Ramon Petgrave
c789437815
feat: refactor: use sigstore-go for fetching TrustedRoot ( #791 )
...
Uses the `sigstore-go` library for fetching the `TrustedRoot`, which
contains the Sigstore infrastructure certificates needed to validate the
leaf ephemeral certificates used to sign artifacts.
Refactors:
- replace `TrustedRootSingleton()` with `getDefaultCosignCheckOpts()`,
since only `VerifyImage()` will now need that data.
- replace `cosign.ValidateAndUnpackCert`
with`sigstoreVerify.VerifyLeafCertificate()`
- use `sync.Once` for sigstore and rekor clients, and the `TrustedRoot`
## Testing
- existing tests continue to pass
- [negative tests
](d96b977709/cli/slsa-verifier/main_regression_test.go (L450-L471)ramon.petgrave64@gmail.com >
2024-08-02 21:47:50 +00:00
Ramon Petgrave
88bcb6bff7
chore: pin yamllint, golangci-lint ( #783 )
...
pins the yaml-lint and golangci-lint dependency used in pre-submits.
This is to fix code-scanning alerts about unpinned dependencies
-
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/8
-
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/21
### Testing Process
The pre-submit test that uses yamllint and golangci-lint passes
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-08-02 19:51:07 +00:00
Ramon Petgrave
3714a2a468
fix: use tag for the builder in the release workflow ( #788 )
...
The slsa-github-generator's workflow ref needs to be pinned by tag, not
by hash.
Fixes this error
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9893912259/job/27330429383#step:4:17
```
Verifying slsa-verifier-linux-arm64 using slsa-verifier-linux-arm64.intoto.jsonl
Verified signature against tlog entry index 110869188 at URL: 24296fb24b32398091+ramonpetgrave64@users.noreply.github.com >
2024-07-11 12:34:52 -04:00
Mend Renovate
1049da4841
chore(deps): update github-actions ( #786 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout ) | action |
patch | `v4.1.1` -> `v4.1.7` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action )
| action | minor | `v4.2.5` -> `v4.3.3` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact )
| action | patch | `v4.1.4` -> `v4.1.7` |
| [actions/setup-go](https://togithub.com/actions/setup-go ) | action |
patch | `v5.0.0` -> `v5.0.1` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact )
| action | patch | `v4.3.1` -> `v4.3.3` |
|
[actionsdesk/lfs-warning](https://togithub.com/actionsdesk/lfs-warning )
| action | minor | `v3.2` -> `v3.3` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | minor | `v3.24.9` -> `v3.25.11` |
|
[golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action )
| action | pinDigest | -> `d6238b0` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action ) |
action | patch | `v2.3.1` -> `v2.3.3` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator )
| action | pinDigest | -> `c747fe7` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier )
| action | minor | `v2.4.1` -> `v2.5.1` |
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
###
[`v4.1.7`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.6...v4.1.7 )
- Bump the minor-npm-dependencies group across 1 directory with 4
updates by [@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/checkout/pull/1739 ](https://togithub.com/actions/checkout/pull/1739 )
- Bump actions/checkout from 3 to 4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/checkout/pull/1697 ](https://togithub.com/actions/checkout/pull/1697 )
- Check out other refs/\* by commit by
[@​orhantoy](https://togithub.com/orhantoy ) in
[https://github.com/actions/checkout/pull/1774 ](https://togithub.com/actions/checkout/pull/1774 )
- Pin actions/checkout's own workflows to a known, good, stable version.
by [@​jww3](https://togithub.com/jww3 ) in
[https://github.com/actions/checkout/pull/1776 ](https://togithub.com/actions/checkout/pull/1776 )
###
[`v4.1.6`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.5...v4.1.6 )
- Check platform to set archive extension appropriately by
[@​cory-miller](https://togithub.com/cory-miller ) in
[https://github.com/actions/checkout/pull/1732 ](https://togithub.com/actions/checkout/pull/1732 )
###
[`v4.1.5`](https://togithub.com/actions/checkout/releases/tag/v4.1.5 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.4...v4.1.5 )
#### What's Changed
- Update NPM dependencies by
[@​cory-miller](https://togithub.com/cory-miller ) in
[https://github.com/actions/checkout/pull/1703 ](https://togithub.com/actions/checkout/pull/1703 )
- Bump github/codeql-action from 2 to 3 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/checkout/pull/1694 ](https://togithub.com/actions/checkout/pull/1694 )
- Bump actions/setup-node from 1 to 4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/checkout/pull/1696 ](https://togithub.com/actions/checkout/pull/1696 )
- Bump actions/upload-artifact from 2 to 4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/checkout/pull/1695 ](https://togithub.com/actions/checkout/pull/1695 )
- README: Suggest `user.email` to be
`41898282+github-actions[bot]@​users.noreply.github.com` by
[@​cory-miller](https://togithub.com/cory-miller ) in
[https://github.com/actions/checkout/pull/1707 ](https://togithub.com/actions/checkout/pull/1707 )
**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.4...v4.1.5
###
[`v4.1.4`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.3...v4.1.4 )
- Disable `extensions.worktreeConfig` when disabling `sparse-checkout`
by [@​jww3](https://togithub.com/jww3 ) in
[https://github.com/actions/checkout/pull/1692 ](https://togithub.com/actions/checkout/pull/1692 )
- Add dependabot config by
[@​cory-miller](https://togithub.com/cory-miller ) in
[https://github.com/actions/checkout/pull/1688 ](https://togithub.com/actions/checkout/pull/1688 )
- Bump the minor-actions-dependencies group with 2 updates by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/checkout/pull/1693 ](https://togithub.com/actions/checkout/pull/1693 )
- Bump word-wrap from 1.2.3 to 1.2.5 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/checkout/pull/1643 ](https://togithub.com/actions/checkout/pull/1643 )
###
[`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3 )
#### What's Changed
- Update `actions/checkout` version in `update-main-version.yml` by
[@​jww3](https://togithub.com/jww3 ) in
[https://github.com/actions/checkout/pull/1650 ](https://togithub.com/actions/checkout/pull/1650 )
- Check git version before attempting to disable `sparse-checkout` by
[@​jww3](https://togithub.com/jww3 ) in
[https://github.com/actions/checkout/pull/1656 ](https://togithub.com/actions/checkout/pull/1656 )
- Add SSH user parameter by
[@​cory-miller](https://togithub.com/cory-miller ) in
[https://github.com/actions/checkout/pull/1685 ](https://togithub.com/actions/checkout/pull/1685 )
**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.2...v4.1.3
###
[`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2 )
- Fix: Disable sparse checkout whenever `sparse-checkout` option is not
present [@​dscho](https://togithub.com/dscho ) in
[https://github.com/actions/checkout/pull/1598 ](https://togithub.com/actions/checkout/pull/1598 )
</details>
<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>
###
[`v4.3.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.3 ):
Notes for v4.3.3
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3 )
#### What's Changed
- Allow slashes in purl package names by
[@​juxtin](https://togithub.com/juxtin ) in
[https://github.com/actions/dependency-review-action/pull/765 ](https://togithub.com/actions/dependency-review-action/pull/765 )
- use the v3 version of the deps.dev API by
[@​josieang](https://togithub.com/josieang ) in
[https://github.com/actions/dependency-review-action/pull/741 ](https://togithub.com/actions/dependency-review-action/pull/741 )
- PR with suggestions - \[Improvement]: Help streamline / simplify
dependency review action README by
[@​am-stead](https://togithub.com/am-stead ) in
[https://github.com/actions/dependency-review-action/pull/773 ](https://togithub.com/actions/dependency-review-action/pull/773 )
- fix show-openssf-scorecard-levels input by
[@​ramann](https://togithub.com/ramann ) in
[https://github.com/actions/dependency-review-action/pull/776 ](https://togithub.com/actions/dependency-review-action/pull/776 )
- Updates to the contribution guidelines by
[@​jonjanego](https://togithub.com/jonjanego ) in
[https://github.com/actions/dependency-review-action/pull/778 ](https://togithub.com/actions/dependency-review-action/pull/778 )
- Create issue templates by
[@​jonjanego](https://togithub.com/jonjanego ) in
[https://github.com/actions/dependency-review-action/pull/777 ](https://togithub.com/actions/dependency-review-action/pull/777 )
- Fix the max comment length issue by
[@​jhutchings1](https://togithub.com/jhutchings1 ) and
[@​elireisman](https://togithub.com/elireisman ) in
[https://github.com/actions/dependency-review-action/pull/767 ](https://togithub.com/actions/dependency-review-action/pull/767 )
- Bump project version to 4.3.3 in prep for a release by
[@​elireisman](https://togithub.com/elireisman ) in
[https://github.com/actions/dependency-review-action/pull/781 ](https://togithub.com/actions/dependency-review-action/pull/781 )
#### New Contributors
- [@​josieang](https://togithub.com/josieang ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/741 ](https://togithub.com/actions/dependency-review-action/pull/741 )
- [@​am-stead](https://togithub.com/am-stead ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/773 ](https://togithub.com/actions/dependency-review-action/pull/773 )
- [@​ramann](https://togithub.com/ramann ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/776 ](https://togithub.com/actions/dependency-review-action/pull/776 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3
###
[`v4.3.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.2 )
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2 )
#### What's Changed
- Fix package-url parsing for allow-dependencies-licenses by
[@​juxtin](https://togithub.com/juxtin ) in
[https://github.com/actions/dependency-review-action/pull/761 ](https://togithub.com/actions/dependency-review-action/pull/761 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2
###
[`v4.3.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.1 )
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.0...v4.3.1 )
#### What's Changed
This release fixes some bugs related to package-url parsing that were
introduced in 4.3.0. See
[https://github.com/actions/dependency-review-action/pull/753 ](https://togithub.com/actions/dependency-review-action/pull/753 ).
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/V4.3.0...v4.3.1
###
[`v4.3.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.0 )
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.5...v4.3.0 )
#### New Features
- The `deny-packages` option can now be used without a version number to
exclude *all* versions of a package.
