github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-06 08:37:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
446 Commits 40 Branches 45 Tags
fa295ff0c86832a5cb1556715f3a4767ab7fb4e7
Commit Graph

446 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ramon Petgrave
fa295ff0c8 use slices.ContainsFunc 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-08-15 20:55:44 +00:00
Ramon Petgrave
552e674db7 lint 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-08-13 16:02:33 +00:00
Ramon Petgrave
bc65aede98 handle dssev001 tlog entry types 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-08-13 15:42:58 +00:00
dependabot[bot]
e8275856e0 chore(deps): bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible in the go_modules group (#798) 
Bumps the go_modules group with 1 update:
[github.com/docker/docker](https://github.com/docker/docker).

Updates `github.com/docker/docker` from 26.1.4+incompatible to
26.1.5+incompatible
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/docker/releases">github.com/docker/docker's
releases</a>.</em></p>
<blockquote>
<h2>v26.1.5</h2>
<h2>26.1.5</h2>
<h3>Security</h3>
<p>This release contains a fix for <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110">CVE-2024-41110</a>
/ <a
href="https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq">GHSA-v23v-6jw2-98fq</a>
that impacted setups using <a
href="https://docs.docker.com/engine/extend/plugins_authorization/">authorization
plugins (AuthZ)</a>
for access control. No other changes are included in this release, and
this
release is otherwise identical for users not using AuthZ plugins.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/moby/moby/compare/v26.1.4...v26.1.5">https://github.com/moby/moby/compare/v26.1.4...v26.1.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="411e817ddf"><code>411e817</code></a>
Merge commit from fork</li>
<li><a
href="9cc85eaef1"><code>9cc85ea</code></a>
If url includes scheme, urlPath will drop hostname, which would not
match the...</li>
<li><a
href="820cab90bc"><code>820cab9</code></a>
Authz plugin security fixes for 0-length content and path
validation</li>
<li><a
href="6bc49067a6"><code>6bc4906</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/48123">#48123</a>
from vvoland/v26.1-48120</li>
<li><a
href="6fbdce4b94"><code>6fbdce4</code></a>
update to go1.21.12</li>
<li><a
href="f5334644ec"><code>f533464</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47986">#47986</a>
from vvoland/v26.1-47985</li>
<li><a
href="c1d4587d76"><code>c1d4587</code></a>
builder/mobyexporter: Add missing nil check</li>
<li><a
href="d6428049a5"><code>d642804</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47940">#47940</a>
from thaJeztah/26.1_backport_api_remove_container_c...</li>
<li><a
href="daba2462f5"><code>daba246</code></a>
docs: api: image inspect: remove Container and ContainerConfig</li>
<li>See full diff in <a
href="https://github.com/docker/docker/compare/v26.1.4...v26.1.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=26.1.4+incompatible&new-version=26.1.5+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-08-12 11:04:32 -04:00
Mend Renovate
489e79138b chore(deps): update golang:1.21 docker digest to f2eb989 (#796) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `b405b62` -> `f2eb989` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-08-05 16:21:16 +00:00
Ramon Petgrave
c789437815 feat: refactor: use sigstore-go for fetching TrustedRoot (#791) 
Uses the `sigstore-go` library for fetching the `TrustedRoot`, which
contains the Sigstore infrastructure certificates needed to validate the
leaf ephemeral certificates used to sign artifacts.

Refactors:

- replace `TrustedRootSingleton()` with `getDefaultCosignCheckOpts()`,
since only `VerifyImage()` will now need that data.
- replace `cosign.ValidateAndUnpackCert`
with`sigstoreVerify.VerifyLeafCertificate()`
- use `sync.Once` for sigstore and rekor clients, and the `TrustedRoot`

## Testing

- existing tests continue to pass
- [negative tests
](d96b977709/cli/slsa-verifier/main_regression_test.go (L450-L471))
against rekor TLogs
- manual invocations of `verify-artifact`.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-08-02 21:47:50 +00:00
Ramon Petgrave
88bcb6bff7 chore: pin yamllint, golangci-lint (#783) 
pins the yaml-lint and golangci-lint dependency used in pre-submits.

This is to fix code-scanning alerts about unpinned dependencies
-
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/8
-
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/21

### Testing Process

The pre-submit test that uses yamllint and golangci-lint passes

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-08-02 19:51:07 +00:00
Ramon Petgrave
7f3db9211e feat: support npm cli provenance v1 attestations (#776) 
Fixes #614, #450, #449, #515

Adds support for NPM CLIs build provenances, generated when running `npm
publish --provenance --access public` from a [GitHub Actions
workflow](5995008213/.github/workflows/npm-publish.yml (L21)).

## Testing

- added unit tests for some new helper functions
- added regression test cases

## Future work

- https://github.com/slsa-framework/slsa-verifier/issues/493, so we can
do `--print-provenance`
- implemented in
https://github.com/slsa-framework/slsa-verifier/pull/768#discussion_r1662938115

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-07-30 19:46:04 +00:00
dependabot[bot]
0b14659dde chore(deps): bump github.com/docker/docker from 24.0.9+incompatible to 26.1.4+incompatible in the go_modules group (#794) 
Bumps the go_modules group with 1 update:
[github.com/docker/docker](https://github.com/docker/docker).

