468 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Mend Renovate	90efbaaeb1	chore(deps): update golang:1.23 docker digest to 51a6466 (#822) ... This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang | stage | digest | `574185e` -> `51a6466` | --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->	2025-01-21 20:13:59 +00:00
Mend Renovate	2d6982fb07	fix(deps): update go (#825) ... This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/google/go-containerregistry](https://redirect.github.com/google/go-containerregistry) | `v0.20.2` -> `v0.20.3` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/secure-systems-lab/go-securesystemslib](https://redirect.github.com/secure-systems-lab/go-securesystemslib) | `v0.8.0` -> `v0.9.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/sigstore/cosign/v2](https://redirect.github.com/sigstore/cosign) | `v2.2.4` -> `v2.4.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/sigstore/fulcio](https://redirect.github.com/sigstore/fulcio) | `v1.4.5` -> `v1.6.5` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/sigstore/protobuf-specs](https://redirect.github.com/sigstore/protobuf-specs) | `v0.3.2` -> `v0.3.3` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/sigstore/rekor](https://redirect.github.com/sigstore/rekor) | `v1.3.6` -> `v1.3.8` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/sigstore/sigstore](https://redirect.github.com/sigstore/sigstore) | `v1.8.9` -> `v1.8.12` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [github.com/slsa-framework/slsa-github-generator](https://redirect.github.com/slsa-framework/slsa-github-generator) | `v1.9.0` -> `v1.10.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | golang.org/x/mod | `v0.21.0` -> `v0.22.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [google.golang.org/protobuf](https://redirect.github.com/protocolbuffers/protobuf-go) | `v1.34.2` -> `v1.36.3` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [sigs.k8s.io/release-utils](https://redirect.github.com/kubernetes-sigs/release-utils) | `v0.8.4` -> `v0.9.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>google/go-containerregistry (github.com/google/go-containerregistry)</summary> ### [`v0.20.3`](https://redirect.github.com/google/go-containerregistry/releases/tag/v0.20.3) [Compare Source](https://redirect.github.com/google/go-containerregistry/compare/v0.20.2...v0.20.3) #### What's Changed - remote/transport: Make bearer transport go-routine-safe by [@&#8203;2opremio](https://redirect.github.com/2opremio) in [https://github.com/google/go-containerregistry/pull/1806](https://redirect.github.com/google/go-containerregistry/pull/1806) - Expose compare package by [@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in [https://github.com/google/go-containerregistry/pull/2001](https://redirect.github.com/google/go-containerregistry/pull/2001) - fix: redact.URL uses (\*URL).Redacted to omit basic-auth password by [@&#8203;bmoylan](https://redirect.github.com/bmoylan) in [https://github.com/google/go-containerregistry/pull/1947](https://redirect.github.com/google/go-containerregistry/pull/1947) - bump actions to latest by [@&#8203;ajayk](https://redirect.github.com/ajayk) in [https://github.com/google/go-containerregistry/pull/2011](https://redirect.github.com/google/go-containerregistry/pull/2011) - don't pin chainguard-dev/actions by [@&#8203;imjasonh](https://redirect.github.com/imjasonh) in [https://github.com/google/go-containerregistry/pull/2025](https://redirect.github.com/google/go-containerregistry/pull/2025) - Check for 406 status code when handling referrers API endpoint response by [@&#8203;malancas](https://redirect.github.com/malancas) in [https://github.com/google/go-containerregistry/pull/2026](https://redirect.github.com/google/go-containerregistry/pull/2026) - mutate: Create a defensive annotations copy by [@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in [https://github.com/google/go-containerregistry/pull/2030](https://redirect.github.com/google/go-containerregistry/pull/2030) - Detect zstd in crane append by [@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in [https://github.com/google/go-containerregistry/pull/2023](https://redirect.github.com/google/go-containerregistry/pull/2023) - bump deps using hack/bump-deps.sh by [@&#8203;imjasonh](https://redirect.github.com/imjasonh) in [https://github.com/google/go-containerregistry/pull/2042](https://redirect.github.com/google/go-containerregistry/pull/2042) #### New Contributors - [@&#8203;bmoylan](https://redirect.github.com/bmoylan) made their first contribution in [https://github.com/google/go-containerregistry/pull/1947](https://redirect.github.com/google/go-containerregistry/pull/1947) - [@&#8203;ajayk](https://redirect.github.com/ajayk) made their first contribution in [https://github.com/google/go-containerregistry/pull/2011](https://redirect.github.com/google/go-containerregistry/pull/2011) - [@&#8203;malancas](https://redirect.github.com/malancas) made their first contribution in [https://github.com/google/go-containerregistry/pull/2026](https://redirect.github.com/google/go-containerregistry/pull/2026) **Full Changelog**: https://github.com/google/go-containerregistry/compare/v0.20.2...v0.20.3 </details> <details> <summary>secure-systems-lab/go-securesystemslib (github.com/secure-systems-lab/go-securesystemslib)</summary> ### [`v0.9.0`](https://redirect.github.com/secure-systems-lab/go-securesystemslib/compare/v0.8.0...v0.9.0) [Compare Source](https://redirect.github.com/secure-systems-lab/go-securesystemslib/compare/v0.8.0...v0.9.0) </details> <details> <summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary> ### [`v2.4.1`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v241) [Compare Source](https://redirect.github.com/sigstore/cosign/compare/v2.4.0...v2.4.1) v2.4.1 largely contains bug fixes and updates dependencies. #### Features - Added fuzzing coverage to multiple packages #### Bug Fixes - Fix bug in attest-blob when using a timestamp authority with new bundles ([#&#8203;3877](https://redirect.github.com/sigstore/cosign/issues/3877)) - fix: documentation link for installation guide ([#&#8203;3884](https://redirect.github.com/sigstore/cosign/issues/3884)) #### Contributors - AdamKorcz - Bob Callaway - Carlos Tadeu Panato Junior - Hayden B - Hemil K - Sota Sugiura - Zach Steindler ### [`v2.4.0`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v240) [Compare Source](https://redirect.github.com/sigstore/cosign/compare/v2.3.0...v2.4.0) v2.4.0 begins the modernization of the Cosign client, which includes: - Support for the newer Sigstore specification-compliant bundle format - Support for providing trust roots (e.g. Fulcio certificates, Rekor keys) through a trust root file, instead of many different flags - Conformance test suite integration to verify signing and verification behavior In future updates, we'll include: - General support for the trust root file, instead of only when using the bundle format during verification - Simplification of trust root flags and deprecation of the Cosign-specific bundle format - Bundle support with container signing We have also moved nightly Cosign container builds to GHCR instead of GCR. #### Features - Add new bundle support to `verify-blob` and `verify-blob-attestation` ([#&#8203;3796](https://redirect.github.com/sigstore/cosign/issues/3796)) - Adding protobuf bundle support to sign-blob and attest-blob ([#&#8203;3752](https://redirect.github.com/sigstore/cosign/issues/3752)) - Bump sigstore/sigstore to support `email_verified` as string or boolean ([#&#8203;3819](https://redirect.github.com/sigstore/cosign/issues/3819)) - Conformance testing for cosign ([#&#8203;3806](https://redirect.github.com/sigstore/cosign/issues/3806)) - move incremental builds per commit to GHCR instead of GCR ([#&#8203;3808](https://redirect.github.com/sigstore/cosign/issues/3808)) - Add support for recording creation timestamp for cosign attest ([#&#8203;3797](https://redirect.github.com/sigstore/cosign/issues/3797)) - Include SCT verification failure details in error message ([#&#8203;3799](https://redirect.github.com/sigstore/cosign/issues/3799)) #### Contributors - Bob Callaway - Hayden B - Slavek Kabrda - Zach Steindler - Zsolt Horvath ### [`v2.3.0`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v230) [Compare Source](https://redirect.github.com/sigstore/cosign/compare/v2.2.4...v2.3.0) #### Features - Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface ([#&#8203;3693](https://redirect.github.com/sigstore/cosign/issues/3693)) - add registry options to cosign save ([#&#8203;3645](https://redirect.github.com/sigstore/cosign/issues/3645)) - Add debug providers command. ([#&#8203;3728](https://redirect.github.com/sigstore/cosign/issues/3728)) - Make config layers in ociremote mountable ([#&#8203;3741](https://redirect.github.com/sigstore/cosign/issues/3741)) - upgrade to go1.22 ([#&#8203;3739](https://redirect.github.com/sigstore/cosign/issues/3739)) - adds tsa cert chain check for env var or tuf targets. ([#&#8203;3600](https://redirect.github.com/sigstore/cosign/issues/3600)) - add --ca-roots and --ca-intermediates flags to 'cosign verify' ([#&#8203;3464](https://redirect.github.com/sigstore/cosign/issues/3464)) - add handling of keyless verification for all verify commands ([#&#8203;3761](https://redirect.github.com/sigstore/cosign/issues/3761)) #### Bug Fixes - fix: close attestationFile ([#&#8203;3679](https://redirect.github.com/sigstore/cosign/issues/3679)) - Set `bundleVerified` to true after Rekor verification (Resolves [#&#8203;3740](https://redirect.github.com/sigstore/cosign/issues/3740)) ([#&#8203;3745](https://redirect.github.com/sigstore/cosign/issues/3745)) #### Documentation - Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign ([#&#8203;3776](https://redirect.github.com/sigstore/cosign/issues/3776)) #### Testing - Refactor KMS E2E tests ([#&#8203;3684](https://redirect.github.com/sigstore/cosign/issues/3684)) - Remove sign_blob_test.sh test ([#&#8203;3707](https://redirect.github.com/sigstore/cosign/issues/3707)) - Remove KMS E2E test script ([#&#8203;3702](https://redirect.github.com/sigstore/cosign/issues/3702)) - Refactor insecure registry E2E tests ([#&#8203;3701](https://redirect.github.com/sigstore/cosign/issues/3701)) #### Contributors - Billy Lynch - bminahan73 - Bob Callaway - Carlos Tadeu Panato Junior - Cody Soyland - Colleen Murphy - Dmitry Savintsev - guangwu - Hayden B - Hector Fernandez - ian hundere - Jason Power - Jon Johnson - Max Lambrecht - Meeki1l </details> <details> <summary>sigstore/fulcio (github.com/sigstore/fulcio)</summary> ### [`v1.6.5`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v165) [Compare Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.4...v1.6.5) #### Features - use go1.23.2 ([#&#8203;1834](https://redirect.github.com/sigstore/fulcio/issues/1834)) - fallback to json default cfg path if yaml does not exist ([#&#8203;1810](https://redirect.github.com/sigstore/fulcio/issues/1810)) - Include IDP type and subject domain in configuration API response ([#&#8203;1824](https://redirect.github.com/sigstore/fulcio/issues/1824)) #### Documentation - Update OIDC claim mapping table to reflect the current state ([#&#8203;1801](https://redirect.github.com/sigstore/fulcio/issues/1801)) #### Contributors - Aditya Sirish - Bob Callaway - Carlos Tadeu Panato Junior - Hayden B - Nina - Richard Fan ### [`v1.6.4`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v164) [Compare Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.3...v1.6.4) #### Features - use go1.22.6 to build fulcio ([#&#8203;1793](https://redirect.github.com/sigstore/fulcio/issues/1793)) #### Bugs - Revert "If custom server url exists, use that instead of the default one." ([#&#8203;1791](https://redirect.github.com/sigstore/fulcio/issues/1791)) #### Contributors - Carlos Tadeu Panato Junior - Fredrik Skogman ### [`v1.6.3`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v163) [Compare Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.2...v1.6.3) #### Features - If custom server url exists, use that instead of the default one. ([#&#8203;1776](https://redirect.github.com/sigstore/fulcio/issues/1776)) #### Contributors - Fredrik Skogman - Javan Lacerda ### [`v1.6.2`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v162) [Compare Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.1...v1.6.2) #### Bug Fixes - fix: adding ci provider for meta-issuers ([#&#8203;1767](https://redirect.github.com/sigstore/fulcio/issues/1767)) #### Contributors - Javan Lacerda ### [`v1.6.1`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v161) [Compare Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.0...v1.6.1) #### Bug Fixes - fix: removing surplus slash, making logs richer ([#&#8203;1762](https://redirect.github.com/sigstore/fulcio/issues/1762)) #### Contributors - Javan Lacerda ### [`v1.6.0`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v160) [Compare Source](https://redirect.github.com/sigstore/fulcio/compare/v1.5.1...v1.6.0) v1.6.0 adds support for onboarding CI identity providers via configuration rather than code changes, which should greatly simplify the onboarding process. #### Features - CiProvider as a new OIDCIssuer type ([#&#8203;1729](https://redirect.github.com/sigstore/fulcio/issues/1729)) - Add TLS support for CTLog ([#&#8203;1718](https://redirect.github.com/sigstore/fulcio/issues/1718)) - Added support for email_verified being a string or bool ([#&#8203;1744](https://redirect.github.com/sigstore/fulcio/issues/1744)) #### Documentation - Update IDP requirements ([#&#8203;1742](https://redirect.github.com/sigstore/fulcio/issues/1742)) #### Public Good Instance Configuration - Move codefresh and buildkite to ci-provider identity ([#&#8203;1743](https://redirect.github.com/sigstore/fulcio/issues/1743)) - Move gitlab to ci-provider ([#&#8203;1740](https://redirect.github.com/sigstore/fulcio/issues/1740)) - Migrate github to ci provider flow ([#&#8203;1738](https://redirect.github.com/sigstore/fulcio/issues/1738)) - add Hellō provider ([#&#8203;1739](https://redirect.github.com/sigstore/fulcio/issues/1739)) - Move configuration to yaml format ([#&#8203;1720](https://redirect.github.com/sigstore/fulcio/issues/1720)) - Removes identity providers federation ([#&#8203;1736](https://redirect.github.com/sigstore/fulcio/issues/1736)) #### Contributors - Andrew Block - cpanato - Dick Hardt - Firas Ghanmi - Hayden B - Javan Lacerda - Matt Moore ### [`v1.5.1`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v151) [Compare Source](https://redirect.github.com/sigstore/fulcio/compare/v1.5.0...v1.5.1) #### Bug Fixes - Surface the right `Name()` from our principal. ([#&#8203;1726](https://redirect.github.com/sigstore/fulcio/issues/1726)) #### Contributors - Matt Moore ### [`v1.5.0`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v150) [Compare Source](https://redirect.github.com/sigstore/fulcio/compare/v1.4.5...v1.5.0) #### Features - Add Chainguard OIDC provider. ([#&#8203;1703](https://redirect.github.com/sigstore/fulcio/issues/1703)) - Adding support for configuration from yaml file ([#&#8203;1687](https://redirect.github.com/sigstore/fulcio/issues/1687)) - Upgrade go to 1.22 ([#&#8203;1625](https://redirect.github.com/sigstore/fulcio/issues/1625)) #### Documentation - oid-info: fix table render ([#&#8203;1662](https://redirect.github.com/sigstore/fulcio/issues/1662)) - docs: Fix extensions for digest values requiring a type prefix ([#&#8203;1661](https://redirect.github.com/sigstore/fulcio/issues/1661)) #### Contributors - Bob Callaway - Carlos Tadeu Panato Junior - Facundo Tuesca - Javan Lacerda - Matt Moore - Tomas Turek - William Woodruff </details> <details> <summary>sigstore/protobuf-specs (github.com/sigstore/protobuf-specs)</summary> ### [`v0.3.3`](https://redirect.github.com/sigstore/protobuf-specs/compare/v0.3.2...v0.3.3) [Compare Source](https://redirect.github.com/sigstore/protobuf-specs/compare/v0.3.2...v0.3.3) </details> <details> <summary>sigstore/rekor (github.com/sigstore/rekor)</summary> ### [`v1.3.8`](https://redirect.github.com/sigstore/rekor/blob/HEAD/CHANGELOG.md#v138) [Compare Source](https://redirect.github.com/sigstore/rekor/compare/v1.3.7...v1.3.8) #### Bug Fixes - fix zizmor issues ([#&#8203;2298](https://redirect.github.com/sigstore/rekor/issues/2298)) - remove unneeded value in log message ([#&#8203;2282](https://redirect.github.com/sigstore/rekor/issues/2282)) #### Quality Enhancements - chore: relax go directive to permit 1.22.x - fetch minisign from homebrew instead of custom ppa ([#&#8203;2329](https://redirect.github.com/sigstore/rekor/issues/2329)) - fix(ci): simplify GOVERSION extraction - chore(deps): bump actions pins to latest - Updates go and golangci-lint ([#&#8203;2302](https://redirect.github.com/sigstore/rekor/issues/2302)) - update builder to use go1.23.4 ([#&#8203;2301](https://redirect.github.com/sigstore/rekor/issues/2301)) - clean up spaces - log request body on 500 error to aid debugging ([#&#8203;2283](https://redirect.github.com/sigstore/rekor/issues/2283)) #### Contributors - Appu Goundan - Bob Callaway - Carlos Tadeu Panato Junior - Dominic Evans - sgpinkus ### [`v1.3.7`](https://redirect.github.com/sigstore/rekor/blob/HEAD/CHANGELOG.md#v137) [Compare Source](https://redirect.github.com/sigstore/rekor/compare/v1.3.6...v1.3.7) #### New Features - log request body on 500 error to aid debugging ([#&#8203;2283](https://redirect.github.com/sigstore/rekor/issues/2283)) - Add support for signing with Tink keyset ([#&#8203;2228](https://redirect.github.com/sigstore/rekor/issues/2228)) - Add public key hash check in Signed Note verification ([#&#8203;2214](https://redirect.github.com/sigstore/rekor/issues/2214)) - update Trillian TLS configuration ([#&#8203;2202](https://redirect.github.com/sigstore/rekor/issues/2202)) - Add TLS support for Trillian server ([#&#8203;2164](https://redirect.github.com/sigstore/rekor/issues/2164)) - Replace docker-compose with plugin if available ([#&#8203;2153](https://redirect.github.com/sigstore/rekor/issues/2153)) - Add flags to backfill script ([#&#8203;2146](https://redirect.github.com/sigstore/rekor/issues/2146)) - Unset DisableKeepalive for backfill HTTP client ([#&#8203;2137](https://redirect.github.com/sigstore/rekor/issues/2137)) - Add script to delete indexes from Redis ([#&#8203;2120](https://redirect.github.com/sigstore/rekor/issues/2120)) - Run CREATE statement in backfill script ([#&#8203;2109](https://redirect.github.com/sigstore/rekor/issues/2109)) - Add MySQL support to backfill script ([#&#8203;2081](https://redirect.github.com/sigstore/rekor/issues/2081)) - Run e2e tests on mysql and redis index backends ([#&#8203;2079](https://redirect.github.com/sigstore/rekor/issues/2079)) #### Bug Fixes - remove unneeded value in log message ([#&#8203;2282](https://redirect.github.com/sigstore/rekor/issues/2282)) - Add error message when computing consistency proof ([#&#8203;2278](https://redirect.github.com/sigstore/rekor/issues/2278)) - fix validation error handling on API ([#&#8203;2217](https://redirect.github.com/sigstore/rekor/issues/2217)) - fix error in pretty-printed inclusion proof from verify subcommand ([#&#8203;2210](https://redirect.github.com/sigstore/rekor/issues/2210)) - Fix index scripts ([#&#8203;2203](https://redirect.github.com/sigstore/rekor/issues/2203)) - fix failing sharding test - Better error handling in backfill script ([#&#8203;2148](https://redirect.github.com/sigstore/rekor/issues/2148)) - Batch entries in cleanup script ([#&#8203;2158](https://redirect.github.com/sigstore/rekor/issues/2158)) - Add missing workflow for index cleanup test ([#&#8203;2121](https://redirect.github.com/sigstore/rekor/issues/2121)) - hashedrekord: fix schema $id ([#&#8203;2092](https://redirect.github.com/sigstore/rekor/issues/2092)) #### Contributors - Aditya Sirish - Bob Callaway - Colleen Murphy - cpanato - Firas Ghanmi - Hayden B - Hojoung (Brian) Jang - William Woodruff </details> <details> <summary>sigstore/sigstore (github.com/sigstore/sigstore)</summary> ### [`v1.8.12`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.12) [Compare Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.11...v1.8.12) #### What's Changed - build(deps): Bump google.golang.org/api from 0.210.0 to 0.212.0 in /pkg/signature/kms/gcp by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1912](https://redirect.github.com/sigstore/sigstore/pull/1912) - build(deps): Bump google.golang.org/protobuf from 1.35.2 to 1.36.0 in /pkg/signature/kms/gcp by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1911](https://redirect.github.com/sigstore/sigstore/pull/1911) - build(deps): Bump actions/setup-go from 5.1.0 to 5.2.0 in the all group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1909](https://redirect.github.com/sigstore/sigstore/pull/1909) - build(deps): Bump google.golang.org/api from 0.212.0 to 0.214.0 in /pkg/signature/kms/gcp by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1917](https://redirect.github.com/sigstore/sigstore/pull/1917) - build(deps): Bump hashicorp/vault from 1.18.2 to 1.18.3 in /test/e2e in the all group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1915](https://redirect.github.com/sigstore/sigstore/pull/1915) - build(deps): Bump the gomod group across 2 directories with 5 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1916](https://redirect.github.com/sigstore/sigstore/pull/1916) - build(deps): Bump cloud.google.com/go/kms from 1.20.3 to 1.20.4 in /pkg/signature/kms/gcp in the gomod group across 1 directory by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1920](https://redirect.github.com/sigstore/sigstore/pull/1920) - build(deps): Bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1924](https://redirect.github.com/sigstore/sigstore/pull/1924) - build(deps): Bump golang.org/x/oauth2 from 0.24.0 to 0.25.