#### What's Changed
- Fix action variable name for scorecard by
[@​lukehinds](https://togithub.com/lukehinds ) in
[https://github.com/actions/dependency-review-action/pull/735 ](https://togithub.com/actions/dependency-review-action/pull/735 )
- Fix extra https:// in summary by
[@​jhutchings1](https://togithub.com/jhutchings1 ) in
[https://github.com/actions/dependency-review-action/pull/748 ](https://togithub.com/actions/dependency-review-action/pull/748 )
- Bump typescript from 5.3.3 to 5.4.5 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/744 ](https://togithub.com/actions/dependency-review-action/pull/744 )
- Bump eslint-plugin-github from 4.10.1 to 4.10.2 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/737 ](https://togithub.com/actions/dependency-review-action/pull/737 )
- Show denied packages with red X by
[@​juxtin](https://togithub.com/juxtin ) in
[https://github.com/actions/dependency-review-action/pull/750 ](https://togithub.com/actions/dependency-review-action/pull/750 )
- deny-packages configuration option can deny specified version or all
packages by [@​febuiles](https://togithub.com/febuiles ) and
[@​bteng22](https://togithub.com/bteng22 ) in
[https://github.com/actions/dependency-review-action/pull/733 ](https://togithub.com/actions/dependency-review-action/pull/733 )
#### New Contributors
- [@​bteng22](https://togithub.com/bteng22 ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/733 ](https://togithub.com/actions/dependency-review-action/pull/733 )
- [@​lukehinds](https://togithub.com/lukehinds ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/735 ](https://togithub.com/actions/dependency-review-action/pull/735 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.5...V4.3.0
</details>
<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>
###
[`v4.1.7`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.7 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.6...v4.1.7 )
#### What's Changed
- Update
[@​actions/artifact](https://togithub.com/actions/artifact )
dependency by [@​bethanyj28](https://togithub.com/bethanyj28 ) in
[https://github.com/actions/download-artifact/pull/325 ](https://togithub.com/actions/download-artifact/pull/325 )
**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.6...v4.1.7
###
[`v4.1.6`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.6 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.5...v4.1.6 )
#### What's Changed
- updating `@actions/artifact` dependency to v2.1.6 by
[@​eggyhead](https://togithub.com/eggyhead ) in
[https://github.com/actions/download-artifact/pull/324 ](https://togithub.com/actions/download-artifact/pull/324 )
**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.5...v4.1.6
###
[`v4.1.5`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.5 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.4...v4.1.5 )
#### What's Changed
- Update readme with v3/v2/v1 deprecation notice by
[@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/download-artifact/pull/322 ](https://togithub.com/actions/download-artifact/pull/322 )
- Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact`
to v2.1.5
**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.4...v4.1.5
</details>
<details>
<summary>actions/setup-go (actions/setup-go)</summary>
###
[`v5.0.1`](https://togithub.com/actions/setup-go/releases/tag/v5.0.1 )
[Compare
Source](https://togithub.com/actions/setup-go/compare/v5.0.0...v5.0.1 )
#### What's Changed
- Bump undici from 5.28.2 to 5.28.3 and dependencies upgrade by
[@​dependabot](https://togithub.com/dependabot ) ,
[@​HarithaVattikuti](https://togithub.com/HarithaVattikuti ) in
[https://github.com/actions/setup-go/pull/465 ](https://togithub.com/actions/setup-go/pull/465 )
- Update documentation with latest V5 release notes by
[@​ab](https://togithub.com/ab ) in
[https://github.com/actions/setup-go/pull/459 ](https://togithub.com/actions/setup-go/pull/459 )
- Update version documentation by
[@​178inaba](https://togithub.com/178inaba ) in
[https://github.com/actions/setup-go/pull/458 ](https://togithub.com/actions/setup-go/pull/458 )
- Documentation update of `actions/setup-go` to v5 by
[@​chenrui333](https://togithub.com/chenrui333 ) in
[https://github.com/actions/setup-go/pull/449 ](https://togithub.com/actions/setup-go/pull/449 )
#### New Contributors
- [@​ab](https://togithub.com/ab ) made their first contribution in
[https://github.com/actions/setup-go/pull/459 ](https://togithub.com/actions/setup-go/pull/459 )
**Full Changelog**:
https://github.com/actions/setup-go/compare/v5.0.0...v5.0.1
</details>
<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>
###
[`v4.3.3`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.3 )
[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.2...v4.3.3 )
##### What's Changed
- updating `@actions/artifact` dependency to v2.1.6 by
[@​eggyhead](https://togithub.com/eggyhead ) in
[https://github.com/actions/upload-artifact/pull/565 ](https://togithub.com/actions/upload-artifact/pull/565 )
**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3
###
[`v4.3.2`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.2 )
[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.1...v4.3.2 )
#### What's Changed
- Update release-new-action-version.yml by
[@​konradpabjan](https://togithub.com/konradpabjan ) in
[https://github.com/actions/upload-artifact/pull/516 ](https://togithub.com/actions/upload-artifact/pull/516 )
- Minor fix to the migration readme by
[@​andrewakim](https://togithub.com/andrewakim ) in
[https://github.com/actions/upload-artifact/pull/523 ](https://togithub.com/actions/upload-artifact/pull/523 )
- Update readme with v3/v2/v1 deprecation notice by
[@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/upload-artifact/pull/561 ](https://togithub.com/actions/upload-artifact/pull/561 )
- updating `@actions/artifact` dependency to v2.1.5 and `@actions/core`
to v1.0.1 by [@​eggyhead](https://togithub.com/eggyhead ) in
[https://github.com/actions/upload-artifact/pull/562 ](https://togithub.com/actions/upload-artifact/pull/562 )
#### New Contributors
- [@​andrewakim](https://togithub.com/andrewakim ) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/523 ](https://togithub.com/actions/upload-artifact/pull/523 )
**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2
</details>
<details>
<summary>actionsdesk/lfs-warning (actionsdesk/lfs-warning)</summary>
### [`v3.3`](https://togithub.com/ppremk/lfs-warning/releases/tag/v3.3 )
[Compare
Source](https://togithub.com/actionsdesk/lfs-warning/compare/v3.2...v3.3 )
#### What's Changed
- update node js to 16 by
[@​GlazerMann](https://togithub.com/GlazerMann ) in
[https://github.com/ppremk/lfs-warning/pull/148 ](https://togithub.com/ppremk/lfs-warning/pull/148 )
- Fixing README to match repo move by
[@​samthebest](https://togithub.com/samthebest ) in
[https://github.com/ppremk/lfs-warning/pull/153 ](https://togithub.com/ppremk/lfs-warning/pull/153 )
- Update CODEOWNERS by [@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ppremk/lfs-warning/pull/158 ](https://togithub.com/ppremk/lfs-warning/pull/158 )
- Bump http-cache-semantics from 4.1.0 to 4.1.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/ppremk/lfs-warning/pull/151 ](https://togithub.com/ppremk/lfs-warning/pull/151 )
- Bump [@​babel/traverse](https://togithub.com/babel/traverse )
from 7.15.4 to 7.23.4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/ppremk/lfs-warning/pull/159 ](https://togithub.com/ppremk/lfs-warning/pull/159 )
- Bump tough-cookie from 4.0.0 to 4.1.3 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/ppremk/lfs-warning/pull/160 ](https://togithub.com/ppremk/lfs-warning/pull/160 )
- Bump cacheable-request and gts by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/ppremk/lfs-warning/pull/152 ](https://togithub.com/ppremk/lfs-warning/pull/152 )
- Update emoji and convert file list to markdown list by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ppremk/lfs-warning/pull/161 ](https://togithub.com/ppremk/lfs-warning/pull/161 )
- Bump got and gts by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/ppremk/lfs-warning/pull/155 ](https://togithub.com/ppremk/lfs-warning/pull/155 )
- Exclude files without blob_url when getting PR blobs by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ppremk/lfs-warning/pull/162 ](https://togithub.com/ppremk/lfs-warning/pull/162 )
- Support pull_request_target by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ppremk/lfs-warning/pull/164 ](https://togithub.com/ppremk/lfs-warning/pull/164 )
- Update-node by [@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ppremk/lfs-warning/pull/163 ](https://togithub.com/ppremk/lfs-warning/pull/163 )
- Fix text setup for the issue comment by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ppremk/lfs-warning/pull/166 ](https://togithub.com/ppremk/lfs-warning/pull/166 )
- Validate PR changes to make sure there are no changes missing by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ppremk/lfs-warning/pull/165 ](https://togithub.com/ppremk/lfs-warning/pull/165 )
- Fix emoji by [@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ppremk/lfs-warning/pull/167 ](https://togithub.com/ppremk/lfs-warning/pull/167 )
- Bump undici from 5.28.2 to 5.28.4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/ppremk/lfs-warning/pull/171 ](https://togithub.com/ppremk/lfs-warning/pull/171 )
#### New Contributors
- [@​GlazerMann](https://togithub.com/GlazerMann ) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/148 ](https://togithub.com/ppremk/lfs-warning/pull/148 )
- [@​samthebest](https://togithub.com/samthebest ) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/153 ](https://togithub.com/ppremk/lfs-warning/pull/153 )
- [@​rajbos](https://togithub.com/rajbos ) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/158 ](https://togithub.com/ppremk/lfs-warning/pull/158 )
**Full Changelog**:
https://github.com/ppremk/lfs-warning/compare/v3.2...v3.3
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v3.25.11`](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11 )
###
[`v3.25.10`](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10 )
###
[`v3.25.9`](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9 )
###
[`v3.25.8`](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8 )
###
[`v3.25.7`](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7 )
###
[`v3.25.6`](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6 )
###
[`v3.25.5`](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5 )
###
[`v3.25.4`](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4 )
###
[`v3.25.3`](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3 )
###
[`v3.25.2`](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2 )
###
[`v3.25.1`](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1 )
###
[`v3.25.0`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.25.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.11...v3.25.0 )
###
[`v3.24.11`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11 )
###
[`v3.24.10`](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10 )
</details>
<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
###
[`v2.3.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.3 )
[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.2...v2.3.3 )
> \[!NOTE]\
> There is no v2.3.2 release as a step was skipped in the release
process. This was fixed and re-released under the v2.3.3 tag
#### What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to
github.com/ossf/scorecard/v5 (v5.0.0-rc1) by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1366 ](https://togithub.com/ossf/scorecard-action/pull/1366 )
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to
v5.0.0-rc2 by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1374 ](https://togithub.com/ossf/scorecard-action/pull/1374 )
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to
v5.0.0-rc2.0.20240509182734-7ce860946928 by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1377 ](https://togithub.com/ossf/scorecard-action/pull/1377 )
For a full changelist of what these include, see the
[v5.0.0-rc1](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc1 )
and
[v5.0.0-rc2](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc2 )
release notes.
