosign/issues/3334))
- Support ReplaceOp in Signatures
([#&#8203;3315](https://togithub.com/sigstore/cosign/issues/3315))
- feat: added ability to get image digest back via triangulate
([#&#8203;3255](https://togithub.com/sigstore/cosign/issues/3255))
- feat: add `--only` flag in `cosign copy` to copy sign, att & sbom
([#&#8203;3247](https://togithub.com/sigstore/cosign/issues/3247))
- feat: add support attaching a Rekor bundle to a container
([#&#8203;3246](https://togithub.com/sigstore/cosign/issues/3246))
- feat: add support outputting rekor response on signing
([#&#8203;3248](https://togithub.com/sigstore/cosign/issues/3248))
- feat: improve dockerfile verify subcommand
([#&#8203;3264](https://togithub.com/sigstore/cosign/issues/3264))
- Add guard flag for experimental OCI 1.1 verify.
([#&#8203;3272](https://togithub.com/sigstore/cosign/issues/3272))
- Deprecate SBOM attachments
([#&#8203;3256](https://togithub.com/sigstore/cosign/issues/3256))
- feat: dedent line in cosign copy doc
([#&#8203;3244](https://togithub.com/sigstore/cosign/issues/3244))
- feat: add platform flag to cosign copy command
([#&#8203;3234](https://togithub.com/sigstore/cosign/issues/3234))
- Add SLSA 1.0 attestation support to cosign. Closes
[#&#8203;2860](https://togithub.com/sigstore/cosign/issues/2860)
([#&#8203;3219](https://togithub.com/sigstore/cosign/issues/3219))
- attest: pass OCI remote opts to att resolver.
([#&#8203;3225](https://togithub.com/sigstore/cosign/issues/3225))

#### Bug Fixes

-   Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent
([#&#8203;3245](https://togithub.com/sigstore/cosign/issues/3245))
- ci: add a OCI registry test for referrers support
([#&#8203;3253](https://togithub.com/sigstore/cosign/issues/3253))
- Fix ReplaceSignatures
([#&#8203;3292](https://togithub.com/sigstore/cosign/issues/3292))
- Stop using deprecated in_toto.ProvenanceStatement
([#&#8203;3243](https://togithub.com/sigstore/cosign/issues/3243))
- Fixes
[#&#8203;3236](https://togithub.com/sigstore/cosign/issues/3236),
disable SCT checking for a cosign verification when usin…
([#&#8203;3237](https://togithub.com/sigstore/cosign/issues/3237))
- fix: update error in `SignedEntity` to be more descriptive
([#&#8203;3233](https://togithub.com/sigstore/cosign/issues/3233))
- Fail timestamp verification if no root is provided
([#&#8203;3224](https://togithub.com/sigstore/cosign/issues/3224))

#### Documentation

- Add some docs about verifying in an air-gapped environment
([#&#8203;3321](https://togithub.com/sigstore/cosign/issues/3321))
- Update CONTRIBUTING.md
([#&#8203;3268](https://togithub.com/sigstore/cosign/issues/3268))
- docs: improves the Contribution guidelines
([#&#8203;3257](https://togithub.com/sigstore/cosign/issues/3257))
- Remove security policy
([#&#8203;3230](https://togithub.com/sigstore/cosign/issues/3230))

#### Others

- Set go to min 1.21 and update dependencies
([#&#8203;3327](https://togithub.com/sigstore/cosign/issues/3327))
- Update contact for code of conduct
([#&#8203;3266](https://togithub.com/sigstore/cosign/issues/3266))
- Update .ko.yaml
([#&#8203;3240](https://togithub.com/sigstore/cosign/issues/3240))

#### Contributors

-   AdamKorcz
-   Andres Galante
-   Appu
-   Billy Lynch
-   Bob Callaway
-   Caleb Woodbine
-   Carlos Tadeu Panato Junior
-   Dylan Richardson
-   Gareth Healy
-   Hayden B
-   John Kjell
-   Jon Johnson
-   jonvnadelberg
-   Luiz Carvalho
-   Priya Wadhwa
-   Ramkumar Chinchani
-   Tosone
-   Ville Aikas
-   Vishal Choudhary
-   ziel

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [x] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-18 12:33:11 -04:00
Ramon Petgrave
8c9ed07f8f feat: fixes #547: add npm sigstore-tuf suport (#731) 
Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547
 - [x] Pending: https://github.com/sigstore/sigstore-go/pull/41
Uses the new
[sigstore-go@0.2.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.2.0)

Currently slsa-verifier has npmjs' attestation key hardcoded. But
sigstore now stores the same key within their own TUF root.

This PR 
- dynamically use the keyid specified in the sigstore bundle, rather
than the hardcoded keyid.
- uses an updated ([pending](
https://github.com/sigstore/sigstore-go/pull/41)) sigstore-go library
that allows us to fetch a signed and verified copy of the same key.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-04-16 17:21:49 +00:00
Mend Renovate
2a07cd6e3a fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 (#752) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools)
| `3.9.0` -> `3.11.0` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-04-03 00:55:07 +00:00
Ramon Petgrave
bcc39bf21a chore(deps): update npm dev (major) (#753) 
Redo of https://github.com/slsa-framework/slsa-verifier/pull/654

- Fix dev-dependencies related to es-lint that the renovate-bot couldn't
auto-fix

- a few commas automatically added by the new linter

- use node20 for tests to avoid caompatibility warnings

```
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@typescript-eslint/parser@7.5.0',
npm WARN EBADENGINE   required: { node: '^18.18.0 || >=20.0.0' },
npm WARN EBADENGINE   current: { node: 'v16.20.2', npm: '8.19.4' }
npm WARN EBADENGINE }
```

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Co-authored-by: Mend Renovate <bot@renovateapp.com>
 2024-04-02 17:44:08 -07:00