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1921](https://redirect.github.com/sigstore/sigstore/pull/1921) - build(deps): Bump golang.org/x/term from 0.27.0 to 0.28.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1922](https://redirect.github.com/sigstore/sigstore/pull/1922) - build(deps): Bump golang.org/x/crypto from 0.31.0 to 0.32.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1923](https://redirect.github.com/sigstore/sigstore/pull/1923) - build(deps): Bump golang.org/x/crypto from 0.28.0 to 0.31.0 in /test/fuzz by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1908](https://redirect.github.com/sigstore/sigstore/pull/1908) - build(deps): Bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1910](https://redirect.github.com/sigstore/sigstore/pull/1910) - build(deps): Bump the tools group across 1 directory with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/sigstore/pull/1913](https://redirect.github.com/sigstore/sigstore/pull/1913) - cleanup ci by [@&#8203;cpanato](https://redirect.github.com/cpanato) in [https://github.com/sigstore/sigstore/pull/1927](https://redirect.github.com/sigstore/sigstore/pull/1927) **Full Changelog**: https://github.com/sigstore/sigstore/compare/v1.8.11...v1.8.12 ### [`v1.8.11`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.11) [Compare Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.10...v1.8.11) #### What's Changed - several dependabot updates - Replace custom auth code with `azidentity.NewDefaultCredential` for Azure KMS client by [@&#8203;malancas](https://redirect.github.com/malancas) in [https://github.com/sigstore/sigstore/pull/1888](https://redirect.github.com/sigstore/sigstore/pull/1888) - fix: set go module directive to 1.22.0 by [@&#8203;dnwe](https://redirect.github.com/dnwe) in [https://github.com/sigstore/sigstore/pull/1878](https://redirect.github.com/sigstore/sigstore/pull/1878) #### New Contributors - [@&#8203;dnwe](https://redirect.github.com/dnwe) made their first contribution in [https://github.com/sigstore/sigstore/pull/1878](https://redirect.github.com/sigstore/sigstore/pull/1878) **Full Changelog**: https://github.com/sigstore/sigstore/compare/v1.8.10...v1.8.11 ### [`v1.8.10`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.10) [Compare Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.9...v1.8.10) #### What's Changed - fix(kms): fix CreateKey may panic when using GCP KMS by [@&#8203;mozillazg](https://redirect.github.com/mozillazg) in [https://github.com/sigstore/sigstore/pull/1829](https://redirect.github.com/sigstore/sigstore/pull/1829) - update to go1.22.7 and ci job by [@&#8203;cpanato](https://redirect.github.com/cpanato) in [https://github.com/sigstore/sigstore/pull/1847](https://redirect.github.com/sigstore/sigstore/pull/1847) - Mark TUF client as deprecated by [@&#8203;haydentherapper](https://redirect.github.com/haydentherapper) in [https://github.com/sigstore/sigstore/pull/1858](https://redirect.github.com/sigstore/sigstore/pull/1858) - bump to go 1.22.8 by [@&#8203;cpanato](https://redirect.github.com/cpanato) in [https://github.com/sigstore/sigstore/pull/1865](https://redirect.github.com/sigstore/sigstore/pull/1865) and several dependencies updates #### New Contributors - [@&#8203;mozillazg](https://redirect.github.com/mozillazg) made their first contribution in [https://github.com/sigstore/sigstore/pull/1829](https://redirect.github.com/sigstore/sigstore/pull/1829) **Full Changelog**: https://github.com/sigstore/sigstore/compare/v1.8.9...v1.8.10 </details> <details> <summary>slsa-framework/slsa-github-generator (github.com/slsa-framework/slsa-github-generator)</summary> ### [`v1.10.0`](https://redirect.github.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100) [Compare Source](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0) Release [v1.10.0](https://redirect.github.com/slsa-framework/slsa-github-generator/releases/tag/v1.10.0) includes bug fixes and new features. See the [full change list](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0). ##### v1.10.0: TUF fix - The cosign TUF roots were fixed ([#&#8203;3350](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/3350)). More details [here](https://redirect.github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid). ##### v1.10.0: Gradle Builder - The Gradle Builder was fixed when the project root is the same as the repository root ([#&#8203;2727](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2727)) ##### v1.10.0: Go Builder - The `go-version-file` input was fixed so that it can find the `go.mod` file ([#&#8203;2661](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2661)) ##### v1.10.0: Container Generator - A new `provenance-repository` input was added to allow reading provenance from a different container repository than the image itself ([#&#8203;2956](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2956)) ### [`v1.9.1`](https://redirect.github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1) [Compare Source](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1) **This is an un-finalized release.** See the [CHANGELOG](./CHANGELOG.md) for details. </details> <details> <summary>protocolbuffers/protobuf-go (google.golang.org/protobuf)</summary> ### [`v1.36.3`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.3) [Compare Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.2...v1.36.3) **Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.36.2...v1.36.3 Bug fixes: [CL/642575](https://go-review.googlesource.com/c/protobuf/+/642575): reflect/protodesc: fix panic when working with dynamicpb [CL/641036](https://go-review.googlesource.com/c/protobuf/+/641036): cmd/protoc-gen-go: remove json struct tags from unexported fields User-visible changes: [CL/641876](https://go-review.googlesource.com/c/protobuf/+/641876): proto: add example for GetExtension, SetExtension [CL/642015](https://go-review.googlesource.com/c/protobuf/+/642015): runtime/protolazy: replace internal doc link with external link Maintenance: [CL/641635](https://go-review.googlesource.com/c/protobuf/+/641635): all: split flags.ProtoLegacyWeak out of flags.ProtoLegacy [CL/641019](https://go-review.googlesource.com/c/protobuf/+/641019): internal/impl: remove unused exporter parameter [CL/641018](https://go-review.googlesource.com/c/protobuf/+/641018): internal/impl: switch to reflect.Value.IsZero [CL/641035](https://go-review.googlesource.com/c/protobuf/+/641035): internal/impl: clean up unneeded Go<1.12 MapRange() alternative [CL/641017](https://go-review.googlesource.com/c/protobuf/+/641017): types/dynamicpb: switch atomicExtFiles to atomic.Uint64 type ### [`v1.36.2`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.2) [Compare Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.1...v1.36.2) **Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.36.1...v1.36.2 Bug fixes: [CL/638515](https://go-review.googlesource.com/c/protobuf/+/638515): internal/impl: fix WhichOneof() to work with synthetic oneofs ### [`v1.36.1`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.1) [Compare Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.0...v1.36.1) **Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.36.0...v1.36.1 Bug fixes: [CL/638495](https://go-review.googlesource.com/c/protobuf/+/638495): internal/impl: revert IsSynthetic() check to fix panic Maintenance: [CL/637475](https://go-review.googlesource.com/c/protobuf/+/637475): internal/errors: delete compatibility code for Go before 1.13 ### [`v1.36.0`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.0) [Compare Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.2...v1.36.0) **Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.35.2...v1.36.0 User-visible changes: [CL/635139](https://go-review.googlesource.com/c/protobuf/+/635139): src/google/protobuf: document UnmarshalJSON / API level behavior [CL/635138](https://go-review.googlesource.com/c/protobuf/+/635138): reflect/protoreflect: use \[] syntax to reference method [CL/635137](https://go-review.googlesource.com/c/protobuf/+/635137): proto: add reference to size semantics with lazy decoding to comment [CL/634818](https://go-review.googlesource.com/c/protobuf/+/634818): compiler/protogen: allow overriding API level from --go_opt [CL/634817](https://go-review.googlesource.com/c/protobuf/+/634817): cmd/protoc-gen-go: generate \_protoopaque variant for hybrid [CL/634816](https://go-review.googlesource.com/c/protobuf/+/634816): all: regenerate.bash for Opaque API [CL/634815](https://go-review.googlesource.com/c/protobuf/+/634815): all: Release the Opaque API [CL/634015](https://go-review.googlesource.com/c/protobuf/+/634015): types/descriptorpb: regenerate using latest protobuf v29.1 release [CL/632735](https://go-review.googlesource.com/c/protobuf/+/632735): internal/impl: skip synthetic oneofs in messageInfo [CL/627876](https://go-review.googlesource.com/c/protobuf/+/627876): all: start v1.35.2-devel ### [`v1.35.2`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.35.2) [Compare Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.1...v1.35.2) **Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.35.1...v1.35.2 Maintenance: [CL/623115](https://go-review.googlesource.com/c/protobuf/+/623115): proto: refactor equal_test from explicit table to use makeMessages() [CL/623116](https://go-review.googlesource.com/c/protobuf/+/623116): encoding/prototext: use testmessages_test.go approach, too [CL/623117](https://go-review.googlesource.com/c/protobuf/+/623117): internal/testprotos/test: add nested message field with \[lazy=true] [CL/624415](https://go-review.googlesource.com/c/protobuf/+/624415): proto: switch messageset_test to use makeMessages() injection point [CL/624416](https://go-review.googlesource.com/c/protobuf/+/624416): internal/impl: fix TestMarshalMessageSetLazyRace (was a no-op!) User-visible changes: [CL/618395](https://go-review.googlesource.com/c/protobuf/+/618395): encoding/protojson: allow missing value for Any of type Empty [CL/618979](https://go-review.googlesource.com/c/protobuf/+/618979): all: implement strip_enum_prefix editions feature [CL/622575](https://go-review.googlesource.com/c/protobuf/+/622575): testing/protocmp: document behavior when combining Ignore and Sort ### [`v1.35.1`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.35.1) [Compare Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.0...v1.35.1) **Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.34.2...v1.35.1 Maintenance: - [CL/606755](https://go-review.googlesource.com/c/protobuf/+/606755): all: remove unused purego support - [CL/608316](https://go-review.googlesource.com/c/protobuf/+/608316): all: set Go language version to Go 1.21 User-visible changes: - [CL/587536](https://go-review.googlesource.com/c/protobuf/+/587536): protojson: include field name in error messages - [CL/597055](https://go-review.googlesource.com/c/protobuf/+/597055): compiler/protogen: always report editions support level of the plugin - [CL/596539](https://go-review.googlesource.com/c/protobuf/+/596539): all: plumb the lazy option into filedesc.Field and .Extension - [CL/601775](https://go-review.googlesource.com/c/protobuf/+/601775): types/known/structpb: add support for more types and json.Number - [CL/607995](https://go-review.googlesource.com/c/protobuf/+/607995): proto: extend documentation of GetExtension, SetExtension - [CL/609035](https://go-review.googlesource.com/c/protobuf/+/609035): proto: implement proto.Equal fast-path Bug fixes: - [CL/595337](https://go-review.googlesource.com/c/protobuf/+/595337): reflect/protodesc: fix handling of delimited extensions in editions - [CL/602055](https://go-review.googlesource.com/c/protobuf/+/602055): internal/cmd/generate-protos: fix pkg check for editions features - [CL/603015](https://go-review.googlesource.com/c/protobuf/+/603015): internal: generate extension numbers, fix editions parsing ### [`v1.35.0`](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.34.2...v1.35.0) [Compare Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.34.2...v1.35.0) </details> <details> <summary>kubernetes-sigs/release-utils (sigs.k8s.io/release-utils)</summary> ### [`v0.9.0`](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.5...v0.9.0) [Compare Source](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.5...v0.9.0) ### [`v0.8.5`](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.4...v0.8.5) [Compare Source](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.4...v0.8.5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->	2025-01-21 14:57:32 -05:00
dependabot[bot]	32a562e05a	chore(deps): bump golang.org/x/net from 0.27.0 to 0.33.0 in the go_modules group (#826) ... Bumps the go_modules group with 1 update: [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/net` from 0.27.0 to 0.33.0 <details> <summary>Commits</summary> <ul> <li><a href="dfc720dfe0"><code>dfc720d</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="8e66b04771"><code>8e66b04</code></a> html: use strings.EqualFold instead of lowering ourselves</li> <li><a href="b935f7b5d7"><code>b935f7b</code></a> html: avoid endless loop on error token</li> <li><a href="9af49ef148"><code>9af49ef</code></a> route: remove unused sizeof* consts</li> <li><a href="6705db9a4d"><code>6705db9</code></a> quic: clean up crypto streams when dropping packet protection keys</li> <li><a href="4ef7588d2b"><code>4ef7588</code></a> quic: handle ACK frame in packet which drops number space</li> <li><a href="552d8ac903"><code>552d8ac</code></a> Revert &quot;route: change from syscall to x/sys/unix&quot;</li> <li><a href="13a7c0108b"><code>13a7c01</code></a> Revert &quot;route: remove unused sizeof* consts on freebsd&quot;</li> <li><a href="285e1cf665"><code>285e1cf</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="d0a1049b7e"><code>d0a1049</code></a> route: remove unused sizeof* consts on freebsd</li> <li>Additional commits viewable in <a href="https://github.com/golang/net/compare/v0.27.0...v0.33.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-01-21 14:12:21 -05:00
Mend Renovate	417bde6e6f	chore(deps): update github-actions (#823) ... This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.1.0` -> `v5.3.0` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.4.3` -> `v4.6.0` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.27.6` -> `v3.28.1` | | [golangci/golangci-lint-action](https://redirect.github.com/golangci/golangci-lint-action) | action | minor | `v6.1.1` -> `v6.2.0` | --- ### Release Notes <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.3.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.2.0...v5.3.0) ##### What's Changed - Use the new cache service: upgrade `@actions/cache` to `^4.0.0` by [@&#8203;Link-](https://redirect.github.com/Link-) in [https://github.com/actions/setup-go/pull/531](https://redirect.github.com/actions/setup-go/pull/531) - Configure Dependabot settings by [@&#8203;HarithaVattikuti](https://redirect.github.com/HarithaVattikuti) in [https://github.com/actions/setup-go/pull/530](https://redirect.github.com/actions/setup-go/pull/530) - Document update - permission section by [@&#8203;HarithaVattikuti](https://redirect.github.com/HarithaVattikuti) in [https://github.com/actions/setup-go/pull/533](https://redirect.github.com/actions/setup-go/pull/533) - Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/setup-go/pull/534](https://redirect.github.com/actions/setup-go/pull/534) ##### New Contributors - [@&#8203;Link-](https://redirect.github.com/Link-) made their first contribution in [https://github.com/actions/setup-go/pull/531](https://redirect.github.com/actions/setup-go/pull/531) **Full Changelog**: https://github.com/actions/setup-go/compare/v5...v5.3.0 ### [`v5.2.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.2.0) [Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.1.0...v5.2.0) #### What's Changed - Leveraging the raw API to retrieve the version-manifest, as it does not impose a rate limit and hence facilitates unrestricted consumption without the need for a token for Github Enterprise Servers by [@&#8203;Shegox](https://redirect.github.com/Shegox) in [https://github.com/actions/setup-go/pull/496](https://redirect.github.com/actions/setup-go/pull/496) #### New Contributors - [@&#8203;Shegox](https://redirect.github.com/Shegox) made their first contribution in [https://github.com/actions/setup-go/pull/496](https://redirect.github.com/actions/setup-go/pull/496) **Full Changelog**: https://github.com/actions/setup-go/compare/v5...v5.2.0 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.6.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.6.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.5.0...v4.6.0) #### What's Changed - Expose env vars to control concurrency and timeout by [@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in [https://github.com/actions/upload-artifact/pull/662](https://redirect.github.com/actions/upload-artifact/pull/662) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.6.0 ### [`v4.5.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.4.3...v4.5.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.3...v4.5.0) </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.28.