##### Documentation
- 📖 Move token discussion out of main README. by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1279 ](https://togithub.com/ossf/scorecard-action/pull/1279 )
- 📖 link to `ossf/scorecard` workflow instead of maintaining an
example by [@​spencerschrock](https://togithub.com/spencerschrock )
in
[https://github.com/ossf/scorecard-action/pull/1352 ](https://togithub.com/ossf/scorecard-action/pull/1352 )
- 📖 update api links to new scorecard.dev site by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1376 ](https://togithub.com/ossf/scorecard-action/pull/1376 )
**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.3
###
[`v2.3.2`](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2 )
[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2 )
</details>
<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>
###
[`v2.5.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.5.1 )
[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1 )
#### What's Changed
- feat: Add cosign registry opts for provenance registry by
[@​saisatishkarra](https://togithub.com/saisatishkarra ) in
[https://github.com/slsa-framework/slsa-verifier/pull/729 ](https://togithub.com/slsa-framework/slsa-verifier/pull/729 )
and
[https://github.com/slsa-framework/slsa-verifier/pull/736 ](https://togithub.com/slsa-framework/slsa-verifier/pull/736 )
- feat: Add support for DSSE Rekor type by
[@​haydentherapper](https://togithub.com/haydentherapper ) in
[https://github.com/slsa-framework/slsa-verifier/pull/742 ](https://togithub.com/slsa-framework/slsa-verifier/pull/742 )
#### New Contributors
- [@​saisatishkarra](https://togithub.com/saisatishkarra ) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/729 ](https://togithub.com/slsa-framework/slsa-verifier/pull/729 )
- [@​ramonpetgrave64](https://togithub.com/ramonpetgrave64 ) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/737 ](https://togithub.com/slsa-framework/slsa-verifier/pull/737 )
- [@​haydentherapper](https://togithub.com/haydentherapper ) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/742 ](https://togithub.com/slsa-framework/slsa-verifier/pull/742 )
**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-07-01 17:21:38 +00:00
Ramon Petgrave
18c5f13b3e
fix: signoff commit ( #767 )
...
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760
Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit
# Testing
- [x] Invoked this PR's branch copy of the workflow against #717 , and it
did signoff the commit.
-
9670f76ab832398091+ramonpetgrave64@users.noreply.github.com >
2024-05-22 16:45:20 +00:00
Ramon Petgrave
b55bf59ce4
fix: use pr_number as env variable ( #771 )
...
changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks ).
Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.
Open issue
https://github.com/actions/runner/issues/1070#issuecomment-2113287699
## Testing
I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36
after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-05-22 12:20:16 -04:00
Ian Lewis
87b5bae6d4
chore: Update Renovate config ( #769 )
...
# Summary
Updates renovate config to use the
[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices )
preset rather than the `config:base` preset since `config:base` seems to
be deprecated.
Also updates the `schedule` config to use the
[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly )
preset.
Also adds a pre-submit to run the
[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/ )
to ensure that renovate config is valid. This pre-submit will need to be
made required in the repository branch protection rule for `main` in the
repository settings after this PR is merged.
---------
Signed-off-by: Ian Lewis <ianmlewis@gmail.com >
Signed-off-by: Ian Lewis <ianlewis@google.com >
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-05-16 07:13:09 +09:00
Ian Lewis
138a2348fc
chore: fix pr-title-checker ( #770 )
...
Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version
comment.
Signed-off-by: Ian Lewis <ianlewis@google.com >
2024-05-15 12:10:15 -04:00
Ramon Petgrave
23160d82c0
feat: workflow to update actions dist ( #760 )
...
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.
> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!
## Testing.
Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
- https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
- https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
2024-05-06 17:56:35 -04:00
Ramon Petgrave
bcc39bf21a
chore(deps): update npm dev (major) ( #753 )
...
Redo of https://github.com/slsa-framework/slsa-verifier/pull/654
- Fix dev-dependencies related to es-lint that the renovate-bot couldn't
auto-fix
- a few commas automatically added by the new linter
- use node20 for tests to avoid caompatibility warnings
```
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@typescript-eslint/parser@7.5.0',
npm WARN EBADENGINE required: { node: '^18.18.0 || >=20.0.0' },
npm WARN EBADENGINE current: { node: 'v16.20.2', npm: '8.19.4' }
npm WARN EBADENGINE }
```
---------
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com >
Co-authored-by: Mend Renovate <bot@renovateapp.com >
2024-04-02 17:44:08 -07:00
Mend Renovate
a8e21d5a83
chore(deps): update github-actions (major) ( #719 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout ) | action |
major | `v3.6.0` -> `v4.1.1` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action )
| action | major | `v3.1.5` -> `v4.2.5` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact )
| action | major | `v3.0.2` -> `v4.1.4` |
| [actions/setup-node](https://togithub.com/actions/setup-node ) | action
| major | `v3` -> `v4` |
| [actions/setup-node](https://togithub.com/actions/setup-node ) | action
| major | `v3.8.2` -> `v4.0.2` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact )
| action | major | `v3.1.3` -> `v4.3.1` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | major | `v2.24.8` -> `v3.24.9` |
|
[golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action )
| action | major | `v3` -> `v4` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
###
[`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1 )
##### What's Changed
- Update CODEOWNERS to Launch team by
[@​joshmgross](https://togithub.com/joshmgross ) in
[https://github.com/actions/checkout/pull/1510 ](https://togithub.com/actions/checkout/pull/1510 )
- Correct link to GitHub Docs by
[@​peterbe](https://togithub.com/peterbe ) in
[https://github.com/actions/checkout/pull/1511 ](https://togithub.com/actions/checkout/pull/1511 )
- Link to release page from what's new section by
[@​cory-miller](https://togithub.com/cory-miller ) in
[https://github.com/actions/checkout/pull/1514 ](https://togithub.com/actions/checkout/pull/1514 )
##### New Contributors
- [@​joshmgross](https://togithub.com/joshmgross ) made their first
contribution in
[https://github.com/actions/checkout/pull/1510 ](https://togithub.com/actions/checkout/pull/1510 )
- [@​peterbe](https://togithub.com/peterbe ) made their first
contribution in
[https://github.com/actions/checkout/pull/1511 ](https://togithub.com/actions/checkout/pull/1511 )
**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.0...v4.1.1
###
[`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0 )
- [Add support for partial checkout
filters](https://togithub.com/actions/checkout/pull/1396 )
###
[`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0 )
- [Support fetching without the --progress
option](https://togithub.com/actions/checkout/pull/1067 )
- [Update to node20](https://togithub.com/actions/checkout/pull/1436 )
</details>
<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>
###
[`v4.2.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.5 ):
4.2.5
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5 )
#### What's Changed
- Fixed a bug where some configuration options in external files were
not being properly picked up --
[https://github.com/actions/dependency-review-action/pull/722 ](https://togithub.com/actions/dependency-review-action/pull/722 )
- Bump eslint from 8.56.0 to 8.57.0
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5
###
[`v4.2.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.4 )
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4 )
#### What's Changed
Fixed a bug in the output of OpenSSF cards for GitHub Actions.
#### New Contributors
- [@​sporkmonger](https://togithub.com/sporkmonger ) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/721 ](https://togithub.com/actions/dependency-review-action/pull/721 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4
###
[`v4.2.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.3 ):
4.2.3
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3 )
#### What's Changed
- Set comment as output by [@​jsoref](https://togithub.com/jsoref )
in
[https://github.com/actions/dependency-review-action/pull/698 ](https://togithub.com/actions/dependency-review-action/pull/698 )
- Add support for calculating OpenSSF Scorecards by
[@​jhutchings1](https://togithub.com/jhutchings1 ) in
[https://github.com/actions/dependency-review-action/pull/709 ](https://togithub.com/actions/dependency-review-action/pull/709 )
- Add outputs for the changes data by
[@​laughedelic](https://togithub.com/laughedelic ) in
[https://github.com/actions/dependency-review-action/pull/707 ](https://togithub.com/actions/dependency-review-action/pull/707 )
#### New Contributors
- [@​jhutchings1](https://togithub.com/jhutchings1 ) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/709 ](https://togithub.com/actions/dependency-review-action/pull/709 )
- [@​laughedelic](https://togithub.com/laughedelic ) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/707 ](https://togithub.com/actions/dependency-review-action/pull/707 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3
###
[`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3 ):
4.1.3
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3 )
Fixes a bug in 4.1.2 that would introduce comments in every pull
request, regardless of the user's configuration (see
[https://github.com/actions/dependency-review-action/issues/697 ](https://togithub.com/actions/dependency-review-action/issues/697 )).
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3
###
[`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2 ):
4.1.2
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2 )
#### What's Changed
- Expose dependency comment content by
[@​jsoref](https://togithub.com/jsoref ) in
[https://github.com/actions/dependency-review-action/pull/696 ](https://togithub.com/actions/dependency-review-action/pull/696 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2
###
[`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1 ):
4.1.1
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1 )
#### What's Changed
- Bump `undici` to fix
[GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g )
- Bump [@​types/node](https://togithub.com/types/node ) from
20.11.17 to 20.11.19 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/693 ](https://togithub.com/actions/dependency-review-action/pull/693 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1
###
[`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0 ):
4.1.0
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0 )
#### What's Changed
- Add `warn-only` by [@​tgrall](https://togithub.com/tgrall ) in
[https://github.com/actions/dependency-review-action/pull/432 ](https://togithub.com/actions/dependency-review-action/pull/432 )
Added a new configuration option (`warn-only`, boolean) that makes the
action always succeed while still displaying found vulnerabilities in
the log.
