github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-06 00:26:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
490 Commits 40 Branches 45 Tags
9a2c3cf0633da489a3f9d56fbfb8d8322f40c60e
Commit Graph

490 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ramon Petgrave
9a2c3cf063 update readmes 
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2025-06-27 16:30:11 +00:00
Ramon Petgrave
bded075bd1 update shas 
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2025-06-27 16:28:22 +00:00
Appu
ea584f4502 docs: add section for verify-github-attestation (#858) 
Readme update for #850

Signed-off-by: Appu Goundan <appu@google.com>
v2.7.1 v2.7.1-rc.2 		2025-06-25 17:09:44 -04:00
Ramon Petgrave
295020463f feat: Bazel not experimental (#850) 
Followup to #840 

Resolves #849 

Removes the experimental flag for verifying bazel attestations.

TODO:

- [ ] add example invocation for bazel
https://github.com/slsa-framework/slsa-verifier/pull/858#pullrequestreview-2947145690
- [ ] create a new release

---------

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2025-06-23 13:46:07 -04:00
dependabot[bot]
08d54ab1de chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates (#854) 
Bumps the npm_and_yarn group with 4 updates in the / directory:
[@octokit/plugin-paginate-rest](https://github.com/octokit/plugin-paginate-rest.js),
[@octokit/rest](https://github.com/octokit/rest.js),
[@octokit/request](https://github.com/octokit/request.js) and
[tar-fs](https://github.com/mafintosh/tar-fs).
Bumps the npm_and_yarn group with 1 update in the /actions/installer
directory: [undici](https://github.com/nodejs/undici).

Updates `@octokit/plugin-paginate-rest` from 11.3.1 to 11.4.4-cjs.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/octokit/plugin-paginate-rest.js/releases"><code>@​octokit/plugin-paginate-rest</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v11.4.4-cjs.2</h2>
<h2><a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.4.4-cjs.1...v11.4.4-cjs.2">11.4.4-cjs.2</a>
(2025-02-26)</h2>
<blockquote>
<p>[!IMPORTANT]
This is a special release to backport newer changes to CJS and address a
ReDos vulnerability</p>
</blockquote>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> update
<code>@octokit/plugin-rest-endpoint-methods</code> (<a
href="2c70eafd9d">2c70eaf</a>)</li>
</ul>
<h2>v11.4.4-cjs.1</h2>
<h2><a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.4.3...v11.4.4-cjs.1">11.4.4-cjs.1</a>
(2025-02-26)</h2>
<blockquote>
<p>[!IMPORTANT]
This is a special release to backport newer changes to CJS and address a
ReDos vulnerability</p>
</blockquote>
<h3>Bug Fixes</h3>
<ul>
<li><strong>release:</strong> set prerelease flag for correct channel
(<a
href="ce534d9de7">ce534d9</a>)
See <a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.3.1...v11.4.4-cjs.1">https://github.com/octokit/plugin-paginate-rest.js/compare/v11.3.1...v11.4.4-cjs.1</a>
for the full comparision</li>
</ul>
<h3>Reverts</h3>
<ul>
<li>Revert &quot;docs(README): update examples to use ESM (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/611">#611</a>)&quot;
(<a
href="1389b71b57">1389b71</a>)</li>
<li>Revert &quot;feat: package is now ESM (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/596">#596</a>)&quot;
(<a
href="64ba6f4c43">64ba6f4</a>)</li>
<li>Revert &quot;fix(pkg): add default fallback and types export (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/612">#612</a>)&quot;
(<a
href="27a855290a">27a8552</a>)</li>
</ul>
<h2>v11.4.3</h2>
<h2><a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.4.2...v11.4.3">11.4.3</a>
(2025-02-24)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>types:</strong> correct pagination return type for data
which is an array (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/662">#662</a>)
(<a
href="9a51aad172">9a51aad</a>),
closes <a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/661">#661</a></li>
</ul>
<h2>v11.4.2</h2>
<h2><a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.4.1...v11.4.2">11.4.2</a>
(2025-02-13)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>types:</strong> add back the pagination keys (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/653">#653</a>)
(<a
href="8b8c500a25">8b8c500</a>),
closes <a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/652">#652</a></li>
</ul>
<h2>v11.4.1</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2c70eafd9d"><code>2c70eaf</code></a>
fix(deps): update
<code>@octokit/plugin-rest-endpoint-methods</code></li>
<li><a
href="1bf98ba726"><code>1bf98ba</code></a>
test: fixup tests</li>
<li><a
href="57d0842d1b"><code>57d0842</code></a>
build: lockfile update</li>
<li><a
href="edc198421e"><code>edc1984</code></a>
build: bump <code>devDependencies</code></li>
<li><a
href="738e4b310e"><code>738e4b3</code></a>
Merge branch 'main' into cjs</li>
<li><a
href="ce534d9de7"><code>ce534d9</code></a>
fix(release): set prerelease flag for correct channel</li>
<li><a
href="1c297ca5f8"><code>1c297ca</code></a>
chore(deps): update dependency
semantic-release-plugin-update-version-in-file...</li>
<li><a
href="60d26d94f6"><code>60d26d9</code></a>
chore(deps): update dependency prettier to v3.5.2 (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/664">#664</a>)</li>
<li><a
href="9a51aad172"><code>9a51aad</code></a>
fix(types): correct pagination return type for data which is an array
(<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/662">#662</a>)</li>
<li><a
href="8b8c500a25"><code>8b8c500</code></a>
fix(types): add back the pagination keys (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/653">#653</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.3.1...v11.4.4-cjs.2">compare
view</a></li>
</ul>
</details>
<br />

Updates `@octokit/rest` from 20.1.1 to 20.1.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/octokit/rest.js/releases"><code>@​octokit/rest</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v20.1.2</h2>
<h2><a
href="https://github.com/octokit/rest.js/compare/v20.1.1...v20.1.2">20.1.2</a>
(2025-02-26)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump Octokit dependencies to address ReDos
vulnerabilities, bump <code>devDependencies</code> (<a
href="https://redirect.github.com/octokit/rest.js/issues/487">#487</a>)
(<a
href="711f2ee36d">711f2ee</a>),
closes <a
href="https://redirect.github.com/octokit/rest.js/issues/486">#486</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="711f2ee36d"><code>711f2ee</code></a>
fix(deps): bump Octokit dependencies to address ReDos vulnerabilities,
bump `...</li>
<li>See full diff in <a
href="https://github.com/octokit/rest.js/compare/v20.1.1...v20.1.2">compare
view</a></li>
</ul>
</details>
<br />

Updates `@octokit/request` from 8.4.0 to 8.4.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/octokit/request.js/releases"><code>@​octokit/request</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v8.4.1</h2>
<h2><a
href="https://github.com/octokit/request.js/compare/v8.4.0...v8.4.1">8.4.1</a>
(2025-02-15)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>ReDos regex vulnerability, reported by <a
href="https://github.com/DayShift"><code>@​DayShift</code></a> (<a
href="https://redirect.github.com/octokit/request.js/issues/741">#741</a>)
(<a
href="356411e321">356411e</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="356411e321"><code>356411e</code></a>
fix: ReDos regex vulnerability, reported by <a
href="https://github.com/DayShift"><code>@​DayShift</code></a> (<a
href="https://redirect.github.com/octokit/request.js/issues/741">#741</a>)</li>
<li>See full diff in <a
href="https://github.com/octokit/request.js/compare/v8.4.0...v8.4.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `@octokit/rest` from 20.1.1 to 20.1.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/octokit/rest.js/releases"><code>@​octokit/rest</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v20.1.2</h2>
<h2><a
href="https://github.com/octokit/rest.js/compare/v20.1.1...v20.1.2">20.1.2</a>
(2025-02-26)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump Octokit dependencies to address ReDos
vulnerabilities, bump <code>devDependencies</code> (<a
href="https://redirect.github.com/octokit/rest.js/issues/487">#487</a>)
(<a
href="711f2ee36d">711f2ee</a>),
closes <a
href="https://redirect.github.com/octokit/rest.js/issues/486">#486</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="711f2ee36d"><code>711f2ee</code></a>
fix(deps): bump Octokit dependencies to address ReDos vulnerabilities,
bump `...</li>
<li>See full diff in <a
href="https://github.com/octokit/rest.js/compare/v20.1.1...v20.1.2">compare
view</a></li>
</ul>
</details>
<br />

Updates `tar-fs` from 2.1.1 to 2.1.3
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4b7e8688a5"><code>4b7e868</code></a>
2.1.3</li>
<li><a
href="266194b94b"><code>266194b</code></a>
hardlink tweak from main</li>
<li><a
href="d97731b0e1"><code>d97731b</code></a>
2.1.2</li>
<li><a
href="fd1634e869"><code>fd1634e</code></a>
symlink tweak from main</li>
<li>See full diff in <a
href="https://github.com/mafintosh/tar-fs/compare/v2.1.1...v2.1.3">compare
view</a></li>
</ul>
</details>
<br />

Updates `@octokit/plugin-paginate-rest` from 11.3.1 to 11.4.4-cjs.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/octokit/plugin-paginate-rest.js/releases"><code>@​octokit/plugin-paginate-rest</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v11.4.4-cjs.2</h2>
<h2><a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.4.4-cjs.1...v11.4.4-cjs.2">11.4.4-cjs.2</a>
(2025-02-26)</h2>
<blockquote>
<p>[!IMPORTANT]
This is a special release to backport newer changes to CJS and address a
ReDos vulnerability</p>
</blockquote>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> update
<code>@octokit/plugin-rest-endpoint-methods</code> (<a
href="2c70eafd9d">2c70eaf</a>)</li>
</ul>
<h2>v11.4.4-cjs.1</h2>
<h2><a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.4.3...v11.4.4-cjs.1">11.4.4-cjs.1</a>
(2025-02-26)</h2>
<blockquote>
<p>[!IMPORTANT]
This is a special release to backport newer changes to CJS and address a
ReDos vulnerability</p>
</blockquote>
<h3>Bug Fixes</h3>
<ul>
<li><strong>release:</strong> set prerelease flag for correct channel
(<a
href="ce534d9de7">ce534d9</a>)
See <a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.3.1...v11.4.4-cjs.1">https://github.com/octokit/plugin-paginate-rest.js/compare/v11.3.1...v11.4.4-cjs.1</a>
for the full comparision</li>
</ul>
<h3>Reverts</h3>
<ul>
<li>Revert &quot;docs(README): update examples to use ESM (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/611">#611</a>)&quot;
(<a
href="1389b71b57">1389b71</a>)</li>
<li>Revert &quot;feat: package is now ESM (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/596">#596</a>)&quot;
(<a
href="64ba6f4c43">64ba6f4</a>)</li>
<li>Revert &quot;fix(pkg): add default fallback and types export (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/612">#612</a>)&quot;
(<a
href="27a855290a">27a8552</a>)</li>
</ul>
<h2>v11.4.3</h2>
<h2><a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.4.2...v11.4.3">11.4.3</a>
(2025-02-24)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>types:</strong> correct pagination return type for data
which is an array (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/662">#662</a>)
(<a
href="9a51aad172">9a51aad</a>),
closes <a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/661">#661</a></li>
</ul>
<h2>v11.4.2</h2>
<h2><a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.4.1...v11.4.2">11.4.2</a>
(2025-02-13)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>types:</strong> add back the pagination keys (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/653">#653</a>)
(<a
href="8b8c500a25">8b8c500</a>),
closes <a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/652">#652</a></li>
</ul>
<h2>v11.4.1</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2c70eafd9d"><code>2c70eaf</code></a>
fix(deps): update
<code>@octokit/plugin-rest-endpoint-methods</code></li>
<li><a
href="1bf98ba726"><code>1bf98ba</code></a>
test: fixup tests</li>
<li><a
href="57d0842d1b"><code>57d0842</code></a>
build: lockfile update</li>
<li><a
href="edc198421e"><code>edc1984</code></a>
build: bump <code>devDependencies</code></li>
<li><a
href="738e4b310e"><code>738e4b3</code></a>
Merge branch 'main' into cjs</li>
<li><a
href="ce534d9de7"><code>ce534d9</code></a>
fix(release): set prerelease flag for correct channel</li>
<li><a
href="1c297ca5f8"><code>1c297ca</code></a>
chore(deps): update dependency
semantic-release-plugin-update-version-in-file...</li>
<li><a
href="60d26d94f6"><code>60d26d9</code></a>
chore(deps): update dependency prettier to v3.5.2 (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/664">#664</a>)</li>
<li><a
href="9a51aad172"><code>9a51aad</code></a>
fix(types): correct pagination return type for data which is an array
(<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/662">#662</a>)</li>
<li><a
href="8b8c500a25"><code>8b8c500</code></a>
fix(types): add back the pagination keys (<a
href="https://redirect.github.com/octokit/plugin-paginate-rest.js/issues/653">#653</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/octokit/plugin-paginate-rest.js/compare/v11.3.1...v11.4.4-cjs.2">compare
view</a></li>
</ul>
</details>
<br />

Updates `@octokit/request` from 8.4.0 to 8.4.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/octokit/request.js/releases"><code>@​octokit/request</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v8.4.1</h2>
<h2><a
href="https://github.com/octokit/request.js/compare/v8.4.0...v8.4.1">8.4.1</a>
(2025-02-15)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>ReDos regex vulnerability, reported by <a
href="https://github.com/DayShift"><code>@​DayShift</code></a> (<a
href="https://redirect.github.com/octokit/request.js/issues/741">#741</a>)
(<a
href="356411e321">356411e</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="356411e321"><code>356411e</code></a>
fix: ReDos regex vulnerability, reported by <a
href="https://github.com/DayShift"><code>@​DayShift</code></a> (<a
href="https://redirect.github.com/octokit/request.js/issues/741">#741</a>)</li>
<li>See full diff in <a
href="https://github.com/octokit/request.js/compare/v8.4.0...v8.4.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `undici` from 5.28.5 to 5.29.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v5.29.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Fix tests in v5.x for Node 20 by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/4104">nodejs/undici#4104</a></li>
<li>Removed clients with unrecoverable errors from the Pool <a
href="https://redirect.github.com/nodejs/undici/pull/4088">nodejs/undici#4088</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0">https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9528f6853a"><code>9528f68</code></a>
Bumped v5.29.0</li>
<li><a
href="f1d75a4e10"><code>f1d75a4</code></a>
increase timeout for redirect test</li>
<li><a
href="2d31ed61f7"><code>2d31ed6</code></a>
remove fuzzing tests</li>
<li><a
href="6b36d49cb2"><code>6b36d49</code></a>
fix redirect test in Node v16</li>
<li><a
href="648dd8f7ba"><code>648dd8f</code></a>
more fix for the wpt runner on Windows</li>
<li><a
href="a0516bae59"><code>a0516ba</code></a>
don't use internal header state for cookies (<a
href="https://redirect.github.com/nodejs/undici/issues/3295">#3295</a>)</li>
<li><a
href="87ce4af0e5"><code>87ce4af</code></a>
fix test/client for node 20</li>
<li><a
href="c2c8fd55b7"><code>c2c8fd5</code></a>
fix: accept v20 SSL specific error for alpn selection in http/2</li>
<li><a
href="82200bd10b"><code>82200bd</code></a>
[v6.x] fix wpts on windows (<a
href="https://redirect.github.com/nodejs/undici/issues/4093">#4093</a>)</li>
<li><a
href="47546fa68d"><code>47546fa</code></a>
test: fix windows wpt (<a
href="https://redirect.github.com/nodejs/undici/issues/4050">#4050</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2025-06-20 08:59:25 -04:00
Mend Renovate
09889f2e46 chore(deps): update gcr.io/distroless/base:nonroot docker digest to 0a0dc20 (#844) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `97d1521` -> `0a0dc20` |