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.28.0...v3.28.1) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 3.28.1 - 10 Jan 2025 - CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see [this changelog post](https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/). [#&#8203;2677](https://redirect.github.com/github/codeql-action/pull/2677) - Update default CodeQL bundle version to 2.20.1. [#&#8203;2678](https://redirect.github.com/github/codeql-action/pull/2678) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.1/CHANGELOG.md) for more information. ### [`v3.28.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.9...v3.28.0) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.28.0 - 20 Dec 2024 - Bump the minimum CodeQL bundle version to 2.15.5. [#&#8203;2655](https://redirect.github.com/github/codeql-action/pull/2655) - Don't fail in the unusual case that a file is on the search path. [#&#8203;2660](https://redirect.github.com/github/codeql-action/pull/2660). See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.0/CHANGELOG.md) for more information. ### [`v3.27.9`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.9) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.8...v3.27.9) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.9 - 12 Dec 2024 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.9/CHANGELOG.md) for more information. ### [`v3.27.8`](https://redirect.github.com/github/codeql-action/compare/v3.27.7...v3.27.8) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.7...v3.27.8) ### [`v3.27.7`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.7) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.6...v3.27.7) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.7 - 10 Dec 2024 - We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. [#&#8203;2631](https://redirect.github.com/github/codeql-action/pull/2631) - Update default CodeQL bundle version to 2.20.0. [#&#8203;2636](https://redirect.github.com/github/codeql-action/pull/2636) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.7/CHANGELOG.md) for more information. </details> <details> <summary>golangci/golangci-lint-action (golangci/golangci-lint-action)</summary> ### [`v6.2.0`](https://redirect.github.com/golangci/golangci-lint-action/releases/tag/v6.2.0) [Compare Source](https://redirect.github.com/golangci/golangci-lint-action/compare/v6.1.1...v6.2.0) <!-- Release notes generated using configuration in .github/release.yml at v6.2.0 --> #### What's Changed ##### Changes - chore: use new build tag syntax by [@&#8203;alexandear](https://redirect.github.com/alexandear) in [https://github.com/golangci/golangci-lint-action/pull/1133](https://redirect.github.com/golangci/golangci-lint-action/pull/1133) - feat: support linux arm64 public preview by [@&#8203;ldez](https://redirect.github.com/ldez) in [https://github.com/golangci/golangci-lint-action/pull/1144](https://redirect.github.com/golangci/golangci-lint-action/pull/1144) ##### Documentation - docs: update local development instructions by [@&#8203;dmitris](https://redirect.github.com/dmitris) in [https://github.com/golangci/golangci-lint-action/pull/1125](https://redirect.github.com/golangci/golangci-lint-action/pull/1125) ##### Dependencies - build(deps-dev): bump the dev-dependencies group with 3 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1112](https://redirect.github.com/golangci/golangci-lint-action/pull/1112) - build(deps): bump the dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1113](https://redirect.github.com/golangci/golangci-lint-action/pull/1113) - build(deps-dev): bump the dev-dependencies group with 3 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1114](https://redirect.github.com/golangci/golangci-lint-action/pull/1114) - build(deps): bump [@&#8203;types/node](https://redirect.github.com/types/node) from 22.7.4 to 22.7.5 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1115](https://redirect.github.com/golangci/golangci-lint-action/pull/1115) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1117](https://redirect.github.com/golangci/golangci-lint-action/pull/1117) - build(deps): bump [@&#8203;types/node](https://redirect.github.com/types/node) from 22.7.5 to 22.7.7 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1118](https://redirect.github.com/golangci/golangci-lint-action/pull/1118) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1119](https://redirect.github.com/golangci/golangci-lint-action/pull/1119) - build(deps): bump [@&#8203;types/node](https://redirect.github.com/types/node) from 22.7.7 to 22.8.1 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1120](https://redirect.github.com/golangci/golangci-lint-action/pull/1120) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1122](https://redirect.github.com/golangci/golangci-lint-action/pull/1122) - build(deps): bump the dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1123](https://redirect.github.com/golangci/golangci-lint-action/pull/1123) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1126](https://redirect.github.com/golangci/golangci-lint-action/pull/1126) - build(deps): bump [@&#8203;types/node](https://redirect.github.com/types/node) from 22.8.7 to 22.9.0 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1127](https://redirect.github.com/golangci/golangci-lint-action/pull/1127) - build(deps-dev): bump the dev-dependencies group with 3 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1128](https://redirect.github.com/golangci/golangci-lint-action/pull/1128) - build(deps): bump [@&#8203;types/node](https://redirect.github.com/types/node) from 22.9.0 to 22.9.3 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1130](https://redirect.github.com/golangci/golangci-lint-action/pull/1130) - build(deps): bump [@&#8203;types/node](https://redirect.github.com/types/node) from 22.9.3 to 22.10.1 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1131](https://redirect.github.com/golangci/golangci-lint-action/pull/1131) - build(deps-dev): bump the dev-dependencies group across 1 directory with 4 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1132](https://redirect.github.com/golangci/golangci-lint-action/pull/1132) - build(deps-dev): bump the dev-dependencies group with 3 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1134](https://redirect.github.com/golangci/golangci-lint-action/pull/1134) - build(deps): bump [@&#8203;actions/cache](https://redirect.github.com/actions/cache) from 3.3.0 to 4.0.0 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1135](https://redirect.github.com/golangci/golangci-lint-action/pull/1135) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1136](https://redirect.github.com/golangci/golangci-lint-action/pull/1136) - build(deps): bump [@&#8203;types/node](https://redirect.github.com/types/node) from 22.10.1 to 22.10.2 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1137](https://redirect.github.com/golangci/golangci-lint-action/pull/1137) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1138](https://redirect.github.com/golangci/golangci-lint-action/pull/1138) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1139](https://redirect.github.com/golangci/golangci-lint-action/pull/1139) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1141](https://redirect.github.com/golangci/golangci-lint-action/pull/1141) - build(deps): bump [@&#8203;types/node](https://redirect.github.com/types/node) from 22.10.2 to 22.10.5 in the dependencies group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1142](https://redirect.github.com/golangci/golangci-lint-action/pull/1142) - build(deps-dev): bump the dev-dependencies group with 3 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1143](https://redirect.github.com/golangci/golangci-lint-action/pull/1143) #### New Contributors - [@&#8203;dmitris](https://redirect.github.com/dmitris) made their first contribution in [https://github.com/golangci/golangci-lint-action/pull/1125](https://redirect.github.com/golangci/golangci-lint-action/pull/1125) - [@&#8203;alexandear](https://redirect.github.com/alexandear) made their first contribution in [https://github.com/golangci/golangci-lint-action/pull/1133](https://redirect.github.com/golangci/golangci-lint-action/pull/1133) **Full Changelog**: https://github.com/golangci/golangci-lint-action/compare/v6.1.1...v6.2.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->	2025-01-21 11:16:33 -05:00
Mend Renovate	b6645ca106	fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.15.1 (#824) ... This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools) | `3.11.0` -> `3.15.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuODUuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->	2025-01-02 15:43:27 -05:00
Mend Renovate	d2384e2eca	fix(deps): update dependency org.apache.maven:maven-core to v3.9.9 (#816) ... This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [org.apache.maven:maven-core](https://maven.apache.org/) | `3.9.8` -> `3.9.9` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-12-13 11:32:01 +00:00
dependabot[bot]	8bdd724323	chore(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0 in the go_modules group (#821) ... Bumps the go_modules group with 1 update: [golang.org/x/crypto](https://github.com/golang/crypto). Updates `golang.org/x/crypto` from 0.27.0 to 0.31.0 <details> <summary>Commits</summary> <ul> <li><a href="b4f1988a35"><code>b4f1988</code></a> ssh: make the public key cache a 1-entry FIFO cache</li> <li><a href="7042ebcbe0"><code>7042ebc</code></a> openpgp/clearsign: just use rand.Reader in tests</li> <li><a href="3e90321ac7"><code>3e90321</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="8c4e668694"><code>8c4e668</code></a> x509roots/fallback: update bundle</li> <li><a href="6018723c74"><code>6018723</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="71ed71b4fa"><code>71ed71b</code></a> README: don't recommend go get</li> <li><a href="750a45fe5e"><code>750a45f</code></a> sha3: add MarshalBinary, AppendBinary, and UnmarshalBinary</li> <li><a href="36b172546b"><code>36b1725</code></a> sha3: avoid trailing permutation</li> <li><a href="80ea76eb17"><code>80ea76e</code></a> sha3: fix padding for long cSHAKE parameters</li> <li><a href="c17aa50fbd"><code>c17aa50</code></a> sha3: avoid buffer copy</li> <li>Additional commits viewable in <a href="https://github.com/golang/crypto/compare/v0.27.0...v0.31.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-12-13 06:15:03 -05:00
dependabot[bot]	4200507dd2	chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.0.0 to 2.0.1 in the go_modules group (#820) ... Bumps the go_modules group with 1 update: [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf). Updates `github.com/theupdateframework/go-tuf/v2` from 2.0.0 to 2.0.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/theupdateframework/go-tuf/releases">github.com/theupdateframework/go-tuf/v2's releases</a>.</em></p> <blockquote> <h2>v2.0.1</h2> <h2>What's Changed</h2> <h3>Security</h3> <ul> <li>Fix incorrect delegation lookups that can make go-tuf download the wrong artifact by <a href="https://github.com/rdimitrov"><code>@​rdimitrov</code></a> (Thanks to <a href="https://github.com/AdamKorcz"><code>@​AdamKorcz</code></a> for reporting it). This fixes CVE-2024-47534 <a href="https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j">GHSA-4f8r-qqr9-fq8j</a></li> </ul> <h3>Other</h3> <ul> <li>Update MAINTAINERS.md by <a href="https://github.com/trishankatdatadog"><code>@​trishankatdatadog</code></a> in <a href="https://redirect.github.com/theupdateframework/go-tuf/pull/647">theupdateframework/go-tuf#647</a></li> <li>Update the staging TUF repo in the multi-repo example by <a href="https://github.com/rdimitrov"><code>@​rdimitrov</code></a> in <a href="https://redirect.github.com/theupdateframework/go-tuf/pull/650">theupdateframework/go-tuf#650</a></li> <li>Fix branch name in multi-repo client example by <a href="https://github.com/rdimitrov"><code>@​rdimitrov</code></a> in <a href="https://redirect.github.com/theupdateframework/go-tuf/pull/651">theupdateframework/go-tuf#651</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/theupdateframework/go-tuf/compare/v2.0.0...v2.0.1">https://github.com/theupdateframework/go-tuf/compare/v2.0.0...v2.0.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="6c47391ef3"><code>6c47391</code></a> Fix branch name in multi-repo client example (<a href="https://redirect.github.com/theupdateframework/go-tuf/issues/651">#651</a>)</li> <li><a href="eee48422ef"><code>eee4842</code></a> Update the staging TUF repo in the multi-repo example (<a href="https://redirect.github.com/theupdateframework/go-tuf/issues/650">#650</a>)</li> <li><a href="f36420caba"><code>f36420c</code></a> Merge commit from fork</li> <li><a href="f95222bdd2"><code>f95222b</code></a> Update MAINTAINERS.md (<a href="https://redirect.github.com/theupdateframework/go-tuf/issues/647">#647</a>)</li> <li>See full diff in <a href="https://github.com/theupdateframework/go-tuf/compare/v2.0.0...v2.0.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-12-05 17:43:59 +00:00
Mend Renovate	84e5c03318	fix(deps): update dependency @actions/core to v1.11.1 (#819) ... This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@actions/core](https://redirect.github.com/actions/toolkit/tree/main/packages/core) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/core)) | [`1.10.1` -> `1.11.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.1/1.11.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>actions/toolkit (@&#8203;actions/core)</summary> ### [`v1.11.1`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1111) - Fix uses of `crypto.randomUUID` on Node 18 and earlier [#&#8203;1842](https://redirect.github.com/actions/toolkit/pull/1842) ### [`v1.11.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1110) - Add platform info utilities [#&#8203;1551](https://redirect.github.com/actions/toolkit/pull/1551) - Remove dependency on `uuid` package [#&#8203;1824](https://redirect.github.com/actions/toolkit/pull/1824) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> --------- Signed-off-by: github-actions <github-actions@github.com> Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-12-05 12:27:39 -05:00
Mend Renovate	e6b1b817c1	chore(deps): update golang docker tag to v1.23 (#818) ... This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang | stage | minor | `1.21` -> `1.23` | --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-12-04 18:16:02 +00:00
Mend Renovate	190fddac0e	chore(deps): update github-actions (#817) ... This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | minor | `v4.1.7` -> `v4.2.2` | | [actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action) | action | minor | `v4.3.3` -> `v4.5.0` | | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | patch | `v4.1.7` -> `v4.1.8` | | [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.0.2` -> `v5.1.0` | | [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.0.1` -> `v5.1.0` | | [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | minor | `v4.0.2` -> `v4.1.0` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.3.3` -> `v4.4.3` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.25.11` -> `v3.27.6` | | [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` | | [slsa-framework/slsa-verifier](https://redirect.github.com/slsa-framework/slsa-verifier) | action | minor | `v2.5.1` -> `v2.6.0` | | [thehanimo/pr-title-checker](https://redirect.github.com/thehanimo/pr-title-checker) | action | patch | `v1.4.2` -> `v1.4.3` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2) - `url-helper.ts` now leverages well-known environment variables by [@&#8203;jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1941](https://redirect.github.com/actions/checkout/pull/1941) - Expand unit test coverage for `isGhes` by [@&#8203;jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1946](https://redirect.github.com/actions/checkout/pull/1946) ### [`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1) - Check out other refs/\* by commit if provided, fall back to ref by [@&#8203;orhantoy](https://redirect.github.com/orhantoy) in [https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924) ### [`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0) - Add Ref and Commit outputs by [@&#8203;lucacome](https://redirect.github.com/lucacome) in [https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180) - Dependency updates by [@&#8203;dependabot-](https://redirect.github.com/dependabot-) [https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777), [https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.5.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.5.0) [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.4.0...v4.5.0) #### What's Changed - Bump got from 14.4.2 to 14.4.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/844](https://redirect.github.com/actions/dependency-review-action/pull/844) - Bump nodemon from 3.1.0 to 3.1.7 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/847](https://redirect.github.com/actions/dependency-review-action/pull/847) - Bump [@&#8203;vercel/ncc](https://redirect.github.com/vercel/ncc) from 0.38.1 to 0.38.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/849](https://redirect.github.com/actions/dependency-review-action/pull/849) - Overriding the cross-spawn dependency to use a safe version by [@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/850](https://redirect.github.com/actions/dependency-review-action/pull/850) - fix: add summary comment on failure when warn-only: true by [@&#8203;ebickle](https://redirect.github.com/ebickle) in [https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827) - Prepare for 4.5.0 release by [@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/851](https://redirect.github.com/actions/dependency-review-action/pull/851) #### New Contributors - [@&#8203;ebickle](https://redirect.github.com/ebickle) made their first contribution in [https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4...v4.5.0 ### [`v4.4.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.4.0) [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0) #### What's Changed - Fix for merge_group event bug by [@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/846](https://redirect.github.com/actions/dependency-review-action/pull/846) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0 ### [`v4.3.5`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.5) [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5) #### What's Changed - fix: getRefs function to handle merge_group events by [@&#8203;louis-bompart](https://redirect.github.com/louis-bompart) in [https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766) - Create pull_request_template.md by [@&#8203;jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/794](https://redirect.github.com/actions/dependency-review-action/pull/794) - Update CONTRIBUTING.md by [@&#8203;jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/793](https://redirect.github.com/actions/dependency-review-action/pull/793) - Bump [@&#8203;types/node](https://redirect.github.com/types/node) from 20.11.28 to 20.16.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/815](https://redirect.github.com/actions/dependency-review-action/pull/815) - Upgrade transitive micromatch library by [@&#8203;elireisman](https://redirect.github.