Updates `github.com/docker/docker` from 24.0.9+incompatible to
26.1.4+incompatible
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/docker/releases">github.com/docker/docker's
releases</a>.</em></p>
<blockquote>
<h2>v26.1.4</h2>
<h2>26.1.4</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A26.1.4">docker/cli,
26.1.4 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A26.1.4">moby/moby,
26.1.4 milestone</a></li>
<li>Deprecated and removed features, see <a
href="https://github.com/docker/cli/blob/v26.1.4/docs/deprecated.md">Deprecated
Features</a>.</li>
<li>Changes to the Engine API, see <a
href="https://github.com/moby/moby/blob/v26.1.4/docs/api/version-history.md">API
version history</a>.</li>
</ul>
<h3>Security</h3>
<p>This release updates the Go runtime to 1.21.11 which contains
security fixes for:</p>
<ul>
<li><a
href="https://redirect.github.com/golang/go/issues/66869">CVE-2024-24789</a></li>
<li><a
href="https://redirect.github.com/golang/go/issues/67680">CVE-2024-24790</a></li>
<li>A symlink time of check to time of use race condition during
directory removal reported by Addison Crump (<a
href="https://github.com/addisoncrump"><code>@​addisoncrump</code></a>).</li>
</ul>
<h3>Bug fixes and enhancements</h3>
<ul>
<li>Fixed an issue where promoting a node immediately after another node
was demoted could cause the promotion to fail. <a
href="https://redirect.github.com/moby/moby/pull/47870">moby/moby#47870</a></li>
<li>Prevent the daemon log from being spammed with <code>superfluous
response.WriteHeader call ...</code> messages.. <a
href="https://redirect.github.com/moby/moby/pull/47843">moby/moby#47843</a></li>
<li>Don't show empty hints when plugins return an empty hook message. <a
href="https://redirect.github.com/docker/cli/pull/5083">docker/cli#5083</a></li>
<li>Added <code>ContextType: &quot;moby&quot;</code> to the context
list/inspect output to address a compatibility issue with Visual Studio
Container Tools. <a
href="https://redirect.github.com/docker/cli/pull/5095">docker/cli#5095</a></li>
<li>Fix a compatibility issue with Visual Studio Container Tools. <a
href="https://redirect.github.com/docker/cli/pull/5095">docker/cli#5095</a></li>
</ul>
<h3>Packaging updates</h3>
<ul>
<li>Update containerd (static binaries only) to <a
href="https://github.com/containerd/containerd/releases/tag/v1.7.17">v1.7.17</a>.
<a
href="https://redirect.github.com/moby/moby/pull/47841">moby/moby#47841</a></li>
<li><a
href="https://redirect.github.com/golang/go/issues/66869">CVE-2024-24789</a>,
<a
href="https://redirect.github.com/golang/go/issues/67680">CVE-2024-24790</a>:
Update Go runtime to 1.21.11. <a
href="https://redirect.github.com/moby/moby/pull/47904">moby/moby#47904</a></li>
<li>Update Compose to <a
href="https://github.com/docker/compose/releases/tag/v2.27.1">v2.27.1</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1022">docker/docker-ce-packages#1022</a></li>
<li>Update Buildx to <a
href="https://github.com/docker/buildx/releases/tag/v0.14.1">v0.14.1</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1021">docker/docker-ce-packages#1021</a></li>
</ul>
<h2>v26.1.3</h2>
<h2>26.1.3</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A26.1.3">docker/cli,
26.1.3 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A26.1.3">moby/moby,
26.1.3 milestone</a></li>
<li>Deprecated and removed features, see <a
href="https://github.com/docker/cli/blob/v26.1.3/docs/deprecated.md">Deprecated
Features</a>.</li>
<li>Changes to the Engine API, see <a
href="https://github.com/moby/moby/blob/v26.1.3/docs/api/version-history.md">API
version history</a>.</li>
</ul>
<h3>Bug fixes and enhancements</h3>
<ul>
<li>Fix a regression that prevented the use of DNS servers within a
<code>--internal</code> network. <a
href="https://redirect.github.com/moby/moby/pull/47832">moby/moby#47832</a></li>
<li>When the internal DNS server's own address is supplied as an
external server address, ignore it to avoid unproductive recursion. <a
href="https://redirect.github.com/moby/moby/pull/47833">moby/moby#47833</a></li>
</ul>
<h3>Packaging updates</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="de5c9cf0b9"><code>de5c9cf</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47912">#47912</a>
from thaJeztah/26.1_backport_vendor_containerd_1.7.18</li>
<li><a
href="c62dcf8ab1"><code>c62dcf8</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47911">#47911</a>
from thaJeztah/26.1_backport_bump_containerd_binary...</li>
<li><a
href="17315a20ee"><code>17315a2</code></a>
vendor: github.com/containerd/containerd v1.7.18</li>
<li><a
href="cbd94183ab"><code>cbd9418</code></a>
update containerd binary to v1.7.18</li>
<li><a
href="fb9f72aeb6"><code>fb9f72a</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47904">#47904</a>
from thaJeztah/26.1_backport_bump_go1.21.11</li>
<li><a
href="3115daaa91"><code>3115daa</code></a>
update to go1.21.11</li>
<li><a
href="2861734174"><code>2861734</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47892">#47892</a>
from thaJeztah/26.1_backport_api_docs_network_confi...</li>
<li><a
href="9c95aea306"><code>9c95aea</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47893">#47893</a>
from thaJeztah/26.1_backport_bump_docker_py</li>
<li><a
href="3e09e197a7"><code>3e09e19</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47894">#47894</a>
from thaJeztah/26.1_backport_vendor_containerd_v1.7.17</li>
<li><a
href="65b679ac9c"><code>65b679a</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/47889">#47889</a>
from thaJeztah/26.1_backport_platforms_err_handling</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/docker/compare/v24.0.9...v26.1.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=24.0.9+incompatible&new-version=26.1.4+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-07-30 10:22:23 -04:00
Hayden B
40153f57a2 chore: Update CODEOWNERS to use teams (#793) 
This will assign teams rather than individuals to PRs.