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day
1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjQwLjYwLjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2025-06-18 20:30:59 -04:00
Mend Renovate
713575576b chore(deps): update golang:1.23 docker digest to dd5cc4b (#847) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `cc458d7` -> `dd5cc4b` |

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day
1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4zMy42IiwidXBkYXRlZEluVmVyIjoiNDAuNTAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2025-06-18 20:03:56 -04:00
Ramon Petgrave
4f28a9512a fix: no parallel regression tests (#855) 
Make the regression tests that do online access not run in parallel.
Besides VSA tests, all regression tests do some kind of online access of
either TUF or Rekor.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2025-06-18 14:53:57 -04:00
Mend Renovate
1595a06d92 fix(deps): update golang.org/x/exp digest to dcc06ee (#839) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `3edf0e9` -> `dcc06ee` |

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day
1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNzYuMiIsInVwZGF0ZWRJblZlciI6IjQwLjUwLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2025-06-18 14:39:25 -04:00
Mend Renovate
e0b3ab793c fix(deps): update npm (#843) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/github](https://redirect.github.com/actions/toolkit/tree/main/packages/github)
([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/github))
| [`6.0.0` ->
`6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fgithub/6.0.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[@actions/tool-cache](https://redirect.github.com/actions/toolkit/tree/main/packages/tool-cache)
([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/tool-cache))
| [`2.0.1` ->
`2.0.2`](https://renovatebot.com/diffs/npm/@actions%2ftool-cache/2.0.1/2.0.2)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2ftool-cache/2.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2ftool-cache/2.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2ftool-cache/2.0.1/2.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2ftool-cache/2.0.1/2.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

###
[`v6.0.1`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates
[#&#8203;2043](https://redirect.github.com/actions/toolkit/pull/2043/)

</details>

<details>
<summary>actions/toolkit (@&#8203;actions/tool-cache)</summary>

###
[`v2.0.2`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/tool-cache/RELEASES.md#202)

- Update `@actions/core` to v1.11.1
[#&#8203;1872](https://redirect.github.com/actions/toolkit/pull/1872)
- Remove dependency on `uuid` package
[#&#8203;1824](https://redirect.github.com/actions/toolkit/pull/1824),
[#&#8203;1842](https://redirect.github.com/actions/toolkit/pull/1842)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day
1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjQwLjcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

---------

Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2025-06-18 02:56:19 -04:00
dependabot[bot]
b02ea5056c chore(deps): bump the go_modules group across 1 directory with 2 updates (#853) 
Bumps the go_modules group with 2 updates in the / directory:
[golang.org/x/crypto](https://github.com/golang/crypto) and
[golang.org/x/net](https://github.com/golang/net).

Updates `golang.org/x/crypto` from 0.32.0 to 0.35.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7292932d45"><code>7292932</code></a>
ssh: limit the size of the internal packet queue while waiting for
KEX</li>
<li><a
href="f66f74b0a4"><code>f66f74b</code></a>
acme/autocert: check host policy before probing the cache</li>
<li><a
href="b0784b7bfb"><code>b0784b7</code></a>
x509roots/fallback: drop obsolete build constraint</li>
<li><a
href="911360c8a4"><code>911360c</code></a>
all: bump golang.org/x/crypto dependencies of asm generators</li>
<li><a
href="89ff08d67c"><code>89ff08d</code></a>
all: upgrade go directive to at least 1.23.0 [generated]</li>
<li><a
href="e47973b1c1"><code>e47973b</code></a>
all: update certs for go1.24</li>
<li><a
href="9290511cd2"><code>9290511</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="fa5273e461"><code>fa5273e</code></a>
x509roots/fallback: update bundle</li>
<li><a
href="a8ea4be81f"><code>a8ea4be</code></a>
ssh: add ServerConfig.PreAuthConnCallback, ServerPreAuthConn (banner)
interface</li>
<li><a
href="71d3a4cfdb"><code>71d3a4c</code></a>
acme: support challenges that require the ACME client to send a
non-empty JSO...</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.32.0...v0.35.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/net` from 0.34.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e1fcd82abb"><code>e1fcd82</code></a>
html: properly handle trailing solidus in unquoted attribute value in
foreign...</li>
<li><a
href="ebed060e8f"><code>ebed060</code></a>
internal/http3: fix build of tests with GOEXPERIMENT=nosynctest</li>
<li><a
href="1f1fa29e0a"><code>1f1fa29</code></a>
publicsuffix: regenerate table</li>
<li><a
href="12150816f7"><code>1215081</code></a>
http2: improve error when server sends HTTP/1</li>
<li><a
href="312450e473"><code>312450e</code></a>
html: ensure &lt;search&gt; tag closes &lt;p&gt; and update tests</li>
<li><a
href="09731f9bf9"><code>09731f9</code></a>
http2: improve handling of lost PING in Server</li>
<li><a
href="55989e24b9"><code>55989e2</code></a>
http2/h2c: use ResponseController for hijacking connections</li>
<li><a
href="2914f46773"><code>2914f46</code></a>
websocket: re-recommend gorilla/websocket</li>
<li><a
href="99b3ae0643"><code>99b3ae0</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="85d1d54551"><code>85d1d54</code></a>
go.mod: update golang.org/x dependencies</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.34.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-06-18 00:10:48 -04:00
dependabot[bot]
f6be75a9c8 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in the go_modules group (#835) 
Bumps the go_modules group with 1 update:
[github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).

Updates `github.com/go-jose/go-jose/v4` from 4.0.4 to 4.0.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/go-jose/go-jose/releases">github.com/go-jose/go-jose/v4's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.5</h2>
<h2>What's Changed</h2>
<ul>
<li>Don't allow unbounded amounts of splits by <a
href="https://github.com/mcpherrinm"><code>@​mcpherrinm</code></a> in <a
href="https://redirect.github.com/go-jose/go-jose/pull/167">go-jose/go-jose#167</a></li>
</ul>
<p>Fixes <a
href="https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78">https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78</a></p>
<p>Various other dependency updates, small fixes, and documentation
updates in the full changelog</p>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/tgeoghegan"><code>@​tgeoghegan</code></a> made
their first contribution in <a
href="https://redirect.github.com/go-jose/go-jose/pull/161">go-jose/go-jose#161</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/go-jose/go-jose/compare/v4.0.4...v4.0.5">https://github.com/go-jose/go-jose/compare/v4.0.4...v4.0.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="99b346cec4"><code>99b346c</code></a>
Don't allow unbounded amounts of splits (<a
href="https://redirect.github.com/go-jose/go-jose/issues/167">#167</a>)</li>
<li><a
href="22811e77ba"><code>22811e7</code></a>
Fix broken link in README.md (<a
href="https://redirect.github.com/go-jose/go-jose/issues/161">#161</a>)</li>
<li><a
href="9dde8493b2"><code>9dde849</code></a>
Remove CLA mentions from CONTRIBUTING.md (<a
href="https://redirect.github.com/go-jose/go-jose/issues/160">#160</a>)</li>
<li><a
href="89172c5b51"><code>89172c5</code></a>
Bump golang.org/x/crypto from 0.31.0 to 0.32.0 (<a
href="https://redirect.github.com/go-jose/go-jose/issues/158">#158</a>)</li>
<li><a
href="ee05e01557"><code>ee05e01</code></a>
Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (<a
href="https://redirect.github.com/go-jose/go-jose/issues/157">#157</a>)</li>
<li><a
href="c0aef3ef5e"><code>c0aef3e</code></a>
Bump golang.org/x/crypto from 0.25.0 to 0.31.0 (<a
href="https://redirect.github.com/go-jose/go-jose/issues/156">#156</a>)</li>
<li><a
href="fdc2ceb0bb"><code>fdc2ceb</code></a>
Remove export disclaimer (<a
href="https://redirect.github.com/go-jose/go-jose/issues/146">#146</a>)</li>
<li><a
href="10c69ef86e"><code>10c69ef</code></a>
Short circuit return errors from <code>JSONWebKey.UnmarshalJSON()</code>
(<a
href="https://redirect.github.com/go-jose/go-jose/issues/141">#141</a>)</li>
<li>See full diff in <a
href="https://github.com/go-jose/go-jose/compare/v4.0.4...v4.0.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/go-jose/go-jose/v4&package-manager=go_modules&previous-version=4.0.4&new-version=4.0.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Co-authored-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2025-06-17 23:51:08 -04:00
dependabot[bot]
0c4a78d615 chore(deps): bump @octokit/request-error from 5.0.1 to 5.1.1 in /actions/installer in the npm_and_yarn group across 1 directory (#833) 
Bumps the npm_and_yarn group with 1 update in the /actions/installer
directory:
[@octokit/request-error](https://github.com/octokit/request-error.js).

Updates `@octokit/request-error` from 5.0.1 to 5.1.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/octokit/request-error.js/releases"><code>@​octokit/request-error</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v5.1.1</h2>
<h2><a
href="https://github.com/octokit/request-error.js/compare/v5.1.0...v5.1.1">5.1.1</a>
(2025-02-14)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>ReDos regex vulnerability, reported by <a
href="https://github.com/dayshift"><code>@​dayshift</code></a> (<a
href="12a14f03db">12a14f0</a>)</li>
</ul>
<h2>v5.1.0</h2>
<h1><a
href="https://github.com/octokit/request-error.js/compare/v5.0.1...v5.1.0">5.1.0</a>
(2024-04-05)</h1>
<h3>Bug Fixes</h3>
<ul>
<li>upgrade <code>@octokit/types</code> to v13 (<a
href="3af20bd58f">3af20bd</a>)</li>
</ul>
<h3>Features</h3>
<ul>
<li><strong>security:</strong> Add provenance (<a
href="https://redirect.github.com/octokit/request-error.js/issues/416">#416</a>)
(<a
href="94147e8843">94147e8</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b51ed27668"><code>b51ed27</code></a>
test: ReDos regex vulnerability, reported by <a
href="https://github.com/dayshift"><code>@​dayshift</code></a></li>
<li><a
href="12a14f03db"><code>12a14f0</code></a>
fix: ReDos regex vulnerability, reported by <a
href="https://github.com/dayshift"><code>@​dayshift</code></a></li>
<li><a
href="3af20bd58f"><code>3af20bd</code></a>
fix: upgrade <code>@octokit/types</code> to v13</li>
<li><a
href="94147e8843"><code>94147e8</code></a>
feat(security): Add provenance (<a
href="https://redirect.github.com/octokit/request-error.js/issues/416">#416</a>)</li>
<li>See full diff in <a
href="https://github.com/octokit/request-error.js/compare/v5.0.1...v5.1.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@octokit/request-error&package-manager=npm_and_yarn&previous-version=5.0.1&new-version=5.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
 2025-06-17 13:59:21 -04:00
Ramon Petgrave
f727ad5b49 fix: less parallelism (#851) 
Makes tests less parallel, hopefully avoiding rate-limit issues.


https://github.com/slsa-framework/slsa-verifier/actions/runs/15706985127/job/44255340266#step:6:1324

```log
Verifying artifact testdata/gha_generic/v1.4.0/binary-linux-amd64-workflow_dispatch: FAILED: error searching rekor entries: Post "https://rekor.sigstore.dev/api/v1/log/entries/retrieve": POST https://rekor.sigstore.dev/api/v1/log/entries/retrieve giving up after 1 attempt(s): context deadline exceeded
```

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2025-06-17 13:15:35 -04:00
Mend Renovate
f5b9bade66 chore(deps): update golang:1.23 docker digest to cc458d7 (#838) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `51a6466` -> `cc458d7` |

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day
1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNzYuMiIsInVwZGF0ZWRJblZlciI6IjQwLjE2LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2025-05-22 14:09:50 -04:00
Appu
a481a1974e feat: verify provenance for bcr modules produced by trusted reusable workflows (#840) 
@fweikert these are the changes I think might be needed to get this to
work (it's somewhat hacky, I'm not sure I've fully covered what's
needed).

@ramonpetgrave64 is this kinda what's needed?

This now adds the `verify-github-attestation` sub command. Use this
instead of `verify-artifact`.

---------

Signed-off-by: Appu Goundan <appu@google.com>
Signed-off-by: Appu <appu@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
v2.7.1-rc.1 		2025-04-10 14:09:09 -04:00
Ramon Petgrave
b53bd9415b chore: update test files for v2.1.0 (#836) 
Similar to #758, we are updating the test files.

Errors for checking the tag in attestations are slightly different. Unit
tests are adjusted with the new test cases.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2025-02-27 14:33:44 -05:00
Ville Skyttä
9108dc2890 docs(npm): "exmaple" spelling fix (#832) 
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
 2025-02-14 16:46:36 -05:00
Ramon Petgrave
9825851f50 chore: Update docs for v2.7.0 (#829) 
#label:release v2.7.0

Updates docs to reference the new v2.7.0 release.

**How to verify**

Clone the repo and run the script described in
https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance.
```
git clone git@github.com:slsa-framework/slsa-verifier.git
cd slsa-verifier
chmod +x verify-release.sh
GH_TOKEN=`gh auth token` bash verify-release.sh v2.7.0
```

Using the temp directory logged from the above command

```
cd <logged temp directory from running verify-release.sh>
sha256sum * | grep -v "intoto"      
36694b43ab23be234add09272e5faf77349d7e267bf65c01dc9bcdf58c4f496e  slsa-verifier-darwin-amd64
84d9122ce12e0c79080844285fd5c4976407ed3463e434a1b21b0979c46b1e55  slsa-verifier-darwin-arm64
499befb675efcca9001afe6e5156891b91e71f9c07ab120a8943979f85cc82e6  slsa-verifier-linux-amd64
dc3845d7605f666a0938389c1c5735230e50b32a547867ffd351fb14df928167  slsa-verifier-linux-arm64
61ff8b1cca6ac0012b0ba906367836f64a389444766be437df2a69f71285f43b  slsa-verifier-windows-amd64.exe
ddf58798049599c44caf299b6a9cf8a41760daa94ee208bdae8aa78fc75dcb2b  slsa-verifier-windows-arm64.exe
```

Confirm your output checksums matches those in this PR's changes for
SHA256SUM.md.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2025-02-10 12:36:28 -05:00
dependabot[bot]
6657aada08 chore(deps): bump undici from 5.28.4 to 5.28.5 in /actions/installer in the npm_and_yarn group across 1 directory (#827) 
Bumps the npm_and_yarn group with 1 update in the /actions/installer
directory: [undici](https://github.com/nodejs/undici).