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/829](https://redirect.github.com/actions/dependency-review-action/pull/829) - Do not list changed dependencies in summary by [@&#8203;hmaurer](https://redirect.github.com/hmaurer) in [https://github.com/actions/dependency-review-action/pull/828](https://redirect.github.com/actions/dependency-review-action/pull/828) - Update stale.yaml by [@&#8203;jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/832](https://redirect.github.com/actions/dependency-review-action/pull/832) - Bump got from 14.4.1 to 14.4.2 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/822](https://redirect.github.com/actions/dependency-review-action/pull/822) - Bump eslint-plugin-jest and ts-jest by [@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840) #### New Contributors - [@&#8203;louis-bompart](https://redirect.github.com/louis-bompart) made their first contribution in [https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766) - [@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) made their first contribution in [https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5 ### [`v4.3.4`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.4) [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4) #### What's Changed - Include all added dependencies in scorecard entries by [@&#8203;elireisman](https://redirect.github.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/783](https://redirect.github.com/actions/dependency-review-action/pull/783) - Update SPDX Expression Parsing by [@&#8203;febuiles](https://redirect.github.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/719](https://redirect.github.com/actions/dependency-review-action/pull/719) - This PR is a significant refactor of SPDX expression parsing that *may* fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version. **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4 </details> <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.8`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.8) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.7...v4.1.8) #### What's Changed - Update [@&#8203;actions/artifact](https://redirect.github.com/actions/artifact) version, bump dependencies by [@&#8203;robherley](https://redirect.github.com/robherley) in [https://github.com/actions/download-artifact/pull/341](https://redirect.github.com/actions/download-artifact/pull/341) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4...v4.1.8 </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.1.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.1.0) [Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.0.2...v5.1.0) ##### What's Changed - Add workflow file for publishing releases to immutable action package by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500) - Upgrade IA Publish by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-go/pull/502](https://redirect.github.com/actions/setup-go/pull/502) - Add architecture to cache key by [@&#8203;Zxilly](https://redirect.github.com/Zxilly) in [https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493) This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts. Note: This change may break previous cache keys as they will no longer be compatible with the new format. - Enhance workflows and Upgrade micromatch Dependency by [@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) in [https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510) **Bug Fixes** - Revise `isGhes` logic by [@&#8203;jww3](https://redirect.github.com/jww3) in [https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511) ##### New Contributors - [@&#8203;Zxilly](https://redirect.github.com/Zxilly) made their first contribution in [https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493) - [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500) - [@&#8203;jww3](https://redirect.github.com/jww3) made their first contribution in [https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511) - [@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) made their first contribution in [https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510) **Full Changelog**: https://github.com/actions/setup-go/compare/v5...v5.1.0 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v4.1.0`](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0) ### [`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4) ### [`v4.0.3`](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3) ##### What's Changed - Undo indirect dependency updates from [#&#8203;627](https://redirect.github.com/actions/upload-artifact/issues/627) by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3 ### [`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2) ##### What's Changed - Bump `@actions/artifact` to 2.1.11 by [@&#8203;robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627) - Includes fix for relative symlinks not resolving properly **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2 ### [`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1) ##### What's Changed - Add a section about hidden files by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607) - Add workflow file for publishing releases to immutable action package by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621) - Update [@&#8203;actions/artifact](https://redirect.github.com/actions/artifact) to latest version, includes symlink and timeout fixes by [@&#8203;robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625) ##### New Contributors - [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1 ### [`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0) ### [`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6) ### [`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) ### [`v4.3.4`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.4) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4) ##### What's Changed - Update [@&#8203;actions/artifact](https://redirect.github.com/actions/artifact) version, bump dependencies by [@&#8203;robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/584](https://redirect.github.com/actions/upload-artifact/pull/584) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.27.6`](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6) ### [`v3.27.5`](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5) ### [`v3.27.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.3...v3.27.4) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.4 - 14 Nov 2024 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md) for more information. ### [`v3.27.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.2...v3.27.3) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.3 - 12 Nov 2024 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md) for more information. ### [`v3.27.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.1...v3.27.2) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.2 - 12 Nov 2024 - Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". [#&#8203;2590](https://redirect.github.com/github/codeql-action/pull/2590) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md) for more information. ### [`v3.27.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.0...v3.27.1) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.1 - 08 Nov 2024 - The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. [#&#8203;2573](https://redirect.github.com/github/codeql-action/pull/2573) - Update default CodeQL bundle version to 2.19.3. [#&#8203;2576](https://redirect.github.com/github/codeql-action/pull/2576) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.1/CHANGELOG.md) for more information. ### [`v3.27.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.13...v3.27.0) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.0 - 22 Oct 2024 - Bump the minimum CodeQL bundle version to 2.14.6. [#&#8203;2549](https://redirect.github.com/github/codeql-action/pull/2549) - Fix an issue where the `upload-sarif` Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the `upload-sarif` Action. [#&#8203;2557](https://redirect.github.com/github/codeql-action/pull/2557) - Update default CodeQL bundle version to 2.19.2. [#&#8203;2552](https://redirect.github.com/github/codeql-action/pull/2552) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.0/CHANGELOG.md) for more information. ### [`v3.26.13`](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13) ### [`v3.26.12`](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12) ### [`v3.26.11`](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11) ### [`v3.26.10`](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10) ### [`v3.26.9`](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9) ### [`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8) ### [`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7) ### [`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6) ### [`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5) ### [`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4) ### [`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3) ### [`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2) ### [`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1) ### [`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0) ### [`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15) ### [`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14) ### [`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13) ### [`v3.25.12`](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) #### What's Changed This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation. - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410) - 🐛 lower license sarif alert threshold to 9 by [@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411) ##### Documentation - docs: dogfooding badge by [@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) #### New Contributors - [@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) **Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0 </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.6.0`](https://redirect.github.com/slsa-framework/slsa-verifier/releases/tag/v2.6.0) [Compare Source](https://redirect.github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0) #### What's Changed - chore: Update doc and digests for v2.5.1 by [@&#8203;laurentsimon](https://redirect.github.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/748](https://redirect.github.com/slsa-framework/slsa-verifier/pull/748) - fix(deps): update module google.golang.org/protobuf to v1.33.0 \[security] by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/743](https://redirect.github.com/slsa-framework/slsa-verifier/pull/743) - fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/718](https://redirect.github.com/slsa-framework/slsa-verifier/pull/718) - chore: Update [@&#8203;actions/github](https://redirect.github.com/actions/github) v6 by [@&#8203;laurentsimon](https://redirect.github.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/749](https://redirect.github.com/slsa-framework/slsa-verifier/pull/749) - fix: use sigstore/pkg/fulcioroots to lessen deps by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/746](https://redirect.github.com/slsa-framework/slsa-verifier/pull/746) - feat: add ramonpetgrave64 as CODEOWNER by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/750](https://redirect.github.com/slsa-framework/slsa-verifier/pull/750) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`1a8ece8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/1a8ece8) by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/701](https://redirect.github.com/slsa-framework/slsa-verifier/pull/701) - chore(deps): update github-actions (major) by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/719](https://redirect.github.com/slsa-framework/slsa-verifier/pull/719) - fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/751](https://redirect.github.com/slsa-framework/slsa-verifier/pull/751) - chore(deps): update npm dev (major) by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/753](https://redirect.github.com/slsa-framework/slsa-verifier/pull/753) - fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/752](https://redirect.github.com/slsa-framework/slsa-verifier/pull/752) - feat: fixes [#&#8203;547](https://redirect.github.com/slsa-framework/slsa-verifier/issues/547): add npm sigstore-tuf suport by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/731](https://redirect.github.com/slsa-framework/slsa-verifier/pull/731) - fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 \[security] by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/723](https://redirect.github.com/slsa-framework/slsa-verifier/pull/723) - chore(deps): update golang:1.21 docker digest to [`81811f8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/81811f8) by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/693](https://redirect.github.com/slsa-framework/slsa-verifier/pull/693) - chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/758](https://redirect.github.com/slsa-framework/slsa-verifier/pull/758) - chore(deps): update golang:1.21 docker digest to [`d83472f`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/d83472f) by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/764](https://redirect.github.com/slsa-framework/slsa-verifier/pull/764) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`53745e9`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/53745e9) by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/763](https://redirect.github.com/slsa-framework/slsa-verifier/pull/763) - feat: workflow to update actions dist by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/760](https://redirect.github.com/slsa-framework/slsa-verifier/pull/760) - fix(deps): update dependency [@&#8203;actions/core](https://redirect.github.com/actions/core) to v1.10.1 by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/717](https://redirect.github.com/slsa-framework/slsa-verifier/pull/717) - chore: fix pr-title-checker by [@&#8203;ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/770](https://redirect.github.com/slsa-framework/slsa-verifier/pull/770) - chore: Update Renovate config by [@&#8203;ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/769](https://redirect.github.com/slsa-framework/slsa-verifier/pull/769) - fix: use pr_number as env variable by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/771](https://redirect.github.com/slsa-framework/slsa-verifier/pull/771) - fix: signoff commit by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/767](https://redirect.github.com/slsa-framework/slsa-verifier/pull/767) - chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/781](https://redirect.github.com/slsa-framework/slsa-verifier/pull/781) - chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/782](https://redirect.github.com/slsa-framework/slsa-verifier/pull/782) - chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/779](https://redirect.github.com/slsa-framework/slsa-verifier/pull/779) - chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/780](https://redirect.github.com/slsa-framework/slsa-verifier/pull/780) - chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/784](https://redirect.github.com/slsa-framework/slsa-verifier/pull/784) - fix(deps): update golang.org/x/exp digest to [`7f521ea`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/7f521ea) by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/775](https://redirect.github.com/slsa-framework/slsa-verifier/pull/775) - fix: make download-artifacts.sh more flexible by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/761](https://redirect.github.com/slsa-framework/slsa-verifier/pull/761) - chore(deps): update golang:1.21 docker digest to [`b405b62`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/b405b62) by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/774](https://redirect.github.com/slsa-framework/slsa-verifier/pull/774) - chore(deps): update npm dev by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/650](https://redirect.github.com/slsa-framework/slsa-verifier/pull/650) - fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/787](https://redirect.github.com/slsa-framework/slsa-verifier/pull/787) - chore(deps): update github-actions by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/786](https://redirect.github.com/slsa-framework/slsa-verifier/pull/786) - feat: vsa support by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/777](https://redirect.github.com/slsa-framework/slsa-verifier/pull/777) - fix: use tag for the builder in the release workflow by [@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/788](https://redirect.github.com/slsa-framework/slsa-verifier/pull/788) **Full Changelog**: https://github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0 </details> <details> <summary>thehanimo/pr-title-checker (thehanimo/pr-title-checker)</summary> ### [`v1.4.3`](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3) [Compare Source](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->	2024-12-04 13:00:06 -05:00
Ramon Petgrave	17f79583c5	fix: fix method for getting leaf certs in Bundle v0.3 (#813) ... Followup to https://github.com/slsa-framework/slsa-github-generator/pull/3777 This PR adds a missing modification for getting the leaf certificate in the new Bundle format v0.3. In my original experiments, I did have this method in a dev branch, but neglected to include it in the final PR. - https://github.com/slsa-framework/slsa-verifier/compare/main...verify-sigstore-go-Bundlev3#diff-a9bfffae1bd0d145e950805e7a35b8e65adc7a68affa605b484f4831097b989cR98-R107 - https://github.com/slsa-framework/slsa-verifier/pull/799/files ## Testing - I re-used the same attestation file from a failing workflow for unit tests and manual invocation. - https://github.com/slsa-framework/example-package/actions/runs/11511156484 ## Followup - Finish finding a way to test changes within PRs. - https://github.com/slsa-framework/slsa-github-generator/pull/3777#discussion_r1795254767 - https://github.com/slsa-framework/slsa-verifier/pull/797 --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-10-29 16:43:56 -04:00
dependabot[bot]	70f3c9a079	chore(deps): bump github.com/sigstore/sigstore-go from 0.6.1 to 0.6.2 in the go_modules group across 1 directory (#812) ... Bumps the go_modules group with 1 update in the / directory: [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go). Updates `github.com/sigstore/sigstore-go` from 0.6.1 to 0.6.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sigstore/sigstore-go/releases">github.com/sigstore/sigstore-go's releases</a>.</em></p> <blockquote> <h2>v0.6.2</h2> <p>This is a minor release to enable better error handling in the gh CLI.</p> <h2>What's Changed</h2> <ul> <li>Use sentinel errors bundle validation in <code>validateBundle</code> func by <a href="https://github.com/malancas"><code>@​malancas</code></a> in <a href="https://redirect.github.com/sigstore/sigstore-go/pull/291">sigstore/sigstore-go#291</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2">https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="0726854518"><code>0726854</code></a> Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/289">#289</a>)</li> <li><a href="8c0e75bb62"><code>8c0e75b</code></a> Use sentinel errors bundle validation in <code>validateBundle</code> func (<a href="https://redirect.github.com/sigstore/sigstore-go/issues/291">#291</a>)</li> <li>See full diff in <a href="https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-10-15 17:02:39 +00:00
Mend Renovate	ba80473d23	chore(deps): update gcr.io/distroless/base:nonroot docker digest to e5260be (#795) ... This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | gcr.io/distroless/base | final | digest | `53745e9` -> `e5260be` | --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM4LjgwLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->	2024-10-15 16:45:28 +00:00