Signed-off-by: Hayden B <hblauzvern@google.com>
 2024-07-23 18:18:55 -04:00
Ramon Petgrave
d96b977709 chore: v2.6.0: update docs (#789) 
#label:release v2.6.0

# How to Verify

Clone the repo and run the script described in
https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance.
```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.6.0
```

This will download the release files and verify the binaries. Confirm
that the output hashes matches those in this PR's SHA256SUM.md
-
https://github.com/slsa-framework/slsa-verifier/pull/789/files#diff-7834ca792905514302a0630d1c57dc1d330569a18fc2fff4aac6129efb00f4ccR1-R8

---------

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-07-17 12:21:44 -04:00
Ramon Petgrave
3714a2a468 fix: use tag for the builder in the release workflow (#788) 
The slsa-github-generator's workflow ref needs to be pinned by tag, not
by hash.

Fixes this error

-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9893912259/job/27330429383#step:4:17

```
Verifying slsa-verifier-linux-arm64 using slsa-verifier-linux-arm64.intoto.jsonl
Verified signature against tlog entry index 110869188 at URL: 24296fb24b120088fe641b8e84
Verifying artifact slsa-verifier-linux-arm64: FAILED: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: ""

FAILED: SLSA verification failed: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: ""
```

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
v2.6.0-rc.1 v2.6.0 		2024-07-11 12:34:52 -04:00
Ramon Petgrave
208ac12589 feat: vsa support (#777) 
Fixes #542

Adds support for VSAs.

## Testing process

- added some unit an end-to-end tests
- manually invoking

    ```
    go run ./cli/slsa-verifier/ verify-vsa \
    --subject-digest gce_image_id:8970095005306000053 \
--attestation-path
./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \
--verifier-id
https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \
--resource-uri
gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre
\
    --verified-level BCID_L1 \
    --verified-level SLSA_BUILD_LEVEL_2 \
--public-key-path
./cli/slsa-verifier/testdata/vsa/gce/v1/vsa_signing_public_key.pem \
    --public-key-id keystore://76574:prod:vsa_signing_public_key \
    --print-attestation



{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]}
    Verifying VSA: PASSED
    
    PASSED: SLSA verification passed
    ```

TODOS:
- open issue on the in_toto attestations repo about the incorrect json
[fields](36c1129542/go/predicates/vsa/v1/vsa.pb.go (L26-L40))
for vsa 1.0

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-07-10 21:25:16 -04:00
Mend Renovate
1049da4841 chore(deps): update github-actions (#786) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
patch | `v4.1.1` -> `v4.1.7` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | minor | `v4.2.5` -> `v4.3.3` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact)
| action | patch | `v4.1.4` -> `v4.1.7` |
| [actions/setup-go](https://togithub.com/actions/setup-go) | action |
patch | `v5.0.0` -> `v5.0.1` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | patch | `v4.3.1` -> `v4.3.3` |
|
[actionsdesk/lfs-warning](https://togithub.com/actionsdesk/lfs-warning)
| action | minor | `v3.2` -> `v3.3` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | minor | `v3.24.9` -> `v3.25.11` |
|
[golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action)
| action | pinDigest | -> `d6238b0` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.3.1` -> `v2.3.3` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator)
| action | pinDigest | -> `c747fe7` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier)
| action | minor | `v2.4.1` -> `v2.5.1` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.1.7`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.6...v4.1.7)

- Bump the minor-npm-dependencies group across 1 directory with 4
updates by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1739](https://togithub.com/actions/checkout/pull/1739)
- Bump actions/checkout from 3 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1697](https://togithub.com/actions/checkout/pull/1697)
- Check out other refs/\* by commit by
[@&#8203;orhantoy](https://togithub.com/orhantoy) in
[https://github.com/actions/checkout/pull/1774](https://togithub.com/actions/checkout/pull/1774)
- Pin actions/checkout's own workflows to a known, good, stable version.
by [@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1776](https://togithub.com/actions/checkout/pull/1776)

###
[`v4.1.6`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.5...v4.1.6)

- Check platform to set archive extension appropriately by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1732](https://togithub.com/actions/checkout/pull/1732)

###
[`v4.1.5`](https://togithub.com/actions/checkout/releases/tag/v4.1.5)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update NPM dependencies by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1703](https://togithub.com/actions/checkout/pull/1703)
- Bump github/codeql-action from 2 to 3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1694](https://togithub.com/actions/checkout/pull/1694)
- Bump actions/setup-node from 1 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1696](https://togithub.com/actions/checkout/pull/1696)
- Bump actions/upload-artifact from 2 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1695](https://togithub.com/actions/checkout/pull/1695)
- README: Suggest `user.email` to be
`41898282+github-actions[bot]@&#8203;users.noreply.github.com` by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1707](https://togithub.com/actions/checkout/pull/1707)

**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.4...v4.1.5

###
[`v4.1.4`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.3...v4.1.4)

- Disable `extensions.worktreeConfig` when disabling `sparse-checkout`
by [@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1692](https://togithub.com/actions/checkout/pull/1692)
- Add dependabot config by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1688](https://togithub.com/actions/checkout/pull/1688)
- Bump the minor-actions-dependencies group with 2 updates by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1693](https://togithub.com/actions/checkout/pull/1693)
- Bump word-wrap from 1.2.3 to 1.2.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1643](https://togithub.com/actions/checkout/pull/1643)

###
[`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3)

#### What's Changed

- Update `actions/checkout` version in `update-main-version.yml` by
[@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650)
- Check git version before attempting to disable `sparse-checkout` by
[@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656)
- Add SSH user parameter by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685)

**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.2...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2)

- Fix: Disable sparse checkout whenever `sparse-checkout` option is not
present [@&#8203;dscho](https://togithub.com/dscho) in
[https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.3.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.3):
Notes for v4.3.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3)

