slsa-verifier

mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-09 01:56:52 +00:00

Author	SHA1	Message	Date
laurentsimon	4d0ebdcbee	docs: Add example for maven verification plugin (#676 ) closes https://github.com/slsa-framework/slsa-verifier/issues/675 --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-08-02 11:55:09 +09:00
Ian Lewis	e7fc7a4621	feat: Verification for when sha1 is specified in BYOB TRW (#641 ) Fixes #600 --------- Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-07-25 11:29:15 +09:00
laurentsimon	66ae6bcdf6	docs: Fix maven-plugin README (#671 ) Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-07-25 00:56:29 +00:00
AdamKorcz	1d65178d65	move maven-plugin from slsa-github-generator (#664 ) Adds the maven plugin from https://github.com/slsa-framework/slsa-github-generator/pull/2439 Signed-off-by: AdamKorcz <adam@adalogics.com>	2023-07-21 22:40:01 +00:00
Mend Renovate	59f6ba3e00	chore(deps): update github-actions (#651 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| minor \| `v3.6.0` -> `v3.7.0` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.3.6` -> `v2.20.4` \| \| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) \| action \| minor \| `v2.1.3` -> `v2.2.0` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0) ##### What's Changed In scope of this release we added a logic to save an additional cache path for yarn 3 ([related pull request](https://togithub.com/actions/setup-node/pull/744) and [feature request](https://togithub.com/actions/setup-node/issues/325)). Moreover, we added functionality to use all the sub directories derived from `cache-dependency-path` input and add detect all dependencies directories to cache (related [pull request](https://togithub.com/actions/setup-node/pull/735) and [feature request](https://togithub.com/actions/setup-node/issues/488)). ##### Besides, we made such changes as: - Replace workflow badge with new badge by [@jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - Fix a minor typo by [@phanan](https://togithub.com/phanan) in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - docs: fix typo in advanced-usage.md by [@remarkablemark](https://togithub.com/remarkablemark) in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by [@domdomegg](https://togithub.com/domdomegg) in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - Update to node 18.x by [@feelepxyz](https://togithub.com/feelepxyz) in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - Remove implicit dependencies by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - Fix description about ensuring workflow access to private package by [@x86chi](https://togithub.com/x86chi) in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) ##### New Contributors - [@jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - [@phanan](https://togithub.com/phanan) made their first contribution in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - [@remarkablemark](https://togithub.com/remarkablemark) made their first contribution in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - [@domdomegg](https://togithub.com/domdomegg) made their first contribution in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - [@feelepxyz](https://togithub.com/feelepxyz) made their first contribution in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) made their first contribution in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - [@x86chi](https://togithub.com/x86chi) made their first contribution in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.7.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.20.4`](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) ### [`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) ### [`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) ### [`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) ### [`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192) #### Scorecard Result Viewer Thanks to contributions from [@cynthia-sg](https://togithub.com/cynthia-sg) and [@tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406) - [https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422) As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](`08b4669551/README.md (scorecard-badge)`) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](`08b4669551/README.md (workflow-restrictions)`) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156), resolved [https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150)) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191)) #### Docs - 📖 Update README to accept fine-grained tokens by [@pnacht](https://togithub.com/pnacht) in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) - 📖 Update installation instructions to match current GitHub UI by [@joycebrum](https://togithub.com/joycebrum) in [https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153) - 📖 Document the GitHub action workflow restrictions when publishing results. by [@spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140) - [@pnacht](https://togithub.com/pnacht) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0 </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2023-07-18 10:51:23 +09:00