Mend Renovate	f42f81fc35	fix(deps): update module github.com/sigstore/sigstore-go to v0.6.1 [security] (#805) ... This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/sigstore/sigstore-go](https://redirect.github.com/sigstore/sigstore-go) | `v0.5.1` -> `v0.6.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-45395](https://redirect.github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq) ### Impact sigstore-go is susceptible to a denial of service attack when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these data structures is computationally expensive. This can be used to consume excessive CPU resources, leading to a denial of service attack. TUF's security model labels this type of vulnerability an "Endless data attack," and can lead to verification failing to complete and disrupting services that rely on sigstore-go for verification. The vulnerable loops are in the verification functions in the package `github.com/sigstore/sigstore-go/pkg/verify`. The first is the DSSE envelope verification loop in `verifyEnvelopeWithArtifact`, which decodes all the digests in an attestation can be found here: 725e508ed4/pkg/verify/signature.go (L183-L193) The next loop is in the `VerifyArtifactTransparencyLog` function, which verifies all the signed entries in a bundle: 725e508ed4/pkg/verify/tlog.go (L74-L178) The next loop is the `VerifyTimestampAuthority` function, which verifies all the RFC 3161 timestamps in a bundle: 725e508ed4/pkg/verify/tsa.go (L59-L68) ### Patches This vulnerability is addressed with sigstore-go 0.6.1, which adds hard limits to the number of verifiable data structures that can be processed in a bundle. Verification will fail if a bundle has data that exceeds these limits. The limits are: - 32 signed transparency log entries - 32 RFC 3161 timestamps - 1024 attestation subjects - 32 digests per attestation subject These limits are intended to be high enough to accommodate the vast majority of use cases, while preventing the verification of maliciously crafted bundles that contain large amounts of verifiable data. ### Workarounds The best way to mitigate the risk is to upgrade to sigstore-go 0.6.1 or later. Users who are vulnerable but unable to quickly upgrade may consider adding manual bundle validation to enforce limits similar to those in the referenced patch prior to calling sigstore-go's verification functions. --- ### Release Notes <details> <summary>sigstore/sigstore-go (github.com/sigstore/sigstore-go)</summary> ### [`v0.6.1`](https://redirect.github.com/sigstore/sigstore-go/releases/tag/v0.6.1) [Compare Source](https://redirect.github.com/sigstore/sigstore-go/compare/v0.6.0...v0.6.1) #### What's Changed v0.6.1 resolves a security advisory for a denial of service. See https://github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq for more information. - Add fuzz tests for bundle, tlog and verify packages by [@&#8203;AdamKorcz](https://redirect.github.com/AdamKorcz) in [https://github.com/sigstore/sigstore-go/pull/272](https://redirect.github.com/sigstore/sigstore-go/pull/272) - Add the ability to contruct TrustRoot from targets by [@&#8203;bkabrda](https://redirect.github.com/bkabrda) in [https://github.com/sigstore/sigstore-go/pull/247](https://redirect.github.com/sigstore/sigstore-go/pull/247) - add oss-fuzz build script by [@&#8203;AdamKorcz](https://redirect.github.com/AdamKorcz) in [https://github.com/sigstore/sigstore-go/pull/278](https://redirect.github.com/sigstore/sigstore-go/pull/278) - Fix proof of key possession generation by [@&#8203;adityasaky](https://redirect.github.com/adityasaky) in [https://github.com/sigstore/sigstore-go/pull/283](https://redirect.github.com/sigstore/sigstore-go/pull/283) - Add additional validation for nil elements in Bundles by [@&#8203;codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/285](https://redirect.github.com/sigstore/sigstore-go/pull/285) - Add hard limits for number of TSA entries, Tlog entries, and attestation subjects/digests by [@&#8203;codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/286](https://redirect.github.com/sigstore/sigstore-go/pull/286) **Full Changelog**: https://github.com/sigstore/sigstore-go/compare/v0.6.0...v0.6.1 ### [`v0.6.0`](https://redirect.github.com/sigstore/sigstore-go/releases/tag/v0.6.0) [Compare Source](https://redirect.github.com/sigstore/sigstore-go/compare/v0.5.1...v0.6.0) As folks use sigstore-go in more cases, we continue to make fixes and do some minor API interface changes. Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0. #### Breaking Changes - In `pkg/bundle/bundle.go` - `ProtobufBundle` is now `Bundle` - `NewProtobufBundle` is now `NewBundle` - In `pkg/bundle/signature_content.go` - Use `Statement()` type was from `github.com/in-toto/in-toto-golang/in_toto` now comes from `github.com/in-toto/attestation/go/v1` #### What's Changed - feat: add support for additional transparency log key types by [@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in [https://github.com/sigstore/sigstore-go/pull/197](https://redirect.github.com/sigstore/sigstore-go/pull/197) - feat: use GetLogEntryByIndex to query rekor by [@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in [https://github.com/sigstore/sigstore-go/pull/188](https://redirect.github.com/sigstore/sigstore-go/pull/188) - feat: add validation of required fields in the bundle by [@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in [https://github.com/sigstore/sigstore-go/pull/189](https://redirect.github.com/sigstore/sigstore-go/pull/189) - Rename ProtobufBundle to Bundle by [@&#8203;codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/251](https://redirect.github.com/sigstore/sigstore-go/pull/251) - Fix verify DSSE bundles (after signing) by [@&#8203;steiza](https://redirect.github.com/steiza) in [https://github.com/sigstore/sigstore-go/pull/258](https://redirect.github.com/sigstore/sigstore-go/pull/258) - Fix crash with missing checkpoint by [@&#8203;haydentherapper](https://redirect.github.com/haydentherapper) in [https://github.com/sigstore/sigstore-go/pull/260](https://redirect.github.com/sigstore/sigstore-go/pull/260) - Add file pattern to CODEOWNERS by [@&#8203;codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/269](https://redirect.github.com/sigstore/sigstore-go/pull/269) - Use example.com and remove trademark from tests by [@&#8203;codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/267](https://redirect.github.com/sigstore/sigstore-go/pull/267) - Add deprecation message for ProtobufBundle by [@&#8203;codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/271](https://redirect.github.com/sigstore/sigstore-go/pull/271) - Switch in-toto library to github.com/in-toto/attestation by [@&#8203;codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/274](https://redirect.github.com/sigstore/sigstore-go/pull/274) **Full Changelog**: https://github.com/sigstore/sigstore-go/compare/v0.5.1...v0.6.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguMTE1LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->	2024-10-10 19:48:14 +00:00
Kyle Colantonio	d758bd3718	feat(action): Updating to Node20 (#811) ... This PR relates to the discussion from https://github.com/slsa-framework/slsa-verifier/issues/806 regarding the Node16 deprecation notice. There are no changes to the `dist/` folder with the change to Node20 (used `v20.17.0`) - this is completely drop-in. Signed-off-by: Kyle Colantonio <k@yle.sh> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-10-10 15:30:23 -04:00
Ramon Petgrave	4cd7d4802e	chore: update go and golanci lint (#810) ... This PR updates go to 1.23.1 and updates golanci-lint to v1.61.1, while fixing new lint errors. --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-10-10 13:07:08 -04:00
Mend Renovate	9093b4fd79	fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.9 (#809) ... This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [org.apache.maven:maven-plugin-api](https://maven.apache.org/) | `3.9.6` -> `3.9.9` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-10-07 17:09:17 +00:00
Mend Renovate	8fff4c861d	chore(deps): update golang:1.21 docker digest to 4746d26 (#802) ... This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang | stage | digest | `f2eb989` -> `4746d26` | --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41Ni4wIiwidXBkYXRlZEluVmVyIjoiMzguNTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->	2024-10-07 16:22:25 +00:00
Mend Renovate	9868d0ae94	chore(deps): update dependency pyyaml to v6.0.2 (#808) ... This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [pyyaml](https://pyyaml.org/) ([source](https://redirect.github.com/yaml/pyyaml)) | `==6.0.1` -> `==6.0.2` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>yaml/pyyaml (pyyaml)</summary> ### [`v6.0.2`](https://redirect.github.com/yaml/pyyaml/releases/tag/6.0.2) [Compare Source](https://redirect.github.com/yaml/pyyaml/compare/6.0.1...6.0.2) #### What's Changed - Support for Cython 3.x and Python 3.13. **Full Changelog**: https://github.com/yaml/pyyaml/compare/6.0.1...6.0.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-10-07 07:26:38 +00:00
Mend Renovate	090586f5aa	fix(deps): update golang.org/x/exp digest to 225e2ab (#803) ... This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang.org/x/exp | require | digest | `7f521ea` -> `225e2ab` | --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41Ni4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->	2024-10-07 03:12:18 -04:00
Ramon Petgrave	767ecf9e0a	feat: handle dssev001 tlog entry types (#799) ... re: https://github.com/slsa-framework/slsa-github-generator/issues/3750 Rekor TLog entries can now be of the type dsse v0.0.1, as when what's returned when using sigstore-go's `Bundle()`. This is to support eventual Sigstore Bundles produced by slsa-github-generator's "generic" generator, which will likely use sigstore-go's Bundle to produce attestations - https://github.com/slsa-framework/slsa-github-generator/compare/main...ramonpetgrave64-internal-builder-sigstore-bundlev2#diff-b186a0c5d9ae459b11b694f05455568453699670926d21cad06cafec3dbf895eR101 - https://github.com/slsa-framework/slsa-github-generator/actions/runs/10359750833 ## Tesing - Added unit tests with stub data - manual invocations to very both new and old attestations and bundles, with some modifications for testing purposes - https://github.com/slsa-framework/slsa-verifier/compare/main...verify-sigstore-go-Bundlev3#diff-94741068472ee694a12811cd704179dd478a9fa20a3bf45cf6ea2d4406214dc2R179 ## Followup Finish the work to produce bundles from the generic generators - https://github.com/slsa-framework/slsa-github-generator/compare/main...ramonpetgrave64-internal-builder-sigstore-bundlev2#diff-b186a0c5d9ae459b11b694f05455568453699670926d21cad06cafec3dbf895eR101 --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-08-24 03:31:43 +00:00
Bob Callaway	b92dabfb1c	feat: set user-agent header on Rekor requests (#801) ... This is part of an effort to track clients of Sigstore infrastructure, and their versions. Signed-off-by: Bob Callaway <bcallaway@google.com>	2024-08-23 18:42:14 +07:00
Mend Renovate	1694bbf872	chore(config): migrate renovate config (#800) ... [](https://renovatebot.com) The Renovate config in this repository needs migrating. Typically this is because one or more configuration options you are using have been renamed. You don't need to merge this PR right away, because Renovate will continue to migrate these fields internally each time it runs. But later some of these fields may be fully deprecated and the migrations removed. So it's a good idea to merge this migration PR soon. 🔕 **Ignore**: Close this PR and you won't be reminded about config migration again, but one day your current config may no longer be valid. ❓ Got questions? Does something look wrong to you? Please don't hesitate to [request help here](https://togithub.com/renovatebot/renovate/discussions). --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier).	2024-08-14 00:02:10 -04:00
Ramon Petgrave	3f37511042	chore: fix vuln: override autolinker ^4.0.0 (#785) ... fixes https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11 markdown-toc's latest v1.2.0 is still vulnerable via a transitive dependency, but hasn't received updates in a long time. This PR overrides one of the other transitive dependencies to a non-vulnerable version. more info here https://github.com/jonschlinkert/markdown-toc/issues/156#issuecomment-2197630000 # Testing process - Manually invoked `make markdown-toc` and it did succeed, while also adding a missing header in the README. - Made a few typos in the headers and markdown-toc did fix them. - Cloned markdown-toc, added the override, and its unit tests passed --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-08-13 19:08:24 +00:00
dependabot[bot]	e8275856e0	chore(deps): bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible in the go_modules group (#798) ... Bumps the go_modules group with 1 update: [github.com/docker/docker](https://github.com/docker/docker). Updates `github.com/docker/docker` from 26.1.4+incompatible to 26.1.5+incompatible <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/docker/releases">github.com/docker/docker's releases</a>.</em></p> <blockquote> <h2>v26.1.5</h2> <h2>26.1.5</h2> <h3>Security</h3> <p>This release contains a fix for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110">CVE-2024-41110</a> / <a href="https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq">GHSA-v23v-6jw2-98fq</a> that impacted setups using <a href="https://docs.docker.com/engine/extend/plugins_authorization/">authorization plugins (AuthZ)</a> for access control. No other changes are included in this release, and this release is otherwise identical for users not using AuthZ plugins.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/moby/moby/compare/v26.1.4...v26.1.5">https://github.com/moby/moby/compare/v26.1.4...v26.1.5</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="411e817ddf"><code>411e817</code></a> Merge commit from fork</li> <li><a href="9cc85eaef1"><code>9cc85ea</code></a> If url includes scheme, urlPath will drop hostname, which would not match the...</li> <li><a href="820cab90bc"><code>820cab9</code></a> Authz plugin security fixes for 0-length content and path validation</li> <li><a href="6bc49067a6"><code>6bc4906</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48123">#48123</a> from vvoland/v26.1-48120</li> <li><a href="6fbdce4b94"><code>6fbdce4</code></a> update to go1.21.12</li> <li><a href="f5334644ec"><code>f533464</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47986">#47986</a> from vvoland/v26.1-47985</li> <li><a href="c1d4587d76"><code>c1d4587</code></a> builder/mobyexporter: Add missing nil check</li> <li><a href="d6428049a5"><code>d642804</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47940">#47940</a> from thaJeztah/26.1_backport_api_remove_container_c...</li> <li><a href="daba2462f5"><code>daba246</code></a> docs: api: image inspect: remove Container and ContainerConfig</li> <li>See full diff in <a href="https://github.com/docker/docker/compare/v26.1.4...v26.1.5">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-08-12 11:04:32 -04:00
Mend Renovate	489e79138b	chore(deps): update golang:1.21 docker digest to f2eb989 (#796) ... [](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang | stage | digest | `b405b62` -> `f2eb989` | --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->	2024-08-05 16:21:16 +00:00
Ramon Petgrave	c789437815	feat: refactor: use sigstore-go for fetching TrustedRoot (#791) ... Uses the `sigstore-go` library for fetching the `TrustedRoot`, which contains the Sigstore infrastructure certificates needed to validate the leaf ephemeral certificates used to sign artifacts. Refactors: - replace `TrustedRootSingleton()` with `getDefaultCosignCheckOpts()`, since only `VerifyImage()` will now need that data. - replace `cosign.ValidateAndUnpackCert` with`sigstoreVerify.VerifyLeafCertificate()` - use `sync.Once` for sigstore and rekor clients, and the `TrustedRoot` ## Testing - existing tests continue to pass - [negative tests ](d96b977709/cli/slsa-verifier/main_regression_test.go (L450-L471)) against rekor TLogs - manual invocations of `verify-artifact`. --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-08-02 21:47:50 +00:00
Ramon Petgrave	88bcb6bff7	chore: pin yamllint, golangci-lint (#783) ... pins the yaml-lint and golangci-lint dependency used in pre-submits. This is to fix code-scanning alerts about unpinned dependencies - https://github.com/slsa-framework/slsa-verifier/security/code-scanning/8 - https://github.com/slsa-framework/slsa-verifier/security/code-scanning/21 ### Testing Process The pre-submit test that uses yamllint and golangci-lint passes --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-08-02 19:51:07 +00:00
Ramon Petgrave	7f3db9211e	feat: support npm cli provenance v1 attestations (#776) ... Fixes #614, #450, #449, #515 Adds support for NPM CLIs build provenances, generated when running `npm publish --provenance --access public` from a [GitHub Actions workflow](5995008213/.github/workflows/npm-publish.yml (L21)). ## Testing - added unit tests for some new helper functions - added regression test cases ## Future work - https://github.com/slsa-framework/slsa-verifier/issues/493, so we can do `--print-provenance` - implemented in https://github.com/slsa-framework/slsa-verifier/pull/768#discussion_r1662938115 --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-07-30 19:46:04 +00:00