Updates `undici` from 5.28.4 to 5.28.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v5.28.5</h2>
<h1>⚠️ Security Release ⚠️</h1>
<p>Fixes CVE CVE-2025-22150 <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975">https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975</a>
(embargoed until 22-01-2025).</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5">https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6139ed2e0c"><code>6139ed2</code></a>
Bumped v5.28.5</li>
<li><a
href="711e207727"><code>711e207</code></a>
Backport of c2d78cd</li>
<li>See full diff in <a
href="https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=5.28.4&new-version=5.28.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
v2.7.0-rc.1 v2.7.0 		2025-01-28 19:21:01 +00:00
Mend Renovate
d72d368a1b chore(deps): update gcr.io/distroless/base:nonroot docker digest to 97d1521 (#814) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `e5260be` -> `97d1521` |

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMzUuMiIsInVwZGF0ZWRJblZlciI6IjM5LjkyLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2025-01-28 19:03:18 +00:00
Mend Renovate
961bce150e fix(deps): update golang.org/x/exp digest to 3edf0e9 (#815) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `225e2ab` -> `3edf0e9` |

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMzUuMiIsInVwZGF0ZWRJblZlciI6IjM5LjEyNS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2025-01-28 13:44:59 -05:00
Mend Renovate
90efbaaeb1 chore(deps): update golang:1.23 docker digest to 51a6466 (#822) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `574185e` -> `51a6466` |

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2025-01-21 20:13:59 +00:00
Mend Renovate
2d6982fb07 fix(deps): update go (#825) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/google/go-containerregistry](https://redirect.github.com/google/go-containerregistry)
| `v0.20.2` -> `v0.20.3` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgoogle%2fgo-containerregistry/v0.20.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgoogle%2fgo-containerregistry/v0.20.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgoogle%2fgo-containerregistry/v0.20.2/v0.20.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgoogle%2fgo-containerregistry/v0.20.2/v0.20.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/secure-systems-lab/go-securesystemslib](https://redirect.github.com/secure-systems-lab/go-securesystemslib)
| `v0.8.0` -> `v0.9.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsecure-systems-lab%2fgo-securesystemslib/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsecure-systems-lab%2fgo-securesystemslib/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsecure-systems-lab%2fgo-securesystemslib/v0.8.0/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsecure-systems-lab%2fgo-securesystemslib/v0.8.0/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/cosign/v2](https://redirect.github.com/sigstore/cosign)
| `v2.2.4` -> `v2.4.1` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4/v2.4.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/fulcio](https://redirect.github.com/sigstore/fulcio)
| `v1.4.5` -> `v1.6.5` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2ffulcio/v1.6.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2ffulcio/v1.6.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2ffulcio/v1.4.5/v1.6.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2ffulcio/v1.4.5/v1.6.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/protobuf-specs](https://redirect.github.com/sigstore/protobuf-specs)
| `v0.3.2` -> `v0.3.3` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fprotobuf-specs/v0.3.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fprotobuf-specs/v0.3.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fprotobuf-specs/v0.3.2/v0.3.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fprotobuf-specs/v0.3.2/v0.3.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/rekor](https://redirect.github.com/sigstore/rekor)
| `v1.3.6` -> `v1.3.8` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2frekor/v1.3.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2frekor/v1.3.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2frekor/v1.3.6/v1.3.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2frekor/v1.3.6/v1.3.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/sigstore/sigstore](https://redirect.github.com/sigstore/sigstore)
| `v1.8.9` -> `v1.8.12` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fsigstore/v1.8.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fsigstore/v1.8.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fsigstore/v1.8.9/v1.8.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fsigstore/v1.8.9/v1.8.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[github.com/slsa-framework/slsa-github-generator](https://redirect.github.com/slsa-framework/slsa-github-generator)
| `v1.9.0` -> `v1.10.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fslsa-framework%2fslsa-github-generator/v1.10.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fslsa-framework%2fslsa-github-generator/v1.10.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fslsa-framework%2fslsa-github-generator/v1.9.0/v1.10.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fslsa-framework%2fslsa-github-generator/v1.9.0/v1.10.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| golang.org/x/mod | `v0.21.0` -> `v0.22.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fmod/v0.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fmod/v0.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fmod/v0.21.0/v0.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fmod/v0.21.0/v0.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[google.golang.org/protobuf](https://redirect.github.com/protocolbuffers/protobuf-go)
| `v1.34.2` -> `v1.36.3` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.36.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.36.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.34.2/v1.36.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.34.2/v1.36.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[sigs.k8s.io/release-utils](https://redirect.github.com/kubernetes-sigs/release-utils)
| `v0.8.4` -> `v0.9.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/sigs.k8s.io%2frelease-utils/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/sigs.k8s.io%2frelease-utils/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/sigs.k8s.io%2frelease-utils/v0.8.4/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/sigs.k8s.io%2frelease-utils/v0.8.4/v0.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>google/go-containerregistry
(github.com/google/go-containerregistry)</summary>

###
[`v0.20.3`](https://redirect.github.com/google/go-containerregistry/releases/tag/v0.20.3)

[Compare
Source](https://redirect.github.com/google/go-containerregistry/compare/v0.20.2...v0.20.3)

#### What's Changed

- remote/transport: Make bearer transport go-routine-safe by
[@&#8203;2opremio](https://redirect.github.com/2opremio) in
[https://github.com/google/go-containerregistry/pull/1806](https://redirect.github.com/google/go-containerregistry/pull/1806)
- Expose compare package by
[@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in
[https://github.com/google/go-containerregistry/pull/2001](https://redirect.github.com/google/go-containerregistry/pull/2001)
- fix: redact.URL uses (\*URL).Redacted to omit basic-auth password by
[@&#8203;bmoylan](https://redirect.github.com/bmoylan) in
[https://github.com/google/go-containerregistry/pull/1947](https://redirect.github.com/google/go-containerregistry/pull/1947)
- bump actions to latest by
[@&#8203;ajayk](https://redirect.github.com/ajayk) in
[https://github.com/google/go-containerregistry/pull/2011](https://redirect.github.com/google/go-containerregistry/pull/2011)
- don't pin chainguard-dev/actions by
[@&#8203;imjasonh](https://redirect.github.com/imjasonh) in
[https://github.com/google/go-containerregistry/pull/2025](https://redirect.github.com/google/go-containerregistry/pull/2025)
- Check for 406 status code when handling referrers API endpoint
response by [@&#8203;malancas](https://redirect.github.com/malancas) in
[https://github.com/google/go-containerregistry/pull/2026](https://redirect.github.com/google/go-containerregistry/pull/2026)
- mutate: Create a defensive annotations copy by
[@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in
[https://github.com/google/go-containerregistry/pull/2030](https://redirect.github.com/google/go-containerregistry/pull/2030)
- Detect zstd in crane append by
[@&#8203;jonjohnsonjr](https://redirect.github.com/jonjohnsonjr) in
[https://github.com/google/go-containerregistry/pull/2023](https://redirect.github.com/google/go-containerregistry/pull/2023)
- bump deps using hack/bump-deps.sh by
[@&#8203;imjasonh](https://redirect.github.com/imjasonh) in
[https://github.com/google/go-containerregistry/pull/2042](https://redirect.github.com/google/go-containerregistry/pull/2042)

#### New Contributors

- [@&#8203;bmoylan](https://redirect.github.com/bmoylan) made their
first contribution in
[https://github.com/google/go-containerregistry/pull/1947](https://redirect.github.com/google/go-containerregistry/pull/1947)
- [@&#8203;ajayk](https://redirect.github.com/ajayk) made their first
contribution in
[https://github.com/google/go-containerregistry/pull/2011](https://redirect.github.com/google/go-containerregistry/pull/2011)
- [@&#8203;malancas](https://redirect.github.com/malancas) made their
first contribution in
[https://github.com/google/go-containerregistry/pull/2026](https://redirect.github.com/google/go-containerregistry/pull/2026)

**Full Changelog**:
https://github.com/google/go-containerregistry/compare/v0.20.2...v0.20.3

</details>

<details>
<summary>secure-systems-lab/go-securesystemslib
(github.com/secure-systems-lab/go-securesystemslib)</summary>

###
[`v0.9.0`](https://redirect.github.com/secure-systems-lab/go-securesystemslib/compare/v0.8.0...v0.9.0)

[Compare
Source](https://redirect.github.com/secure-systems-lab/go-securesystemslib/compare/v0.8.0...v0.9.0)

</details>

<details>
<summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary>

###
[`v2.4.1`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v241)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.4.0...v2.4.1)

v2.4.1 largely contains bug fixes and updates dependencies.

#### Features

-   Added fuzzing coverage to multiple packages

#### Bug Fixes

- Fix bug in attest-blob when using a timestamp authority with new
bundles
([#&#8203;3877](https://redirect.github.com/sigstore/cosign/issues/3877))
- fix: documentation link for installation guide
([#&#8203;3884](https://redirect.github.com/sigstore/cosign/issues/3884))

#### Contributors

-   AdamKorcz
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Hayden B
-   Hemil K
-   Sota Sugiura
-   Zach Steindler

###
[`v2.4.0`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v240)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.3.0...v2.4.0)

v2.4.0 begins the modernization of the Cosign client, which includes:

-   Support for the newer Sigstore specification-compliant bundle format
- Support for providing trust roots (e.g. Fulcio certificates, Rekor
keys)
    through a trust root file, instead of many different flags
- Conformance test suite integration to verify signing and verification
behavior

In future updates, we'll include:

- General support for the trust root file, instead of only when using
the bundle
    format during verification
-   Simplification of trust root flags and deprecation of the
    Cosign-specific bundle format
-   Bundle support with container signing

We have also moved nightly Cosign container builds to GHCR instead of
GCR.

#### Features

- Add new bundle support to `verify-blob` and `verify-blob-attestation`
([#&#8203;3796](https://redirect.github.com/sigstore/cosign/issues/3796))
- Adding protobuf bundle support to sign-blob and attest-blob
([#&#8203;3752](https://redirect.github.com/sigstore/cosign/issues/3752))
- Bump sigstore/sigstore to support `email_verified` as string or
boolean
([#&#8203;3819](https://redirect.github.com/sigstore/cosign/issues/3819))
- Conformance testing for cosign
([#&#8203;3806](https://redirect.github.com/sigstore/cosign/issues/3806))
- move incremental builds per commit to GHCR instead of GCR
([#&#8203;3808](https://redirect.github.com/sigstore/cosign/issues/3808))
- Add support for recording creation timestamp for cosign attest
([#&#8203;3797](https://redirect.github.com/sigstore/cosign/issues/3797))
- Include SCT verification failure details in error message
([#&#8203;3799](https://redirect.github.com/sigstore/cosign/issues/3799))

#### Contributors

-   Bob Callaway
-   Hayden B
-   Slavek Kabrda
-   Zach Steindler
-   Zsolt Horvath

###
[`v2.3.0`](https://redirect.github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v230)

[Compare
Source](https://redirect.github.com/sigstore/cosign/compare/v2.2.4...v2.3.0)

#### Features

- Add PayloadProvider interface to decouple AttestationToPayloadJSON
from oci.Signature interface
([#&#8203;3693](https://redirect.github.com/sigstore/cosign/issues/3693))
- add registry options to cosign save
([#&#8203;3645](https://redirect.github.com/sigstore/cosign/issues/3645))
- Add debug providers command.
([#&#8203;3728](https://redirect.github.com/sigstore/cosign/issues/3728))
- Make config layers in ociremote mountable
([#&#8203;3741](https://redirect.github.com/sigstore/cosign/issues/3741))
- upgrade to go1.22
([#&#8203;3739](https://redirect.github.com/sigstore/cosign/issues/3739))
- adds tsa cert chain check for env var or tuf targets.
([#&#8203;3600](https://redirect.github.com/sigstore/cosign/issues/3600))
- add --ca-roots and --ca-intermediates flags to 'cosign verify'
([#&#8203;3464](https://redirect.github.com/sigstore/cosign/issues/3464))
- add handling of keyless verification for all verify commands
([#&#8203;3761](https://redirect.github.com/sigstore/cosign/issues/3761))

#### Bug Fixes

- fix: close attestationFile
([#&#8203;3679](https://redirect.github.com/sigstore/cosign/issues/3679))
- Set `bundleVerified` to true after Rekor verification (Resolves
[#&#8203;3740](https://redirect.github.com/sigstore/cosign/issues/3740))
([#&#8203;3745](https://redirect.github.com/sigstore/cosign/issues/3745))

#### Documentation

- Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign
([#&#8203;3776](https://redirect.github.com/sigstore/cosign/issues/3776))

#### Testing

- Refactor KMS E2E tests
([#&#8203;3684](https://redirect.github.com/sigstore/cosign/issues/3684))
- Remove sign_blob_test.sh test
([#&#8203;3707](https://redirect.github.com/sigstore/cosign/issues/3707))
- Remove KMS E2E test script
([#&#8203;3702](https://redirect.github.com/sigstore/cosign/issues/3702))
- Refactor insecure registry E2E tests
([#&#8203;3701](https://redirect.github.com/sigstore/cosign/issues/3701))

#### Contributors

-   Billy Lynch
-   bminahan73
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Cody Soyland
-   Colleen Murphy
-   Dmitry Savintsev
-   guangwu
-   Hayden B
-   Hector Fernandez
-   ian hundere
-   Jason Power
-   Jon Johnson
-   Max Lambrecht
-   Meeki1l

</details>

<details>
<summary>sigstore/fulcio (github.com/sigstore/fulcio)</summary>

###
[`v1.6.5`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v165)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.4...v1.6.5)

#### Features

- use go1.23.2
([#&#8203;1834](https://redirect.github.com/sigstore/fulcio/issues/1834))
- fallback to json default cfg path if yaml does not exist
([#&#8203;1810](https://redirect.github.com/sigstore/fulcio/issues/1810))
- Include IDP type and subject domain in configuration API response
([#&#8203;1824](https://redirect.github.com/sigstore/fulcio/issues/1824))

#### Documentation

- Update OIDC claim mapping table to reflect the current state
([#&#8203;1801](https://redirect.github.com/sigstore/fulcio/issues/1801))

#### Contributors

-   Aditya Sirish
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Hayden B
-   Nina
-   Richard Fan

###
[`v1.6.4`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v164)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.3...v1.6.4)

#### Features

- use go1.22.6 to build fulcio
([#&#8203;1793](https://redirect.github.com/sigstore/fulcio/issues/1793))

#### Bugs

- Revert "If custom server url exists, use that instead of the default
one."
([#&#8203;1791](https://redirect.github.com/sigstore/fulcio/issues/1791))

#### Contributors

-   Carlos Tadeu Panato Junior
-   Fredrik Skogman

###
[`v1.6.3`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v163)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.2...v1.6.3)

#### Features

- If custom server url exists, use that instead of the default one.
([#&#8203;1776](https://redirect.github.com/sigstore/fulcio/issues/1776))

#### Contributors

-   Fredrik Skogman
-   Javan Lacerda

###
[`v1.6.2`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v162)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.1...v1.6.2)

#### Bug Fixes

- fix: adding ci provider for meta-issuers
([#&#8203;1767](https://redirect.github.com/sigstore/fulcio/issues/1767))

#### Contributors

-   Javan Lacerda

###
[`v1.6.1`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v161)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.6.0...v1.6.1)

#### Bug Fixes

- fix: removing surplus slash, making logs richer
([#&#8203;1762](https://redirect.github.com/sigstore/fulcio/issues/1762))

#### Contributors

-   Javan Lacerda

###
[`v1.6.0`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v160)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.5.1...v1.6.0)

v1.6.0 adds support for onboarding CI identity providers via
configuration
rather than code changes, which should greatly simplify the onboarding
process.