laurentsimon	c6d12b745c	feat: Use tags `vX.Y.Z-<language>` for JReleaser builders (#644 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-07-10 16:42:48 +00:00
Ian Lewis	1778495466	refactor: Use full builder id (#648 ) Internally use full builder IDs including server url rather than worflow ref as a path. This should hopefully avoid confusion between dealing with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include the domain/server url part of the workflow/builder ID. The Fulcio OID claims include the full url. Code extracted from #641 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-07-10 06:23:48 +00:00
Ian Lewis	965f5784c1	refactor: Add more git utils (#645 ) Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and `ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref type whereas `ValidateGitRef` validates that the type is of a given type. Code extracted from #641 Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-07-01 09:03:52 +09:00
Ian Lewis	e2b1828894	fix: pre-submit: e2e-cli.sh artifact download (#646 ) Updates #647 Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-29 10:05:12 -07:00
Ian Lewis	90f4f23e1e	test: Add more ProvenanceFromEnvelope tests (#640 ) Fixes #573 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-26 02:03:34 +00:00
Ian Lewis	f025c630ac	refactor: Use Go 1.20 (#643 ) Fixes #589 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-26 10:49:52 +09:00
Ian Lewis	d2dc8193ae	feat: Verify provenance by build type (#632 ) Fixes #473 Updates handling of provenance by providing implementations based on [buildType](https://slsa.dev/provenance/v1#buildType) since this determines how to interpret parameters and dependencies. This is done because we need a way to interpret parameters not just based on the predicateType. The 3 major build types with format differences are: - non-BYOB SLSA v0.2 - BYOB SLSA v0.2 - BYOB SLSA v1.0 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-16 09:54:20 +09:00
Mend Renovate	7aa6533540	chore(deps): update golang:1.19 docker digest to 83f9f84 (#583 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 05:06:28 +00:00
Mend Renovate	658d91aa82	chore(deps): update npm dev (#608 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 13:47:38 +09:00
Mend Renovate	dab7d387fa	fix(deps): update github.com/sigstore/protobuf-specs digest to 5ef5406 (#606 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 01:33:18 +00:00
Mend Renovate	b69ed475aa	chore(deps): update gcr.io/distroless/base:nonroot docker digest to c623859 (#567 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 01:00:06 +00:00
Mend Renovate	3ee6cee147	chore(deps): update github-actions (#607 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 09:44:31 +09:00
asraa	3a772f79ec	test: add tests for v1.7.0 builders (#638 ) * test: add tests for v1.7.0 builders Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-06-08 21:14:28 +00:00
Ian Lewis	c39b10c4c9	fix: allow workflow_dispatch to trigger release.yml (#637 ) Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-08 22:49:25 +09:00
asraa	733cecb300	chore: update toc in README.md (#636 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-06-07 09:15:51 -05:00
asraa	aac022747e	feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format (#634 ) * feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format Signed-off-by: Asra Ali <asraa@google.com> * docs: update verifier README.md for docker-based builder Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-06-06 22:07:20 +00:00
Ian Lewis	8faf24c6dc	fix: builder ID verification for testing (#635 ) Fix builder ID verification for testing Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-06 08:32:20 -05:00
laurentsimon	7b942b8666	fix: only allow hashes of 256 bits or more (#633 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-06-05 08:32:53 +09:00
Mend Renovate	5ca5eb0120	fix(deps): update module github.com/sigstore/rekor to v1.2.0 [security] (#622 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-02 09:10:53 -05:00
Ian Lewis	9bfbc91c5b	refactor: Provenance tests (#628 ) Refactors GHA provenance tests to use `testProvenance` which makes it clearer what is actually being tested. This will also make it easier to support `buildType` as a way to have different verification logic as the tests no longer rely on testdata with the `"https://github.com/Attestations/GitHubActionsWorkflow@v1"` build type, which isn't used by any supported builders. A couple of updates to utilities: - `VerifyTag` will now validate the ref returned by the `Provenance` instance. - `VerifyBranch` will now validate the ref returned by the `Provenance` instance. - `VerifyDigest` now supports the 160 bit `"sha1"` algo (FWIW) and will now search all subject entries even if one subject entry's algorithm does not match the expected algorithm. --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-02 13:34:56 +09:00