dependabot[bot]	0b14659dde	chore(deps): bump github.com/docker/docker from 24.0.9+incompatible to 26.1.4+incompatible in the go_modules group (#794) ... Bumps the go_modules group with 1 update: [github.com/docker/docker](https://github.com/docker/docker). Updates `github.com/docker/docker` from 24.0.9+incompatible to 26.1.4+incompatible <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/docker/releases">github.com/docker/docker's releases</a>.</em></p> <blockquote> <h2>v26.1.4</h2> <h2>26.1.4</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A26.1.4">docker/cli, 26.1.4 milestone</a></li> <li><a href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A26.1.4">moby/moby, 26.1.4 milestone</a></li> <li>Deprecated and removed features, see <a href="https://github.com/docker/cli/blob/v26.1.4/docs/deprecated.md">Deprecated Features</a>.</li> <li>Changes to the Engine API, see <a href="https://github.com/moby/moby/blob/v26.1.4/docs/api/version-history.md">API version history</a>.</li> </ul> <h3>Security</h3> <p>This release updates the Go runtime to 1.21.11 which contains security fixes for:</p> <ul> <li><a href="https://redirect.github.com/golang/go/issues/66869">CVE-2024-24789</a></li> <li><a href="https://redirect.github.com/golang/go/issues/67680">CVE-2024-24790</a></li> <li>A symlink time of check to time of use race condition during directory removal reported by Addison Crump (<a href="https://github.com/addisoncrump"><code>@​addisoncrump</code></a>).</li> </ul> <h3>Bug fixes and enhancements</h3> <ul> <li>Fixed an issue where promoting a node immediately after another node was demoted could cause the promotion to fail. <a href="https://redirect.github.com/moby/moby/pull/47870">moby/moby#47870</a></li> <li>Prevent the daemon log from being spammed with <code>superfluous response.WriteHeader call ...</code> messages.. <a href="https://redirect.github.com/moby/moby/pull/47843">moby/moby#47843</a></li> <li>Don't show empty hints when plugins return an empty hook message. <a href="https://redirect.github.com/docker/cli/pull/5083">docker/cli#5083</a></li> <li>Added <code>ContextType: &quot;moby&quot;</code> to the context list/inspect output to address a compatibility issue with Visual Studio Container Tools. <a href="https://redirect.github.com/docker/cli/pull/5095">docker/cli#5095</a></li> <li>Fix a compatibility issue with Visual Studio Container Tools. <a href="https://redirect.github.com/docker/cli/pull/5095">docker/cli#5095</a></li> </ul> <h3>Packaging updates</h3> <ul> <li>Update containerd (static binaries only) to <a href="https://github.com/containerd/containerd/releases/tag/v1.7.17">v1.7.17</a>. <a href="https://redirect.github.com/moby/moby/pull/47841">moby/moby#47841</a></li> <li><a href="https://redirect.github.com/golang/go/issues/66869">CVE-2024-24789</a>, <a href="https://redirect.github.com/golang/go/issues/67680">CVE-2024-24790</a>: Update Go runtime to 1.21.11. <a href="https://redirect.github.com/moby/moby/pull/47904">moby/moby#47904</a></li> <li>Update Compose to <a href="https://github.com/docker/compose/releases/tag/v2.27.1">v2.27.1</a>. <a href="https://redirect.github.com/docker/docker-ce-packaging/pull/1022">docker/docker-ce-packages#1022</a></li> <li>Update Buildx to <a href="https://github.com/docker/buildx/releases/tag/v0.14.1">v0.14.1</a>. <a href="https://redirect.github.com/docker/docker-ce-packaging/pull/1021">docker/docker-ce-packages#1021</a></li> </ul> <h2>v26.1.3</h2> <h2>26.1.3</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A26.1.3">docker/cli, 26.1.3 milestone</a></li> <li><a href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A26.1.3">moby/moby, 26.1.3 milestone</a></li> <li>Deprecated and removed features, see <a href="https://github.com/docker/cli/blob/v26.1.3/docs/deprecated.md">Deprecated Features</a>.</li> <li>Changes to the Engine API, see <a href="https://github.com/moby/moby/blob/v26.1.3/docs/api/version-history.md">API version history</a>.</li> </ul> <h3>Bug fixes and enhancements</h3> <ul> <li>Fix a regression that prevented the use of DNS servers within a <code>--internal</code> network. <a href="https://redirect.github.com/moby/moby/pull/47832">moby/moby#47832</a></li> <li>When the internal DNS server's own address is supplied as an external server address, ignore it to avoid unproductive recursion. <a href="https://redirect.github.com/moby/moby/pull/47833">moby/moby#47833</a></li> </ul> <h3>Packaging updates</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="de5c9cf0b9"><code>de5c9cf</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47912">#47912</a> from thaJeztah/26.1_backport_vendor_containerd_1.7.18</li> <li><a href="c62dcf8ab1"><code>c62dcf8</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47911">#47911</a> from thaJeztah/26.1_backport_bump_containerd_binary...</li> <li><a href="17315a20ee"><code>17315a2</code></a> vendor: github.com/containerd/containerd v1.7.18</li> <li><a href="cbd94183ab"><code>cbd9418</code></a> update containerd binary to v1.7.18</li> <li><a href="fb9f72aeb6"><code>fb9f72a</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47904">#47904</a> from thaJeztah/26.1_backport_bump_go1.21.11</li> <li><a href="3115daaa91"><code>3115daa</code></a> update to go1.21.11</li> <li><a href="2861734174"><code>2861734</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47892">#47892</a> from thaJeztah/26.1_backport_api_docs_network_confi...</li> <li><a href="9c95aea306"><code>9c95aea</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47893">#47893</a> from thaJeztah/26.1_backport_bump_docker_py</li> <li><a href="3e09e197a7"><code>3e09e19</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47894">#47894</a> from thaJeztah/26.1_backport_vendor_containerd_v1.7.17</li> <li><a href="65b679ac9c"><code>65b679a</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/47889">#47889</a> from thaJeztah/26.1_backport_platforms_err_handling</li> <li>Additional commits viewable in <a href="https://github.com/docker/docker/compare/v24.0.9...v26.1.4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-07-30 10:22:23 -04:00
Hayden B	40153f57a2	chore: Update CODEOWNERS to use teams (#793) ... This will assign teams rather than individuals to PRs. Signed-off-by: Hayden B <hblauzvern@google.com>	2024-07-23 18:18:55 -04:00
Ramon Petgrave	d96b977709	chore: v2.6.0: update docs (#789) ... #label:release v2.6.0 # How to Verify Clone the repo and run the script described in https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance. ``` $ git clone git@github.com:slsa-framework/slsa-verifier.git $ cd slsa-verifier $ bash verify-release.sh v2.6.0 ``` This will download the release files and verify the binaries. Confirm that the output hashes matches those in this PR's SHA256SUM.md - https://github.com/slsa-framework/slsa-verifier/pull/789/files#diff-7834ca792905514302a0630d1c57dc1d330569a18fc2fff4aac6129efb00f4ccR1-R8 --------- Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-07-17 12:21:44 -04:00
Ramon Petgrave	3714a2a468	fix: use tag for the builder in the release workflow (#788) ... The slsa-github-generator's workflow ref needs to be pinned by tag, not by hash. Fixes this error - https://github.com/slsa-framework/slsa-verifier/actions/runs/9893912259/job/27330429383#step:4:17 ``` Verifying slsa-verifier-linux-arm64 using slsa-verifier-linux-arm64.intoto.jsonl Verified signature against tlog entry index 110869188 at URL: 24296fb24b120088fe641b8e84 Verifying artifact slsa-verifier-linux-arm64: FAILED: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: "" FAILED: SLSA verification failed: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: "" ``` Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> v2.6.0-rc.1 v2.6.0	2024-07-11 12:34:52 -04:00
Ramon Petgrave	208ac12589	feat: vsa support (#777) ... Fixes #542 Adds support for VSAs. ## Testing process - added some unit an end-to-end tests - manually invoking ``` go run ./cli/slsa-verifier/ verify-vsa \ --subject-digest gce_image_id:8970095005306000053 \ --attestation-path ./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \ --verifier-id https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \ --resource-uri gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre \ --verified-level BCID_L1 \ --verified-level SLSA_BUILD_LEVEL_2 \ --public-key-path ./cli/slsa-verifier/testdata/vsa/gce/v1/vsa_signing_public_key.pem \ --public-key-id keystore://76574:prod:vsa_signing_public_key \ --print-attestation {"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]} Verifying VSA: PASSED PASSED: SLSA verification passed ``` TODOS: - open issue on the in_toto attestations repo about the incorrect json [fields](36c1129542/go/predicates/vsa/v1/vsa.pb.go (L26-L40)) for vsa 1.0 --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-07-10 21:25:16 -04:00
Mend Renovate	1049da4841	chore(deps): update github-actions (#786) ... [](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | patch | `v4.1.1` -> `v4.1.7` | | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v4.2.5` -> `v4.3.3` | | [actions/download-artifact](https://togithub.com/actions/download-artifact) | action | patch | `v4.1.4` -> `v4.1.7` | | [actions/setup-go](https://togithub.com/actions/setup-go) | action | patch | `v5.0.0` -> `v5.0.1` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v4.3.1` -> `v4.3.3` | | [actionsdesk/lfs-warning](https://togithub.com/actionsdesk/lfs-warning) | action | minor | `v3.2` -> `v3.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v3.24.9` -> `v3.25.11` | | [golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action) | action | pinDigest | -> `d6238b0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | patch | `v2.3.1` -> `v2.3.3` | | [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | pinDigest | -> `c747fe7` | | [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.4.1` -> `v2.5.1` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.7`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.6...v4.1.7) - Bump the minor-npm-dependencies group across 1 directory with 4 updates by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1739](https://togithub.com/actions/checkout/pull/1739) - Bump actions/checkout from 3 to 4 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1697](https://togithub.com/actions/checkout/pull/1697) - Check out other refs/\* by commit by [@&#8203;orhantoy](https://togithub.com/orhantoy) in [https://github.com/actions/checkout/pull/1774](https://togithub.com/actions/checkout/pull/1774) - Pin actions/checkout's own workflows to a known, good, stable version. by [@&#8203;jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1776](https://togithub.com/actions/checkout/pull/1776) ### [`v4.1.6`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.5...v4.1.6) - Check platform to set archive extension appropriately by [@&#8203;cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1732](https://togithub.com/actions/checkout/pull/1732) ### [`v4.1.5`](https://togithub.com/actions/checkout/releases/tag/v4.1.5) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.4...v4.1.5) #### What's Changed - Update NPM dependencies by [@&#8203;cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1703](https://togithub.com/actions/checkout/pull/1703) - Bump github/codeql-action from 2 to 3 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1694](https://togithub.com/actions/checkout/pull/1694) - Bump actions/setup-node from 1 to 4 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1696](https://togithub.com/actions/checkout/pull/1696) - Bump actions/upload-artifact from 2 to 4 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1695](https://togithub.com/actions/checkout/pull/1695) - README: Suggest `user.email` to be `41898282+github-actions[bot]@&#8203;users.noreply.github.com` by [@&#8203;cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1707](https://togithub.com/actions/checkout/pull/1707) **Full Changelog**: https://github.com/actions/checkout/compare/v4.1.4...v4.1.5 ### [`v4.1.4`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.3...v4.1.4) - Disable `extensions.worktreeConfig` when disabling `sparse-checkout` by [@&#8203;jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1692](https://togithub.com/actions/checkout/pull/1692) - Add dependabot config by [@&#8203;cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1688](https://togithub.com/actions/checkout/pull/1688) - Bump the minor-actions-dependencies group with 2 updates by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1693](https://togithub.com/actions/checkout/pull/1693) - Bump word-wrap from 1.2.3 to 1.2.5 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1643](https://togithub.com/actions/checkout/pull/1643) ### [`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3) #### What's Changed - Update `actions/checkout` version in `update-main-version.yml` by [@&#8203;jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650) - Check git version before attempting to disable `sparse-checkout` by [@&#8203;jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656) - Add SSH user parameter by [@&#8203;cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685) **Full Changelog**: https://github.com/actions/checkout/compare/v4.1.2...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2) - Fix: Disable sparse checkout whenever `sparse-checkout` option is not present [@&#8203;dscho](https://togithub.com/dscho) in [https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.3.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.3): Notes for v4.3.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3) #### What's Changed - Allow slashes in purl package names by [@&#8203;juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/765](https://togithub.com/actions/dependency-review-action/pull/765) - use the v3 version of the deps.dev API by [@&#8203;josieang](https://togithub.com/josieang) in [https://github.com/actions/dependency-review-action/pull/741](https://togithub.com/actions/dependency-review-action/pull/741) - PR with suggestions - \[Improvement]: Help streamline / simplify dependency review action README by [@&#8203;am-stead](https://togithub.com/am-stead) in [https://github.com/actions/dependency-review-action/pull/773](https://togithub.com/actions/dependency-review-action/pull/773) - fix show-openssf-scorecard-levels input by [@&#8203;ramann](https://togithub.com/ramann) in [https://github.com/actions/dependency-review-action/pull/776](https://togithub.com/actions/dependency-review-action/pull/776) - Updates to the contribution guidelines by [@&#8203;jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/778](https://togithub.com/actions/dependency-review-action/pull/778) - Create issue templates by [@&#8203;jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/777](https://togithub.com/actions/dependency-review-action/pull/777) - Fix the max comment length issue by [@&#8203;jhutchings1](https://togithub.com/jhutchings1) and [@&#8203;elireisman](https://togithub.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/767](https://togithub.com/actions/dependency-review-action/pull/767) - Bump project version to 4.3.3 in prep for a release by [@&#8203;elireisman](https://togithub.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/781](https://togithub.com/actions/dependency-review-action/pull/781) #### New Contributors - [@&#8203;josieang](https://togithub.com/josieang) made their first contribution in [https://github.com/actions/dependency-review-action/pull/741](https://togithub.com/actions/dependency-review-action/pull/741) - [@&#8203;am-stead](https://togithub.com/am-stead) made their first contribution in [https://github.com/actions/dependency-review-action/pull/773](https://togithub.com/actions/dependency-review-action/pull/773) - [@&#8203;ramann](https://togithub.com/ramann) made their first contribution in [https://github.com/actions/dependency-review-action/pull/776](https://togithub.com/actions/dependency-review-action/pull/776) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3 ### [`v4.3.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.2) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2) #### What's Changed - Fix package-url parsing for allow-dependencies-licenses by [@&#8203;juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/761](https://togithub.com/actions/dependency-review-action/pull/761) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2 ### [`v4.3.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.1) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.0...v4.3.1) #### What's Changed This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See [https://github.com/actions/dependency-review-action/pull/753](https://togithub.com/actions/dependency-review-action/pull/753). **Full Changelog**: https://github.com/actions/dependency-review-action/compare/V4.3.0...v4.3.1 ### [`v4.3.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.0) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.5...v4.3.0) #### New Features - The `deny-packages` option can now be used without a version number to exclude *all* versions of a package. #### What's Changed - Fix action variable name for scorecard by [@&#8203;lukehinds](https://togithub.com/lukehinds) in [https://github.com/actions/dependency-review-action/pull/735](https://togithub.com/actions/dependency-review-action/pull/735) - Fix extra https:// in summary by [@&#8203;jhutchings1](https://togithub.com/jhutchings1) in [https://github.com/actions/dependency-review-action/pull/748](https://togithub.com/actions/dependency-review-action/pull/748) - Bump typescript from 5.3.3 to 5.4.5 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/744](https://togithub.com/actions/dependency-review-action/pull/744) - Bump eslint-plugin-github from 4.10.1 to 4.10.2 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/737](https://togithub.com/actions/dependency-review-action/pull/737) - Show denied packages with red X by [@&#8203;juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/750](https://togithub.com/actions/dependency-review-action/pull/750) - deny-packages configuration option can deny specified version or all packages by [@&#8203;febuiles](https://togithub.com/febuiles) and [@&#8203;bteng22](https://togithub.com/bteng22) in [https://github.com/actions/dependency-review-action/pull/733](https://togithub.com/actions/dependency-review-action/pull/733) #### New Contributors - [@&#8203;bteng22](https://togithub.com/bteng22) made their first contribution in [https://github.com/actions/dependency-review-action/pull/733](https://togithub.com/actions/dependency-review-action/pull/733) - [@&#8203;lukehinds](https://togithub.com/lukehinds) made their first contribution in [https://github.com/actions/dependency-review-action/pull/735](https://togithub.com/actions/dependency-review-action/pull/735) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.2.5...V4.3.0 </details> <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.7`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.7) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.6...v4.1.7) #### What's Changed - Update [@&#8203;actions/artifact](https://togithub.com/actions/artifact) dependency by [@&#8203;bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/325](https://togithub.com/actions/download-artifact/pull/325) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4.1.6...v4.1.7 ### [`v4.1.6`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.6) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.5...v4.1.6) #### What's Changed - updating `@actions/artifact` dependency to v2.1.6 by [@&#8203;eggyhead](https://togithub.com/eggyhead) in [https://github.com/actions/download-artifact/pull/324](https://togithub.com/actions/download-artifact/pull/324) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4.1.5...v4.1.6 ### [`v4.1.5`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.5) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.4...v4.1.5) #### What's Changed - Update readme with v3/v2/v1 deprecation notice by [@&#8203;robherley](https://togithub.com/robherley) in [https://github.com/actions/download-artifact/pull/322](https://togithub.com/actions/download-artifact/pull/322) - Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact` to v2.1.5 **Full Changelog**: https://github.com/actions/download-artifact/compare/v4.1.4...v4.1.5 </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.0.1`](https://togithub.com/actions/setup-go/releases/tag/v5.0.1) [Compare Source](https://togithub.com/actions/setup-go/compare/v5.0.0...v5.0.1) #### What's Changed - Bump undici from 5.28.2 to 5.28.3 and dependencies upgrade by [@&#8203;dependabot](https://togithub.com/dependabot) , [@&#8203;HarithaVattikuti](https://togithub.com/HarithaVattikuti) in [https://github.com/actions/setup-go/pull/465](https://togithub.com/actions/setup-go/pull/465) - Update documentation with latest V5 release notes by [@&#8203;ab](https://togithub.com/ab) in [https://github.com/actions/setup-go/pull/459](https://togithub.com/actions/setup-go/pull/459) - Update version documentation by [@&#8203;178inaba](https://togithub.com/178inaba) in [https://github.com/actions/setup-go/pull/458](https://togithub.com/actions/setup-go/pull/458) - Documentation update of `actions/setup-go` to v5 by [@&#8203;chenrui333](https://togithub.com/chenrui333) in [https://github.com/actions/setup-go/pull/449](https://togithub.com/actions/setup-go/pull/449) #### New Contributors - [@&#8203;ab](https://togithub.com/ab) made