- Create stale.yaml by
[@​jonjanego](https://togithub.com/jonjanego ) in
[https://github.com/actions/dependency-review-action/pull/671 ](https://togithub.com/actions/dependency-review-action/pull/671 )
- Use manual codeql config by
[@​juxtin](https://togithub.com/juxtin ) in
[https://github.com/actions/dependency-review-action/pull/678 ](https://togithub.com/actions/dependency-review-action/pull/678 )
- Multiple dependency updates (see the changelog below for more
information)
#### New Contributors
- [@​jonjanego](https://togithub.com/jonjanego ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/671 ](https://togithub.com/actions/dependency-review-action/pull/671 )
- [@​tgrall](https://togithub.com/tgrall ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/432 ](https://togithub.com/actions/dependency-review-action/pull/432 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4...v4.1.0
###
[`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0 )
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0 )
- Update action to Node 20 by
[@​takost](https://togithub.com/takost ) in
[https://github.com/actions/dependency-review-action/pull/639 ](https://togithub.com/actions/dependency-review-action/pull/639 )
- Dependabot updates, see the full changelog for more details.
#### New Contributors
- [@​takost](https://togithub.com/takost ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/639 ](https://togithub.com/actions/dependency-review-action/pull/639 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0
</details>
<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>
###
[`v4.1.4`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.4 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.3...v4.1.4 )
##### What's Changed
- Update
[@​actions/artifact](https://togithub.com/actions/artifact ) by
[@​bethanyj28](https://togithub.com/bethanyj28 ) in
[https://github.com/actions/download-artifact/pull/307 ](https://togithub.com/actions/download-artifact/pull/307 )
**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.4
###
[`v4.1.3`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.3 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.2...v4.1.3 )
##### What's Changed
- Update release-new-action-version.yml by
[@​konradpabjan](https://togithub.com/konradpabjan ) in
[https://github.com/actions/download-artifact/pull/292 ](https://togithub.com/actions/download-artifact/pull/292 )
- Update toolkit dependency with updated unzip logic by
[@​bethanyj28](https://togithub.com/bethanyj28 ) in
[https://github.com/actions/download-artifact/pull/299 ](https://togithub.com/actions/download-artifact/pull/299 )
- Update
[@​actions/artifact](https://togithub.com/actions/artifact ) by
[@​bethanyj28](https://togithub.com/bethanyj28 ) in
[https://github.com/actions/download-artifact/pull/303 ](https://togithub.com/actions/download-artifact/pull/303 )
##### New Contributors
- [@​bethanyj28](https://togithub.com/bethanyj28 ) made their first
contribution in
[https://github.com/actions/download-artifact/pull/299 ](https://togithub.com/actions/download-artifact/pull/299 )
**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.3
###
[`v4.1.2`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.2 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.1...v4.1.2 )
- Bump
[@​actions/artifacts](https://togithub.com/actions/artifacts ) to
latest version to include [updated GHES host
check](https://togithub.com/actions/toolkit/pull/1648 )
###
[`v4.1.1`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.1 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.0...v4.1.1 )
- Fix transient request timeouts
[https://github.com/actions/download-artifact/issues/249 ](https://togithub.com/actions/download-artifact/issues/249 )
- Bump `@actions/artifacts` to latest version
###
[`v4.1.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.0 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.0.0...v4.1.0 )
#### What's Changed
- Some cleanup by [@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/download-artifact/pull/247 ](https://togithub.com/actions/download-artifact/pull/247 )
- Fix default for run-id by [@​stchr](https://togithub.com/stchr )
in
[https://github.com/actions/download-artifact/pull/252 ](https://togithub.com/actions/download-artifact/pull/252 )
- Support pattern matching to filter artifacts & merge to same directory
by [@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/download-artifact/pull/259 ](https://togithub.com/actions/download-artifact/pull/259 )
#### New Contributors
- [@​stchr](https://togithub.com/stchr ) made their first
contribution in
[https://github.com/actions/download-artifact/pull/252 ](https://togithub.com/actions/download-artifact/pull/252 )
**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.0
###
[`v4.0.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.0.0 )
[Compare
Source](https://togithub.com/actions/download-artifact/compare/v3.0.2...v4.0.0 )
#### What's Changed
The release of upload-artifact@v4 and download-artifact@v4 are major
changes to the backend architecture of Artifacts. They have numerous
performance and behavioral improvements.
ℹ️ However, this is a major update that includes breaking changes.
Artifacts created with versions v3 and below are not compatible with the
v4 actions. Uploads and downloads *must* use the same major actions
versions. There are also key differences from previous versions that may
require updates to your workflows.
For more information, please see:
1. The
[changelog](https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/ )
post.
2. The
[README](https://togithub.com/actions/download-artifact/blob/main/README.md ).
3. The [migration
documentation](https://togithub.com/actions/upload-artifact/blob/main/docs/MIGRATION.md ).
4. As well as the underlying npm package,
[@​actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact )
documentation.
#### New Contributors
- [@​bflad](https://togithub.com/bflad ) made their first
contribution in
[https://github.com/actions/download-artifact/pull/194 ](https://togithub.com/actions/download-artifact/pull/194 )
**Full Changelog**:
https://github.com/actions/download-artifact/compare/v3...v4.0.0
</details>
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
### [`v4`](https://togithub.com/actions/setup-node/compare/v3...v4 )
[Compare
Source](https://togithub.com/actions/setup-node/compare/v3...v4 )
</details>
<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>
###
[`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1 )
[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1 )
- Bump
[@​actions/artifacts](https://togithub.com/actions/artifacts ) to
latest version to include [updated GHES host
check](https://togithub.com/actions/toolkit/pull/1648 )
###
[`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0 )
[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0 )
##### What's Changed
- Reorganize upload code in prep for merge logic & add more tests by
[@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/upload-artifact/pull/504 ](https://togithub.com/actions/upload-artifact/pull/504 )
- Add sub-action to merge artifacts by
[@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/upload-artifact/pull/505 ](https://togithub.com/actions/upload-artifact/pull/505 )
**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.3.0
###
[`v4.2.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.2.0 )
[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.1.0...v4.2.0 )
##### What's Changed
- Ability to overwrite an Artifact by
[@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/upload-artifact/pull/501 ](https://togithub.com/actions/upload-artifact/pull/501 )
**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.2.0
###
[`v4.1.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.1.0 )
[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.0.0...v4.1.0 )
#### What's Changed
- Add migrations docs by
[@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/upload-artifact/pull/482 ](https://togithub.com/actions/upload-artifact/pull/482 )
- Update README.md by
[@​samuelwine](https://togithub.com/samuelwine ) in
[https://github.com/actions/upload-artifact/pull/492 ](https://togithub.com/actions/upload-artifact/pull/492 )
- Support artifact-url output by
[@​konradpabjan](https://togithub.com/konradpabjan ) in
[https://github.com/actions/upload-artifact/pull/496 ](https://togithub.com/actions/upload-artifact/pull/496 )
- Update readme to reflect new 500 artifact per job limit by
[@​robherley](https://togithub.com/robherley ) in
[https://github.com/actions/upload-artifact/pull/497 ](https://togithub.com/actions/upload-artifact/pull/497 )
#### New Contributors
- [@​samuelwine](https://togithub.com/samuelwine ) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/492 ](https://togithub.com/actions/upload-artifact/pull/492 )
**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.1.0
###
[`v4.0.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.0.0 )
[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v3.1.3...v4.0.0 )
#### What's Changed
The release of upload-artifact@v4 and download-artifact@v4 are major
changes to the backend architecture of Artifacts. They have numerous
performance and behavioral improvements.
For more information, see the
[@​actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact )
documentation.
#### New Contributors
- [@​vmjoseph](https://togithub.com/vmjoseph ) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/464 ](https://togithub.com/actions/upload-artifact/pull/464 )
**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v3...v4.0.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v3.24.9`](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9 )
###
[`v3.24.8`](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8 )
###
[`v3.24.7`](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7 )
###
[`v3.24.6`](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6 )
###
[`v3.24.5`](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5 )
###
[`v3.24.4`](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4 )
###
[`v3.24.3`](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3 )
###
[`v3.24.2`](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2 )
###
[`v3.24.1`](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1 )
###
[`v3.24.0`](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0 )
###
[`v3.23.2`](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2 )
###
[`v3.23.1`](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1 )
###
[`v3.23.0`](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0 )
###
[`v3.22.12`](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12 )
###
[`v3.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.11...v3.22.11 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.9...v3.22.11 )
###
[`v2.24.9`](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9 )
</details>
<details>
<summary>golangci/golangci-lint-action
(golangci/golangci-lint-action)</summary>
###
[`v4`](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4 )
[Compare
Source](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2024-04-01 15:26:46 +00:00
Mend Renovate
594b179564
chore(deps): update github-actions ( #741 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action )
| action | patch | `v3.1.0` -> `v3.1.5` |
| [actions/setup-node](https://togithub.com/actions/setup-node ) | action
| patch | `v3.8.1` -> `v3.8.2` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | minor | `v2.22.1` -> `v2.24.8` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action ) |
action | patch | `v2.3.0` -> `v2.3.1` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator )
| action | minor | `v1.9.0` -> `v1.10.0` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier )
| action | patch | `v2.4.0` -> `v2.4.1` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>
###
[`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5 ):
3.1.5
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5 )
#### What's Changed
- Smaller `per_page` when requesting diff by
[@​hmaurer](https://togithub.com/hmaurer ) in
[https://github.com/actions/dependency-review-action/pull/649 ](https://togithub.com/actions/dependency-review-action/pull/649 )
- Update dependencies:
- Bump
[@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser )
from 6.10.0 to 6.13.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/630 ](https://togithub.com/actions/dependency-review-action/pull/630 )
- Bump prettier from 3.0.3 to 3.1.0 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/629 ](https://togithub.com/actions/dependency-review-action/pull/629 )
- Bump [@​types/jest](https://togithub.com/types/jest ) from 29.5.8
to 29.5.11 by [@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/637 ](https://togithub.com/actions/dependency-review-action/pull/637 )
- Bump nodemon from 3.0.1 to 3.0.2 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/636 ](https://togithub.com/actions/dependency-review-action/pull/636 )
- Replace pip -> pypi in PURL examples by
[@​febuiles](https://togithub.com/febuiles ) in
[https://github.com/actions/dependency-review-action/pull/638 ](https://togithub.com/actions/dependency-review-action/pull/638 )
- Bump
[@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin )
from 6.12.0 to 6.15.0 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/644 ](https://togithub.com/actions/dependency-review-action/pull/644 )
- Bump eslint from 8.53.0 to 8.56.0 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/640 ](https://togithub.com/actions/dependency-review-action/pull/640 )
- Bump
[@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser )
from 6.13.1 to 6.16.0 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/645 ](https://togithub.com/actions/dependency-review-action/pull/645 )
- Bump prettier from 3.1.0 to 3.1.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/646 ](https://togithub.com/actions/dependency-review-action/pull/646 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5
###
[`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4 ):
3.1.4
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4 )
#### What's Changed
- Fixed a
[bug](https://togithub.com/actions/dependency-review-action/issues/618 )
with severity filtering when using the `allow_ghsas` option:
[https://github.com/actions/dependency-review-action/pull/623 ](https://togithub.com/actions/dependency-review-action/pull/623 ).