#### What's Changed

- Allow slashes in purl package names by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/765](https://togithub.com/actions/dependency-review-action/pull/765)
- use the v3 version of the deps.dev API by
[@&#8203;josieang](https://togithub.com/josieang) in
[https://github.com/actions/dependency-review-action/pull/741](https://togithub.com/actions/dependency-review-action/pull/741)
- PR with suggestions - \[Improvement]: Help streamline / simplify
dependency review action README by
[@&#8203;am-stead](https://togithub.com/am-stead) in
[https://github.com/actions/dependency-review-action/pull/773](https://togithub.com/actions/dependency-review-action/pull/773)
- fix show-openssf-scorecard-levels input by
[@&#8203;ramann](https://togithub.com/ramann) in
[https://github.com/actions/dependency-review-action/pull/776](https://togithub.com/actions/dependency-review-action/pull/776)
- Updates to the contribution guidelines by
[@&#8203;jonjanego](https://togithub.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/778](https://togithub.com/actions/dependency-review-action/pull/778)
- Create issue templates by
[@&#8203;jonjanego](https://togithub.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/777](https://togithub.com/actions/dependency-review-action/pull/777)
- Fix the max comment length issue by
[@&#8203;jhutchings1](https://togithub.com/jhutchings1) and
[@&#8203;elireisman](https://togithub.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/767](https://togithub.com/actions/dependency-review-action/pull/767)
- Bump project version to 4.3.3 in prep for a release by
[@&#8203;elireisman](https://togithub.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/781](https://togithub.com/actions/dependency-review-action/pull/781)

#### New Contributors

- [@&#8203;josieang](https://togithub.com/josieang) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/741](https://togithub.com/actions/dependency-review-action/pull/741)
- [@&#8203;am-stead](https://togithub.com/am-stead) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/773](https://togithub.com/actions/dependency-review-action/pull/773)
- [@&#8203;ramann](https://togithub.com/ramann) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/776](https://togithub.com/actions/dependency-review-action/pull/776)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3

###
[`v4.3.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.2)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2)

#### What's Changed

- Fix package-url parsing for allow-dependencies-licenses by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/761](https://togithub.com/actions/dependency-review-action/pull/761)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2

###
[`v4.3.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.1)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.0...v4.3.1)

#### What's Changed

This release fixes some bugs related to package-url parsing that were
introduced in 4.3.0. See
[https://github.com/actions/dependency-review-action/pull/753](https://togithub.com/actions/dependency-review-action/pull/753).

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/V4.3.0...v4.3.1

###
[`v4.3.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.0)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.5...v4.3.0)

#### New Features

- The `deny-packages` option can now be used without a version number to
exclude *all* versions of a package.

#### What's Changed

- Fix action variable name for scorecard by
[@&#8203;lukehinds](https://togithub.com/lukehinds) in
[https://github.com/actions/dependency-review-action/pull/735](https://togithub.com/actions/dependency-review-action/pull/735)
- Fix extra https:// in summary by
[@&#8203;jhutchings1](https://togithub.com/jhutchings1) in
[https://github.com/actions/dependency-review-action/pull/748](https://togithub.com/actions/dependency-review-action/pull/748)
- Bump typescript from 5.3.3 to 5.4.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/744](https://togithub.com/actions/dependency-review-action/pull/744)
- Bump eslint-plugin-github from 4.10.1 to 4.10.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/737](https://togithub.com/actions/dependency-review-action/pull/737)
- Show denied packages with red X by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/750](https://togithub.com/actions/dependency-review-action/pull/750)
- deny-packages configuration option can deny specified version or all
packages by [@&#8203;febuiles](https://togithub.com/febuiles) and
[@&#8203;bteng22](https://togithub.com/bteng22) in
[https://github.com/actions/dependency-review-action/pull/733](https://togithub.com/actions/dependency-review-action/pull/733)

#### New Contributors

- [@&#8203;bteng22](https://togithub.com/bteng22) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/733](https://togithub.com/actions/dependency-review-action/pull/733)
- [@&#8203;lukehinds](https://togithub.com/lukehinds) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/735](https://togithub.com/actions/dependency-review-action/pull/735)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.5...V4.3.0

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.7`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.7)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.6...v4.1.7)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact)
dependency by [@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/325](https://togithub.com/actions/download-artifact/pull/325)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.6...v4.1.7

###
[`v4.1.6`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.6)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.5...v4.1.6)

#### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/download-artifact/pull/324](https://togithub.com/actions/download-artifact/pull/324)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.5...v4.1.6

###
[`v4.1.5`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.5)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/322](https://togithub.com/actions/download-artifact/pull/322)
- Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact`
to v2.1.5

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4.1.4...v4.1.5

</details>

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v5.0.1`](https://togithub.com/actions/setup-go/releases/tag/v5.0.1)

[Compare
Source](https://togithub.com/actions/setup-go/compare/v5.0.0...v5.0.1)

#### What's Changed

- Bump undici from 5.28.2 to 5.28.3 and dependencies upgrade by
[@&#8203;dependabot](https://togithub.com/dependabot) ,
[@&#8203;HarithaVattikuti](https://togithub.com/HarithaVattikuti) in
[https://github.com/actions/setup-go/pull/465](https://togithub.com/actions/setup-go/pull/465)
- Update documentation with latest V5 release notes by
[@&#8203;ab](https://togithub.com/ab) in
[https://github.com/actions/setup-go/pull/459](https://togithub.com/actions/setup-go/pull/459)
- Update version documentation by
[@&#8203;178inaba](https://togithub.com/178inaba) in
[https://github.com/actions/setup-go/pull/458](https://togithub.com/actions/setup-go/pull/458)
- Documentation update of `actions/setup-go` to v5 by
[@&#8203;chenrui333](https://togithub.com/chenrui333) in
[https://github.com/actions/setup-go/pull/449](https://togithub.com/actions/setup-go/pull/449)

#### New Contributors

- [@&#8203;ab](https://togithub.com/ab) made their first contribution in
[https://github.com/actions/setup-go/pull/459](https://togithub.com/actions/setup-go/pull/459)