their first contribution in [https://github.com/actions/setup-go/pull/459](https://togithub.com/actions/setup-go/pull/459) **Full Changelog**: https://github.com/actions/setup-go/compare/v5.0.0...v5.0.1 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.3`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.2...v4.3.3) ##### What's Changed - updating `@actions/artifact` dependency to v2.1.6 by [@&#8203;eggyhead](https://togithub.com/eggyhead) in [https://github.com/actions/upload-artifact/pull/565](https://togithub.com/actions/upload-artifact/pull/565) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3 ### [`v4.3.2`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.2) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.1...v4.3.2) #### What's Changed - Update release-new-action-version.yml by [@&#8203;konradpabjan](https://togithub.com/konradpabjan) in [https://github.com/actions/upload-artifact/pull/516](https://togithub.com/actions/upload-artifact/pull/516) - Minor fix to the migration readme by [@&#8203;andrewakim](https://togithub.com/andrewakim) in [https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523) - Update readme with v3/v2/v1 deprecation notice by [@&#8203;robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/561](https://togithub.com/actions/upload-artifact/pull/561) - updating `@actions/artifact` dependency to v2.1.5 and `@actions/core` to v1.0.1 by [@&#8203;eggyhead](https://togithub.com/eggyhead) in [https://github.com/actions/upload-artifact/pull/562](https://togithub.com/actions/upload-artifact/pull/562) #### New Contributors - [@&#8203;andrewakim](https://togithub.com/andrewakim) made their first contribution in [https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2 </details> <details> <summary>actionsdesk/lfs-warning (actionsdesk/lfs-warning)</summary> ### [`v3.3`](https://togithub.com/ppremk/lfs-warning/releases/tag/v3.3) [Compare Source](https://togithub.com/actionsdesk/lfs-warning/compare/v3.2...v3.3) #### What's Changed - update node js to 16 by [@&#8203;GlazerMann](https://togithub.com/GlazerMann) in [https://github.com/ppremk/lfs-warning/pull/148](https://togithub.com/ppremk/lfs-warning/pull/148) - Fixing README to match repo move by [@&#8203;samthebest](https://togithub.com/samthebest) in [https://github.com/ppremk/lfs-warning/pull/153](https://togithub.com/ppremk/lfs-warning/pull/153) - Update CODEOWNERS by [@&#8203;rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/158](https://togithub.com/ppremk/lfs-warning/pull/158) - Bump http-cache-semantics from 4.1.0 to 4.1.1 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/151](https://togithub.com/ppremk/lfs-warning/pull/151) - Bump [@&#8203;babel/traverse](https://togithub.com/babel/traverse) from 7.15.4 to 7.23.4 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/159](https://togithub.com/ppremk/lfs-warning/pull/159) - Bump tough-cookie from 4.0.0 to 4.1.3 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/160](https://togithub.com/ppremk/lfs-warning/pull/160) - Bump cacheable-request and gts by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/152](https://togithub.com/ppremk/lfs-warning/pull/152) - Update emoji and convert file list to markdown list by [@&#8203;rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/161](https://togithub.com/ppremk/lfs-warning/pull/161) - Bump got and gts by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/155](https://togithub.com/ppremk/lfs-warning/pull/155) - Exclude files without blob_url when getting PR blobs by [@&#8203;rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/162](https://togithub.com/ppremk/lfs-warning/pull/162) - Support pull_request_target by [@&#8203;rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/164](https://togithub.com/ppremk/lfs-warning/pull/164) - Update-node by [@&#8203;rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/163](https://togithub.com/ppremk/lfs-warning/pull/163) - Fix text setup for the issue comment by [@&#8203;rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/166](https://togithub.com/ppremk/lfs-warning/pull/166) - Validate PR changes to make sure there are no changes missing by [@&#8203;rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/165](https://togithub.com/ppremk/lfs-warning/pull/165) - Fix emoji by [@&#8203;rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/167](https://togithub.com/ppremk/lfs-warning/pull/167) - Bump undici from 5.28.2 to 5.28.4 by [@&#8203;dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/171](https://togithub.com/ppremk/lfs-warning/pull/171) #### New Contributors - [@&#8203;GlazerMann](https://togithub.com/GlazerMann) made their first contribution in [https://github.com/ppremk/lfs-warning/pull/148](https://togithub.com/ppremk/lfs-warning/pull/148) - [@&#8203;samthebest](https://togithub.com/samthebest) made their first contribution in [https://github.com/ppremk/lfs-warning/pull/153](https://togithub.com/ppremk/lfs-warning/pull/153) - [@&#8203;rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/ppremk/lfs-warning/pull/158](https://togithub.com/ppremk/lfs-warning/pull/158) **Full Changelog**: https://github.com/ppremk/lfs-warning/compare/v3.2...v3.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.25.11`](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11) ### [`v3.25.10`](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10) ### [`v3.25.9`](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9) ### [`v3.25.8`](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8) ### [`v3.25.7`](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7) ### [`v3.25.6`](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6) ### [`v3.25.5`](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5) ### [`v3.25.4`](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4) ### [`v3.25.3`](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3) ### [`v3.25.2`](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2) ### [`v3.25.1`](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1) ### [`v3.25.0`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.25.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.11...v3.25.0) ### [`v3.24.11`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11) ### [`v3.24.10`](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.3) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.2...v2.3.3) > \[!NOTE]\ > There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1366](https://togithub.com/ossf/scorecard-action/pull/1366) - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1374](https://togithub.com/ossf/scorecard-action/pull/1374) - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1377](https://togithub.com/ossf/scorecard-action/pull/1377) For a full changelist of what these include, see the [v5.0.0-rc1](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc1) and [v5.0.0-rc2](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc2) release notes. ##### Documentation - 📖 Move token discussion out of main README. by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1279](https://togithub.com/ossf/scorecard-action/pull/1279) - 📖 link to `ossf/scorecard` workflow instead of maintaining an example by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1352](https://togithub.com/ossf/scorecard-action/pull/1352) - 📖 update api links to new scorecard.dev site by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1376](https://togithub.com/ossf/scorecard-action/pull/1376) **Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.3 ### [`v2.3.2`](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2) </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.5.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.5.1) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1) #### What's Changed - feat: Add cosign registry opts for provenance registry by [@&#8203;saisatishkarra](https://togithub.com/saisatishkarra) in [https://github.com/slsa-framework/slsa-verifier/pull/729](https://togithub.com/slsa-framework/slsa-verifier/pull/729) and [https://github.com/slsa-framework/slsa-verifier/pull/736](https://togithub.com/slsa-framework/slsa-verifier/pull/736) - feat: Add support for DSSE Rekor type by [@&#8203;haydentherapper](https://togithub.com/haydentherapper) in [https://github.com/slsa-framework/slsa-verifier/pull/742](https://togithub.com/slsa-framework/slsa-verifier/pull/742) #### New Contributors - [@&#8203;saisatishkarra](https://togithub.com/saisatishkarra) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/729](https://togithub.com/slsa-framework/slsa-verifier/pull/729) - [@&#8203;ramonpetgrave64](https://togithub.com/ramonpetgrave64) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/737](https://togithub.com/slsa-framework/slsa-verifier/pull/737) - [@&#8203;haydentherapper](https://togithub.com/haydentherapper) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/742](https://togithub.com/slsa-framework/slsa-verifier/pull/742) **Full Changelog**: https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-07-01 17:21:38 +00:00
Mend Renovate	903cddc5c3	fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 (#787) ... [](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [org.apache.maven:maven-core](https://maven.apache.org/) | `3.9.6` -> `3.9.8` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->	2024-07-01 12:43:35 -04:00
Mend Renovate	4bab78a528	chore(deps): update npm dev (#650) ... [](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`18.19.28` -> `18.19.33`](https://renovatebot.com/diffs/npm/@types%2fnode/18.19.28/18.19.33) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [eslint](https://eslint.org) ([source](https://togithub.com/eslint/eslint)) | [`^8.57.0` -> `8.57.0`](https://renovatebot.com/diffs/npm/eslint/8.57.0/8.57.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | pin | | [eslint-plugin-prettier](https://togithub.com/prettier/eslint-plugin-prettier) | [`^5.1.3` -> `5.1.3`](https://renovatebot.com/diffs/npm/eslint-plugin-prettier/5.1.3/5.1.3) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | pin | | [markdown-toc](https://togithub.com/jonschlinkert/markdown-toc) | [`^1.2.0` -> `1.2.0`](https://renovatebot.com/diffs/npm/markdown-toc/1.2.0/1.2.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | pin | | [renovate](https://renovatebot.com) ([source](https://togithub.com/renovatebot/renovate)) | [`37.363.4` -> `37.374.1`](https://renovatebot.com/diffs/npm/renovate/37.363.4/37.374.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | minor | | [typescript](https://www.typescriptlang.org/) ([source](https://togithub.com/Microsoft/TypeScript)) | [`^5.4.3` -> `5.4.3`](https://renovatebot.com/diffs/npm/typescript/5.4.3/5.4.3) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | pin | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`^7.5.0` -> `7.5.0`](https://renovatebot.com/diffs/npm/typescript-eslint/7.5.0/7.5.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | devDependencies | pin | --- ### Release Notes <details> <summary>renovatebot/renovate (renovate)</summary> ### [`v37.374.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.374.1) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.374.0...37.374.1) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.6 ([#&#8203;29212](https://togithub.com/renovatebot/renovate/issues/29212)) ([f4eeaaa](f4eeaaaff6)) ### [`v37.374.0`](https://togithub.com/renovatebot/renovate/compare/37.373.0...fe62e80aebe988dd9dcbe47d3e5eee225ec3904d) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.373.0...37.374.0) ### [`v37.373.0`](https://togithub.com/renovatebot/renovate/compare/37.372.1...25255596d63a03a312885aba1b25fdfd7b76c7a4) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.372.1...37.373.0) ### [`v37.372.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.372.1) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.372.0...37.372.1) ##### Bug Fixes - **packageRules:** prPriority should only be in packageRules ([#&#8203;29201](https://togithub.com/renovatebot/renovate/issues/29201)) ([70f1f93](70f1f93823)) ### [`v37.372.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.372.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.371.1...37.372.0) ##### Features - **util/package-rules:** allow glob pattens in match{Current,New}Value ([#&#8203;29168](https://togithub.com/renovatebot/renovate/issues/29168)) ([56856d4](56856d4a46)) ##### Bug Fixes - **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.14 ([#&#8203;29199](https://togithub.com/renovatebot/renovate/issues/29199)) ([4edd63a](4edd63a297)) - **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.5 ([#&#8203;29200](https://togithub.com/renovatebot/renovate/issues/29200)) ([757574b](757574b931)) ##### Miscellaneous Chores - **deps:** update ghcr.io/containerbase/devcontainer docker tag to v10.6.14 ([#&#8203;29198](https://togithub.com/renovatebot/renovate/issues/29198)) ([a8855d8](a8855d811c)) ### [`v37.371.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.371.1) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.371.0...37.371.1) ##### Bug Fixes - **pdm:** change pdm update strategy to eager ([#&#8203;29183](https://togithub.com/renovatebot/renovate/issues/29183)) ([2f335b6](2f335b61f4)) ##### Miscellaneous Chores - **deps:** update dependency [@&#8203;swc/core](https://togithub.com/swc/core) to v1.5.7 ([#&#8203;29192](https://togithub.com/renovatebot/renovate/issues/29192)) ([436fa71](436fa71ce4)) - **deps:** update linters to v7.10.0 ([#&#8203;29196](https://togithub.com/renovatebot/renovate/issues/29196)) ([ab36239](ab36239421)) - log when \_PROXY values detected ([#&#8203;29191](https://togithub.com/renovatebot/renovate/issues/29191)) ([e281931](e28193134a)) ### [`v37.371.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.371.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.370.0...37.371.0) ##### Features - **asdf:** Add rebar3 to asdf manager ([#&#8203;29188](https://togithub.com/renovatebot/renovate/issues/29188)) ([2e6c563](2e6c5636ea)) ##### Miscellaneous Chores - **deps:** update linters ([#&#8203;29193](https://togithub.com/renovatebot/renovate/issues/29193)) ([f59c7f3](f59c7f3162)) ### [`v37.370.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.370.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.369.1...37.370.0) ##### Features - **self-hosted:** `mergeConfidenceEndpoint` and `mergeConfidenceDatasources` ([#&#8203;28880](https://togithub.com/renovatebot/renovate/issues/28880)) ([044dc0f](044dc0fa28)) ### [`v37.369.1`](https://togithub.com/renovatebot/renovate/compare/37.369.0...ae15a51554828bb3891268c16f180124a90ade55) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.369.0...37.369.1) ### [`v37.369.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.369.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.10...37.369.0) ##### Features - **datasource:** `sourceUrl` & `releaseTimestamp` support ([#&#8203;29122](https://togithub.com/renovatebot/renovate/issues/29122)) ([d0b77e5](d0b77e584a)) ### [`v37.368.10`](https://togithub.com/renovatebot/renovate/compare/37.368.9...3c75e4bfb3e6786508f57ead837af102d468f4ab) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.9...37.368.10) ### [`v37.368.9`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.9) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.8...37.368.9) ##### Bug Fixes - **homebrew:** handle new github archive url format ([#&#8203;29138](https://togithub.com/renovatebot/renovate/issues/29138)) ([e035f05](e035f0562d)) ### [`v37.368.8`](https://togithub.com/renovatebot/renovate/compare/37.368.7...5b88dd6a31c24880da2b2dc5915916a8f3e4f6e8) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.7...37.368.8) ### [`v37.368.7`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.7) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.6...37.368.7) ##### Bug Fixes - **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.12 ([#&#8203;29157](https://togithub.com/renovatebot/renovate/issues/29157)) ([4a1e758](4a1e75889f)) ##### Documentation - **readme:** better alt text, add toggleable list of companies/projects that use Renovate ([#&#8203;29022](https://togithub.com/renovatebot/renovate/issues/29022)) ([f8f5184](f8f518493d)) ##### Miscellaneous Chores - **deps:** update containerbase/internal-tools action to v3.0.88 ([#&#8203;29149](https://togithub.com/renovatebot/renovate/issues/29149)) ([92686aa](92686aa201)) ### [`v37.368.6`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.6) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.5...37.368.6) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.3 ([#&#8203;29143](https://togithub.com/renovatebot/renovate/issues/29143)) ([7f6964c](7f6964cea9)) ### [`v37.368.5`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.5) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.4...37.368.5) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.2 ([#&#8203;29142](https://togithub.com/renovatebot/renovate/issues/29142)) ([c23c70f](c23c70fc8b)) ##### Miscellaneous Chores - **deps:** update dependency rimraf to v5.0.7 ([#&#8203;29141](https://togithub.com/renovatebot/renovate/issues/29141)) ([483bfc2](483bfc28f5)) ### [`v37.368.4`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.4) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.3...37.368.4) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.1 ([#&#8203;29140](https://togithub.com/renovatebot/renovate/issues/29140)) ([947bf17](947bf17aea)) ##### Miscellaneous Chores - **deps:** update dependency rimraf to v5.0.6 ([#&#8203;29139](https://togithub.com/renovatebot/renovate/issues/29139)) ([a2ba884](a2ba88412c)) ### [`v37.368.3`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.3) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.2...37.368.3) ##### Bug Fixes - **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.11 ([#&#8203;29134](https://togithub.com/renovatebot/renovate/issues/29134)) ([8216f20](8216f205dc)) ##### Documentation - **config:** warn about spaces in `schedule` ([#&#8203;29121](https://togithub.com/renovatebot/renovate/issues/29121)) ([ebfb48d](ebfb48d416)) ##### Miscellaneous Chores - **deps:** update ghcr.io/containerbase/devcontainer docker tag to v10.6.11 ([#&#8203;29133](https://togithub.com/renovatebot/renovate/issues/29133)) ([463226b](463226b1ed)) ### [`v37.368.2`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.2) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.1...37.368.2) ##### Bug Fixes - **gomod:** treat v0 pseudo version updates as digest updates ([#&#8203;29042](https://togithub.com/renovatebot/renovate/issues/29042)) ([6f8cde4](6f8cde4e67)) ### [`v37.368.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.1) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.368.0...37.368.1) ##### Miscellaneous Chores - **deps:** update actions/checkout action to v4.1.6 ([#&#8203;29126](https://togithub.com/renovatebot/renovate/issues/29126)) ([f951139](f951139409)) ##### Build System - **deps:** update dependency glob to v10.3.15 ([#&#8203;29125](https://togithub.com/renovatebot/renovate/issues/29125)) ([dc7d73f](dc7d73f98f)) ### [`v37.368.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.367.0...37.368.0) ##### Features - **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.0 ([#&#8203;29124](https://togithub.com/renovatebot/renovate/issues/29124)) ([676e1ef](676e1ef47f)) ##### Build System - **deps:** update dependency glob to v10.3.14 ([#&#8203;29123](https://togithub.com/renovatebot/renovate/issues/29123)) ([40a6b4d](40a6b4d290)) ### [`v37.367.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.367.