#### Features

- CiProvider as a new OIDCIssuer type
([#&#8203;1729](https://redirect.github.com/sigstore/fulcio/issues/1729))
- Add TLS support for CTLog
([#&#8203;1718](https://redirect.github.com/sigstore/fulcio/issues/1718))
- Added support for email_verified being a string or bool
([#&#8203;1744](https://redirect.github.com/sigstore/fulcio/issues/1744))

#### Documentation

- Update IDP requirements
([#&#8203;1742](https://redirect.github.com/sigstore/fulcio/issues/1742))

#### Public Good Instance Configuration

- Move codefresh and buildkite to ci-provider identity
([#&#8203;1743](https://redirect.github.com/sigstore/fulcio/issues/1743))
- Move gitlab to ci-provider
([#&#8203;1740](https://redirect.github.com/sigstore/fulcio/issues/1740))
- Migrate github to ci provider flow
([#&#8203;1738](https://redirect.github.com/sigstore/fulcio/issues/1738))
- add Hellō provider
([#&#8203;1739](https://redirect.github.com/sigstore/fulcio/issues/1739))
- Move configuration to yaml format
([#&#8203;1720](https://redirect.github.com/sigstore/fulcio/issues/1720))
- Removes identity providers federation
([#&#8203;1736](https://redirect.github.com/sigstore/fulcio/issues/1736))

#### Contributors

-   Andrew Block
-   cpanato
-   Dick Hardt
-   Firas Ghanmi
-   Hayden B
-   Javan Lacerda
-   Matt Moore

###
[`v1.5.1`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v151)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.5.0...v1.5.1)

#### Bug Fixes

- Surface the right `Name()` from our principal.
([#&#8203;1726](https://redirect.github.com/sigstore/fulcio/issues/1726))

#### Contributors

-   Matt Moore

###
[`v1.5.0`](https://redirect.github.com/sigstore/fulcio/blob/HEAD/CHANGELOG.md#v150)

[Compare
Source](https://redirect.github.com/sigstore/fulcio/compare/v1.4.5...v1.5.0)

#### Features

- Add Chainguard OIDC provider.
([#&#8203;1703](https://redirect.github.com/sigstore/fulcio/issues/1703))
- Adding support for configuration from yaml file
([#&#8203;1687](https://redirect.github.com/sigstore/fulcio/issues/1687))
- Upgrade go to 1.22
([#&#8203;1625](https://redirect.github.com/sigstore/fulcio/issues/1625))

#### Documentation

- oid-info: fix table render
([#&#8203;1662](https://redirect.github.com/sigstore/fulcio/issues/1662))
- docs: Fix extensions for digest values requiring a type prefix
([#&#8203;1661](https://redirect.github.com/sigstore/fulcio/issues/1661))

#### Contributors

-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Facundo Tuesca
-   Javan Lacerda
-   Matt Moore
-   Tomas Turek
-   William Woodruff

</details>

<details>
<summary>sigstore/protobuf-specs
(github.com/sigstore/protobuf-specs)</summary>

###
[`v0.3.3`](https://redirect.github.com/sigstore/protobuf-specs/compare/v0.3.2...v0.3.3)

[Compare
Source](https://redirect.github.com/sigstore/protobuf-specs/compare/v0.3.2...v0.3.3)

</details>

<details>
<summary>sigstore/rekor (github.com/sigstore/rekor)</summary>

###
[`v1.3.8`](https://redirect.github.com/sigstore/rekor/blob/HEAD/CHANGELOG.md#v138)

[Compare
Source](https://redirect.github.com/sigstore/rekor/compare/v1.3.7...v1.3.8)

#### Bug Fixes

- fix zizmor issues
([#&#8203;2298](https://redirect.github.com/sigstore/rekor/issues/2298))
- remove unneeded value in log message
([#&#8203;2282](https://redirect.github.com/sigstore/rekor/issues/2282))

#### Quality Enhancements

-   chore: relax go directive to permit 1.22.x
- fetch minisign from homebrew instead of custom ppa
([#&#8203;2329](https://redirect.github.com/sigstore/rekor/issues/2329))
-   fix(ci): simplify GOVERSION extraction
-   chore(deps): bump actions pins to latest
- Updates go and golangci-lint
([#&#8203;2302](https://redirect.github.com/sigstore/rekor/issues/2302))
- update builder to use go1.23.4
([#&#8203;2301](https://redirect.github.com/sigstore/rekor/issues/2301))
-   clean up spaces
- log request body on 500 error to aid debugging
([#&#8203;2283](https://redirect.github.com/sigstore/rekor/issues/2283))

#### Contributors

-   Appu Goundan
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Dominic Evans
-   sgpinkus

###
[`v1.3.7`](https://redirect.github.com/sigstore/rekor/blob/HEAD/CHANGELOG.md#v137)

[Compare
Source](https://redirect.github.com/sigstore/rekor/compare/v1.3.6...v1.3.7)

#### New Features

- log request body on 500 error to aid debugging
([#&#8203;2283](https://redirect.github.com/sigstore/rekor/issues/2283))
- Add support for signing with Tink keyset
([#&#8203;2228](https://redirect.github.com/sigstore/rekor/issues/2228))
- Add public key hash check in Signed Note verification
([#&#8203;2214](https://redirect.github.com/sigstore/rekor/issues/2214))
- update Trillian TLS configuration
([#&#8203;2202](https://redirect.github.com/sigstore/rekor/issues/2202))
- Add TLS support for Trillian server
([#&#8203;2164](https://redirect.github.com/sigstore/rekor/issues/2164))
- Replace docker-compose with plugin if available
([#&#8203;2153](https://redirect.github.com/sigstore/rekor/issues/2153))
- Add flags to backfill script
([#&#8203;2146](https://redirect.github.com/sigstore/rekor/issues/2146))
- Unset DisableKeepalive for backfill HTTP client
([#&#8203;2137](https://redirect.github.com/sigstore/rekor/issues/2137))
- Add script to delete indexes from Redis
([#&#8203;2120](https://redirect.github.com/sigstore/rekor/issues/2120))
- Run CREATE statement in backfill script
([#&#8203;2109](https://redirect.github.com/sigstore/rekor/issues/2109))
- Add MySQL support to backfill script
([#&#8203;2081](https://redirect.github.com/sigstore/rekor/issues/2081))
- Run e2e tests on mysql and redis index backends
([#&#8203;2079](https://redirect.github.com/sigstore/rekor/issues/2079))

#### Bug Fixes

- remove unneeded value in log message
([#&#8203;2282](https://redirect.github.com/sigstore/rekor/issues/2282))
- Add error message when computing consistency proof
([#&#8203;2278](https://redirect.github.com/sigstore/rekor/issues/2278))
- fix validation error handling on API
([#&#8203;2217](https://redirect.github.com/sigstore/rekor/issues/2217))
- fix error in pretty-printed inclusion proof from verify subcommand
([#&#8203;2210](https://redirect.github.com/sigstore/rekor/issues/2210))
- Fix index scripts
([#&#8203;2203](https://redirect.github.com/sigstore/rekor/issues/2203))
-   fix failing sharding test
- Better error handling in backfill script
([#&#8203;2148](https://redirect.github.com/sigstore/rekor/issues/2148))
- Batch entries in cleanup script
([#&#8203;2158](https://redirect.github.com/sigstore/rekor/issues/2158))
- Add missing workflow for index cleanup test
([#&#8203;2121](https://redirect.github.com/sigstore/rekor/issues/2121))
- hashedrekord: fix schema $id
([#&#8203;2092](https://redirect.github.com/sigstore/rekor/issues/2092))

#### Contributors

-   Aditya Sirish
-   Bob Callaway
-   Colleen Murphy
-   cpanato
-   Firas Ghanmi
-   Hayden B
-   Hojoung (Brian) Jang
-   William Woodruff

</details>

<details>
<summary>sigstore/sigstore (github.com/sigstore/sigstore)</summary>

###
[`v1.8.12`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.12)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.11...v1.8.12)

#### What's Changed

- build(deps): Bump google.golang.org/api from 0.210.0 to 0.212.0 in
/pkg/signature/kms/gcp by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1912](https://redirect.github.com/sigstore/sigstore/pull/1912)
- build(deps): Bump google.golang.org/protobuf from 1.35.2 to 1.36.0 in
/pkg/signature/kms/gcp by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1911](https://redirect.github.com/sigstore/sigstore/pull/1911)
- build(deps): Bump actions/setup-go from 5.1.0 to 5.2.0 in the all
group by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1909](https://redirect.github.com/sigstore/sigstore/pull/1909)
- build(deps): Bump google.golang.org/api from 0.212.0 to 0.214.0 in
/pkg/signature/kms/gcp by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1917](https://redirect.github.com/sigstore/sigstore/pull/1917)
- build(deps): Bump hashicorp/vault from 1.18.2 to 1.18.3 in /test/e2e
in the all group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1915](https://redirect.github.com/sigstore/sigstore/pull/1915)
- build(deps): Bump the gomod group across 2 directories with 5 updates
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1916](https://redirect.github.com/sigstore/sigstore/pull/1916)
- build(deps): Bump cloud.google.com/go/kms from 1.20.3 to 1.20.4 in
/pkg/signature/kms/gcp in the gomod group across 1 directory by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1920](https://redirect.github.com/sigstore/sigstore/pull/1920)
- build(deps): Bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1924](https://redirect.github.com/sigstore/sigstore/pull/1924)
- build(deps): Bump golang.org/x/oauth2 from 0.24.0 to 0.25.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1921](https://redirect.github.com/sigstore/sigstore/pull/1921)
- build(deps): Bump golang.org/x/term from 0.27.0 to 0.28.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1922](https://redirect.github.com/sigstore/sigstore/pull/1922)
- build(deps): Bump golang.org/x/crypto from 0.31.0 to 0.32.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1923](https://redirect.github.com/sigstore/sigstore/pull/1923)
- build(deps): Bump golang.org/x/crypto from 0.28.0 to 0.31.0 in
/test/fuzz by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1908](https://redirect.github.com/sigstore/sigstore/pull/1908)
- build(deps): Bump github.com/secure-systems-lab/go-securesystemslib
from 0.8.0 to 0.9.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1910](https://redirect.github.com/sigstore/sigstore/pull/1910)
- build(deps): Bump the tools group across 1 directory with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1913](https://redirect.github.com/sigstore/sigstore/pull/1913)
- cleanup ci by [@&#8203;cpanato](https://redirect.github.com/cpanato)
in
[https://github.com/sigstore/sigstore/pull/1927](https://redirect.github.com/sigstore/sigstore/pull/1927)

**Full Changelog**:
https://github.com/sigstore/sigstore/compare/v1.8.11...v1.8.12

###
[`v1.8.11`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.11)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.10...v1.8.11)

#### What's Changed

-   several dependabot updates
- Replace custom auth code with `azidentity.NewDefaultCredential` for
Azure KMS client by
[@&#8203;malancas](https://redirect.github.com/malancas) in
[https://github.com/sigstore/sigstore/pull/1888](https://redirect.github.com/sigstore/sigstore/pull/1888)
- fix: set go module directive to 1.22.0 by
[@&#8203;dnwe](https://redirect.github.com/dnwe) in
[https://github.com/sigstore/sigstore/pull/1878](https://redirect.github.com/sigstore/sigstore/pull/1878)

#### New Contributors

- [@&#8203;dnwe](https://redirect.github.com/dnwe) made their first
contribution in
[https://github.com/sigstore/sigstore/pull/1878](https://redirect.github.com/sigstore/sigstore/pull/1878)

**Full Changelog**:
https://github.com/sigstore/sigstore/compare/v1.8.10...v1.8.11

###
[`v1.8.10`](https://redirect.github.com/sigstore/sigstore/releases/tag/v1.8.10)

[Compare
Source](https://redirect.github.com/sigstore/sigstore/compare/v1.8.9...v1.8.10)

#### What's Changed

- fix(kms): fix CreateKey may panic when using GCP KMS by
[@&#8203;mozillazg](https://redirect.github.com/mozillazg) in
[https://github.com/sigstore/sigstore/pull/1829](https://redirect.github.com/sigstore/sigstore/pull/1829)
- update to go1.22.7 and ci job by
[@&#8203;cpanato](https://redirect.github.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1847](https://redirect.github.com/sigstore/sigstore/pull/1847)
- Mark TUF client as deprecated by
[@&#8203;haydentherapper](https://redirect.github.com/haydentherapper)
in
[https://github.com/sigstore/sigstore/pull/1858](https://redirect.github.com/sigstore/sigstore/pull/1858)
- bump to go 1.22.8 by
[@&#8203;cpanato](https://redirect.github.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1865](https://redirect.github.com/sigstore/sigstore/pull/1865)

and several dependencies updates

#### New Contributors

- [@&#8203;mozillazg](https://redirect.github.com/mozillazg) made their
first contribution in
[https://github.com/sigstore/sigstore/pull/1829](https://redirect.github.com/sigstore/sigstore/pull/1829)

**Full Changelog**:
https://github.com/sigstore/sigstore/compare/v1.8.9...v1.8.10

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(github.com/slsa-framework/slsa-github-generator)</summary>

###
[`v1.10.0`](https://redirect.github.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100)

[Compare
Source](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0)

Release
[v1.10.0](https://redirect.github.com/slsa-framework/slsa-github-generator/releases/tag/v1.10.0)
includes bug fixes and new features.

See the [full change
list](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0).

##### v1.10.0: TUF fix

- The cosign TUF roots were fixed
([#&#8203;3350](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/3350)).
More details
[here](https://redirect.github.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid).