**Full Changelog**:
https://github.com/actions/setup-go/compare/v5.0.0...v5.0.1

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.3`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.3)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.2...v4.3.3)

##### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/565](https://togithub.com/actions/upload-artifact/pull/565)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3

###
[`v4.3.2`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.2)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.1...v4.3.2)

#### What's Changed

- Update release-new-action-version.yml by
[@&#8203;konradpabjan](https://togithub.com/konradpabjan) in
[https://github.com/actions/upload-artifact/pull/516](https://togithub.com/actions/upload-artifact/pull/516)
- Minor fix to the migration readme by
[@&#8203;andrewakim](https://togithub.com/andrewakim) in
[https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523)
- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/561](https://togithub.com/actions/upload-artifact/pull/561)
- updating `@actions/artifact` dependency to v2.1.5 and `@actions/core`
to v1.0.1 by [@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/562](https://togithub.com/actions/upload-artifact/pull/562)

#### New Contributors

- [@&#8203;andrewakim](https://togithub.com/andrewakim) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2

</details>

<details>
<summary>actionsdesk/lfs-warning (actionsdesk/lfs-warning)</summary>

### [`v3.3`](https://togithub.com/ppremk/lfs-warning/releases/tag/v3.3)

[Compare
Source](https://togithub.com/actionsdesk/lfs-warning/compare/v3.2...v3.3)

#### What's Changed

- update node js to 16 by
[@&#8203;GlazerMann](https://togithub.com/GlazerMann) in
[https://github.com/ppremk/lfs-warning/pull/148](https://togithub.com/ppremk/lfs-warning/pull/148)
- Fixing README to match repo move by
[@&#8203;samthebest](https://togithub.com/samthebest) in
[https://github.com/ppremk/lfs-warning/pull/153](https://togithub.com/ppremk/lfs-warning/pull/153)
- Update CODEOWNERS by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/158](https://togithub.com/ppremk/lfs-warning/pull/158)
- Bump http-cache-semantics from 4.1.0 to 4.1.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/151](https://togithub.com/ppremk/lfs-warning/pull/151)
- Bump [@&#8203;babel/traverse](https://togithub.com/babel/traverse)
from 7.15.4 to 7.23.4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/159](https://togithub.com/ppremk/lfs-warning/pull/159)
- Bump tough-cookie from 4.0.0 to 4.1.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/160](https://togithub.com/ppremk/lfs-warning/pull/160)
- Bump cacheable-request and gts by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/152](https://togithub.com/ppremk/lfs-warning/pull/152)
- Update emoji and convert file list to markdown list by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/161](https://togithub.com/ppremk/lfs-warning/pull/161)
- Bump got and gts by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/155](https://togithub.com/ppremk/lfs-warning/pull/155)
- Exclude files without blob_url when getting PR blobs by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/162](https://togithub.com/ppremk/lfs-warning/pull/162)
- Support pull_request_target by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/164](https://togithub.com/ppremk/lfs-warning/pull/164)
- Update-node by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/163](https://togithub.com/ppremk/lfs-warning/pull/163)
- Fix text setup for the issue comment by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/166](https://togithub.com/ppremk/lfs-warning/pull/166)
- Validate PR changes to make sure there are no changes missing by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/165](https://togithub.com/ppremk/lfs-warning/pull/165)
- Fix emoji by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/167](https://togithub.com/ppremk/lfs-warning/pull/167)
- Bump undici from 5.28.2 to 5.28.4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/171](https://togithub.com/ppremk/lfs-warning/pull/171)

#### New Contributors

- [@&#8203;GlazerMann](https://togithub.com/GlazerMann) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/148](https://togithub.com/ppremk/lfs-warning/pull/148)
- [@&#8203;samthebest](https://togithub.com/samthebest) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/153](https://togithub.com/ppremk/lfs-warning/pull/153)
- [@&#8203;rajbos](https://togithub.com/rajbos) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/158](https://togithub.com/ppremk/lfs-warning/pull/158)

**Full Changelog**:
https://github.com/ppremk/lfs-warning/compare/v3.2...v3.3

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.25.11`](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11)

###
[`v3.25.10`](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10)

###
[`v3.25.9`](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9)

###
[`v3.25.8`](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8)

###
[`v3.25.7`](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7)

###
[`v3.25.6`](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6)

###
[`v3.25.5`](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5)

###
[`v3.25.4`](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4)

###
[`v3.25.3`](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3)

###
[`v3.25.2`](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2)

###
[`v3.25.1`](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1)

###
[`v3.25.0`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.25.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.11...v3.25.0)

###
[`v3.24.11`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11)

###
[`v3.24.10`](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.3)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.2...v2.3.3)

> \[!NOTE]\
> There is no v2.3.2 release as a step was skipped in the release
process. This was fixed and re-released under the v2.3.3 tag

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to
github.com/ossf/scorecard/v5 (v5.0.0-rc1) by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1366](https://togithub.com/ossf/scorecard-action/pull/1366)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to
v5.0.0-rc2 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1374](https://togithub.com/ossf/scorecard-action/pull/1374)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to
v5.0.0-rc2.0.20240509182734-7ce860946928 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1377](https://togithub.com/ossf/scorecard-action/pull/1377)

For a full changelist of what these include, see the
[v5.0.0-rc1](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc1)
and
[v5.0.0-rc2](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc2)
release notes.