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.366.1...37.367.0) ##### Features - **presets:** add replacements for ZAP org moves ([#&#8203;29117](https://togithub.com/renovatebot/renovate/issues/29117)) ([7df1dc7](7df1dc77ae)) ### [`v37.366.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.366.1) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.366.0...37.366.1) ##### Build System - **deps:** update dependency jsonata to v2.0.5 ([#&#8203;29116](https://togithub.com/renovatebot/renovate/issues/29116)) ([8bbde23](8bbde23579)) ### [`v37.366.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.366.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.365.0...37.366.0) ##### Features - **datasource:** Add python-version datasource ([#&#8203;27583](https://togithub.com/renovatebot/renovate/issues/27583)) ([c8aacc4](c8aacc4c05)) - Support custom artifact notice ([#&#8203;28957](https://togithub.com/renovatebot/renovate/issues/28957)) ([1c8eb34](1c8eb34876)) ### [`v37.365.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.365.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.364.0...37.365.0) ##### Features - **presets/workarounds:** add bitnami docker versioning ([#&#8203;29112](https://togithub.com/renovatebot/renovate/issues/29112)) ([66de046](66de0465e9)) ### [`v37.364.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.364.0) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.363.9...37.364.0) ##### Features - **presets:** add strum to monorepos ([#&#8203;29109](https://togithub.com/renovatebot/renovate/issues/29109)) ([20716b0](20716b0609)) ##### Miscellaneous Chores - **deps:** update containerbase/internal-tools action to v3.0.87 ([#&#8203;29108](https://togithub.com/renovatebot/renovate/issues/29108)) ([e03a5cf](e03a5cf0cb)) ##### Tests - **osgi:** Use "codeBlock" for tests ([#&#8203;29110](https://togithub.com/renovatebot/renovate/issues/29110)) ([2429a07](2429a07eef)) ### [`v37.363.9`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.9) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.363.8...37.363.9) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.11.2 ([#&#8203;29099](https://togithub.com/renovatebot/renovate/issues/29099)) ([99ba857](99ba857374)) ##### Documentation - **config:** add note about GnuPG v2.4 usage ([#&#8203;29067](https://togithub.com/renovatebot/renovate/issues/29067)) ([88fd212](88fd2124ff)) ### [`v37.363.8`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.8) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.363.7...37.363.8) ##### Bug Fixes - **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.10 ([#&#8203;29096](https://togithub.com/renovatebot/renovate/issues/29096)) ([1254f6a](1254f6a662)) ##### Documentation - **bot comparison:** dependabot-core switched to MIT license ([#&#8203;29095](https://togithub.com/renovatebot/renovate/issues/29095)) ([d9cd961](d9cd9612ec)) - Update Swissquote article with information on the scheduler and dashboards ([#&#8203;29030](https://togithub.com/renovatebot/renovate/issues/29030)) ([01f9861](01f9861069)) ### [`v37.363.7`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.7) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.363.6...37.363.7) ##### Miscellaneous Chores - **deps:** update ghcr.io/containerbase/devcontainer docker tag to v10.6.10 ([#&#8203;29091](https://togithub.com/renovatebot/renovate/issues/29091)) ([dba9ad3](dba9ad3353)) ##### Build System - **deps:** update dependency zod to v3.23.8 ([#&#8203;29090](https://togithub.com/renovatebot/renovate/issues/29090)) ([caedb6f](caedb6f452)) ### [`v37.363.6`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.6) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.363.5...37.363.6) ##### Bug Fixes - **datasource/github-runners:** add Ubuntu 24.04 Noble Numbat as unstable ([#&#8203;29088](https://togithub.com/renovatebot/renovate/issues/29088)) ([e291ef0](e291ef0dbd)) ### [`v37.363.5`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.5) [Compare Source](https://togithub.com/renovatebot/renovate/compare/37.363.4...37.363.5) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.11.1 ([#&#8203;29079](https://togithub.com/renovatebot/renovate/issues/29079)) ([945c4cf](945c4cf8ba)) ##### Miscellaneous Chores - **deps:** update codecov/codecov-action action to v4.4.0 ([#&#8203;29080](https://togithub.com/renovatebot/renovate/issues/29080)) ([78edb5b](78edb5b0f8)) ##### Build System - **deps:** update dependency zod to v3.23.7 ([#&#8203;29077](https://togithub.com/renovatebot/renovate/issues/29077)) ([ead5d55](ead5d55a49)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM3LjM2OC4xMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-06-27 18:54:52 +00:00
Mend Renovate	163abe52e2	chore(deps): update golang:1.21 docker digest to b405b62 (#774) ... [](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang | stage | digest | `d83472f` -> `b405b62` | --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzcuOCIsInVwZGF0ZWRJblZlciI6IjM3LjQxMy4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->	2024-06-27 18:37:34 +00:00
Ramon Petgrave	2f70fef663	fix: make download-artifacts.sh more flexible (#761) ... Making the `download-artifacts.sh` script be more useful. Before, it would error upon seeing some zip files that it doesn't expect to be in the GH release. I think the script is just a bit outdated. But for now, I think we should bypass that, since the script is already written to know which of the final files within the archives are actually needed. related PR https://github.com/slsa-framework/slsa-github-generator/pull/3589 Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-06-27 17:22:49 +00:00
Mend Renovate	b69efeea0b	fix(deps): update golang.org/x/exp digest to 7f521ea (#775) ... [](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang.org/x/exp | require | digest | `2478ac8` -> `7f521ea` | --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzcuOCIsInVwZGF0ZWRJblZlciI6IjM3LjM5My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->	2024-06-27 17:07:30 +00:00
dependabot[bot]	34ab203678	chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates (#784) ... Bumps the npm_and_yarn group with 1 update in the / directory: [braces](https://github.com/micromatch/braces). Bumps the npm_and_yarn group with 2 updates in the /actions/installer directory: [braces](https://github.com/micromatch/braces) and [undici](https://github.com/nodejs/undici). Updates `braces` from 3.0.2 to 3.0.3 <details> <summary>Commits</summary> <ul> <li><a href="74b2db2938"><code>74b2db2</code></a> 3.0.3</li> <li><a href="88f1429a0f"><code>88f1429</code></a> update eslint. lint, fix unit tests.</li> <li><a href="415d660c30"><code>415d660</code></a> Snyk js braces 6838727 (<a href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li> <li><a href="190510f79d"><code>190510f</code></a> fix tests, skip 1 test in test/braces.expand</li> <li><a href="716eb9f12d"><code>716eb9f</code></a> readme bump</li> <li><a href="a5851e57f4"><code>a5851e5</code></a> Merge pull request <a href="https://redirect.github.com/micromatch/braces/issues/37">#37</a> from coderaiser/fix/vulnerability</li> <li><a href="2092bd1fb1"><code>2092bd1</code></a> feature: braces: add maxSymbols (<a href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li> <li><a href="9f5b4cf473"><code>9f5b4cf</code></a> fix: vulnerability (<a href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li> <li><a href="98414f9f1f"><code>98414f9</code></a> remove funding file</li> <li><a href="665ab5d561"><code>665ab5d</code></a> update keepEscaping doc (<a href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li> <li>Additional commits viewable in <a href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare view</a></li> </ul> </details> <br /> Updates `braces` from 3.0.2 to 3.0.3 <details> <summary>Commits</summary> <ul> <li><a href="74b2db2938"><code>74b2db2</code></a> 3.0.3</li> <li><a href="88f1429a0f"><code>88f1429</code></a> update eslint. lint, fix unit tests.</li> <li><a href="415d660c30"><code>415d660</code></a> Snyk js braces 6838727 (<a href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li> <li><a href="190510f79d"><code>190510f</code></a> fix tests, skip 1 test in test/braces.expand</li> <li><a href="716eb9f12d"><code>716eb9f</code></a> readme bump</li> <li><a href="a5851e57f4"><code>a5851e5</code></a> Merge pull request <a href="https://redirect.github.com/micromatch/braces/issues/37">#37</a> from coderaiser/fix/vulnerability</li> <li><a href="2092bd1fb1"><code>2092bd1</code></a> feature: braces: add maxSymbols (<a href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li> <li><a href="9f5b4cf473"><code>9f5b4cf</code></a> fix: vulnerability (<a href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li> <li><a href="98414f9f1f"><code>98414f9</code></a> remove funding file</li> <li><a href="665ab5d561"><code>665ab5d</code></a> update keepEscaping doc (<a href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li> <li>Additional commits viewable in <a href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare view</a></li> </ul> </details> <br /> Updates `undici` from 5.28.3 to 5.28.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v5.28.4</h2> <h2>⚠️ Security Release ⚠️</h2> <ul> <li>Fixes <a href="https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7">https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7</a> CVE-2024-30260</li> <li>Fixes <a href="https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672">https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672</a> CVE-2024-30261</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="fb98306907"><code>fb98306</code></a> Bumped v5.28.4</li> <li><a href="2b39440bd9"><code>2b39440</code></a> Merge pull request from GHSA-9qxr-qj54-h672</li> <li><a href="64e3402da4"><code>64e3402</code></a> Merge pull request from GHSA-m4v8-wqvr-p9f7</li> <li><a href="723c4e7280"><code>723c4e7</code></a> Revert &quot;build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (<a href="https://redirect.github.com/nodejs/undici/issues/2389">#2389</a>)&quot;</li> <li><a href="0e9d54b2c2"><code>0e9d54b</code></a> skip failing test due to Node.js changes</li> <li>See full diff in <a href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: github-actions <github-actions@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-06-27 12:03:26 -04:00
dependabot[bot]	9fb6f246f8	chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer (#780) ... Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. <details> <summary>Commits</summary> <ul> <li><a href="74b2db2938"><code>74b2db2</code></a> 3.0.3</li> <li><a href="88f1429a0f"><code>88f1429</code></a> update eslint. lint, fix unit tests.</li> <li><a href="415d660c30"><code>415d660</code></a> Snyk js braces 6838727 (<a href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li> <li><a href="190510f79d"><code>190510f</code></a> fix tests, skip 1 test in test/braces.expand</li> <li><a href="716eb9f12d"><code>716eb9f</code></a> readme bump</li> <li><a href="a5851e57f4"><code>a5851e5</code></a> Merge pull request <a href="https://redirect.github.com/micromatch/braces/issues/37">#37</a> from coderaiser/fix/vulnerability</li> <li><a href="2092bd1fb1"><code>2092bd1</code></a> feature: braces: add maxSymbols (<a href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li> <li><a href="9f5b4cf473"><code>9f5b4cf</code></a> fix: vulnerability (<a href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li> <li><a href="98414f9f1f"><code>98414f9</code></a> remove funding file</li> <li><a href="665ab5d561"><code>665ab5d</code></a> update keepEscaping doc (<a href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li> <li>Additional commits viewable in <a href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-06-27 15:37:36 +00:00
dependabot[bot]	96619e48c2	chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer (#779) ... Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v5.28.4</h2> <h2>⚠️ Security Release ⚠️</h2> <ul> <li>Fixes <a href="https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7">https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7</a> CVE-2024-30260</li> <li>Fixes <a href="https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672">https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672</a> CVE-2024-30261</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="fb98306907"><code>fb98306</code></a> Bumped v5.28.4</li> <li><a href="2b39440bd9"><code>2b39440</code></a> Merge pull request from GHSA-9qxr-qj54-h672</li> <li><a href="64e3402da4"><code>64e3402</code></a> Merge pull request from GHSA-m4v8-wqvr-p9f7</li> <li><a href="723c4e7280"><code>723c4e7</code></a> Revert &quot;build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (<a href="https://redirect.github.com/nodejs/undici/issues/2389">#2389</a>)&quot;</li> <li><a href="0e9d54b2c2"><code>0e9d54b</code></a> skip failing test due to Node.js changes</li> <li>See full diff in <a href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: github-actions <github-actions@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-06-27 14:28:25 +00:00
dependabot[bot]	56bc29bf2e	chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 (#782) ... Bumps [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp) from 0.7.5 to 0.7.7. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md">github.com/hashicorp/go-retryablehttp's changelog</a>.</em></p> <blockquote> <h2>0.7.7 (May 30, 2024)</h2> <p>BUG FIXES:</p> <ul> <li>client: avoid potentially leaking URL-embedded basic authentication credentials in logs (<a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/158">#158</a>)</li> </ul> <h2>0.7.6 (May 9, 2024)</h2> <p>ENHANCEMENTS:</p> <ul> <li>client: support a <code>RetryPrepare</code> function for modifying the request before retrying (<a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/216">#216</a>)</li> <li>client: support HTTP-date values for <code>Retry-After</code> header value (<a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/138">#138</a>)</li> <li>client: avoid reading entire body when the body is a <code>*bytes.Reader</code> (<a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/197">#197</a>)</li> </ul> <p>BUG FIXES:</p> <ul> <li>client: fix a broken check for invalid server certificate in go 1.20+ (<a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/210">#210</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="1542b31176"><code>1542b31</code></a> v0.7.7</li> <li><a href="defb9f441d"><code>defb9f4</code></a> v0.7.7</li> <li><a href="a99f07beb3"><code>a99f07b</code></a> Merge pull request <a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/158">#158</a> from dany74q/danny/redacted-url-in-logs</li> <li><a href="8a28c574da"><code>8a28c57</code></a> Merge branch 'main' into danny/redacted-url-in-logs</li> <li><a href="86e852df43"><code>86e852d</code></a> Merge pull request <a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/227">#227</a> from hashicorp/dependabot/github_actions/actions/chec...</li> <li><a href="47fe99e646"><code>47fe99e</code></a> Bump actions/checkout from 4.1.5 to 4.1.6</li> <li><a href="490fc06be0"><code>490fc06</code></a> Merge pull request <a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/226">#226</a> from testwill/ioutil</li> <li><a href="f3e9417dbf"><code>f3e9417</code></a> chore: remove refs to deprecated io/ioutil</li> <li><a href="d969eaa9c9"><code>d969eaa</code></a> Merge pull request <a href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/225">#225</a> from hashicorp/manicminer-patch-2</li> <li><a href="2ad8ed4a1d"><code>2ad8ed4</code></a> v0.7.6</li> <li>Additional commits viewable in <a href="https://github.com/hashicorp/go-retryablehttp/compare/v0.7.5...v0.7.7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-06-26 22:19:00 +00:00
dependabot[bot]	b54e813948	chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 (#781) ... Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to 0.23.0. <details> <summary>Commits</summary> <ul> <li><a href="c48da13158"><code>c48da13</code></a> http2: fix TestServerContinuationFlood flakes</li> <li><a href="762b58d1cf"><code>762b58d</code></a> http2: fix tipos in comment</li> <li><a href="ba872109ef"><code>ba87210</code></a> http2: close connections when receiving too many headers</li> <li><a href="ebc8168ac8"><code>ebc8168</code></a> all: fix some typos</li> <li><a href="3678185f8a"><code>3678185</code></a> http2: make TestCanonicalHeaderCacheGrowth faster</li> <li><a href="448c44f928"><code>448c44f</code></a> http2: remove clientTester</li> <li><a href="c7877ac421"><code>c7877ac</code></a> http2: convert the remaining clientTester tests to testClientConn</li> <li><a href="d8870b0bf2"><code>d8870b0</code></a> http2: use synthetic time in TestIdleConnTimeout</li> <li><a href="d73acffdc9"><code>d73acff</code></a> http2: only set up deadline when Server.IdleTimeout is positive</li> <li><a href="89f602b7bb"><code>89f602b</code></a> http2: validate client/outgoing trailers</li> <li>Additional commits viewable in <a href="https://github.com/golang/net/compare/v0.22.0...v0.23.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-verifier/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-06-26 18:06:19 -04:00
Ramon Petgrave	18c5f13b3e	fix: signoff commit (#767) ... Followup to https://github.com/slsa-framework/slsa-verifier/pull/760 Fix the .github/workflows/update-actions-dist-post-commit.yml workflow to also signoff commit # Testing - [x] Invoked this PR's branch copy of the workflow against #717, and it did signoff the commit. - 9670f76ab8 Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-22 16:45:20 +00:00
Ramon Petgrave	b55bf59ce4	fix: use pr_number as env variable (#771) ... changing the update-dist workflow to use the `pr_number` input as an env variable to avoid [script injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks). Our workflows are only invokable by our trusted maintainers so we should be okay. This is just an extra hardening measure. Open issue https://github.com/actions/runner/issues/1070#issuecomment-2113287699 ## Testing I confirmed the issue by invoking the workflow with `650 && echo SCRIPT INJECTION`, and it did also do the extra `echo` command. - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36 after invoking the workflow again with this PR's version, the problem is mitigated. - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8 - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7 Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-22 12:20:16 -04:00
Ian Lewis	87b5bae6d4	chore: Update Renovate config (#769) ... # Summary Updates renovate config to use the [`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices) preset rather than the `config:base` preset since `config:base` seems to be deprecated. Also updates the `schedule` config to use the [`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly) preset. Also adds a pre-submit to run the [`renovate-config-validator`](https://docs.renovatebot.com/config-validation/) to ensure that renovate config is valid. This pre-submit will need to be made required in the repository branch protection rule for `main` in the repository settings after this PR is merged. --------- Signed-off-by: Ian Lewis <ianmlewis@gmail.com> Signed-off-by: Ian Lewis <ianlewis@google.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-16 07:13:09 +09:00
Ian Lewis	138a2348fc	chore: fix pr-title-checker (#770) ... Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version comment. Signed-off-by: Ian Lewis <ianlewis@google.com>	2024-05-15 12:10:15 -04:00