##### v1.10.0: Gradle Builder

- The Gradle Builder was fixed when the project root is the same as the
repository root
([#&#8203;2727](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2727))

##### v1.10.0: Go Builder

- The `go-version-file` input was fixed so that it can find the `go.mod`
file

([#&#8203;2661](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2661))

##### v1.10.0: Container Generator

- A new `provenance-repository` input was added to allow reading
provenance from
a different container repository than the image itself
([#&#8203;2956](https://redirect.github.com/slsa-framework/slsa-github-generator/issues/2956))

###
[`v1.9.1`](https://redirect.github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1)

[Compare
Source](https://redirect.github.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1)

**This is an un-finalized release.**

See the [CHANGELOG](./CHANGELOG.md) for details.

</details>

<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>

###
[`v1.36.3`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.3)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.2...v1.36.3)

**Full Changelog**:
https://github.com/protocolbuffers/protobuf-go/compare/v1.36.2...v1.36.3

Bug fixes:
[CL/642575](https://go-review.googlesource.com/c/protobuf/+/642575):
reflect/protodesc: fix panic when working with dynamicpb
[CL/641036](https://go-review.googlesource.com/c/protobuf/+/641036):
cmd/protoc-gen-go: remove json struct tags from unexported fields

User-visible changes:
[CL/641876](https://go-review.googlesource.com/c/protobuf/+/641876):
proto: add example for GetExtension, SetExtension
[CL/642015](https://go-review.googlesource.com/c/protobuf/+/642015):
runtime/protolazy: replace internal doc link with external link

Maintenance:
[CL/641635](https://go-review.googlesource.com/c/protobuf/+/641635):
all: split flags.ProtoLegacyWeak out of flags.ProtoLegacy
[CL/641019](https://go-review.googlesource.com/c/protobuf/+/641019):
internal/impl: remove unused exporter parameter
[CL/641018](https://go-review.googlesource.com/c/protobuf/+/641018):
internal/impl: switch to reflect.Value.IsZero
[CL/641035](https://go-review.googlesource.com/c/protobuf/+/641035):
internal/impl: clean up unneeded Go<1.12 MapRange() alternative
[CL/641017](https://go-review.googlesource.com/c/protobuf/+/641017):
types/dynamicpb: switch atomicExtFiles to atomic.Uint64 type

###
[`v1.36.2`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.2)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.1...v1.36.2)

**Full Changelog**:
https://github.com/protocolbuffers/protobuf-go/compare/v1.36.1...v1.36.2

Bug fixes:
[CL/638515](https://go-review.googlesource.com/c/protobuf/+/638515):
internal/impl: fix WhichOneof() to work with synthetic oneofs

###
[`v1.36.1`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.1)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.0...v1.36.1)

**Full Changelog**:
https://github.com/protocolbuffers/protobuf-go/compare/v1.36.0...v1.36.1

Bug fixes:
[CL/638495](https://go-review.googlesource.com/c/protobuf/+/638495):
internal/impl: revert IsSynthetic() check to fix panic

Maintenance:
[CL/637475](https://go-review.googlesource.com/c/protobuf/+/637475):
internal/errors: delete compatibility code for Go before 1.13

###
[`v1.36.0`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.36.0)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.2...v1.36.0)

**Full Changelog**:
https://github.com/protocolbuffers/protobuf-go/compare/v1.35.2...v1.36.0

User-visible changes:

[CL/635139](https://go-review.googlesource.com/c/protobuf/+/635139):
src/google/protobuf: document UnmarshalJSON / API level behavior
[CL/635138](https://go-review.googlesource.com/c/protobuf/+/635138):
reflect/protoreflect: use \[] syntax to reference method
[CL/635137](https://go-review.googlesource.com/c/protobuf/+/635137):
proto: add reference to size semantics with lazy decoding to comment
[CL/634818](https://go-review.googlesource.com/c/protobuf/+/634818):
compiler/protogen: allow overriding API level from --go_opt
[CL/634817](https://go-review.googlesource.com/c/protobuf/+/634817):
cmd/protoc-gen-go: generate \_protoopaque variant for hybrid
[CL/634816](https://go-review.googlesource.com/c/protobuf/+/634816):
all: regenerate.bash for Opaque API
[CL/634815](https://go-review.googlesource.com/c/protobuf/+/634815):
all: Release the Opaque API
[CL/634015](https://go-review.googlesource.com/c/protobuf/+/634015):
types/descriptorpb: regenerate using latest protobuf v29.1 release
[CL/632735](https://go-review.googlesource.com/c/protobuf/+/632735):
internal/impl: skip synthetic oneofs in messageInfo
[CL/627876](https://go-review.googlesource.com/c/protobuf/+/627876):
all: start v1.35.2-devel

###
[`v1.35.2`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.35.2)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.1...v1.35.2)

**Full Changelog**:
https://github.com/protocolbuffers/protobuf-go/compare/v1.35.1...v1.35.2

Maintenance:

[CL/623115](https://go-review.googlesource.com/c/protobuf/+/623115):
proto: refactor equal_test from explicit table to use makeMessages()
[CL/623116](https://go-review.googlesource.com/c/protobuf/+/623116):
encoding/prototext: use testmessages_test.go approach, too
[CL/623117](https://go-review.googlesource.com/c/protobuf/+/623117):
internal/testprotos/test: add nested message field with \[lazy=true]
[CL/624415](https://go-review.googlesource.com/c/protobuf/+/624415):
proto: switch messageset_test to use makeMessages() injection point
[CL/624416](https://go-review.googlesource.com/c/protobuf/+/624416):
internal/impl: fix TestMarshalMessageSetLazyRace (was a no-op!)

User-visible changes:

[CL/618395](https://go-review.googlesource.com/c/protobuf/+/618395):
encoding/protojson: allow missing value for Any of type Empty
[CL/618979](https://go-review.googlesource.com/c/protobuf/+/618979):
all: implement strip_enum_prefix editions feature
[CL/622575](https://go-review.googlesource.com/c/protobuf/+/622575):
testing/protocmp: document behavior when combining Ignore and Sort

###
[`v1.35.1`](https://redirect.github.com/protocolbuffers/protobuf-go/releases/tag/v1.35.1)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.35.0...v1.35.1)

**Full Changelog**:
https://github.com/protocolbuffers/protobuf-go/compare/v1.34.2...v1.35.1

Maintenance:

- [CL/606755](https://go-review.googlesource.com/c/protobuf/+/606755):
all: remove unused purego support
- [CL/608316](https://go-review.googlesource.com/c/protobuf/+/608316):
all: set Go language version to Go 1.21

User-visible changes:

- [CL/587536](https://go-review.googlesource.com/c/protobuf/+/587536):
protojson: include field name in error messages
- [CL/597055](https://go-review.googlesource.com/c/protobuf/+/597055):
compiler/protogen: always report editions support level of the plugin
- [CL/596539](https://go-review.googlesource.com/c/protobuf/+/596539):
all: plumb the lazy option into filedesc.Field and .Extension
- [CL/601775](https://go-review.googlesource.com/c/protobuf/+/601775):
types/known/structpb: add support for more types and json.Number
- [CL/607995](https://go-review.googlesource.com/c/protobuf/+/607995):
proto: extend documentation of GetExtension, SetExtension
- [CL/609035](https://go-review.googlesource.com/c/protobuf/+/609035):
proto: implement proto.Equal fast-path

Bug fixes:

- [CL/595337](https://go-review.googlesource.com/c/protobuf/+/595337):
reflect/protodesc: fix handling of delimited extensions in editions
- [CL/602055](https://go-review.googlesource.com/c/protobuf/+/602055):
internal/cmd/generate-protos: fix pkg check for editions features
- [CL/603015](https://go-review.googlesource.com/c/protobuf/+/603015):
internal: generate extension numbers, fix editions parsing

###
[`v1.35.0`](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.34.2...v1.35.0)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.34.2...v1.35.0)

</details>

<details>
<summary>kubernetes-sigs/release-utils
(sigs.k8s.io/release-utils)</summary>

###
[`v0.9.0`](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.5...v0.9.0)

[Compare
Source](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.5...v0.9.0)

###
[`v0.8.5`](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.4...v0.8.5)

[Compare
Source](https://redirect.github.com/kubernetes-sigs/release-utils/compare/v0.8.4...v0.8.5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2025-01-21 14:57:32 -05:00
dependabot[bot]
32a562e05a chore(deps): bump golang.org/x/net from 0.27.0 to 0.33.0 in the go_modules group (#826) 
Bumps the go_modules group with 1 update:
[golang.org/x/net](https://github.com/golang/net).

Updates `golang.org/x/net` from 0.27.0 to 0.33.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="dfc720dfe0"><code>dfc720d</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="8e66b04771"><code>8e66b04</code></a>
html: use strings.EqualFold instead of lowering ourselves</li>
<li><a
href="b935f7b5d7"><code>b935f7b</code></a>
html: avoid endless loop on error token</li>
<li><a
href="9af49ef148"><code>9af49ef</code></a>
route: remove unused sizeof* consts</li>
<li><a
href="6705db9a4d"><code>6705db9</code></a>
quic: clean up crypto streams when dropping packet protection keys</li>
<li><a
href="4ef7588d2b"><code>4ef7588</code></a>
quic: handle ACK frame in packet which drops number space</li>
<li><a
href="552d8ac903"><code>552d8ac</code></a>
Revert &quot;route: change from syscall to x/sys/unix&quot;</li>
<li><a
href="13a7c0108b"><code>13a7c01</code></a>
Revert &quot;route: remove unused sizeof* consts on freebsd&quot;</li>
<li><a
href="285e1cf665"><code>285e1cf</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="d0a1049b7e"><code>d0a1049</code></a>
route: remove unused sizeof* consts on freebsd</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.27.0...v0.33.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.27.0&new-version=0.33.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-01-21 14:12:21 -05:00
Mend Renovate
417bde6e6f chore(deps): update github-actions (#823) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-go](https://redirect.github.com/actions/setup-go) |
action | minor | `v5.1.0` -> `v5.3.0` |
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | minor | `v4.4.3` -> `v4.6.0` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | minor | `v3.27.6` -> `v3.28.1` |
|
[golangci/golangci-lint-action](https://redirect.github.com/golangci/golangci-lint-action)
| action | minor | `v6.1.1` -> `v6.2.0` |

---

### Release Notes

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v5.3.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.3.0)

[Compare
Source](https://redirect.github.com/actions/setup-go/compare/v5.2.0...v5.3.0)

##### What's Changed

- Use the new cache service: upgrade `@actions/cache` to `^4.0.0` by
[@&#8203;Link-](https://redirect.github.com/Link-) in
[https://github.com/actions/setup-go/pull/531](https://redirect.github.com/actions/setup-go/pull/531)
- Configure Dependabot settings by
[@&#8203;HarithaVattikuti](https://redirect.github.com/HarithaVattikuti)
in
[https://github.com/actions/setup-go/pull/530](https://redirect.github.com/actions/setup-go/pull/530)
- Document update - permission section by
[@&#8203;HarithaVattikuti](https://redirect.github.com/HarithaVattikuti)
in
[https://github.com/actions/setup-go/pull/533](https://redirect.github.com/actions/setup-go/pull/533)
- Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/setup-go/pull/534](https://redirect.github.com/actions/setup-go/pull/534)

##### New Contributors

- [@&#8203;Link-](https://redirect.github.com/Link-) made their first
contribution in
[https://github.com/actions/setup-go/pull/531](https://redirect.github.com/actions/setup-go/pull/531)

**Full Changelog**:
https://github.com/actions/setup-go/compare/v5...v5.3.0

###
[`v5.2.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.2.0)

[Compare
Source](https://redirect.github.com/actions/setup-go/compare/v5.1.0...v5.2.0)

#### What's Changed

- Leveraging the raw API to retrieve the version-manifest, as it does
not impose a rate limit and hence facilitates unrestricted consumption
without the need for a token for Github Enterprise Servers by
[@&#8203;Shegox](https://redirect.github.com/Shegox) in
[https://github.com/actions/setup-go/pull/496](https://redirect.github.com/actions/setup-go/pull/496)

#### New Contributors

- [@&#8203;Shegox](https://redirect.github.com/Shegox) made their first
contribution in
[https://github.com/actions/setup-go/pull/496](https://redirect.github.com/actions/setup-go/pull/496)

**Full Changelog**:
https://github.com/actions/setup-go/compare/v5...v5.2.0

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.6.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.6.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.5.0...v4.6.0)

#### What's Changed

- Expose env vars to control concurrency and timeout by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[https://github.com/actions/upload-artifact/pull/662](https://redirect.github.com/actions/upload-artifact/pull/662)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.6.0

###
[`v4.5.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.4.3...v4.5.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.3...v4.5.0)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.28.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.28.0...v3.28.1)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 3.28.1 - 10 Jan 2025

- CodeQL Action v2 is now deprecated, and is no longer updated or
supported. For better performance, improved security, and new features,
upgrade to v3. For more information, see [this changelog
post](https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/).
[#&#8203;2677](https://redirect.github.com/github/codeql-action/pull/2677)
- Update default CodeQL bundle version to 2.20.1.
[#&#8203;2678](https://redirect.github.com/github/codeql-action/pull/2678)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.1/CHANGELOG.md)
for more information.

###
[`v3.28.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.9...v3.28.0)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.28.0 - 20 Dec 2024

- Bump the minimum CodeQL bundle version to 2.15.5.
[#&#8203;2655](https://redirect.github.com/github/codeql-action/pull/2655)
- Don't fail in the unusual case that a file is on the search path.
[#&#8203;2660](https://redirect.github.com/github/codeql-action/pull/2660).

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.0/CHANGELOG.md)
for more information.

###
[`v3.27.9`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.9)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.8...v3.27.9)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.9 - 12 Dec 2024

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.9/CHANGELOG.md)
for more information.

###
[`v3.27.8`](https://redirect.github.com/github/codeql-action/compare/v3.27.7...v3.27.8)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.7...v3.27.8)

###
[`v3.27.7`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.7)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.6...v3.27.7)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.7 - 10 Dec 2024

- We are rolling out a change in December 2024 that will extract the
CodeQL bundle directly to the toolcache to improve performance.
[#&#8203;2631](https://redirect.github.com/github/codeql-action/pull/2631)
- Update default CodeQL bundle version to 2.20.0.
[#&#8203;2636](https://redirect.github.com/github/codeql-action/pull/2636)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.7/CHANGELOG.md)
for more information.