##### Documentation

- 📖 Move token discussion out of main README. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1279](https://togithub.com/ossf/scorecard-action/pull/1279)
- 📖 link to `ossf/scorecard` workflow instead of maintaining an
example by [@&#8203;spencerschrock](https://togithub.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1352](https://togithub.com/ossf/scorecard-action/pull/1352)
- 📖 update api links to new scorecard.dev site by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1376](https://togithub.com/ossf/scorecard-action/pull/1376)

**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.3

###
[`v2.3.2`](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.5.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.5.1)

[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1)

#### What's Changed

- feat: Add cosign registry opts for provenance registry by
[@&#8203;saisatishkarra](https://togithub.com/saisatishkarra) in
[https://github.com/slsa-framework/slsa-verifier/pull/729](https://togithub.com/slsa-framework/slsa-verifier/pull/729)
and
[https://github.com/slsa-framework/slsa-verifier/pull/736](https://togithub.com/slsa-framework/slsa-verifier/pull/736)
- feat: Add support for DSSE Rekor type by
[@&#8203;haydentherapper](https://togithub.com/haydentherapper) in
[https://github.com/slsa-framework/slsa-verifier/pull/742](https://togithub.com/slsa-framework/slsa-verifier/pull/742)

#### New Contributors

- [@&#8203;saisatishkarra](https://togithub.com/saisatishkarra) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/729](https://togithub.com/slsa-framework/slsa-verifier/pull/729)
- [@&#8203;ramonpetgrave64](https://togithub.com/ramonpetgrave64) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/737](https://togithub.com/slsa-framework/slsa-verifier/pull/737)
- [@&#8203;haydentherapper](https://togithub.com/haydentherapper) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/742](https://togithub.com/slsa-framework/slsa-verifier/pull/742)

**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-07-01 17:21:38 +00:00
Mend Renovate
903cddc5c3 fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 (#787) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-core](https://maven.apache.org/) | `3.9.6` ->
`3.9.8` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-core/3.9.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-core/3.9.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-core/3.9.6/3.9.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-core/3.9.6/3.9.8?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-07-01 12:43:35 -04:00
Mend Renovate
4bab78a528 chore(deps): update npm dev (#650) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence | Type |
Update |
|---|---|---|---|---|---|---|---|
|
[@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node)
([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node))
| [`18.19.28` ->
`18.19.33`](https://renovatebot.com/diffs/npm/@types%2fnode/18.19.28/18.19.33)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fnode/18.19.33?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@types%2fnode/18.19.33?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@types%2fnode/18.19.28/18.19.33?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fnode/18.19.28/18.19.33?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | patch |
| [eslint](https://eslint.org)
([source](https://togithub.com/eslint/eslint)) | [`^8.57.0` ->
`8.57.0`](https://renovatebot.com/diffs/npm/eslint/8.57.0/8.57.0) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/eslint/8.57.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/eslint/8.57.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/eslint/8.57.0/8.57.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint/8.57.0/8.57.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |
|
[eslint-plugin-prettier](https://togithub.com/prettier/eslint-plugin-prettier)
| [`^5.1.3` ->
`5.1.3`](https://renovatebot.com/diffs/npm/eslint-plugin-prettier/5.1.3/5.1.3)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/eslint-plugin-prettier/5.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/eslint-plugin-prettier/5.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/eslint-plugin-prettier/5.1.3/5.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint-plugin-prettier/5.1.3/5.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |
| [markdown-toc](https://togithub.com/jonschlinkert/markdown-toc) |
[`^1.2.0` ->
`1.2.0`](https://renovatebot.com/diffs/npm/markdown-toc/1.2.0/1.2.0) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/markdown-toc/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/markdown-toc/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/markdown-toc/1.2.0/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/markdown-toc/1.2.0/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |
| [renovate](https://renovatebot.com)
([source](https://togithub.com/renovatebot/renovate)) | [`37.363.4` ->
`37.374.1`](https://renovatebot.com/diffs/npm/renovate/37.363.4/37.374.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/renovate/37.374.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/renovate/37.374.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/renovate/37.363.4/37.374.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/renovate/37.363.4/37.374.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | minor |
| [typescript](https://www.typescriptlang.org/)
([source](https://togithub.com/Microsoft/TypeScript)) | [`^5.4.3` ->
`5.4.3`](https://renovatebot.com/diffs/npm/typescript/5.4.3/5.4.3) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/typescript/5.4.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/typescript/5.4.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/typescript/5.4.3/5.4.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/typescript/5.4.3/5.4.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |
|
[typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint)
([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint))
| [`^7.5.0` ->
`7.5.0`](https://renovatebot.com/diffs/npm/typescript-eslint/7.5.0/7.5.0)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/typescript-eslint/7.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/typescript-eslint/7.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/typescript-eslint/7.5.0/7.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/typescript-eslint/7.5.0/7.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | pin |

---

### Release Notes

<details>
<summary>renovatebot/renovate (renovate)</summary>

###
[`v37.374.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.374.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.374.0...37.374.1)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.6
([#&#8203;29212](https://togithub.com/renovatebot/renovate/issues/29212))
([f4eeaaa](f4eeaaaff6))

###
[`v37.374.0`](https://togithub.com/renovatebot/renovate/compare/37.373.0...fe62e80aebe988dd9dcbe47d3e5eee225ec3904d)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.373.0...37.374.0)

###
[`v37.373.0`](https://togithub.com/renovatebot/renovate/compare/37.372.1...25255596d63a03a312885aba1b25fdfd7b76c7a4)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.372.1...37.373.0)

###
[`v37.372.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.372.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.372.0...37.372.1)

##### Bug Fixes

- **packageRules:** prPriority should only be in packageRules
([#&#8203;29201](https://togithub.com/renovatebot/renovate/issues/29201))
([70f1f93](70f1f93823))

###
[`v37.372.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.372.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.371.1...37.372.0)

##### Features

- **util/package-rules:** allow glob pattens in match{Current,New}Value
([#&#8203;29168](https://togithub.com/renovatebot/renovate/issues/29168))
([56856d4](56856d4a46))

