saisatishkarra
9b2467f836
feat: fixes #724 : add input for --provenance-repository while image verification (#736)
...
@laurentsimon Added a new image verification cmd input
`--provenance-repository`
This replicates the feature of the `COSIGN_REPOSITORY` environment
variable when provenance is stored in a different repository/registry.
Order of precedence:
- If input `--provenance-repository` is set, leverages the non-empty
  input value
- If the env variable `COSIGN_REPOSITORY` is set, it is NOT consumed
README edit:
https://github.com/slsa-framework/slsa-verifier/pull/736/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R280
---------
Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2024-01-22 18:10:11 +00:00
Ramon Petgrave
ceaebee236
fix: #642: don't use go-cmp for outputting diff (#737)
...
Previously we used the go-cmp's Diff for displaying a human-friendly
diff between two structs in an error message.
I had intended to do a json print of the structs and do a line-by-line
diff. There is an internal library for calculating text diff, but I
don't see any external functions that expose it to make it available for
our use: https://pkg.go.dev/golang.org/x/tools/internal/diff
Instead, we will simply display both structs in their own "actual"
and "expected" sections. The user can use their other tools to find a
human-friendly diff.
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
2024-01-17 10:05:28 -08:00
Ian Lewis
b804933f00
chore: Remove ianlewis from CODEOWNERS (#732)
...
I'm not really contributing to slsa-verifier anymore.
Signed-off-by: Ian Lewis <ianlewis@google.com>
2024-01-16 08:32:34 -08:00
saisatishkarra
f09d99f91c
feat: Add cosign registry opts for provenance registry (#729)
...
triggered on specification of COSIGN_REPOSITORY env
---------
Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2024-01-04 01:39:42 +00:00
laurentsimon
e77e0855b1
chore: Remove asraa from CODEOWNERS (#728)
...
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2024-01-03 18:25:45 +00:00
laurentsimon
eecb791ed8
chore: Fix renovate.json (#727)
...
Should fix https://github.com/slsa-framework/slsa-verifier/issues/726
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2024-01-03 10:03:46 -08:00
Ian Lewis
fcc8bf32f5
ci: Make renovate schedule monthly (#725)
...
Makes renovate create PRs for dependency updates monthly rather than
weekly.
https://docs.renovatebot.com/presets-schedule/#schedulemonthly
Also sets vulnerability PRs to be scheduled daily.
https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts
Signed-off-by: Ian Lewis <ianlewis@google.com>
2023-12-05 15:55:59 -08:00
Mend Renovate
b72da83344
chore(deps): update github-actions (#695)
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` |
| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` |
| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` |
| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` |
| [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360)
[Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0)
- [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579)
</details>
<details>
<summary>actions/dependency-review-action (actions/dependency-review-action)</summary>
### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)
#### What's New
Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.
#### What's Changed
- Fix(docs): Correct action input name by [@oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)
#### New Contributors
- [@oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.0
### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)
#### What's Changed
Added `on-failure` option to `comment-summary-in-pr` setting by [@sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)
Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`.
#### New Contributors
- [@sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.8
</details>
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1)
[Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1)
#### What's Changed
In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library.
**Full Changelog**: https://github.com/actions/setup-node/compare/v3...v3.8.1
</details>
<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>
### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3)
[Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)
#### What's Changed
- chore(github): remove trailing whitespaces by [@ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313)
- Bump [@actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436)
**Full Changelog**: https://github.com/actions/upload-artifact/compare/v3...v3.1.3
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)
### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)
### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)
### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)
### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)
### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)
### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)
</details>
<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0)
[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)
#### What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270)
  - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes
- ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225)
##### Documentation
- 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)
#### New Contributors
- [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
- [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)
**Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0
</details>
<details>
<summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary>
### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190)
[Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0)
Release v1.9.0 includes bug fixes and new features.
See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0).
##### v1.9.0: BYOB framework (beta)
- **New**: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders.
##### v1.9.0: Maven builder (beta)
- **New**: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central.
##### v1.9.0: Gradle builder (beta)
- **New**: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central.
##### v1.9.0: JReleaser builder
- **New**: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java).
</details>
<details>
<summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary>
### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)
[Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0)
#### Summary
Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0
#### What's Changed
- chore: Update SHA256SUM.md for v2.3.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592)
- docs: Make npm package version and name non-optional by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591)
- docs: npm provenance verification from GitHub runner by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595)
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v18.16.9 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596)
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597)
- chore(deps): update dependency jasmine to v5 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598)
- feat: BYOB verification support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604)
- feat: Support for v1.0 verification in BYOB by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609)
- feat: Use env variable to retrieve trigger workflow by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615)
- test: Add test data for v1.6.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612)
- fix: Verify the TRW tag is a semver tag by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619)
- chore: Don't be verbose with tests locally by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620)
- fix: use ExternalParameters["source"] for the Source URI for SLSA v1.0 provenance by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621)
- test: re-generate container-based tests by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627)
- fix: revert to using resolvedDepdendencies for source verification by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629)
- refactor: Provenance tests by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628)
- fix(deps): update module github.com/sigstore/rekor to v1.2.0 [security] by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622)
- fix: only allow hashes of 256 bits or more by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633)
- fix: builder ID verification for testing by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635)
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634)
- chore: update toc in README.md by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636)
- fix: allow workflow_dispatch to trigger release.yml by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637)
- test: add tests for v1.7.0 builders by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638)
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567)
- fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606)
- chore(deps): update npm dev by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608)
- chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583)
- feat: Verify provenance by build type by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632)
- refactor: Use Go 1.20 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643)
- test: Add more ProvenanceFromEnvelope tests by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640)
- fix: pre-submit: e2e-cli.sh artifact download by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646)
- refactor: Add more git utils by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645)
- refactor: Use full builder id by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648)
- feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644)
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651)
- feat: move maven-plugin from slsa-github-generator by [@AdamKorcz](https://togithub.com/AdamKorcz) in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664)
- docs: Fix maven-plugin README by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671)
- feat: Verification for when sha1 is specified in BYOB TRW by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641)
- docs: Add example for maven verification plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676)
- chore: Add Kris to codeowners by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678)
- feat: Print byob builder by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677)
- test: Add test data for v1.8.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681)
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666)
- feat: Non-compulsory BuilderID for BYOB Builders by [@enteraga6](https://togithub.com/enteraga6) in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674)
- chore(deps): update golang docker tag to v1.21 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687)
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686)
- feat: GCB refactor for v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682)
- feat: Allow byob builders ref at main for e2e tests by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689)
- feat: Update doc and code for Maven plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680)
- feat: gcb v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691)
- feat: v1.9.0 regression tests by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696)
- fix: release failure by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697)
#### New Contributors
- [@AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664)
- [@enteraga6](https://togithub.com/enteraga6) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674)
**Full Changelog**: https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2023-12-01 22:18:37 +00:00
laurentsimon
e986dfc0ff
feat: Digest for new release (#722)
...
#label:release v2.4.1
How to LGTM this PR:
Ensure you have installed the GitHub client from https://cli.github.com.
If it is not installed in your `PATH`, set `export GH=/path/to/your/gh`
Set your `export GH_TOKEN=...`
Use [verify-release.sh](./verify-release.sh) script in this repository:
```bash
bash verify-release.sh v2.4.1
```
Once it completes, you will see the last line `Verifying artifact /tmp/tmp.SomeRanDOm/` and do:
```bash
sha256sum /tmp/tmp.SomeRanDOm/* | grep -v intoto
```
This will print out the hashes. Compare them to the changes in this PR.
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-11-07 17:23:25 -08:00
laurentsimon
7e1e47d7d7
docs: update release doc and rm binary (#716)
...
Signed-off-by: laurentsimon <laurentsimon@google.com>
v2.4.1-rc.1
v2.4.1
2023-10-16 13:44:13 -07:00
Mend Renovate
a7d5c7b0f1
fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.5 (#669)
...
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-plugin-api](https://maven.apache.org/) | `3.6.3` -> `3.9.5` | | | | |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
v2.4.1-rc.0
2023-10-10 02:06:04 +00:00
Mend Renovate
088a626879
fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.9.0 (#667)
...
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools) | `3.6.0` -> `3.9.0` | | | | |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2023-10-10 01:00:37 +00:00
laurentsimon
2184d9d604
chore: bump versions ( #715 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-10-10 00:27:33 +00:00
laurentsimon
3b171c4140
feat: Address unresolved comments from #705 ( #708 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/707
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-10-09 23:17:48 +00:00
dependabot[bot]
8602109f3f
chore(deps): bump org.apache.maven:maven-core from 3.2.5 to 3.8.1 in /experimental/maven-plugin ( #713 )
...
Bumps [org.apache.maven:maven-core](https://github.com/apache/maven) from 3.2.5 to 3.8.1.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="05c21c65bd "><code>05c21c6</code></a>
[maven-release-plugin] prepare release maven-3.8.1</li>
<li><a
href="d295dc362f "><code>d295dc3</code></a>
[MNG-7128] keep blocked attribute from mirrors in artifact
repositories</li>
<li><a
href="a46906806a "><code>a469068</code></a>
next version in branch 3.8.x is 3.8.1-SNAPSHOT</li>
<li><a
href="dad8a3e1c5 "><code>dad8a3e</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li><a
href="6aa1f4acf5 "><code>6aa1f4a</code></a>
[maven-release-plugin] prepare release maven-3.8.0</li>
<li><a
href="907d53ad32 "><code>907d53a</code></a>
[MNG-7118] block HTTP repositories by default</li>
<li><a
href="899465aeec "><code>899465a</code></a>
[MNG-7117] add support for blocked mirror</li>
<li><a
href="fa79cb22e4 "><code>fa79cb2</code></a>
[MNG-7116] add support for mirrorOf external:http:*</li>
<li><a
href="e5f6634e17 "><code>e5f6634</code></a>
use Maven Resolver 1.6.2</li>
<li><a
href="09f77da9b0 "><code>09f77da</code></a>
[MNG-7119] Upgrade Maven Wagon to 3.4.3</li>
<li>Additional commits viewable in <a
href="https://github.com/apache/maven/compare/maven-3.2.5...maven-3.8.1 ">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-09 23:04:57 +00:00
laurentsimon
417b7aacc6
feat: Rename verifySubjectDigest function ( #712 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/711
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-10-10 07:37:38 +09:00
Mend Renovate
0e5b3a3d11
fix(deps): update golang.org/x/exp digest to 7918f67 ( #694 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `10a5072` -> `7918f67` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
2023-10-09 09:59:53 -07:00
Trishank Karthik Kuppusamy
92e23214ec
docs: Propose a security policy ( #710 )
...
Propose a security policy (largely [borrowed](35c71e42cd/docs/SECURITY.md) from go-tuf) that users should consult in order to report any security vulnerability.
Note that privately reporting security vulnerabilities requires turning on a GitHub [setting](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository).
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
2023-10-03 09:49:43 -07:00
laurentsimon
f6ae402f45
fix: npm publish verification ( #705 )
...
- adding support for IEEE P1363 formatted signatures
- fix the npm publish attestation bug. The verification always returned
success, because it was not using PAE signature
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
2023-10-02 10:12:51 -07:00
laurentsimon
54010d9735
fix: Support npm v2 format ( #704 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/703
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-09-21 17:10:01 -07:00
Trishank Karthik Kuppusamy
e2c7ca1325
feat: Add homebrew formula to README ( #702 )
...
Add installation using Homebrew on macOS
---------
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
2023-09-21 14:36:52 -07:00
laurentsimon
d23c97947e
chore: Update doc for v2.4.0 ( #699 )
...
How to LGTM this PR (I'll work on a proper doc for this in
https://github.com/slsa-framework/slsa-github-generator/issues/112):
1. Clone repo
```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.4.0 # NOTE: use the file in _this_ PR.
# Note down the path to the temporary dir used. The bash script will print it on its first line as "INFO: using dir: /tmp/tmp.VaYi6HfbmL"
```
2. Run command below and compare to SHA256SUM.md in this PR
```
$ sha256sum /tmp/tmp.VaYi6HfbmL/*
```
The output hash should be the hash I'm updating to in this PR. If they
match, LGTM. If they don't, someone tampered with the released binary
and don't LGTM
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-08-25 12:09:40 -07:00
laurentsimon
886eb4b109
fix: link to installer Action ( #698 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-08-25 16:56:09 +00:00
laurentsimon
73d1bcba98
fix: release failure ( #697 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com>
v2.4.0-rc.1
v2.4.0
2023-08-24 15:58:45 -07:00
laurentsimon
80c7d86183
feat: v1.9.0 regression tests ( #696 )
...
Add regression tests for BYOB release.
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
v2.4.0-rc.0
2023-08-24 09:20:57 -07:00
laurentsimon
58eede7e66
feat: gcb v1.0 support ( #691 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/683
This is a large PR, but there is not much new code.
The code adding support for v1.0 is under:
- verifiers/internal/gcb/slsaprovenance/v1.0/*
- verifiers/internal/gcb/slsaprovenance/provenance.go
The rest is mostly some re-factoring needed
Remaining is regression tests, tracked in
https://github.com/slsa-framework/slsa-verifier/issues/690
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
2023-08-18 17:32:58 +00:00
laurentsimon
4b59ce4050
feat: Update doc and code for Maven plugin ( #680 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-08-16 01:46:57 +00:00
laurentsimon
2a24d8e0f1
feat: Allow byob builders ref at main for e2e tests ( #689 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-08-16 00:57:17 +00:00
laurentsimon
9aef8ff8aa
feat: GCB refactor for v1.0 support ( #682 )
...
In anticipation of GCB's v1.0 support, this PR re-factors the code to
look similar to GHA's code
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
2023-08-15 18:15:49 +00:00
Mend Renovate
b9a0e6babf
chore(deps): update github-actions ( #686 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | patch | `v3.0.6` -> `v3.0.7` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action | minor | `v3.7.0` -> `v3.8.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.21.3` -> `v2.21.4` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>
### [`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7): 3.0.7
[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7)
#### What's Changed
- Make GHES support / setup more clear by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/actions/dependency-review-action/pull/534 ](https://togithub.com/actions/dependency-review-action/pull/534 )
- Add an option to deny packages or groups of packages by
[@​adrienpessu](https://togithub.com/adrienpessu ) in
[https://github.com/actions/dependency-review-action/pull/544 ](https://togithub.com/actions/dependency-review-action/pull/544 )
#### New Contributors
- [@​rajbos](https://togithub.com/rajbos ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/534 ](https://togithub.com/actions/dependency-review-action/pull/534 )
- [@​adrienpessu](https://togithub.com/adrienpessu ) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/544 ](https://togithub.com/actions/dependency-review-action/pull/544 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.7
</details>
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
### [`v3.8.0`](https://togithub.com/actions/setup-node/releases/tag/v3.8.0)
[Compare Source](https://togithub.com/actions/setup-node/compare/v3.7.0...v3.8.0)
#### What's Changed
##### Bug fixes:
- Add check for existing paths by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/803 ](https://togithub.com/actions/setup-node/pull/803 )
- Resolve SymbolicLink by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/809 ](https://togithub.com/actions/setup-node/pull/809 )
- Change passing logic for cache input by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/816 ](https://togithub.com/actions/setup-node/pull/816 )
- Fix armv7 cache issue by
[@​louislam](https://togithub.com/louislam ) in
[https://github.com/actions/setup-node/pull/794 ](https://togithub.com/actions/setup-node/pull/794 )
- Update check-dist workflow name by
[@​sinchang](https://togithub.com/sinchang ) in
[https://github.com/actions/setup-node/pull/710 ](https://togithub.com/actions/setup-node/pull/710 )
##### Feature implementations:
- feat: handling the case where "node" is used for tool-versions file.
by [@​xytis](https://togithub.com/xytis ) in
[https://github.com/actions/setup-node/pull/812 ](https://togithub.com/actions/setup-node/pull/812 )
##### Documentation changes:
- Refer to semver package name in README.md by
[@​olleolleolle](https://togithub.com/olleolleolle ) in
[https://github.com/actions/setup-node/pull/808 ](https://togithub.com/actions/setup-node/pull/808 )
##### Update dependencies:
- Update toolkit cache to fix zstd by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/804 ](https://togithub.com/actions/setup-node/pull/804 )
- Bump tough-cookie and
[@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js ) by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/802 ](https://togithub.com/actions/setup-node/pull/802 )
- Bump semver from 6.1.2 to 6.3.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/807 ](https://togithub.com/actions/setup-node/pull/807 )
- Bump word-wrap from 1.2.3 to 1.2.4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/815 ](https://togithub.com/actions/setup-node/pull/815 )
#### New Contributors
- [@​olleolleolle](https://togithub.com/olleolleolle ) made their
first contribution in
[https://github.com/actions/setup-node/pull/808 ](https://togithub.com/actions/setup-node/pull/808 )
- [@​louislam](https://togithub.com/louislam ) made their first
contribution in
[https://github.com/actions/setup-node/pull/794 ](https://togithub.com/actions/setup-node/pull/794 )
- [@​sinchang](https://togithub.com/sinchang ) made their first
contribution in
[https://github.com/actions/setup-node/pull/710 ](https://togithub.com/actions/setup-node/pull/710 )
- [@​xytis](https://togithub.com/xytis ) made their first
contribution in
[https://github.com/actions/setup-node/pull/812 ](https://togithub.com/actions/setup-node/pull/812 )
**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.8.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
### [`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
2023-08-14 22:44:36 +00:00
Mend Renovate
9d7646a7af
chore(deps): update golang docker tag to v1.21 ( #687 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | minor | `1.19` -> `1.21` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
2023-08-14 15:34:48 -07:00
Noah Elzner
8bcf1f0525
feat: Non-compulsory BuilderID for BYOB Builders ( #674 )
...
/cc @mihaimaruseac
/cc @laurentsimon
Based off the prefix of the BuilderID within the provenance, if the
builder used to build the artifact is one of the BYOB builders of the
slsa-framework/slsa-github-generator repo, the --builderid flag is not
needed and is handled automatically. This was done to increase access to
users since before the automatic pickup of the builder-id would get the
delegator.
Test cases that cover verifyProvenance will need to be completed after
the v1.8.0 release of slsa-framework/slsa-github-generator.
The main structure that is changed is the ExpectedBuilderPath is
hardcoded now to slsa-framework builders within
`/cli/slsa-verifier/verify/verify_artifact.go`. This can later be
changed now if needed to be an input like the other fields of
`provenanceOpts` populated during `verify_artifact.go`. The added
function within `provenance.go`, `verifyBuilderIDPath`, is called during
`verifyProvenance` to check this path within `provenanceOpts`. Upon
failure of this function, the expected and received BuilderIDs are also
output.
closes #659
makes use of discussion on closed pr #673
---------
Signed-off-by: Noah Elzner <elzner@google.com>
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2023-08-11 14:20:58 +00:00
Mend Renovate
57e3f65b43
chore(deps): update github-actions ( #666 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-go](https://togithub.com/actions/setup-go) | action | minor | `v4.0.1` -> `v4.1.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.20.4` -> `v2.21.3` |
| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.7.0` -> `v1.8.0` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/setup-go (actions/setup-go)</summary>
### [`v4.1.0`](https://togithub.com/actions/setup-go/releases/tag/v4.1.0)
[Compare Source](https://togithub.com/actions/setup-go/compare/v4.0.1...v4.1.0)
##### What's Changed
In scope of this release, slow installation on Windows was fixed by
[@​dsame](https://togithub.com/dsame ) in
[https://github.com/actions/setup-go/pull/393 ](https://togithub.com/actions/setup-go/pull/393 )
and OS version was added to `primaryKey` for Ubuntu runners to avoid
conflicts
([https://github.com/actions/setup-go/pull/383 ](https://togithub.com/actions/setup-go/pull/383 ))
This release also includes the following changes:
- Remove implicit dependencies by
[@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) in
[https://github.com/actions/setup-go/pull/378 ](https://togithub.com/actions/setup-go/pull/378 )
- Update action.yml by [@​mkelly](https://togithub.com/mkelly ) in
[https://github.com/actions/setup-go/pull/379 ](https://togithub.com/actions/setup-go/pull/379 )
- Added a description that go-version should be specified as a string
type by [@​n3xem](https://togithub.com/n3xem ) in
[https://github.com/actions/setup-go/pull/367 ](https://togithub.com/actions/setup-go/pull/367 )
- Add note about YAML parsing versions by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-go/pull/382 ](https://togithub.com/actions/setup-go/pull/382 )
- Automatic update of configuration files from 05/23/2023 by
[@​github-actions](https://togithub.com/github-actions ) in
[https://github.com/actions/setup-go/pull/377 ](https://togithub.com/actions/setup-go/pull/377 )
- Bump tough-cookie and
[@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js ) by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/392 ](https://togithub.com/actions/setup-go/pull/392 )
- Bump word-wrap from 1.2.3 to 1.2.4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/397 ](https://togithub.com/actions/setup-go/pull/397 )
- Bump semver from 6.3.0 to 6.3.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/396 ](https://togithub.com/actions/setup-go/pull/396 )
##### New Contributors
- [@​mkelly](https://togithub.com/mkelly ) made their first
contribution in
[https://github.com/actions/setup-go/pull/379 ](https://togithub.com/actions/setup-go/pull/379 )
- [@​n3xem](https://togithub.com/n3xem ) made their first
contribution in
[https://github.com/actions/setup-go/pull/367 ](https://togithub.com/actions/setup-go/pull/367 )
**Full Changelog**:
https://github.com/actions/setup-go/compare/v4...v4.1.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
### [`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3)
### [`v2.21.2`](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2)
### [`v2.21.1`](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1)
### [`v2.21.0`](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0)
</details>
<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>
### [`v1.8.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v180)
[Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0)
Release v1.8.0 includes bug fixes and new features.
See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0).
##### v1.8.0: Generic Generator
- **Added**: A new [`base64-subjects-as-file`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.8.0/internal/builders/generic/README.md#workflow-inputs) input was added to allow for specifying a large subject list.
##### v1.8.0: Node.js Builder (beta)
- **Fixed**: Publishing for non-scoped packages was fixed (See [#​2359](https://togithub.com/slsa-framework/slsa-github-generator/issues/2359))
- **Fixed**: Documentation was updated to clarify that the GitHub Actions `deployment` event is not supported.
- **Changed**: The file extension for the generated provenance file was changed from `.sigstore` to `.build.slsa` in order to make it easier to identify provenance files regardless of file format.
- **Fixed**: The publish action was fixed to address an issue with the package name when using Node 16.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
2023-08-09 08:24:24 +09:00
Ian Lewis
612f4e525f
test: Add test data for v1.8.0 ( #681 )
...
Signed-off-by: Ian Lewis <ianlewis@google.com>
2023-08-08 13:58:30 +09:00
laurentsimon
9aa2319ef0
feat: Print byob builder ( #677 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/672
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-08-02 18:34:13 +00:00
laurentsimon
6affdbb81c
chore: Add Kris to codeowners ( #678 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-08-02 16:04:53 +00:00
laurentsimon
4d0ebdcbee
docs: Add example for maven verification plugin ( #676 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/675
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-08-02 11:55:09 +09:00
Ian Lewis
e7fc7a4621
feat: Verification for when sha1 is specified in BYOB TRW ( #641 )
...
Fixes #600
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2023-07-25 11:29:15 +09:00
laurentsimon
66ae6bcdf6
docs: Fix maven-plugin README ( #671 )
...
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2023-07-25 00:56:29 +00:00
AdamKorcz
1d65178d65
move maven-plugin from slsa-github-generator ( #664 )
...
Adds the maven plugin from https://github.com/slsa-framework/slsa-github-generator/pull/2439
Signed-off-by: AdamKorcz <adam@adalogics.com>
2023-07-21 22:40:01 +00:00
Mend Renovate
59f6ba3e00
chore(deps): update github-actions ( #651 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://togithub.com/actions/setup-node) | action | minor | `v3.6.0` -> `v3.7.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.3.6` -> `v2.20.4` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.1.3` -> `v2.2.0` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
### [`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0)
[Compare Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0)
##### What's Changed
In scope of this release we added a logic to save an additional cache
path for yarn 3 ([related pull
request](https://togithub.com/actions/setup-node/pull/744 ) and [feature
request](https://togithub.com/actions/setup-node/issues/325 )). Moreover,
we added functionality to use all the sub directories derived from
`cache-dependency-path` input and add detect all dependencies
directories to cache (related [pull
request](https://togithub.com/actions/setup-node/pull/735 ) and [feature
request](https://togithub.com/actions/setup-node/issues/488 )).
##### Besides, we made such changes as:
- Replace workflow badge with new badge by
[@​jongwooo](https://togithub.com/jongwooo ) in
[https://github.com/actions/setup-node/pull/653 ](https://togithub.com/actions/setup-node/pull/653 )
- Fix a minor typo by [@​phanan](https://togithub.com/phanan ) in
[https://github.com/actions/setup-node/pull/662 ](https://togithub.com/actions/setup-node/pull/662 )
- docs: fix typo in advanced-usage.md by
[@​remarkablemark](https://togithub.com/remarkablemark ) in
[https://github.com/actions/setup-node/pull/697 ](https://togithub.com/actions/setup-node/pull/697 )
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by
[@​domdomegg](https://togithub.com/domdomegg ) in
[https://github.com/actions/setup-node/pull/718 ](https://togithub.com/actions/setup-node/pull/718 )
- Update to node 18.x by
[@​feelepxyz](https://togithub.com/feelepxyz ) in
[https://github.com/actions/setup-node/pull/751 ](https://togithub.com/actions/setup-node/pull/751 )
- Remove implicit dependencies by
[@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) in
[https://github.com/actions/setup-node/pull/758 ](https://togithub.com/actions/setup-node/pull/758 )
- Fix description about ensuring workflow access to private package by
[@​x86chi](https://togithub.com/x86chi ) in
[https://github.com/actions/setup-node/pull/704 ](https://togithub.com/actions/setup-node/pull/704 )
##### New Contributors
- [@​jongwooo](https://togithub.com/jongwooo ) made their first
contribution in
[https://github.com/actions/setup-node/pull/653 ](https://togithub.com/actions/setup-node/pull/653 )
- [@​phanan](https://togithub.com/phanan ) made their first
contribution in
[https://github.com/actions/setup-node/pull/662 ](https://togithub.com/actions/setup-node/pull/662 )
- [@​remarkablemark](https://togithub.com/remarkablemark ) made
their first contribution in
[https://github.com/actions/setup-node/pull/697 ](https://togithub.com/actions/setup-node/pull/697 )
- [@​domdomegg](https://togithub.com/domdomegg ) made their first
contribution in
[https://github.com/actions/setup-node/pull/718 ](https://togithub.com/actions/setup-node/pull/718 )
- [@​feelepxyz](https://togithub.com/feelepxyz ) made their first
contribution in
[https://github.com/actions/setup-node/pull/751 ](https://togithub.com/actions/setup-node/pull/751 )
- [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) made
their first contribution in
[https://github.com/actions/setup-node/pull/758 ](https://togithub.com/actions/setup-node/pull/758 )
- [@​x86chi](https://togithub.com/x86chi ) made their first
contribution in
[https://github.com/actions/setup-node/pull/704 ](https://togithub.com/actions/setup-node/pull/704 )
**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.7.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
### [`v2.20.4`](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4)
### [`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3)
### [`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2)
### [`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1)
### [`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0)
[Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0)
</details>
<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
###
[`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0 )
[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0 )
#### What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1192 ](https://togithub.com/ossf/scorecard-action/pull/1192 )
#### Scorecard Result Viewer
Thanks to contributions from
[@​cynthia-sg](https://togithub.com/cynthia-sg ) and
[@​tegioz](https://togithub.com/tegioz ) at
[CLOMonitor](https://togithub.com/cncf/clomonitor ), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.
-
[https://github.com/ossf/scorecard-webapp/pull/406 ](https://togithub.com/ossf/scorecard-webapp/pull/406 )
-
[https://github.com/ossf/scorecard-webapp/pull/422 ](https://togithub.com/ossf/scorecard-webapp/pull/422 )
As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard )
Checkout our
[README](08b4669551/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.
#### Publishing Results
This release contains two fixes which will improve the user experience
when `publish_results` is `true`
- Runs that fail our [workflow
restrictions](08b4669551/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156 ](https://togithub.com/ossf/scorecard-action/pull/1156 ),
resolved
[https://github.com/ossf/scorecard-action/issues/1150 ](https://togithub.com/ossf/scorecard-action/issues/1150 ))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191 ](https://togithub.com/ossf/scorecard-action/pull/1191 ))
#### Docs
- 📖 Update README to accept fine-grained tokens by
[@​pnacht](https://togithub.com/pnacht ) in
[https://github.com/ossf/scorecard-action/pull/1175 ](https://togithub.com/ossf/scorecard-action/pull/1175 )
- 📖 Update installation instructions to match current GitHub UI by
[@​joycebrum](https://togithub.com/joycebrum ) in
[https://github.com/ossf/scorecard-action/pull/1153 ](https://togithub.com/ossf/scorecard-action/pull/1153 )
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
#### New Contributors
- [@​bobcallaway](https://togithub.com/bobcallaway ) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140 ](https://togithub.com/ossf/scorecard-action/pull/1140 )
- [@​pnacht](https://togithub.com/pnacht ) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175 ](https://togithub.com/ossf/scorecard-action/pull/1175 )
**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-07-18 10:51:23 +09:00
laurentsimon
c6d12b745c
feat: Use tags vX.Y.Z-<language> for JReleaser builders ( #644 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-07-10 16:42:48 +00:00
Ian Lewis
1778495466
refactor: Use full builder id ( #648 )
...
Internally use full builder IDs including server url rather than workflow
ref as a path. This should hopefully avoid confusion between dealing
with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path
portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include
the domain/server url part of the workflow/builder ID. The Fulcio OID
claims include the full url.
Code extracted from #641
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-07-10 06:23:48 +00:00
Ian Lewis
965f5784c1
refactor: Add more git utils ( #645 )
...
Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and
`ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref
type whereas `ValidateGitRef` validates that the type is of a given
type.
Code extracted from #641
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-07-01 09:03:52 +09:00
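An added example, not slsa-verifier's own code, that shows the two ideas from #648 and #645 side by side: a builder ID is only complete with its server URL, so a path-only `GITHUB_WORKFLOW_REF` value is refused unless it is explicitly joined to the server it came from, and a git source is split into a repository URI plus ref, with the ref kind checked separately so a branch cannot satisfy a check that expects a tag. The function names echo the commit messages, but the signatures, the normalisation rules and the sample inputs are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// splitRef separates "<location>@<ref>" on the last '@', so a ref is never
// confused with user-info or any other '@' earlier in the location.
func splitRef(s string) (loc, ref string, err error) {
	i := strings.LastIndex(s, "@")
	if i <= 0 || i == len(s)-1 {
		return "", "", fmt.Errorf("%q: expected <location>@<ref>", s)
	}
	return s[:i], s[i+1:], nil
}

// BuilderID is the full identity of a reusable-workflow builder: the absolute
// URL of the workflow file and the ref it ran at.
type BuilderID struct {
	Name    string // e.g. https://github.com/org/repo/.github/workflows/b.yml
	Version string // e.g. refs/tags/v1.2.3
}

// ParseBuilderID accepts only full IDs that carry the server URL. A bare
// GITHUB_WORKFLOW_REF path is rejected instead of being silently assumed to
// live on github.com; callers must go through BuilderIDFromWorkflowRef.
func ParseBuilderID(id string) (BuilderID, error) {
	name, ver, err := splitRef(id)
	if err != nil {
		return BuilderID{}, err
	}
	if !strings.HasPrefix(name, "https://") {
		return BuilderID{}, fmt.Errorf("builder ID %q must include the server URL", id)
	}
	return BuilderID{Name: name, Version: ver}, nil
}

// BuilderIDFromWorkflowRef turns a path-only GITHUB_WORKFLOW_REF value into a
// full builder ID by prefixing the server URL the runner reported.
func BuilderIDFromWorkflowRef(serverURL, workflowRef string) (BuilderID, error) {
	return ParseBuilderID(strings.TrimSuffix(serverURL, "/") + "/" + workflowRef)
}

// NormalizeGitURI applies the assumed rules for this example: drop a trailing
// ".git" and ensure the "git+https://" form used in provenance.
func NormalizeGitURI(uri string) string {
	uri = strings.TrimSuffix(uri, ".git")
	if strings.HasPrefix(uri, "https://") {
		return "git+" + uri
	}
	return uri
}

// ParseGitURIAndRef splits "git+https://host/org/repo@refs/tags/v1" into a
// normalised repository URI and the ref; input without a ref yields ref "".
func ParseGitURIAndRef(s string) (uri, ref string, err error) {
	if !strings.Contains(s, "@") {
		return NormalizeGitURI(s), "", nil
	}
	uri, ref, err = splitRef(s)
	if err != nil {
		return "", "", err
	}
	return NormalizeGitURI(uri), ref, nil
}

var errRefType = errors.New("git ref is not of the required type")

// ValidateGitRef is strict about the ref kind ("tags" or "heads"), so a
// verifier that expects a release tag cannot be satisfied by a branch ref.
func ValidateGitRef(ref, kind string) error {
	prefix := "refs/" + kind + "/"
	if !strings.HasPrefix(ref, prefix) || len(ref) == len(prefix) {
		return fmt.Errorf("%w: %q is not %s*", errRefType, ref, prefix)
	}
	return nil
}

func main() {
	// Constructed inputs resembling what a GitHub runner exposes.
	full, _ := ParseBuilderID("https://github.com/org/repo/.github/workflows/b.yml@refs/tags/v1.2.3")
	fromRef, _ := BuilderIDFromWorkflowRef("https://github.com", "org/repo/.github/workflows/b.yml@refs/tags/v1.2.3")
	fmt.Println(full == fromRef) // both forms resolve to the same identity
	uri, ref, _ := ParseGitURIAndRef("https://github.com/org/repo.git@refs/heads/main")
	fmt.Println(uri, ref, ValidateGitRef(ref, "tags"))
}
```

Splitting on the last `@` rather than the first is deliberate: the location part may legitimately contain `@` in other hosting setups, whereas a git ref never does.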
Ian Lewis
e2b1828894
fix: pre-submit: e2e-cli.sh artifact download ( #646 )
...
Updates #647
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-29 10:05:12 -07:00
Ian Lewis
90f4f23e1e
test: Add more ProvenanceFromEnvelope tests ( #640 )
...
Fixes #573
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-26 02:03:34 +00:00
Ian Lewis
f025c630ac
refactor: Use Go 1.20 ( #643 )
...
Fixes #589
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-26 10:49:52 +09:00
Ian Lewis
d2dc8193ae
feat: Verify provenance by build type ( #632 )
...
Fixes #473
Updates handling of provenance by providing implementations based on
[buildType](https://slsa.dev/provenance/v1#buildType ) since this
determines how to interpret parameters and dependencies. This is done
because we need a way to interpret parameters not just based on the
predicateType. The 3 major build types with format differences are:
- non-BYOB SLSA v0.2
- BYOB SLSA v0.2
- BYOB SLSA v1.0
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-16 09:54:20 +09:00
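An added example, not the project's implementation, of the dispatch #632 describes: the predicateType decides where `buildType` lives (top level of the predicate in SLSA v0.2, under `buildDefinition` in v1), and the buildType decides which handler interprets the parameters. The two predicate type URIs are the published SLSA ones; the buildType URIs, the parameter layouts each handler reads and the sample statements are constructed assumptions for this illustration. The point a verifier must get right is the default: a statement whose (predicateType, buildType) pair has no handler is refused, never parsed with a handler written for a different layout.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Predicate type URIs are the published SLSA ones; the buildType URIs are
// placeholder values for this example only.
const (
	predicateV02 = "https://slsa.dev/provenance/v0.2"
	predicateV1  = "https://slsa.dev/provenance/v1"
	btV02Native  = "https://example.com/buildtypes/native@v1" // non-BYOB v0.2
	btV02BYOB    = "https://example.com/buildtypes/byob@v0"   // BYOB v0.2
	btV1BYOB     = "https://example.com/buildtypes/byob@v1"   // BYOB v1.0
)

// statement is the subset of an in-toto Statement needed to route provenance.
type statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Provenance is the common view that every buildType handler produces.
type Provenance struct{ PredicateType, BuildType, SourceURI string }

// field walks a JSON object along a key path and returns the string leaf,
// or "" if any step is missing or has the wrong shape.
func field(raw json.RawMessage, path ...string) string {
	var cur any
	if json.Unmarshal(raw, &cur) != nil {
		return ""
	}
	for _, k := range path {
		m, ok := cur.(map[string]any)
		if !ok {
			return ""
		}
		cur = m[k]
	}
	s, _ := cur.(string)
	return s
}

// A handler knows where its buildType records the source repository.
type handler func(pred json.RawMessage) string

// handlers is keyed by predicateType, then buildType; the layouts below are
// assumed for the example. Unknown pairs are rejected in ParseProvenance.
var handlers = map[string]map[string]handler{
	predicateV02: {
		// non-BYOB v0.2: the source is the workflow's configSource
		btV02Native: func(p json.RawMessage) string { return field(p, "invocation", "configSource", "uri") },
		// BYOB v0.2: the delegating builder passes the source as a parameter
		btV02BYOB: func(p json.RawMessage) string { return field(p, "invocation", "parameters", "sourceUri") },
	},
	predicateV1: {
		// BYOB v1: externalParameters carries the source
		btV1BYOB: func(p json.RawMessage) string {
			return field(p, "buildDefinition", "externalParameters", "source", "uri")
		},
	},
}

// buildTypeOf locates buildType, whose position depends on the predicate
// version, and refuses statements that do not declare one.
func buildTypeOf(predicateType string, pred json.RawMessage) (string, error) {
	var bt string
	switch predicateType {
	case predicateV02:
		bt = field(pred, "buildType")
	case predicateV1:
		bt = field(pred, "buildDefinition", "buildType")
	default:
		return "", fmt.Errorf("unsupported predicateType %q", predicateType)
	}
	if bt == "" {
		return "", fmt.Errorf("%s: buildType missing", predicateType)
	}
	return bt, nil
}

// ParseProvenance routes a statement to the matching handler or refuses it.
func ParseProvenance(raw []byte) (*Provenance, error) {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, err
	}
	bt, err := buildTypeOf(st.PredicateType, st.Predicate)
	if err != nil {
		return nil, err
	}
	h, ok := handlers[st.PredicateType][bt]
	if !ok {
		return nil, fmt.Errorf("no handler for %q with buildType %q", st.PredicateType, bt)
	}
	src := h(st.Predicate)
	if src == "" {
		return nil, fmt.Errorf("buildType %q: source URI missing", bt)
	}
	return &Provenance{st.PredicateType, bt, src}, nil
}

func main() {
	// Constructed sample statement, not captured from a real build.
	p, err := ParseProvenance([]byte(`{"predicateType":"https://slsa.dev/provenance/v1","predicate":{"buildDefinition":{"buildType":"https://example.com/buildtypes/byob@v1","externalParameters":{"source":{"uri":"git+https://github.com/org/repo@refs/tags/v1.0.0"}}}}}`))
	fmt.Println(p, err)
}
```

The handler table is looked up by both keys on purpose: the same buildType string could in principle appear under either predicate version, and the two versions place their parameters differently, so the pair, not the buildType alone, selects the parser.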
Mend Renovate
7aa6533540
chore(deps): update golang:1.19 docker digest to 83f9f84 ( #583 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 05:06:28 +00:00
Mend Renovate
658d91aa82
chore(deps): update npm dev ( #608 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 13:47:38 +09:00