</details>

<details>
<summary>golangci/golangci-lint-action
(golangci/golangci-lint-action)</summary>

###
[`v6.2.0`](https://redirect.github.com/golangci/golangci-lint-action/releases/tag/v6.2.0)

[Compare
Source](https://redirect.github.com/golangci/golangci-lint-action/compare/v6.1.1...v6.2.0)

<!-- Release notes generated using configuration in .github/release.yml
at v6.2.0 -->

#### What's Changed

##### Changes

- chore: use new build tag syntax by
[@&#8203;alexandear](https://redirect.github.com/alexandear) in
[https://github.com/golangci/golangci-lint-action/pull/1133](https://redirect.github.com/golangci/golangci-lint-action/pull/1133)
- feat: support linux arm64 public preview by
[@&#8203;ldez](https://redirect.github.com/ldez) in
[https://github.com/golangci/golangci-lint-action/pull/1144](https://redirect.github.com/golangci/golangci-lint-action/pull/1144)

##### Documentation

- docs: update local development instructions by
[@&#8203;dmitris](https://redirect.github.com/dmitris) in
[https://github.com/golangci/golangci-lint-action/pull/1125](https://redirect.github.com/golangci/golangci-lint-action/pull/1125)

##### Dependencies

- build(deps-dev): bump the dev-dependencies group with 3 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1112](https://redirect.github.com/golangci/golangci-lint-action/pull/1112)
- build(deps): bump the dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1113](https://redirect.github.com/golangci/golangci-lint-action/pull/1113)
- build(deps-dev): bump the dev-dependencies group with 3 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1114](https://redirect.github.com/golangci/golangci-lint-action/pull/1114)
- build(deps): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from 22.7.4
to 22.7.5 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1115](https://redirect.github.com/golangci/golangci-lint-action/pull/1115)
- build(deps-dev): bump the dev-dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1117](https://redirect.github.com/golangci/golangci-lint-action/pull/1117)
- build(deps): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from 22.7.5
to 22.7.7 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1118](https://redirect.github.com/golangci/golangci-lint-action/pull/1118)
- build(deps-dev): bump the dev-dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1119](https://redirect.github.com/golangci/golangci-lint-action/pull/1119)
- build(deps): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from 22.7.7
to 22.8.1 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1120](https://redirect.github.com/golangci/golangci-lint-action/pull/1120)
- build(deps-dev): bump the dev-dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1122](https://redirect.github.com/golangci/golangci-lint-action/pull/1122)
- build(deps): bump the dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1123](https://redirect.github.com/golangci/golangci-lint-action/pull/1123)
- build(deps-dev): bump the dev-dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1126](https://redirect.github.com/golangci/golangci-lint-action/pull/1126)
- build(deps): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from 22.8.7
to 22.9.0 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1127](https://redirect.github.com/golangci/golangci-lint-action/pull/1127)
- build(deps-dev): bump the dev-dependencies group with 3 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1128](https://redirect.github.com/golangci/golangci-lint-action/pull/1128)
- build(deps): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from 22.9.0
to 22.9.3 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1130](https://redirect.github.com/golangci/golangci-lint-action/pull/1130)
- build(deps): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from 22.9.3
to 22.10.1 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1131](https://redirect.github.com/golangci/golangci-lint-action/pull/1131)
- build(deps-dev): bump the dev-dependencies group across 1 directory
with 4 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1132](https://redirect.github.com/golangci/golangci-lint-action/pull/1132)
- build(deps-dev): bump the dev-dependencies group with 3 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1134](https://redirect.github.com/golangci/golangci-lint-action/pull/1134)
- build(deps): bump
[@&#8203;actions/cache](https://redirect.github.com/actions/cache) from
3.3.0 to 4.0.0 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1135](https://redirect.github.com/golangci/golangci-lint-action/pull/1135)
- build(deps-dev): bump the dev-dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1136](https://redirect.github.com/golangci/golangci-lint-action/pull/1136)
- build(deps): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
22.10.1 to 22.10.2 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1137](https://redirect.github.com/golangci/golangci-lint-action/pull/1137)
- build(deps-dev): bump the dev-dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1138](https://redirect.github.com/golangci/golangci-lint-action/pull/1138)
- build(deps-dev): bump the dev-dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1139](https://redirect.github.com/golangci/golangci-lint-action/pull/1139)
- build(deps-dev): bump the dev-dependencies group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1141](https://redirect.github.com/golangci/golangci-lint-action/pull/1141)
- build(deps): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
22.10.2 to 22.10.5 in the dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1142](https://redirect.github.com/golangci/golangci-lint-action/pull/1142)
- build(deps-dev): bump the dev-dependencies group with 3 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/golangci/golangci-lint-action/pull/1143](https://redirect.github.com/golangci/golangci-lint-action/pull/1143)

#### New Contributors

- [@&#8203;dmitris](https://redirect.github.com/dmitris) made their
first contribution in
[https://github.com/golangci/golangci-lint-action/pull/1125](https://redirect.github.com/golangci/golangci-lint-action/pull/1125)
- [@&#8203;alexandear](https://redirect.github.com/alexandear) made
their first contribution in
[https://github.com/golangci/golangci-lint-action/pull/1133](https://redirect.github.com/golangci/golangci-lint-action/pull/1133)

**Full Changelog**:
https://github.com/golangci/golangci-lint-action/compare/v6.1.1...v6.2.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2025-01-21 11:16:33 -05:00
Mend Renovate
b6645ca106 fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.15.1 (#824) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools)
| `3.11.0` -> `3.15.1` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.15.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.15.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0/3.15.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0/3.15.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuODUuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
 2025-01-02 15:43:27 -05:00
Mend Renovate
d2384e2eca fix(deps): update dependency org.apache.maven:maven-core to v3.9.9 (#816) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-core](https://maven.apache.org/) | `3.9.8` ->
`3.9.9` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-core/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-core/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-core/3.9.8/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-core/3.9.8/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-12-13 11:32:01 +00:00
dependabot[bot]
8bdd724323 chore(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0 in the go_modules group (#821) 
Bumps the go_modules group with 1 update:
[golang.org/x/crypto](https://github.com/golang/crypto).

Updates `golang.org/x/crypto` from 0.27.0 to 0.31.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b4f1988a35"><code>b4f1988</code></a>
ssh: make the public key cache a 1-entry FIFO cache</li>
<li><a
href="7042ebcbe0"><code>7042ebc</code></a>
openpgp/clearsign: just use rand.Reader in tests</li>
<li><a
href="3e90321ac7"><code>3e90321</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="8c4e668694"><code>8c4e668</code></a>
x509roots/fallback: update bundle</li>
<li><a
href="6018723c74"><code>6018723</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="71ed71b4fa"><code>71ed71b</code></a>
README: don't recommend go get</li>
<li><a
href="750a45fe5e"><code>750a45f</code></a>
sha3: add MarshalBinary, AppendBinary, and UnmarshalBinary</li>
<li><a
href="36b172546b"><code>36b1725</code></a>
sha3: avoid trailing permutation</li>
<li><a
href="80ea76eb17"><code>80ea76e</code></a>
sha3: fix padding for long cSHAKE parameters</li>
<li><a
href="c17aa50fbd"><code>c17aa50</code></a>
sha3: avoid buffer copy</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.27.0...v0.31.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/crypto&package-manager=go_modules&previous-version=0.27.0&new-version=0.31.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-12-13 06:15:03 -05:00
dependabot[bot]
4200507dd2 chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.0.0 to 2.0.1 in the go_modules group (#820) 
Bumps the go_modules group with 1 update:
[github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf).

Updates `github.com/theupdateframework/go-tuf/v2` from 2.0.0 to 2.0.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/theupdateframework/go-tuf/releases">github.com/theupdateframework/go-tuf/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.1</h2>
<h2>What's Changed</h2>
<h3>Security</h3>
<ul>
<li>Fix incorrect delegation lookups that can make go-tuf download the
wrong artifact by <a
href="https://github.com/rdimitrov"><code>@​rdimitrov</code></a> (Thanks
to <a href="https://github.com/AdamKorcz"><code>@​AdamKorcz</code></a>
for reporting it). This fixes CVE-2024-47534 <a
href="https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j">GHSA-4f8r-qqr9-fq8j</a></li>
</ul>
<h3>Other</h3>
<ul>
<li>Update MAINTAINERS.md by <a
href="https://github.com/trishankatdatadog"><code>@​trishankatdatadog</code></a>
in <a
href="https://redirect.github.com/theupdateframework/go-tuf/pull/647">theupdateframework/go-tuf#647</a></li>
<li>Update the staging TUF repo in the multi-repo example by <a
href="https://github.com/rdimitrov"><code>@​rdimitrov</code></a> in <a
href="https://redirect.github.com/theupdateframework/go-tuf/pull/650">theupdateframework/go-tuf#650</a></li>
<li>Fix branch name in multi-repo client example by <a
href="https://github.com/rdimitrov"><code>@​rdimitrov</code></a> in <a
href="https://redirect.github.com/theupdateframework/go-tuf/pull/651">theupdateframework/go-tuf#651</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/theupdateframework/go-tuf/compare/v2.0.0...v2.0.1">https://github.com/theupdateframework/go-tuf/compare/v2.0.0...v2.0.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6c47391ef3"><code>6c47391</code></a>
Fix branch name in multi-repo client example (<a
href="https://redirect.github.com/theupdateframework/go-tuf/issues/651">#651</a>)</li>
<li><a
href="eee48422ef"><code>eee4842</code></a>
Update the staging TUF repo in the multi-repo example (<a
href="https://redirect.github.com/theupdateframework/go-tuf/issues/650">#650</a>)</li>
<li><a
href="f36420caba"><code>f36420c</code></a>
Merge commit from fork</li>
<li><a
href="f95222bdd2"><code>f95222b</code></a>
Update MAINTAINERS.md (<a
href="https://redirect.github.com/theupdateframework/go-tuf/issues/647">#647</a>)</li>
<li>See full diff in <a
href="https://github.com/theupdateframework/go-tuf/compare/v2.0.0...v2.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/theupdateframework/go-tuf/v2&package-manager=go_modules&previous-version=2.0.0&new-version=2.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-12-05 17:43:59 +00:00
Mend Renovate
84e5c03318 fix(deps): update dependency @actions/core to v1.11.1 (#819) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/core](https://redirect.github.com/actions/toolkit/tree/main/packages/core)
([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/core))
| [`1.10.1` ->
`1.11.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.1/1.11.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.1/1.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.1/1.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/core)</summary>

###
[`v1.11.1`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1111)

- Fix uses of `crypto.randomUUID` on Node 18 and earlier
[#&#8203;1842](https://redirect.github.com/actions/toolkit/pull/1842)

###
[`v1.11.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1110)

- Add platform info utilities
[#&#8203;1551](https://redirect.github.com/actions/toolkit/pull/1551)
- Remove dependency on `uuid` package
[#&#8203;1824](https://redirect.github.com/actions/toolkit/pull/1824)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

---------

Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-12-05 12:27:39 -05:00
Mend Renovate
e6b1b817c1 chore(deps): update golang docker tag to v1.23 (#818) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | minor | `1.21` -> `1.23` |

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-12-04 18:16:02 +00:00
Mend Renovate
190fddac0e chore(deps): update github-actions (#817) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | minor | `v4.1.7` -> `v4.2.2` |
|
[actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action)
| action | minor | `v4.3.3` -> `v4.5.0` |
|
[actions/download-artifact](https://redirect.github.com/actions/download-artifact)
| action | patch | `v4.1.7` -> `v4.1.8` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) |
action | minor | `v5.0.2` -> `v5.1.0` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) |
action | minor | `v5.0.1` -> `v5.1.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) |
action | minor | `v4.0.2` -> `v4.1.0` |
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | minor | `v4.3.3` -> `v4.4.3` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | minor | `v3.25.11` -> `v3.27.6` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | minor | `v2.3.3` -> `v2.4.0` |
|
[slsa-framework/slsa-verifier](https://redirect.github.com/slsa-framework/slsa-verifier)
| action | minor | `v2.5.1` -> `v2.6.0` |
|
[thehanimo/pr-title-checker](https://redirect.github.com/thehanimo/pr-title-checker)
| action | patch | `v1.4.2` -> `v1.4.3` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2)

- `url-helper.ts` now leverages well-known environment variables by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/checkout/pull/1941](https://redirect.github.com/actions/checkout/pull/1941)
- Expand unit test coverage for `isGhes` by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/checkout/pull/1946](https://redirect.github.com/actions/checkout/pull/1946)

###
[`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1)

- Check out other refs/\* by commit if provided, fall back to ref by
[@&#8203;orhantoy](https://redirect.github.com/orhantoy) in
[https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924)

###
[`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0)

- Add Ref and Commit outputs by
[@&#8203;lucacome](https://redirect.github.com/lucacome) in
[https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180)
- Dependency updates by
[@&#8203;dependabot-](https://redirect.github.com/dependabot-)
[https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777),
[https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.5.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.5.0)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.4.0...v4.5.0)

#### What's Changed

- Bump got from 14.4.2 to 14.4.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/844](https://redirect.github.com/actions/dependency-review-action/pull/844)
- Bump nodemon from 3.1.0 to 3.1.7 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/847](https://redirect.github.com/actions/dependency-review-action/pull/847)
- Bump [@&#8203;vercel/ncc](https://redirect.github.com/vercel/ncc) from
0.38.1 to 0.38.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/849](https://redirect.github.com/actions/dependency-review-action/pull/849)
- Overriding the cross-spawn dependency to use a safe version by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/850](https://redirect.github.com/actions/dependency-review-action/pull/850)
- fix: add summary comment on failure when warn-only: true by
[@&#8203;ebickle](https://redirect.github.com/ebickle) in
[https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827)
- Prepare for 4.5.0 release by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/851](https://redirect.github.com/actions/dependency-review-action/pull/851)

#### New Contributors

- [@&#8203;ebickle](https://redirect.github.com/ebickle) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4...v4.5.0

###
[`v4.4.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.4.0)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0)

#### What's Changed

- Fix for merge_group event bug by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/846](https://redirect.github.com/actions/dependency-review-action/pull/846)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0

###
[`v4.3.5`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.5)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5)

#### What's Changed

- fix: getRefs function to handle merge_group events by
[@&#8203;louis-bompart](https://redirect.github.com/louis-bompart) in
[https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766)
- Create pull_request_template.md by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/794](https://redirect.github.com/actions/dependency-review-action/pull/794)
- Update CONTRIBUTING.md by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/793](https://redirect.github.com/actions/dependency-review-action/pull/793)
- Bump [@&#8203;types/node](https://redirect.github.com/types/node) from
20.11.28 to 20.16.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/815](https://redirect.github.com/actions/dependency-review-action/pull/815)
- Upgrade transitive micromatch library by
[@&#8203;elireisman](https://redirect.github.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/829](https://redirect.github.com/actions/dependency-review-action/pull/829)
- Do not list changed dependencies in summary by
[@&#8203;hmaurer](https://redirect.github.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/828](https://redirect.github.com/actions/dependency-review-action/pull/828)
- Update stale.yaml by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/832](https://redirect.github.com/actions/dependency-review-action/pull/832)
- Bump got from 14.4.1 to 14.4.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/822](https://redirect.github.com/actions/dependency-review-action/pull/822)
- Bump eslint-plugin-jest and ts-jest by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840)

#### New Contributors

- [@&#8203;louis-bompart](https://redirect.github.com/louis-bompart)
made their first contribution in
[https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766)
- [@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah)
made their first contribution in
[https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5

###
[`v4.3.4`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.4)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4)

#### What's Changed

- Include all added dependencies in scorecard entries by
[@&#8203;elireisman](https://redirect.github.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/783](https://redirect.github.com/actions/dependency-review-action/pull/783)
- Update SPDX Expression Parsing by
[@&#8203;febuiles](https://redirect.github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/719](https://redirect.github.com/actions/dependency-review-action/pull/719)
- This PR is a significant refactor of SPDX expression parsing that
*may* fix some bugs, but unfortunately there are several related known
issues that remain unresolved as of this version.