- Updates dependencies:
- Bump [@​types/node](https://togithub.com/types/node ) from
16.18.61 to 16.18.62 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/619 ](https://togithub.com/actions/dependency-review-action/pull/619 )
action/pull/620
- Bump
[@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin )
from 6.11.0 to 6.12.0 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/625 ](https://togithub.com/actions/dependency-review-action/pull/625 )
- Bump typescript from 5.2.2 to 5.3.2 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/dependency-review-action/pull/624 ](https://togithub.com/actions/dependency-review-action/pull/624 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.4
###
[`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3 ):
3.1.3
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3 )
#### What's Changed
- Fixes purl "version must be percent-encoded" by
[@​theztefan](https://togithub.com/theztefan ) in
[https://github.com/actions/dependency-review-action/pull/617 ](https://togithub.com/actions/dependency-review-action/pull/617 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.3
###
[`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2 ):
3.1.2
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2 )
#### What's Changed
- Fix a regression for setups using self-hosted runners behind HTTP
proxies:[@​febuiles](https://togithub.com/febuiles ) in
[https://github.com/actions/dependency-review-action/pull/611 ](https://togithub.com/actions/dependency-review-action/pull/611 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.2
###
[`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1 ):
3.1.1
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1 )
#### What's Changed
- Update a bunch of dependencies, including major version upgrades for
`octokit`, `@actions/github` and `typescript`.
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1
</details>
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
###
[`v3.8.2`](https://togithub.com/actions/setup-node/releases/tag/v3.8.2 )
[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.8.1...v3.8.2 )
##### What's Changed
- Update semver by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/861 ](https://togithub.com/actions/setup-node/pull/861 )
- Update temp directory creation by
[@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) in
[https://github.com/actions/setup-node/pull/859 ](https://togithub.com/actions/setup-node/pull/859 )
- Bump [@​babel/traverse](https://togithub.com/babel/traverse )
from 7.15.4 to 7.23.2 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/870 ](https://togithub.com/actions/setup-node/pull/870 )
- Add notice about binaries not being updated yet by
[@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) in
[https://github.com/actions/setup-node/pull/872 ](https://togithub.com/actions/setup-node/pull/872 )
- Update toolkit cache and core by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) and
[@​seongwon-privatenote](https://togithub.com/seongwon-privatenote )
in
[https://github.com/actions/setup-node/pull/875 ](https://togithub.com/actions/setup-node/pull/875 )
**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.8.2
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v2.24.8`](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8 )
###
[`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7 )
###
[`v2.24.6`](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6 )
###
[`v2.24.5`](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5 )
###
[`v2.24.4`](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4 )
###
[`v2.24.3`](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3 )
###
[`v2.24.2`](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2 )
###
[`v2.24.1`](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1 )
###
[`v2.24.0`](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0 )
###
[`v2.23.2`](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2 )
###
[`v2.23.1`](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1 )
###
[`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0 )
###
[`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12 )
###
[`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11 )
###
[`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10 )
###
[`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9 )
###
[`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8 )
###
[`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7 )
###
[`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6 )
###
[`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5 )
###
[`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4 )
###
[`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3 )
###
[`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2 )
</details>
<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
###
[`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1 )
[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1 )
#### What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1282 ](https://togithub.com/ossf/scorecard-action/pull/1282 )
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1 )
release notes
**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1
</details>
<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>
###
[`v1.10.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100 )
[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0 )
Release \[v1.10.0] includes bug fixes and new features.
See the [full change
list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0 ).
##### v1.10.0: TUF fix
- The cosign TUF roots were fixed
([#​3350](https://togithub.com/slsa-framework/slsa-github-generator/issues/3350 )).
More details
[here](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid ).
##### v1.10.0: Gradle Builder
- The Gradle Builder was fixed when the project root is the same as the
repository root
([#​2727](https://togithub.com/slsa-framework/slsa-github-generator/issues/2727 ))
##### v1.10.0: Go Builder
- The `go-version-file` input was fixed so that it can find the `go.mod`
file
([#​2661](https://togithub.com/slsa-framework/slsa-github-generator/issues/2661 ))
##### v1.10.0: Container Generator
- A new `provenance-repository` input was added to allow reading
provenance from
a different container repository than the image itself
([#​2956](https://togithub.com/slsa-framework/slsa-github-generator/issues/2956 ))
###
[`v1.9.1`](https://togithub.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1 )
[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1 )
**This is an un-finalized release.**
See the [CHANGELOG](./CHANGELOG.md) for details.
</details>
<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>
###
[`v2.4.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.1 )
[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1 )
#### What's Changed
- Fix a verification issue when verifying npm's publish attestations -
Low severity
https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9 .
This part of the code remains *experimental*.
#### New Contributors
- [@​trishankatdatadog](https://togithub.com/trishankatdatadog )
made their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/702 ](https://togithub.com/slsa-framework/slsa-verifier/pull/702 )
**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2MS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2024-03-22 00:59:31 -07:00
Ramon Petgrave
74119b2a7f
fix(deps): update go to 1.21 ( #738 )
...
Fixing the existing PR
https://github.com/slsa-framework/slsa-verifier/pull/498 to also change
the github actions to use the go 1.21 sourced directly from `go.mod`.
-
07e64b653f/.github/workflows/builder_go_slsa3.yml (L56)https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/7559933600/job/20584856777?pr=498
> ...
Error: We were unable to automatically build your code. Please replace
the call to the autobuild action with your custom build steps.
Encountered a fatal error while running
"/opt/hostedtoolcache/CodeQL/2.15.5/x64/codeql/go/tools/autobuild.sh".
Exit code was 1 and error was: 2024/01/17 18:06:58 Autobuilder was built
with go1.21.5, environment has go1.20.12
...
Also fixing some more lint checks about repeated strings
---------
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com >
Co-authored-by: Mend Renovate <bot@renovateapp.com >
2024-01-24 09:29:20 -08:00
Mend Renovate
b72da83344
chore(deps): update github-actions ( #695 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout ) | action |
minor | `v3.5.3` -> `v3.6.0` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action )
| action | minor | `v3.0.7` -> `v3.1.0` |
| [actions/setup-node](https://togithub.com/actions/setup-node ) | action
| patch | `v3.8.0` -> `v3.8.1` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact )
| action | patch | `v3.1.2` -> `v3.1.3` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | minor | `v2.21.4` -> `v2.22.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action ) |
action | minor | `v2.2.0` -> `v2.3.0` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator )
| action | minor | `v1.8.0` -> `v1.9.0` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier )
| action | minor | `v2.3.0` -> `v2.4.0` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
###
[`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360 )
[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0 )
- [Fix: Mark test scripts with Bash'isms to be run via
Bash](https://togithub.com/actions/checkout/pull/1377 )
- [Add option to fetch tags even if fetch-depth >
0](https://togithub.com/actions/checkout/pull/579 )
</details>
<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>
###
[`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0 ):
3.1.0
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0 )
#### What's New
Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together ).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.
#### What's Changed
- Fix(docs): Correct action input name by
[@​oerd](https://togithub.com/oerd ) in
[https://github.com/actions/dependency-review-action/pull/551 ](https://togithub.com/actions/dependency-review-action/pull/551 )
#### New Contributors
- [@​oerd](https://togithub.com/oerd ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/551 ](https://togithub.com/actions/dependency-review-action/pull/551 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.0
###
[`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8 ):
3.0.8
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8 )
#### What's Changed
Added `on-failure` option to `comment-summary-in-pr` setting by
[@​sgmurphy](https://togithub.com/sgmurphy ) in
[https://github.com/actions/dependency-review-action/pull/540 ](https://togithub.com/actions/dependency-review-action/pull/540 )
Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.
#### New Contributors
- [@​sgmurphy](https://togithub.com/sgmurphy ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/540 ](https://togithub.com/actions/dependency-review-action/pull/540 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.8
</details>
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
###
[`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1 )
[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1 )
#### What's Changed
In scope of this release, the filter was removed within the cache-save
step by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov )
in
[https://github.com/actions/setup-node/pull/831 ](https://togithub.com/actions/setup-node/pull/831 ).
It is filtered and checked in the toolkit/cache library.
**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.8.1
</details>
<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>
###
[`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3 )
[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3 )
#### What's Changed
- chore(github): remove trailing whitespaces by
[@​ljmf00](https://togithub.com/ljmf00 ) in
[https://github.com/actions/upload-artifact/pull/313 ](https://togithub.com/actions/upload-artifact/pull/313 )
- Bump [@​actions/artifact](https://togithub.com/actions/artifact )
version to v1.1.2 by
[@​bethanyj28](https://togithub.com/bethanyj28 ) in
[https://github.com/actions/upload-artifact/pull/436 ](https://togithub.com/actions/upload-artifact/pull/436 )
**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v3...v3.1.3
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1 )
###
[`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0 )
###
[`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9 )
###
[`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8 )
###
[`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7 )
###
[`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6 )
###
[`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5 )
</details>
<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
###
[`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0 )
[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0 )
#### What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1270 ](https://togithub.com/ossf/scorecard-action/pull/1270 )
- For a full changelist of what this includes, see the
[v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0 ) and
[v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0 )
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1169 ](https://togithub.com/ossf/scorecard-action/pull/1169 )
- 🐛 Prevent url clipping for GHES instances by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ossf/scorecard-action/pull/1225 ](https://togithub.com/ossf/scorecard-action/pull/1225 )
##### Documentation
- 📖 Update access rights needed to see the results in code scanning
by [@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/ossf/scorecard-action/pull/1229 ](https://togithub.com/ossf/scorecard-action/pull/1229 )
- 📖 Add package comments. by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1221 ](https://togithub.com/ossf/scorecard-action/pull/1221 )
- 📖 Add SECURITY.md file by
[@​david-a-wheeler](https://togithub.com/david-a-wheeler ) in
[https://github.com/ossf/scorecard-action/pull/1250 ](https://togithub.com/ossf/scorecard-action/pull/1250 )
- 📖 Fix typo in token input docs by
[@​aabouzaid](https://togithub.com/aabouzaid ) in
[https://github.com/ossf/scorecard-action/pull/1258 ](https://togithub.com/ossf/scorecard-action/pull/1258 )
#### New Contributors
- [@​david-a-wheeler](https://togithub.com/david-a-wheeler ) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250 ](https://togithub.com/ossf/scorecard-action/pull/1250 )
- [@​aabouzaid](https://togithub.com/aabouzaid ) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258 ](https://togithub.com/ossf/scorecard-action/pull/1258 )
**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0
</details>
<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>
###
[`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190 )
[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0 )
Release \[v1.9.0] includes bug fixes and new features.