##### Bug Fixes

- **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.14
([#&#8203;29199](https://togithub.com/renovatebot/renovate/issues/29199))
([4edd63a](4edd63a297))
- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.5
([#&#8203;29200](https://togithub.com/renovatebot/renovate/issues/29200))
([757574b](757574b931))

##### Miscellaneous Chores

- **deps:** update ghcr.io/containerbase/devcontainer docker tag to
v10.6.14
([#&#8203;29198](https://togithub.com/renovatebot/renovate/issues/29198))
([a8855d8](a8855d811c))

###
[`v37.371.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.371.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.371.0...37.371.1)

##### Bug Fixes

- **pdm:** change pdm update strategy to eager
([#&#8203;29183](https://togithub.com/renovatebot/renovate/issues/29183))
([2f335b6](2f335b61f4))

##### Miscellaneous Chores

- **deps:** update dependency
[@&#8203;swc/core](https://togithub.com/swc/core) to v1.5.7
([#&#8203;29192](https://togithub.com/renovatebot/renovate/issues/29192))
([436fa71](436fa71ce4))
- **deps:** update linters to v7.10.0
([#&#8203;29196](https://togithub.com/renovatebot/renovate/issues/29196))
([ab36239](ab36239421))
- log when \_PROXY values detected
([#&#8203;29191](https://togithub.com/renovatebot/renovate/issues/29191))
([e281931](e28193134a))

###
[`v37.371.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.371.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.370.0...37.371.0)

##### Features

- **asdf:** Add rebar3 to asdf manager
([#&#8203;29188](https://togithub.com/renovatebot/renovate/issues/29188))
([2e6c563](2e6c5636ea))

##### Miscellaneous Chores

- **deps:** update linters
([#&#8203;29193](https://togithub.com/renovatebot/renovate/issues/29193))
([f59c7f3](f59c7f3162))

###
[`v37.370.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.370.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.369.1...37.370.0)

##### Features

- **self-hosted:** `mergeConfidenceEndpoint` and
`mergeConfidenceDatasources`
([#&#8203;28880](https://togithub.com/renovatebot/renovate/issues/28880))
([044dc0f](044dc0fa28))

###
[`v37.369.1`](https://togithub.com/renovatebot/renovate/compare/37.369.0...ae15a51554828bb3891268c16f180124a90ade55)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.369.0...37.369.1)

###
[`v37.369.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.369.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.10...37.369.0)

##### Features

- **datasource:** `sourceUrl` & `releaseTimestamp` support
([#&#8203;29122](https://togithub.com/renovatebot/renovate/issues/29122))
([d0b77e5](d0b77e584a))

###
[`v37.368.10`](https://togithub.com/renovatebot/renovate/compare/37.368.9...3c75e4bfb3e6786508f57ead837af102d468f4ab)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.9...37.368.10)

###
[`v37.368.9`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.9)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.8...37.368.9)

##### Bug Fixes

- **homebrew:** handle new github archive url format
([#&#8203;29138](https://togithub.com/renovatebot/renovate/issues/29138))
([e035f05](e035f0562d))

###
[`v37.368.8`](https://togithub.com/renovatebot/renovate/compare/37.368.7...5b88dd6a31c24880da2b2dc5915916a8f3e4f6e8)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.7...37.368.8)

###
[`v37.368.7`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.7)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.6...37.368.7)

##### Bug Fixes

- **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.12
([#&#8203;29157](https://togithub.com/renovatebot/renovate/issues/29157))
([4a1e758](4a1e75889f))

##### Documentation

- **readme:** better alt text, add toggleable list of companies/projects
that use Renovate
([#&#8203;29022](https://togithub.com/renovatebot/renovate/issues/29022))
([f8f5184](f8f518493d))

##### Miscellaneous Chores

- **deps:** update containerbase/internal-tools action to v3.0.88
([#&#8203;29149](https://togithub.com/renovatebot/renovate/issues/29149))
([92686aa](92686aa201))

###
[`v37.368.6`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.6)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.5...37.368.6)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.3
([#&#8203;29143](https://togithub.com/renovatebot/renovate/issues/29143))
([7f6964c](7f6964cea9))

###
[`v37.368.5`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.5)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.4...37.368.5)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.2
([#&#8203;29142](https://togithub.com/renovatebot/renovate/issues/29142))
([c23c70f](c23c70fc8b))

##### Miscellaneous Chores

- **deps:** update dependency rimraf to v5.0.7
([#&#8203;29141](https://togithub.com/renovatebot/renovate/issues/29141))
([483bfc2](483bfc28f5))

###
[`v37.368.4`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.4)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.3...37.368.4)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.1
([#&#8203;29140](https://togithub.com/renovatebot/renovate/issues/29140))
([947bf17](947bf17aea))

##### Miscellaneous Chores

- **deps:** update dependency rimraf to v5.0.6
([#&#8203;29139](https://togithub.com/renovatebot/renovate/issues/29139))
([a2ba884](a2ba88412c))

###
[`v37.368.3`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.3)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.2...37.368.3)

##### Bug Fixes

- **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.11
([#&#8203;29134](https://togithub.com/renovatebot/renovate/issues/29134))
([8216f20](8216f205dc))

##### Documentation

- **config:** warn about spaces in `schedule`
([#&#8203;29121](https://togithub.com/renovatebot/renovate/issues/29121))
([ebfb48d](ebfb48d416))

##### Miscellaneous Chores

- **deps:** update ghcr.io/containerbase/devcontainer docker tag to
v10.6.11
([#&#8203;29133](https://togithub.com/renovatebot/renovate/issues/29133))
([463226b](463226b1ed))

###
[`v37.368.2`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.2)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.1...37.368.2)

##### Bug Fixes

- **gomod:** treat v0 pseudo version updates as digest updates
([#&#8203;29042](https://togithub.com/renovatebot/renovate/issues/29042))
([6f8cde4](6f8cde4e67))