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.8`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.8)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.7...v4.1.8)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/download-artifact/pull/341](https://redirect.github.com/actions/download-artifact/pull/341)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.8

</details>

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v5.1.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.1.0)

[Compare
Source](https://redirect.github.com/actions/setup-go/compare/v5.0.2...v5.1.0)

##### What's Changed

- Add workflow file for publishing releases to immutable action package
by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- Upgrade IA Publish by
[@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/setup-go/pull/502](https://redirect.github.com/actions/setup-go/pull/502)
- Add architecture to cache key by
[@&#8203;Zxilly](https://redirect.github.com/Zxilly) in
[https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
This addresses issues with caching by adding the architecture (arch) to
the cache key, ensuring that cache keys are accurate to prevent
conflicts.
Note: This change may break previous cache keys as they will no longer
be compatible with the new format.
- Enhance workflows and Upgrade micromatch Dependency by
[@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) in
[https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Bug Fixes**

- Revise `isGhes` logic by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)

##### New Contributors

- [@&#8203;Zxilly](https://redirect.github.com/Zxilly) made their first
contribution in
[https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their
first contribution in
[https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- [@&#8203;jww3](https://redirect.github.com/jww3) made their first
contribution in
[https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)
- [@&#8203;priyagupta108](https://redirect.github.com/priyagupta108)
made their first contribution in
[https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Full Changelog**:
https://github.com/actions/setup-go/compare/v5...v5.1.0

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v4.1.0`](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

###
[`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

###
[`v4.0.3`](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3)

##### What's Changed

- Undo indirect dependency updates from
[#&#8203;627](https://redirect.github.com/actions/upload-artifact/issues/627)
by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in
[https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3

###
[`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2)

##### What's Changed

- Bump `@actions/artifact` to 2.1.11 by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627)
    -   Includes fix for relative symlinks not resolving properly

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2

###
[`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1)

##### What's Changed

- Add a section about hidden files by
[@&#8203;joshmgross](https://redirect.github.com/joshmgross) in
[https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607)
- Add workflow file for publishing releases to immutable action package
by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)
- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
to latest version, includes symlink and timeout fixes by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625)

##### New Contributors

- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their
first contribution in
[https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1

###
[`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

###
[`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

###
[`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

###
[`v4.3.4`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.4)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4)

##### What's Changed

- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/584](https://redirect.github.com/actions/upload-artifact/pull/584)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.27.6`](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

###
[`v3.27.5`](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

###
[`v3.27.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.3...v3.27.4)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.4 - 14 Nov 2024

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md)
for more information.

###
[`v3.27.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.2...v3.27.3)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.3 - 12 Nov 2024

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md)
for more information.

###
[`v3.27.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.1...v3.27.2)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.2 - 12 Nov 2024

- Fixed an issue where setting up the CodeQL tools would sometimes fail
with the message "Invalid value 'undefined' for header 'authorization'".
[#&#8203;2590](https://redirect.github.com/github/codeql-action/pull/2590)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md)
for more information.

###
[`v3.27.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.0...v3.27.1)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.1 - 08 Nov 2024

- The CodeQL Action now downloads bundles compressed using Zstandard on
GitHub Enterprise Server when using Linux or macOS runners. This speeds
up the installation of the CodeQL tools. This feature is already
available to GitHub.com users.
[#&#8203;2573](https://redirect.github.com/github/codeql-action/pull/2573)
- Update default CodeQL bundle version to 2.19.3.
[#&#8203;2576](https://redirect.github.com/github/codeql-action/pull/2576)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.1/CHANGELOG.md)
for more information.

###
[`v3.27.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.13...v3.27.0)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.0 - 22 Oct 2024

- Bump the minimum CodeQL bundle version to 2.14.6.
[#&#8203;2549](https://redirect.github.com/github/codeql-action/pull/2549)
- Fix an issue where the `upload-sarif` Action would fail with
"upload-sarif post-action step failed: Input required and not supplied:
token" when called in a composite Action that had a different set of
inputs to the ones expected by the `upload-sarif` Action.
[#&#8203;2557](https://redirect.github.com/github/codeql-action/pull/2557)
- Update default CodeQL bundle version to 2.19.2.
[#&#8203;2552](https://redirect.github.com/github/codeql-action/pull/2552)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.0/CHANGELOG.md)
for more information.

###
[`v3.26.13`](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

###
[`v3.26.12`](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

###
[`v3.26.11`](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

###
[`v3.26.10`](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

###
[`v3.26.9`](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

###
[`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

###
[`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

###
[`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

###
[`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

###
[`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

###
[`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

###
[`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

###
[`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

###
[`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

###
[`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

###
[`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

###
[`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

###
[`v3.25.12`](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0).
Of special note to Scorecard Action is the Maintainer Annotation
feature, which can be used to suppress some Code Scanning false
positives. Alerts will not be generated for any Scorecard Check with an
annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@&#8203;spencerschrock](https://redirect.github.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by
[@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.6.0`](https://redirect.github.com/slsa-framework/slsa-verifier/releases/tag/v2.6.0)

[Compare
Source](https://redirect.github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0)

#### What's Changed

- chore: Update doc and digests for v2.5.1 by
[@&#8203;laurentsimon](https://redirect.github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/748](https://redirect.github.com/slsa-framework/slsa-verifier/pull/748)
- fix(deps): update module google.golang.org/protobuf to v1.33.0
\[security] by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/743](https://redirect.github.com/slsa-framework/slsa-verifier/pull/743)
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/718](https://redirect.github.com/slsa-framework/slsa-verifier/pull/718)
- chore: Update
[@&#8203;actions/github](https://redirect.github.com/actions/github) v6
by [@&#8203;laurentsimon](https://redirect.github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/749](https://redirect.github.com/slsa-framework/slsa-verifier/pull/749)
- fix: use sigstore/pkg/fulcioroots to lessen deps by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/746](https://redirect.github.com/slsa-framework/slsa-verifier/pull/746)
- feat: add ramonpetgrave64 as CODEOWNER by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/750](https://redirect.github.com/slsa-framework/slsa-verifier/pull/750)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`1a8ece8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/1a8ece8)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/701](https://redirect.github.com/slsa-framework/slsa-verifier/pull/701)
- chore(deps): update github-actions (major) by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/719](https://redirect.github.com/slsa-framework/slsa-verifier/pull/719)
- fix(deps): update dependency org.apache.maven:maven-plugin-api to
v3.9.6 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/751](https://redirect.github.com/slsa-framework/slsa-verifier/pull/751)
- chore(deps): update npm dev (major) by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/753](https://redirect.github.com/slsa-framework/slsa-verifier/pull/753)
- fix(deps): update dependency
org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/752](https://redirect.github.com/slsa-framework/slsa-verifier/pull/752)
- feat: fixes
[#&#8203;547](https://redirect.github.com/slsa-framework/slsa-verifier/issues/547):
add npm sigstore-tuf suport by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/731](https://redirect.github.com/slsa-framework/slsa-verifier/pull/731)
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4
\[security] by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/723](https://redirect.github.com/slsa-framework/slsa-verifier/pull/723)
- chore(deps): update golang:1.21 docker digest to
[`81811f8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/81811f8)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/693](https://redirect.github.com/slsa-framework/slsa-verifier/pull/693)
- chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/758](https://redirect.github.com/slsa-framework/slsa-verifier/pull/758)
- chore(deps): update golang:1.21 docker digest to
[`d83472f`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/d83472f)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/764](https://redirect.github.com/slsa-framework/slsa-verifier/pull/764)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`53745e9`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/53745e9)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/763](https://redirect.github.com/slsa-framework/slsa-verifier/pull/763)
- feat: workflow to update actions dist by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/760](https://redirect.github.com/slsa-framework/slsa-verifier/pull/760)
- fix(deps): update dependency
[@&#8203;actions/core](https://redirect.github.com/actions/core) to
v1.10.1 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/717](https://redirect.github.com/slsa-framework/slsa-verifier/pull/717)
- chore: fix pr-title-checker by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/770](https://redirect.github.com/slsa-framework/slsa-verifier/pull/770)
- chore: Update Renovate config by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/769](https://redirect.github.com/slsa-framework/slsa-verifier/pull/769)
- fix: use pr_number as env variable by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/771](https://redirect.github.com/slsa-framework/slsa-verifier/pull/771)
- fix: signoff commit by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/767](https://redirect.github.com/slsa-framework/slsa-verifier/pull/767)
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/781](https://redirect.github.com/slsa-framework/slsa-verifier/pull/781)
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to
0.7.7 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/782](https://redirect.github.com/slsa-framework/slsa-verifier/pull/782)
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/779](https://redirect.github.com/slsa-framework/slsa-verifier/pull/779)
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/780](https://redirect.github.com/slsa-framework/slsa-verifier/pull/780)
- chore(deps): bump the npm_and_yarn group across 2 directories with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/slsa-framework/slsa-verifier/pull/784](https://redirect.github.com/slsa-framework/slsa-verifier/pull/784)
- fix(deps): update golang.org/x/exp digest to
[`7f521ea`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/7f521ea)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/775](https://redirect.github.com/slsa-framework/slsa-verifier/pull/775)
- fix: make download-artifacts.sh more flexible by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/761](https://redirect.github.com/slsa-framework/slsa-verifier/pull/761)
- chore(deps): update golang:1.21 docker digest to
[`b405b62`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/b405b62)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/774](https://redirect.github.com/slsa-framework/slsa-verifier/pull/774)
- chore(deps): update npm dev by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/650](https://redirect.github.com/slsa-framework/slsa-verifier/pull/650)
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/787](https://redirect.github.com/slsa-framework/slsa-verifier/pull/787)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/786](https://redirect.github.com/slsa-framework/slsa-verifier/pull/786)
- feat: vsa support by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/777](https://redirect.github.com/slsa-framework/slsa-verifier/pull/777)
- fix: use tag for the builder in the release workflow by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/788](https://redirect.github.com/slsa-framework/slsa-verifier/pull/788)

**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0

</details>

<details>
<summary>thehanimo/pr-title-checker
(thehanimo/pr-title-checker)</summary>

###
[`v1.4.3`](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

[Compare
Source](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
 2024-12-04 13:00:06 -05:00
Ramon Petgrave
17f79583c5 fix: fix method for getting leaf certs in Bundle v0.3 (#813) 
Followup to
https://github.com/slsa-framework/slsa-github-generator/pull/3777

This PR adds a missing modification for getting the leaf certificate in
the new Bundle format v0.3.

In my original experiments, I did have this method in a dev branch, but
neglected to include it in the final PR.
-
https://github.com/slsa-framework/slsa-verifier/compare/main...verify-sigstore-go-Bundlev3#diff-a9bfffae1bd0d145e950805e7a35b8e65adc7a68affa605b484f4831097b989cR98-R107
 - https://github.com/slsa-framework/slsa-verifier/pull/799/files

## Testing

- I re-used the same attestation file from a failing workflow for unit
tests and manual invocation.
-
https://github.com/slsa-framework/example-package/actions/runs/11511156484

## Followup

- Finish finding a way to test changes within PRs.
-
https://github.com/slsa-framework/slsa-github-generator/pull/3777#discussion_r1795254767
  - https://github.com/slsa-framework/slsa-verifier/pull/797

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-10-29 16:43:56 -04:00
dependabot[bot]
70f3c9a079 chore(deps): bump github.com/sigstore/sigstore-go from 0.6.1 to 0.6.2 in the go_modules group across 1 directory (#812) 
Bumps the go_modules group with 1 update in the / directory:
[github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go).

Updates `github.com/sigstore/sigstore-go` from 0.6.1 to 0.6.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/sigstore-go/releases">github.com/sigstore/sigstore-go's
releases</a>.</em></p>
<blockquote>
<h2>v0.6.2</h2>
<p>This is a minor release to enable better error handling in the gh
CLI.</p>
<h2>What's Changed</h2>
<ul>
<li>Use sentinel errors bundle validation in <code>validateBundle</code>
func by <a
href="https://github.com/malancas"><code>@​malancas</code></a> in <a
href="https://redirect.github.com/sigstore/sigstore-go/pull/291">sigstore/sigstore-go#291</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2">https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0726854518"><code>0726854</code></a>
Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (<a
href="https://redirect.github.com/sigstore/sigstore-go/issues/289">#289</a>)</li>
<li><a
href="8c0e75bb62"><code>8c0e75b</code></a>
Use sentinel errors bundle validation in <code>validateBundle</code>
func (<a
href="https://redirect.github.com/sigstore/sigstore-go/issues/291">#291</a>)</li>
<li>See full diff in <a
href="https://github.com/sigstore/sigstore-go/compare/v0.6.1...v0.6.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/sigstore/sigstore-go&package-manager=go_modules&previous-version=0.6.1&new-version=0.6.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-10-15 17:02:39 +00:00
Mend Renovate
ba80473d23 chore(deps): update gcr.io/distroless/base:nonroot docker digest to e5260be (#795) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `53745e9` -> `e5260be` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM4LjgwLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2024-10-15 16:45:28 +00:00
Mend Renovate
f42f81fc35 fix(deps): update module github.com/sigstore/sigstore-go to v0.6.1 [security] (#805) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[github.com/sigstore/sigstore-go](https://redirect.github.com/sigstore/sigstore-go)
| `v0.5.1` -> `v0.6.1` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fsigstore-go/v0.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fsigstore-go/v0.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fsigstore-go/v0.5.1/v0.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fsigstore-go/v0.5.1/v0.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-45395](https://redirect.github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq)

### Impact

sigstore-go is susceptible to a denial of service attack when a verifier
is provided a maliciously crafted Sigstore Bundle containing large
amounts of verifiable data, in the form of signed transparency log
entries, RFC 3161 timestamps, and attestation subjects. The verification
of these data structures is computationally expensive. This can be used
to consume excessive CPU resources, leading to a denial of service
attack. TUF's security model labels this type of vulnerability an
"Endless data attack," and can lead to verification failing to complete
and disrupting services that rely on sigstore-go for verification.