See the [full change
list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0 ).
##### v1.9.0: BYOB framework (beta)
- **New**: A [new
framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md )
to turn GitHub Actions into SLSA compliant builders.
##### v1.9.0: Maven builder (beta)
- **New**: A [Maven
builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven )
to build Java projects and publish to Maven central.
##### v1.9.0: Gradle builder (beta)
- **New**: A [Gradle
builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle )
to build Java projects and publish to Maven central.
##### v1.9.0: JReleaser builder
- **New**: A [JReleaser
builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java )
that wraps the official [JReleaser
Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java ).
</details>
<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>
###
[`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0 )
[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0 )
#### Summary
Support for BYOB-based builders released in
https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0
#### What's Changed
- chore: Update SHA256SUM.md for v2.3.0 by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/592 ](https://togithub.com/slsa-framework/slsa-verifier/pull/592 )
- docs: Make npm package version and name non-optional by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/591 ](https://togithub.com/slsa-framework/slsa-verifier/pull/591 )
- docs: npm provenance verification from GitHub runner by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/595 ](https://togithub.com/slsa-framework/slsa-verifier/pull/595 )
- chore(deps): update dependency
[@​types/node](https://togithub.com/types/node ) to v18.16.9 by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/596 ](https://togithub.com/slsa-framework/slsa-verifier/pull/596 )
- chore(deps): update github-actions by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/597 ](https://togithub.com/slsa-framework/slsa-verifier/pull/597 )
- chore(deps): update dependency jasmine to v5 by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/598 ](https://togithub.com/slsa-framework/slsa-verifier/pull/598 )
- feat: BYOB verification support by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/604 ](https://togithub.com/slsa-framework/slsa-verifier/pull/604 )
- feat: Support for v1.0 verification in BYOB by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/609 ](https://togithub.com/slsa-framework/slsa-verifier/pull/609 )
- feat: Use env variable to retrieve trigger workflow by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/615 ](https://togithub.com/slsa-framework/slsa-verifier/pull/615 )
- test: Add test data for v1.6.0 by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/612 ](https://togithub.com/slsa-framework/slsa-verifier/pull/612 )
- fix: Verify the TRW tag is a semver tag by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/619 ](https://togithub.com/slsa-framework/slsa-verifier/pull/619 )
- chore: Don't be verbose with tests locally by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/620 ](https://togithub.com/slsa-framework/slsa-verifier/pull/620 )
- fix: use ExternalParameters\["source"] for the Source URI for SLSA
v1.0 provenance by [@​asraa](https://togithub.com/asraa ) in
[https://github.com/slsa-framework/slsa-verifier/pull/621 ](https://togithub.com/slsa-framework/slsa-verifier/pull/621 )
- test: re-generate container-based tests by
[@​asraa](https://togithub.com/asraa ) in
[https://github.com/slsa-framework/slsa-verifier/pull/627 ](https://togithub.com/slsa-framework/slsa-verifier/pull/627 )
- fix: revert to using resolvedDepdendencies for source verification by
[@​asraa](https://togithub.com/asraa ) in
[https://github.com/slsa-framework/slsa-verifier/pull/629 ](https://togithub.com/slsa-framework/slsa-verifier/pull/629 )
- refactor: Provenance tests by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/628 ](https://togithub.com/slsa-framework/slsa-verifier/pull/628 )
- fix(deps): update module github.com/sigstore/rekor to v1.2.0
\[security] by [@​renovate-bot](https://togithub.com/renovate-bot )
in
[https://github.com/slsa-framework/slsa-verifier/pull/622 ](https://togithub.com/slsa-framework/slsa-verifier/pull/622 )
- fix: only allow hashes of 256 bits or more by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/633 ](https://togithub.com/slsa-framework/slsa-verifier/pull/633 )
- fix: builder ID verification for testing by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/635 ](https://togithub.com/slsa-framework/slsa-verifier/pull/635 )
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance
format by [@​asraa](https://togithub.com/asraa ) in
[https://github.com/slsa-framework/slsa-verifier/pull/634 ](https://togithub.com/slsa-framework/slsa-verifier/pull/634 )
- chore: update toc in README.md by
[@​asraa](https://togithub.com/asraa ) in
[https://github.com/slsa-framework/slsa-verifier/pull/636 ](https://togithub.com/slsa-framework/slsa-verifier/pull/636 )
- fix: allow workflow_dispatch to trigger release.yml by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/637 ](https://togithub.com/slsa-framework/slsa-verifier/pull/637 )
- test: add tests for v1.7.0 builders by
[@​asraa](https://togithub.com/asraa ) in
[https://github.com/slsa-framework/slsa-verifier/pull/638 ](https://togithub.com/slsa-framework/slsa-verifier/pull/638 )
- chore(deps): update github-actions by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/607 ](https://togithub.com/slsa-framework/slsa-verifier/pull/607 )
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859 )
by [@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/567 ](https://togithub.com/slsa-framework/slsa-verifier/pull/567 )
- fix(deps): update github.com/sigstore/protobuf-specs digest to
[`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406 )
by [@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/606 ](https://togithub.com/slsa-framework/slsa-verifier/pull/606 )
- chore(deps): update npm dev by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/608 ](https://togithub.com/slsa-framework/slsa-verifier/pull/608 )
- chore(deps): update golang:1.19 docker digest to
[`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84 )
by [@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/583 ](https://togithub.com/slsa-framework/slsa-verifier/pull/583 )
- feat: Verify provenance by build type by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/632 ](https://togithub.com/slsa-framework/slsa-verifier/pull/632 )
- refactor: Use Go 1.20 by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/643 ](https://togithub.com/slsa-framework/slsa-verifier/pull/643 )
- test: Add more ProvenanceFromEnvelope tests by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/640 ](https://togithub.com/slsa-framework/slsa-verifier/pull/640 )
- fix: pre-submit: e2e-cli.sh artifact download by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/646 ](https://togithub.com/slsa-framework/slsa-verifier/pull/646 )
- refactor: Add more git utils by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/645 ](https://togithub.com/slsa-framework/slsa-verifier/pull/645 )
- refactor: Use full builder id by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/648 ](https://togithub.com/slsa-framework/slsa-verifier/pull/648 )
- feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/644 ](https://togithub.com/slsa-framework/slsa-verifier/pull/644 )
- chore(deps): update github-actions by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/651 ](https://togithub.com/slsa-framework/slsa-verifier/pull/651 )
- feat: move maven-plugin from slsa-github-generator by
[@​AdamKorcz](https://togithub.com/AdamKorcz ) in
[https://github.com/slsa-framework/slsa-verifier/pull/664 ](https://togithub.com/slsa-framework/slsa-verifier/pull/664 )
- docs: Fix maven-plugin README by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/671 ](https://togithub.com/slsa-framework/slsa-verifier/pull/671 )
- feat: Verification for when sha1 is specified in BYOB TRW by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/641 ](https://togithub.com/slsa-framework/slsa-verifier/pull/641 )
- docs: Add example for maven verification plugin by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/676 ](https://togithub.com/slsa-framework/slsa-verifier/pull/676 )
- chore: Add Kris to codeowners by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/678 ](https://togithub.com/slsa-framework/slsa-verifier/pull/678 )
- feat: Print byob builder by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/677 ](https://togithub.com/slsa-framework/slsa-verifier/pull/677 )
- test: Add test data for v1.8.0 by
[@​ianlewis](https://togithub.com/ianlewis ) in
[https://github.com/slsa-framework/slsa-verifier/pull/681 ](https://togithub.com/slsa-framework/slsa-verifier/pull/681 )
- chore(deps): update github-actions by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/666 ](https://togithub.com/slsa-framework/slsa-verifier/pull/666 )
- feat: Non-compulsory BuilderID for BYOB Builders by
[@​enteraga6](https://togithub.com/enteraga6 ) in
[https://github.com/slsa-framework/slsa-verifier/pull/674 ](https://togithub.com/slsa-framework/slsa-verifier/pull/674 )
- chore(deps): update golang docker tag to v1.21 by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/687 ](https://togithub.com/slsa-framework/slsa-verifier/pull/687 )
- chore(deps): update github-actions by
[@​renovate-bot](https://togithub.com/renovate-bot ) in
[https://github.com/slsa-framework/slsa-verifier/pull/686 ](https://togithub.com/slsa-framework/slsa-verifier/pull/686 )
- feat: GCB refactor for v1.0 support by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/682 ](https://togithub.com/slsa-framework/slsa-verifier/pull/682 )
- feat: Allow byob builders ref at main for e2e tests by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/689 ](https://togithub.com/slsa-framework/slsa-verifier/pull/689 )
- feat: Update doc and code for Maven plugin by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/680 ](https://togithub.com/slsa-framework/slsa-verifier/pull/680 )
- feat: gcb v1.0 support by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/691 ](https://togithub.com/slsa-framework/slsa-verifier/pull/691 )
- feat: v1.9.0 regression tests by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/696 ](https://togithub.com/slsa-framework/slsa-verifier/pull/696 )
- fix: release failure by
[@​laurentsimon](https://togithub.com/laurentsimon ) in
[https://github.com/slsa-framework/slsa-verifier/pull/697 ](https://togithub.com/slsa-framework/slsa-verifier/pull/697 )
#### New Contributors
- [@​AdamKorcz](https://togithub.com/AdamKorcz ) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/664 ](https://togithub.com/slsa-framework/slsa-verifier/pull/664 )
- [@​enteraga6](https://togithub.com/enteraga6 ) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/674 ](https://togithub.com/slsa-framework/slsa-verifier/pull/674 )
**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-12-01 22:18:37 +00:00
laurentsimon
73d1bcba98
fix: release failure ( #697 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-24 15:58:45 -07:00
Mend Renovate
b9a0e6babf
chore(deps): update github-actions ( #686 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action )
| action | patch | `v3.0.6` -> `v3.0.7` |
| [actions/setup-node](https://togithub.com/actions/setup-node ) | action
| minor | `v3.7.0` -> `v3.8.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | patch | `v2.21.3` -> `v2.21.4` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>
###
[`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7 ):
3.0.7
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7 )
#### What's Changed
- Make GHES support / setup more clear by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/actions/dependency-review-action/pull/534 ](https://togithub.com/actions/dependency-review-action/pull/534 )
- Add an option to deny packages or groups of packages by
[@​adrienpessu](https://togithub.com/adrienpessu ) in
[https://github.com/actions/dependency-review-action/pull/544 ](https://togithub.com/actions/dependency-review-action/pull/544 )
#### New Contributors
- [@​rajbos](https://togithub.com/rajbos ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/534 ](https://togithub.com/actions/dependency-review-action/pull/534 )
- [@​adrienpessu](https://togithub.com/adrienpessu ) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/544 ](https://togithub.com/actions/dependency-review-action/pull/544 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.7
</details>
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
###
[`v3.8.0`](https://togithub.com/actions/setup-node/releases/tag/v3.8.0 )
[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.7.0...v3.8.0 )
#### What's Changed
##### Bug fixes:
- Add check for existing paths by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/803 ](https://togithub.com/actions/setup-node/pull/803 )
- Resolve SymbolicLink by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/809 ](https://togithub.com/actions/setup-node/pull/809 )
- Change passing logic for cache input by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/816 ](https://togithub.com/actions/setup-node/pull/816 )
- Fix armv7 cache issue by
[@​louislam](https://togithub.com/louislam ) in
[https://github.com/actions/setup-node/pull/794 ](https://togithub.com/actions/setup-node/pull/794 )
- Update check-dist workflow name by
[@​sinchang](https://togithub.com/sinchang ) in
[https://github.com/actions/setup-node/pull/710 ](https://togithub.com/actions/setup-node/pull/710 )
##### Feature implementations:
- feat: handling the case where "node" is used for tool-versions file.