asraa	8fe8ee9f3f	fix: revert to using resolvedDepdendencies for source verification (#629 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-06-01 20:15:22 +00:00
asraa	70d23d4f26	test: re-generate container-based tests (#627 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-05-30 14:38:47 -05:00
asraa	db0560e328	fix: use ExternalParameters["source"] for the Source URI for SLSA v1.0 provenance (#621 ) * feat: add support for checking a source annotation when there are multiple resolveddependencies Signed-off-by: Asra Ali <asraa@google.com> * revert to using external parameters source key Signed-off-by: Asra Ali <asraa@google.com> * unused file Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-05-27 02:28:44 +00:00
Ian Lewis	7e2c7ae288	chore: Don't be verbose with tests locally (#620 ) It can sometimes be unwieldy when running tests with the verbose flag. This changes the Makefile to run tests without the flag by default but with the flag set on GitHub Actions. Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-05-26 05:39:52 +00:00
laurentsimon	93d3f8c06c	fix: Verify the TRW tag is a semver tag (#619 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * Update verifiers/utils/builder.go Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-05-26 01:15:32 +00:00
Ian Lewis	de79463752	test: Add test data for v1.6.0 (#612 ) --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-05-25 23:40:28 +00:00
laurentsimon	fba178ea9c	feat: Use env variable to retrieve trigger workflow (#615 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-25 14:32:48 -07:00
laurentsimon	ba32c706ac	feat: Support for v1.0 verification in BYOB (#609 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-23 07:31:13 -07:00
laurentsimon	bda35e0238	feat: BYOB verification support (#604 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-23 01:41:17 +00:00
Mend Renovate	a86957c6a5	chore(deps): update dependency jasmine to v5 (#598 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-15 04:14:31 +00:00
Mend Renovate	52a48d18af	chore(deps): update github-actions (#597 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-15 04:05:12 +00:00
Mend Renovate	ab4b6b4cc7	chore(deps): update dependency @types/node to v18.16.9 (#596 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-15 03:55:18 +00:00
laurentsimon	1ac77fa5dc	docs: npm provenance verification from GitHub runner (#595 ) Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-05-12 03:13:22 +00:00
laurentsimon	18ee30fca6	docs: Make npm package version and name non-optional (#591 ) update Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-12 02:16:46 +00:00
Ian Lewis	f59b55ef21	chore: Update SHA256SUM.md for v2.3.0 (#592 ) Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-05-12 08:23:56 +09:00
Mend Renovate	c9abffe4d2	chore(deps): update npm dev (#586 ) Signed-off-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Ian Lewis <ianlewis@google.com> v2.3.0 v2.3.0-rc.3	2023-05-10 00:48:36 +00:00
Ian Lewis	95e6555274	docs: Add docs for npm package verification (#587 ) Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-05-10 00:33:29 +00:00
laurentsimon	3a4e992444	feat: verify claims in provenance match the certificate (#572 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-09 23:52:36 +00:00
Mend Renovate	8da58c6c6d	chore(deps): update github/codeql-action action to v2.3.3 (#585 ) Signed-off-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: asraa <asraa@google.com> v2.3.0-rc.2	2023-05-08 16:30:17 +00:00
Mend Renovate	9b6ec903b9	fix(deps): update github.com/sigstore/protobuf-specs digest to 91485b4 (#584 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-09 00:32:22 +09:00
asraa	467e0820b6	chore: update slsa provenance to v1 (#579 ) * chore: update slsa provenance to v1 Signed-off-by: Asra Ali <asraa@google.com> * fix import path Signed-off-by: Asra Ali <asraa@google.com> * update dsse testcases Signed-off-by: Asra Ali <asraa@google.com> * fix cosign image verification in update Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-05-08 15:18:16 +00:00
sunnyyip	030c40080b	docs(gh-action): update actions installer path (#581 ) Signed-off-by: Sunny Yip <sunny@kusari.dev>	2023-05-03 09:20:04 -07:00
Ian Lewis	88cd40e2ee	feat: Use low-perms delegator for Node.js builder (#577 ) Signed-off-by: Ian Lewis <ianlewis@google.com> v2.3.0-rc.1	2023-05-01 16:27:58 +09:00
Mend Renovate	5c0baa4f3e	chore(deps): update npm dev (#568 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-01 11:03:55 +09:00
laurentsimon	d67e7c1da7	feat: npm: Make package name and version mandatory for verification (#576 ) Signed-off-by: laurentsimon <laurentsimon@google.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-05-01 01:48:41 +00:00

1 2 3 4 5 ...

357 Commits