The vulnerable loops are in the verification functions in the package
`github.com/sigstore/sigstore-go/pkg/verify`. The first is the DSSE
envelope verification loop in `verifyEnvelopeWithArtifact`, which
decodes all the digests in an attestation can be found here:


725e508ed4/pkg/verify/signature.go (L183-L193)

The next loop is in the `VerifyArtifactTransparencyLog` function, which
verifies all the signed entries in a bundle:


725e508ed4/pkg/verify/tlog.go (L74-L178)

The next loop is the `VerifyTimestampAuthority` function, which verifies
all the RFC 3161 timestamps in a bundle:


725e508ed4/pkg/verify/tsa.go (L59-L68)

### Patches

This vulnerability is addressed with sigstore-go 0.6.1, which adds hard
limits to the number of verifiable data structures that can be processed
in a bundle. Verification will fail if a bundle has data that exceeds
these limits. The limits are:

- 32 signed transparency log entries
- 32 RFC 3161 timestamps
- 1024 attestation subjects
- 32 digests per attestation subject

These limits are intended to be high enough to accommodate the vast
majority of use cases, while preventing the verification of maliciously
crafted bundles that contain large amounts of verifiable data.

### Workarounds

The best way to mitigate the risk is to upgrade to sigstore-go 0.6.1 or
later. Users who are vulnerable but unable to quickly upgrade may
consider adding manual bundle validation to enforce limits similar to
those in the referenced patch prior to calling sigstore-go's
verification functions.

---

### Release Notes

<details>
<summary>sigstore/sigstore-go
(github.com/sigstore/sigstore-go)</summary>

###
[`v0.6.1`](https://redirect.github.com/sigstore/sigstore-go/releases/tag/v0.6.1)

[Compare
Source](https://redirect.github.com/sigstore/sigstore-go/compare/v0.6.0...v0.6.1)

#### What's Changed

v0.6.1 resolves a security advisory for a denial of service. See
https://github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq
for more information.

- Add fuzz tests for bundle, tlog and verify packages by
[@&#8203;AdamKorcz](https://redirect.github.com/AdamKorcz) in
[https://github.com/sigstore/sigstore-go/pull/272](https://redirect.github.com/sigstore/sigstore-go/pull/272)
- Add the ability to contruct TrustRoot from targets by
[@&#8203;bkabrda](https://redirect.github.com/bkabrda) in
[https://github.com/sigstore/sigstore-go/pull/247](https://redirect.github.com/sigstore/sigstore-go/pull/247)
- add oss-fuzz build script by
[@&#8203;AdamKorcz](https://redirect.github.com/AdamKorcz) in
[https://github.com/sigstore/sigstore-go/pull/278](https://redirect.github.com/sigstore/sigstore-go/pull/278)
- Fix proof of key possession generation by
[@&#8203;adityasaky](https://redirect.github.com/adityasaky) in
[https://github.com/sigstore/sigstore-go/pull/283](https://redirect.github.com/sigstore/sigstore-go/pull/283)
- Add additional validation for nil elements in Bundles by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/285](https://redirect.github.com/sigstore/sigstore-go/pull/285)
- Add hard limits for number of TSA entries, Tlog entries, and
attestation subjects/digests by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/286](https://redirect.github.com/sigstore/sigstore-go/pull/286)

**Full Changelog**:
https://github.com/sigstore/sigstore-go/compare/v0.6.0...v0.6.1

###
[`v0.6.0`](https://redirect.github.com/sigstore/sigstore-go/releases/tag/v0.6.0)

[Compare
Source](https://redirect.github.com/sigstore/sigstore-go/compare/v0.5.1...v0.6.0)

As folks use sigstore-go in more cases, we continue to make fixes and do
some minor API interface changes.

Because we are pre-1.0.0 these were made as breaking changes. After
1.0.0 we will provide deprecation notices and smoother migration paths.
There may be more minor interface changes between now and v1.0.0.

#### Breaking Changes

-   In `pkg/bundle/bundle.go`
    -   `ProtobufBundle` is now `Bundle`
    -   `NewProtobufBundle` is now `NewBundle`
-   In `pkg/bundle/signature_content.go`
- Use `Statement()` type was from
`github.com/in-toto/in-toto-golang/in_toto` now comes from
`github.com/in-toto/attestation/go/v1`

#### What's Changed

- feat: add support for additional transparency log key types by
[@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in
[https://github.com/sigstore/sigstore-go/pull/197](https://redirect.github.com/sigstore/sigstore-go/pull/197)
- feat: use GetLogEntryByIndex to query rekor by
[@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in
[https://github.com/sigstore/sigstore-go/pull/188](https://redirect.github.com/sigstore/sigstore-go/pull/188)
- feat: add validation of required fields in the bundle by
[@&#8203;vishal-chdhry](https://redirect.github.com/vishal-chdhry) in
[https://github.com/sigstore/sigstore-go/pull/189](https://redirect.github.com/sigstore/sigstore-go/pull/189)
- Rename ProtobufBundle to Bundle by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/251](https://redirect.github.com/sigstore/sigstore-go/pull/251)
- Fix verify DSSE bundles (after signing) by
[@&#8203;steiza](https://redirect.github.com/steiza) in
[https://github.com/sigstore/sigstore-go/pull/258](https://redirect.github.com/sigstore/sigstore-go/pull/258)
- Fix crash with missing checkpoint by
[@&#8203;haydentherapper](https://redirect.github.com/haydentherapper)
in
[https://github.com/sigstore/sigstore-go/pull/260](https://redirect.github.com/sigstore/sigstore-go/pull/260)
- Add file pattern to CODEOWNERS by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/269](https://redirect.github.com/sigstore/sigstore-go/pull/269)
- Use example.com and remove trademark from tests by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/267](https://redirect.github.com/sigstore/sigstore-go/pull/267)
- Add deprecation message for ProtobufBundle by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/271](https://redirect.github.com/sigstore/sigstore-go/pull/271)
- Switch in-toto library to github.com/in-toto/attestation by
[@&#8203;codysoyland](https://redirect.github.com/codysoyland) in
[https://github.com/sigstore/sigstore-go/pull/274](https://redirect.github.com/sigstore/sigstore-go/pull/274)

**Full Changelog**:
https://github.com/sigstore/sigstore-go/compare/v0.5.1...v0.6.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguMTE1LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
 2024-10-10 19:48:14 +00:00
Kyle Colantonio
d758bd3718 feat(action): Updating to Node20 (#811) 
This PR relates to the discussion from
https://github.com/slsa-framework/slsa-verifier/issues/806 regarding the
Node16 deprecation notice.

There are no changes to the `dist/` folder with the change to Node20
(used `v20.17.0`) - this is completely drop-in.

Signed-off-by: Kyle Colantonio <k@yle.sh>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-10-10 15:30:23 -04:00
Ramon Petgrave
4cd7d4802e chore: update go and golanci lint (#810) 
This PR updates go to 1.23.1 and updates golanci-lint to v1.61.1, while
fixing new lint errors.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-10-10 13:07:08 -04:00
Mend Renovate
9093b4fd79 fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.9 (#809) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-plugin-api](https://maven.apache.org/) |
`3.9.6` -> `3.9.9` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-plugin-api/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-plugin-api/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-plugin-api/3.9.6/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-plugin-api/3.9.6/3.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-10-07 17:09:17 +00:00
Mend Renovate
8fff4c861d chore(deps): update golang:1.21 docker digest to 4746d26 (#802) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `f2eb989` -> `4746d26` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41Ni4wIiwidXBkYXRlZEluVmVyIjoiMzguNTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
 2024-10-07 16:22:25 +00:00
Mend Renovate
9868d0ae94 chore(deps): update dependency pyyaml to v6.0.2 (#808) 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [pyyaml](https://pyyaml.org/)
([source](https://redirect.github.com/yaml/pyyaml)) | `==6.0.1` ->
`==6.0.2` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/pyyaml/6.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/pyyaml/6.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/pyyaml/6.0.1/6.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pyyaml/6.0.1/6.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>yaml/pyyaml (pyyaml)</summary>

###
[`v6.0.2`](https://redirect.github.com/yaml/pyyaml/releases/tag/6.0.2)

[Compare
Source](https://redirect.github.com/yaml/pyyaml/compare/6.0.1...6.0.2)

#### What's Changed

-   Support for Cython 3.x and Python 3.13.

**Full Changelog**: https://github.com/yaml/pyyaml/compare/6.0.1...6.0.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-10-07 07:26:38 +00:00
Mend Renovate
090586f5aa fix(deps): update golang.org/x/exp digest to 225e2ab (#803) 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `7f521ea` -> `225e2ab` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41Ni4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
 2024-10-07 03:12:18 -04:00
Ramon Petgrave
767ecf9e0a feat: handle dssev001 tlog entry types (#799) 
re: https://github.com/slsa-framework/slsa-github-generator/issues/3750

Rekor TLog entries can now be of the type dsse v0.0.1, as when what's
returned when using sigstore-go's `Bundle()`.

This is to support eventual Sigstore Bundles produced by
slsa-github-generator's "generic" generator, which will likely use
sigstore-go's Bundle to produce attestations

-
https://github.com/slsa-framework/slsa-github-generator/compare/main...ramonpetgrave64-internal-builder-sigstore-bundlev2#diff-b186a0c5d9ae459b11b694f05455568453699670926d21cad06cafec3dbf895eR101
-
https://github.com/slsa-framework/slsa-github-generator/actions/runs/10359750833

## Tesing

- Added unit tests with stub data
- manual invocations to very both new and old attestations and bundles,
with some modifications for testing purposes
-
https://github.com/slsa-framework/slsa-verifier/compare/main...verify-sigstore-go-Bundlev3#diff-94741068472ee694a12811cd704179dd478a9fa20a3bf45cf6ea2d4406214dc2R179

## Followup

Finish the work to produce bundles from the generic generators
-
https://github.com/slsa-framework/slsa-github-generator/compare/main...ramonpetgrave64-internal-builder-sigstore-bundlev2#diff-b186a0c5d9ae459b11b694f05455568453699670926d21cad06cafec3dbf895eR101

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-08-24 03:31:43 +00:00
Bob Callaway
b92dabfb1c feat: set user-agent header on Rekor requests (#801) 
This is part of an effort to track clients of Sigstore infrastructure,
and their versions.

Signed-off-by: Bob Callaway <bcallaway@google.com>
 2024-08-23 18:42:14 +07:00
Mend Renovate
1694bbf872 chore(config): migrate renovate config (#800) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

The Renovate config in this repository needs migrating. Typically this
is because one or more configuration options you are using have been
renamed.

You don't need to merge this PR right away, because Renovate will
continue to migrate these fields internally each time it runs. But later
some of these fields may be fully deprecated and the migrations removed.
So it's a good idea to merge this migration PR soon.





🔕 **Ignore**: Close this PR and you won't be reminded about config
migration again, but one day your current config may no longer be valid.

 Got questions? Does something look wrong to you? Please don't hesitate
to [request help
here](https://togithub.com/renovatebot/renovate/discussions).


---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).
 2024-08-14 00:02:10 -04:00
Ramon Petgrave
3f37511042 chore: fix vuln: override autolinker ^4.0.0 (#785) 
fixes
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11

markdown-toc's latest v1.2.0 is still vulnerable via a transitive
dependency, but hasn't received updates in a long time.

This PR overrides one of the other transitive dependencies to a
non-vulnerable version.

more info here
https://github.com/jonschlinkert/markdown-toc/issues/156#issuecomment-2197630000

# Testing process

- Manually invoked `make markdown-toc` and it did succeed, while also
adding a missing header in the README.
 - Made a few typos in the headers and markdown-toc did fix them.
 - Cloned markdown-toc, added the override, and its unit tests passed

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-08-13 19:08:24 +00:00
dependabot[bot]
e8275856e0 chore(deps): bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible in the go_modules group (#798) 
Bumps the go_modules group with 1 update:
[github.com/docker/docker](https://github.com/docker/docker).

Updates `github.com/docker/docker` from 26.1.4+incompatible to
26.1.5+incompatible
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/docker/releases">github.com/docker/docker's
releases</a>.</em></p>
<blockquote>
<h2>v26.1.5</h2>
<h2>26.1.5</h2>
<h3>Security</h3>
<p>This release contains a fix for <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110">CVE-2024-41110</a>
/ <a
href="https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq">GHSA-v23v-6jw2-98fq</a>
that impacted setups using <a
href="https://docs.docker.com/engine/extend/plugins_authorization/">authorization
plugins (AuthZ)</a>
for access control. No other changes are included in this release, and
this
release is otherwise identical for users not using AuthZ plugins.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/moby/moby/compare/v26.1.4...v26.1.5">https://github.com/moby/moby/compare/v26.1.4...v26.1.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="411e817ddf"><code>411e817</code></a>
Merge commit from fork</li>
<li><a
href="9cc85eaef1"><code>9cc85ea</code></a>
If url includes scheme, urlPath will drop hostname, which would not
match the...</li>
<li><a
href="820cab90bc"><code>820cab9</code></a>
Authz plugin security fixes for 0-length content and path
validation</li>
<li><a
href="6bc49067a6"><code>6bc4906</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/48123">#48123</a>
from vvoland/v26.1-48120</li>
<li><a
href="6fbdce4b94"><code>6fbdce4</code></a>
update to go1.21.12</li>
<li><a
href="f5334644ec"><code>f533464</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47986">#47986</a>
from vvoland/v26.1-47985</li>
<li><a
href="c1d4587d76"><code>c1d4587</code></a>
builder/mobyexporter: Add missing nil check</li>
<li><a
href="d6428049a5"><code>d642804</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47940">#47940</a>
from thaJeztah/26.1_backport_api_remove_container_c...</li>
<li><a
href="daba2462f5"><code>daba246</code></a>
docs: api: image inspect: remove Container and ContainerConfig</li>
<li>See full diff in <a
href="https://github.com/docker/docker/compare/v26.1.4...v26.1.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=26.1.4+incompatible&new-version=26.1.5+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-08-12 11:04:32 -04:00
Mend Renovate
489e79138b chore(deps): update golang:1.21 docker digest to f2eb989 (#796) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `b405b62` -> `f2eb989` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-08-05 16:21:16 +00:00
Ramon Petgrave
c789437815 feat: refactor: use sigstore-go for fetching TrustedRoot (#791) 
Uses the `sigstore-go` library for fetching the `TrustedRoot`, which
contains the Sigstore infrastructure certificates needed to validate the
leaf ephemeral certificates used to sign artifacts.

Refactors:

- replace `TrustedRootSingleton()` with `getDefaultCosignCheckOpts()`,
since only `VerifyImage()` will now need that data.
- replace `cosign.ValidateAndUnpackCert`
with`sigstoreVerify.VerifyLeafCertificate()`
- use `sync.Once` for sigstore and rekor clients, and the `TrustedRoot`

## Testing

- existing tests continue to pass
- [negative tests
](d96b977709/cli/slsa-verifier/main_regression_test.go (L450-L471))
against rekor TLogs
- manual invocations of `verify-artifact`.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-08-02 21:47:50 +00:00