by [@​xytis](https://togithub.com/xytis ) in
[https://github.com/actions/setup-node/pull/812 ](https://togithub.com/actions/setup-node/pull/812 )
##### Documentation changes:
- Refer to semver package name in README.md by
[@​olleolleolle](https://togithub.com/olleolleolle ) in
[https://github.com/actions/setup-node/pull/808 ](https://togithub.com/actions/setup-node/pull/808 )
##### Update dependencies:
- Update toolkit cache to fix zstd by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/804 ](https://togithub.com/actions/setup-node/pull/804 )
- Bump tough-cookie and
[@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js ) by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/802 ](https://togithub.com/actions/setup-node/pull/802 )
- Bump semver from 6.1.2 to 6.3.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/807 ](https://togithub.com/actions/setup-node/pull/807 )
- Bump word-wrap from 1.2.3 to 1.2.4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/815 ](https://togithub.com/actions/setup-node/pull/815 )
#### New Contributors
- [@​olleolleolle](https://togithub.com/olleolleolle ) made their
first contribution in
[https://github.com/actions/setup-node/pull/808 ](https://togithub.com/actions/setup-node/pull/808 )
- [@​louislam](https://togithub.com/louislam ) made their first
contribution in
[https://github.com/actions/setup-node/pull/794 ](https://togithub.com/actions/setup-node/pull/794 )
- [@​sinchang](https://togithub.com/sinchang ) made their first
contribution in
[https://github.com/actions/setup-node/pull/710 ](https://togithub.com/actions/setup-node/pull/710 )
- [@​xytis](https://togithub.com/xytis ) made their first
contribution in
[https://github.com/actions/setup-node/pull/812 ](https://togithub.com/actions/setup-node/pull/812 )
**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.8.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40MC4zIiwidXBkYXRlZEluVmVyIjoiMzYuNDAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-08-14 22:44:36 +00:00
Mend Renovate
57e3f65b43
chore(deps): update github-actions ( #666 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-go](https://togithub.com/actions/setup-go ) | action |
minor | `v4.0.1` -> `v4.1.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | minor | `v2.20.4` -> `v2.21.3` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator )
| action | minor | `v1.7.0` -> `v1.8.0` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/setup-go (actions/setup-go)</summary>
###
[`v4.1.0`](https://togithub.com/actions/setup-go/releases/tag/v4.1.0 )
[Compare
Source](https://togithub.com/actions/setup-go/compare/v4.0.1...v4.1.0 )
##### What's Changed
In scope of this release, slow installation on Windows was fixed by
[@​dsame](https://togithub.com/dsame ) in
[https://github.com/actions/setup-go/pull/393 ](https://togithub.com/actions/setup-go/pull/393 )
and OS version was added to `primaryKey` for Ubuntu runners to avoid
conflicts
([https://github.com/actions/setup-go/pull/383 ](https://togithub.com/actions/setup-go/pull/383 ))
This release also includes the following changes:
- Remove implicit dependencies by
[@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) in
[https://github.com/actions/setup-go/pull/378 ](https://togithub.com/actions/setup-go/pull/378 )
- Update action.yml by [@​mkelly](https://togithub.com/mkelly ) in
[https://github.com/actions/setup-go/pull/379 ](https://togithub.com/actions/setup-go/pull/379 )
- Added a description that go-version should be specified as a string
type by [@​n3xem](https://togithub.com/n3xem ) in
[https://github.com/actions/setup-go/pull/367 ](https://togithub.com/actions/setup-go/pull/367 )
- Add note about YAML parsing versions by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-go/pull/382 ](https://togithub.com/actions/setup-go/pull/382 )
- Automatic update of configuration files from 05/23/2023 by
[@​github-actions](https://togithub.com/github-actions ) in
[https://github.com/actions/setup-go/pull/377 ](https://togithub.com/actions/setup-go/pull/377 )
- Bump tough-cookie and
[@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js ) by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/392 ](https://togithub.com/actions/setup-go/pull/392 )
- Bump word-wrap from 1.2.3 to 1.2.4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/397 ](https://togithub.com/actions/setup-go/pull/397 )
- Bump semver from 6.3.0 to 6.3.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/396 ](https://togithub.com/actions/setup-go/pull/396 )
##### New Contributors
- [@​mkelly](https://togithub.com/mkelly ) made their first
contribution in
[https://github.com/actions/setup-go/pull/379 ](https://togithub.com/actions/setup-go/pull/379 )
- [@​n3xem](https://togithub.com/n3xem ) made their first
contribution in
[https://github.com/actions/setup-go/pull/367 ](https://togithub.com/actions/setup-go/pull/367 )
**Full Changelog**:
https://github.com/actions/setup-go/compare/v4...v4.1.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3 )
###
[`v2.21.2`](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2 )
###
[`v2.21.1`](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1 )
###
[`v2.21.0`](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0 )
</details>
<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>
###
[`v1.8.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v180 )
[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0 )
Release \[v1.8.0] includes bug fixes and new features.
See the [full change
list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0 ).
##### v1.8.0: Generic Generator
- **Added**: A new
[`base64-subjects-as-file`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.8.0/internal/builders/generic/README.md#workflow-inputs )
was added to allow for specifying a large subject list.
##### v1.8.0: Node.js Builder (beta)
- **Fixed**: Publishing for non-scoped packages was fixed (See
[#​2359](https://togithub.com/slsa-framework/slsa-github-generator/issues/2359 ))
- **Fixed**: Documentation was updated to clarify that the GitHub
Actions
`deployment` event is not supported.
- **Changed**: The file extension for the generated provenance file was
changed
from `.sigstore` to `.build.slsa` in order to make it easier to identify
provenance files regardless of file format.
- **Fixed**: The publish action was fixed to address an issue with the
package
name when using Node 16.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzYuMjcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-08-09 08:24:24 +09:00
laurentsimon
9aa2319ef0
feat: Print byob builder ( #677 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/672
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-02 18:34:13 +00:00
Mend Renovate
59f6ba3e00
chore(deps): update github-actions ( #651 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://togithub.com/actions/setup-node ) | action
| minor | `v3.6.0` -> `v3.7.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | minor | `v2.3.6` -> `v2.20.4` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action ) |
action | minor | `v2.1.3` -> `v2.2.0` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
###
[`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0 )
[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0 )
##### What's Changed
In scope of this release we added a logic to save an additional cache
path for yarn 3 ([related pull
request](https://togithub.com/actions/setup-node/pull/744 ) and [feature
request](https://togithub.com/actions/setup-node/issues/325 )). Moreover,
we added functionality to use all the sub directories derived from
`cache-dependency-path` input and add detect all dependencies
directories to cache (related [pull
request](https://togithub.com/actions/setup-node/pull/735 ) and [feature
request](https://togithub.com/actions/setup-node/issues/488 )).
##### Besides, we made such changes as:
- Replace workflow badge with new badge by
[@​jongwooo](https://togithub.com/jongwooo ) in
[https://github.com/actions/setup-node/pull/653 ](https://togithub.com/actions/setup-node/pull/653 )
- Fix a minor typo by [@​phanan](https://togithub.com/phanan ) in
[https://github.com/actions/setup-node/pull/662 ](https://togithub.com/actions/setup-node/pull/662 )
- docs: fix typo in advanced-usage.md by
[@​remarkablemark](https://togithub.com/remarkablemark ) in
[https://github.com/actions/setup-node/pull/697 ](https://togithub.com/actions/setup-node/pull/697 )
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by
[@​domdomegg](https://togithub.com/domdomegg ) in
[https://github.com/actions/setup-node/pull/718 ](https://togithub.com/actions/setup-node/pull/718 )
- Update to node 18.x by
[@​feelepxyz](https://togithub.com/feelepxyz ) in
[https://github.com/actions/setup-node/pull/751 ](https://togithub.com/actions/setup-node/pull/751 )
- Remove implicit dependencies by
[@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) in
[https://github.com/actions/setup-node/pull/758 ](https://togithub.com/actions/setup-node/pull/758 )
- Fix description about ensuring workflow access to private package by
[@​x86chi](https://togithub.com/x86chi ) in
[https://github.com/actions/setup-node/pull/704 ](https://togithub.com/actions/setup-node/pull/704 )
##### New Contributors
- [@​jongwooo](https://togithub.com/jongwooo ) made their first
contribution in
[https://github.com/actions/setup-node/pull/653 ](https://togithub.com/actions/setup-node/pull/653 )
- [@​phanan](https://togithub.com/phanan ) made their first
contribution in
[https://github.com/actions/setup-node/pull/662 ](https://togithub.com/actions/setup-node/pull/662 )
- [@​remarkablemark](https://togithub.com/remarkablemark ) made
their first contribution in
[https://github.com/actions/setup-node/pull/697 ](https://togithub.com/actions/setup-node/pull/697 )
- [@​domdomegg](https://togithub.com/domdomegg ) made their first
contribution in
[https://github.com/actions/setup-node/pull/718 ](https://togithub.com/actions/setup-node/pull/718 )
- [@​feelepxyz](https://togithub.com/feelepxyz ) made their first
contribution in
[https://github.com/actions/setup-node/pull/751 ](https://togithub.com/actions/setup-node/pull/751 )
- [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) made
their first contribution in
[https://github.com/actions/setup-node/pull/758 ](https://togithub.com/actions/setup-node/pull/758 )
- [@​x86chi](https://togithub.com/x86chi ) made their first
contribution in
[https://github.com/actions/setup-node/pull/704 ](https://togithub.com/actions/setup-node/pull/704 )
**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.7.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v2.20.4`](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4 )
###
[`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3 )
###
[`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2 )
###
[`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1 )
###
[`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0 )
</details>
<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
###
[`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0 )
[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0 )
#### What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1192 ](https://togithub.com/ossf/scorecard-action/pull/1192 )
#### Scorecard Result Viewer
Thanks to contributions from
[@​cynthia-sg](https://togithub.com/cynthia-sg ) and
[@​tegioz](https://togithub.com/tegioz ) at
[CLOMonitor](https://togithub.com/cncf/clomonitor ), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri= <project-url>`.
-
[https://github.com/ossf/scorecard-webapp/pull/406 ](https://togithub.com/ossf/scorecard-webapp/pull/406 )
-
[https://github.com/ossf/scorecard-webapp/pull/422 ](https://togithub.com/ossf/scorecard-webapp/pull/422 )
As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard )
Checkout our
[README](08b4669551/README.md (scorecard-badge)08b4669551/README.md (workflow-restrictions)https://github.com/ossf/scorecard-action/pull/1156 ](https://togithub.com/ossf/scorecard-action/pull/1156 ),
resolved
[https://github.com/ossf/scorecard-action/issues/1150 ](https://togithub.com/ossf/scorecard-action/issues/1150 ))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191 ](https://togithub.com/ossf/scorecard-action/pull/1191 ))
#### Docs
- 📖 Update README to accept fine-grained tokens by
[@​pnacht](https://togithub.com/pnacht ) in
[https://github.com/ossf/scorecard-action/pull/1175 ](https://togithub.com/ossf/scorecard-action/pull/1175 )
- 📖 Update installation instructions to match current GitHub UI by
[@​joycebrum](https://togithub.com/joycebrum ) in
[https://github.com/ossf/scorecard-action/pull/1153 ](https://togithub.com/ossf/scorecard-action/pull/1153 )
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
#### New Contributors
- [@​bobcallaway](https://togithub.com/bobcallaway ) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140 ](https://togithub.com/ossf/scorecard-action/pull/1140 )
- [@​pnacht](https://togithub.com/pnacht ) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175 ](https://togithub.com/ossf/scorecard-action/pull/1175 )
**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-07-18 10:51:23 +09:00
Ian Lewis
e2b1828894
fix: pre-submit: e2e-cli.sh artifact download ( #646 )
...
Updates #647
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-29 10:05:12 -07:00
Ian Lewis
f025c630ac
refactor: Use Go 1.20 ( #643 )
...
Fixes #589
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-26 10:49:52 +09:00
Mend Renovate
3ee6cee147
chore(deps): update github-actions ( #607 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 09:44:31 +09:00
Ian Lewis
c39b10c4c9
fix: allow workflow_dispatch to trigger release.yml ( #637 )
...
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-08 22:49:25 +09:00
laurentsimon
bda35e0238
feat: BYOB verification support ( #604 )
...
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-05-23 01:41:17 +00:00
Mend Renovate
52a48d18af
chore(deps): update github-actions ( #597 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-05-15 04:05:12 +00:00
Mend Renovate
8da58c6c6d
chore(deps): update github/codeql-action action to v2.3.3 ( #585 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: asraa <asraa@google.com >
2023-05-08 16:30:17 +00:00
Mend Renovate
515b41ca3f
chore(deps): update github/codeql-action action to v2.3.2 ( #569 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-05-01 09:48:55 +09:00
Mend Renovate
e1ea1da472
chore(deps): update github-actions ( #560 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-04-18 10:52:54 +09:00
Mend Renovate
9c3152fe9f
chore(deps): update github-actions ( #544 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
2023-04-11 02:09:29 +00:00
Ian Lewis
f96d91bdd2
fix: Support pre-releases on trusted repos ( #552 )
...
Support pre-releases on trusted repos
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-04-11 08:54:33 +09:00
asraa
b01cb9d69c
chore: report scheduled release workflow failures ( #543 )
...
* chore: report scheduled release workflow failures
Signed-off-by: Asra Ali <asraa@google.com >
* fix: fix yamllint
Signed-off-by: Asra Ali <asraa@google.com >
* empty commit
Signed-off-by: Asra Ali <asraa@google.com >
---------
Signed-off-by: Asra Ali <asraa@google.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-03-24 23:40:49 +00:00
Mend Renovate
ed7976a0d4
chore(deps): update github-actions ( #529 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-03-24 14:36:38 +00:00
Mend Renovate
c4400c7475
chore(deps): update github-actions (major) ( #536 )
...
chore(deps): update github-actions
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-03-24 08:33:31 -05:00
Batuhan Apaydın
5c377787ec
feat: verification for provenance ( #537 )
...
* verification for provenance
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com >
* Fix linter warnings
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
---------
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com >
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-03-21 19:11:35 -07:00
Ian Lewis
a1be080731
fix: Update references check ( #533 )
...
Fix references check
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-03-17 09:54:07 -05:00
laurentsimon
20b06426ff
docs: update installation to cover the Action and to receive updates ( #523 )
...
docs: update installation to cover the Action and to receive updates (#523 )
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-03-10 15:46:04 -06:00
Mend Renovate
9f57e6add9
chore(deps): update github-actions ( #502 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
2023-03-06 00:48:50 +00:00
laurentsimon
82a12591ff
feat: npm default runner support ( #495 )
...
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
* update
Signed-off-by: laurentsimon <laurentsimon@google.com >
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-03-02 21:53:29 +00:00
Mend Renovate
13b4c3e75b
chore(deps): update github/codeql-action action to v2.2.4 ( #480 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-02-13 14:36:07 +00:00
Mend Renovate
9578b3838e
chore(deps): update github-actions ( #460 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-01-30 05:33:14 -08:00
Pedro Nacht
5deacad765
ci: Ensure all version references are up-to-date prior to release ( #447 )
...
* Create references.sh
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com >
* WIP: check docs in pre-submits
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com >
* Clean up
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com >
* Fix based on comments
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com >
* Add instructions to RELEASE.md
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com >
* Check references match version in PR body
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com >
---------
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-01-27 23:12:37 +00:00
Mend Renovate
5eea7c5537
chore(deps): update github/codeql-action action to v2.1.39 ( #452 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: asraa <asraa@google.com >
2023-01-25 15:59:45 +00:00
Mend Renovate
71e72f0a1f
chore(deps): update github/codeql-action action to v2.1.38 ( #444 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-01-16 10:37:41 +09:00
Ian Lewis
1da39d7e06
ci: Add javascript to CodeQL analysis ( #413 )
...
Signed-off-by: Ian Lewis <ianlewis@google.com >
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-01-11 10:21:11 -06:00
Mend Renovate
b06fbf5b04
chore(deps): update github-actions ( #436 )
...
* chore(deps): update github-actions
Signed-off-by: Renovate Bot <bot@renovateapp.com >
* Use tag for actions/upload-artifact
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: asraa <asraa@google.com >
2023-01-09 15:28:47 +00:00
Shunsuke Suzuki
325f12aabf
chore: release assets for multiple platforms ( #434 )
...
* chore: release assets for multiple platforms
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
* ci: release assets for windows and macOS
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
* ci: add configuration files for macOS and windows
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
* ci: remove a workflow job `if-failed`
This job is unneeded anymore.
https://github.com/slsa-framework/slsa-verifier/pull/434#discussion_r1063427948
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
* ci: move configuration files to a directory `.slsa-goreleaser`
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-01-07 00:56:30 +00:00
Shunsuke Suzuki
a4d4074bf6
ci: fix a deprecation warning ( #435 )
...
> args
> The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com >
2023-01-06 08:14:29 -06:00
Ian Lewis
452dcfac5f
ci: Add large file pre-submit check ( #433 )
...
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-01-06 09:29:13 +09:00
asraa
bad943298a
ci: add verifier e2e presubmit that runs CLI at main ( #430 )
...
* ci: add verifier e2e presubmit that runs CLI at main
Signed-off-by: Asra Ali <asraa@google.com >
Signed-off-by: Asra Ali <asraa@google.com >
2023-01-05 16:02:54 +00:00
Mend Renovate
652ec10cf9
chore(deps): update ossf/scorecard-action action to v2.1.2 ( #417 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Signed-off-by: Renovate Bot <bot@renovateapp.com >
Co-authored-by: asraa <asraa@google.com >
2023-01-03 20:16:07 +00:00