###
[`v37.368.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.368.0...37.368.1)

##### Miscellaneous Chores

- **deps:** update actions/checkout action to v4.1.6
([#&#8203;29126](https://togithub.com/renovatebot/renovate/issues/29126))
([f951139](f951139409))

##### Build System

- **deps:** update dependency glob to v10.3.15
([#&#8203;29125](https://togithub.com/renovatebot/renovate/issues/29125))
([dc7d73f](dc7d73f98f))

###
[`v37.368.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.368.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.367.0...37.368.0)

##### Features

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.12.0
([#&#8203;29124](https://togithub.com/renovatebot/renovate/issues/29124))
([676e1ef](676e1ef47f))

##### Build System

- **deps:** update dependency glob to v10.3.14
([#&#8203;29123](https://togithub.com/renovatebot/renovate/issues/29123))
([40a6b4d](40a6b4d290))

###
[`v37.367.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.367.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.366.1...37.367.0)

##### Features

- **presets:** add replacements for ZAP org moves
([#&#8203;29117](https://togithub.com/renovatebot/renovate/issues/29117))
([7df1dc7](7df1dc77ae))

###
[`v37.366.1`](https://togithub.com/renovatebot/renovate/releases/tag/37.366.1)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.366.0...37.366.1)

##### Build System

- **deps:** update dependency jsonata to v2.0.5
([#&#8203;29116](https://togithub.com/renovatebot/renovate/issues/29116))
([8bbde23](8bbde23579))

###
[`v37.366.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.366.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.365.0...37.366.0)

##### Features

- **datasource:** Add python-version datasource
([#&#8203;27583](https://togithub.com/renovatebot/renovate/issues/27583))
([c8aacc4](c8aacc4c05))
- Support custom artifact notice
([#&#8203;28957](https://togithub.com/renovatebot/renovate/issues/28957))
([1c8eb34](1c8eb34876))

###
[`v37.365.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.365.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.364.0...37.365.0)

##### Features

- **presets/workarounds:** add bitnami docker versioning
([#&#8203;29112](https://togithub.com/renovatebot/renovate/issues/29112))
([66de046](66de0465e9))

###
[`v37.364.0`](https://togithub.com/renovatebot/renovate/releases/tag/37.364.0)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.9...37.364.0)

##### Features

- **presets:** add strum to monorepos
([#&#8203;29109](https://togithub.com/renovatebot/renovate/issues/29109))
([20716b0](20716b0609))

##### Miscellaneous Chores

- **deps:** update containerbase/internal-tools action to v3.0.87
([#&#8203;29108](https://togithub.com/renovatebot/renovate/issues/29108))
([e03a5cf](e03a5cf0cb))

##### Tests

- **osgi:** Use "codeBlock" for tests
([#&#8203;29110](https://togithub.com/renovatebot/renovate/issues/29110))
([2429a07](2429a07eef))

###
[`v37.363.9`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.9)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.8...37.363.9)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.11.2
([#&#8203;29099](https://togithub.com/renovatebot/renovate/issues/29099))
([99ba857](99ba857374))

##### Documentation

- **config:** add note about GnuPG v2.4 usage
([#&#8203;29067](https://togithub.com/renovatebot/renovate/issues/29067))
([88fd212](88fd2124ff))

###
[`v37.363.8`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.8)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.7...37.363.8)

##### Bug Fixes

- **deps:** update ghcr.io/containerbase/sidecar docker tag to v10.6.10
([#&#8203;29096](https://togithub.com/renovatebot/renovate/issues/29096))
([1254f6a](1254f6a662))

##### Documentation

- **bot comparison:** dependabot-core switched to MIT license
([#&#8203;29095](https://togithub.com/renovatebot/renovate/issues/29095))
([d9cd961](d9cd9612ec))
- Update Swissquote article with information on the scheduler and
dashboards
([#&#8203;29030](https://togithub.com/renovatebot/renovate/issues/29030))
([01f9861](01f9861069))

###
[`v37.363.7`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.7)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.6...37.363.7)

##### Miscellaneous Chores

- **deps:** update ghcr.io/containerbase/devcontainer docker tag to
v10.6.10
([#&#8203;29091](https://togithub.com/renovatebot/renovate/issues/29091))
([dba9ad3](dba9ad3353))

##### Build System

- **deps:** update dependency zod to v3.23.8
([#&#8203;29090](https://togithub.com/renovatebot/renovate/issues/29090))
([caedb6f](caedb6f452))

###
[`v37.363.6`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.6)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.5...37.363.6)

##### Bug Fixes

- **datasource/github-runners:** add Ubuntu 24.04 Noble Numbat as
unstable
([#&#8203;29088](https://togithub.com/renovatebot/renovate/issues/29088))
([e291ef0](e291ef0dbd))

###
[`v37.363.5`](https://togithub.com/renovatebot/renovate/releases/tag/37.363.5)

[Compare
Source](https://togithub.com/renovatebot/renovate/compare/37.363.4...37.363.5)

##### Bug Fixes

- **deps:** update ghcr.io/renovatebot/base-image docker tag to v2.11.1
([#&#8203;29079](https://togithub.com/renovatebot/renovate/issues/29079))
([945c4cf](945c4cf8ba))

##### Miscellaneous Chores

- **deps:** update codecov/codecov-action action to v4.4.0
([#&#8203;29080](https://togithub.com/renovatebot/renovate/issues/29080))
([78edb5b](78edb5b0f8))

##### Build System

- **deps:** update dependency zod to v3.23.7
([#&#8203;29077](https://togithub.com/renovatebot/renovate/issues/29077))
([ead5d55](ead5d55a49))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM3LjM2OC4xMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-06-27 18:54:52 +00:00
Mend Renovate
163abe52e2 chore(deps): update golang:1.21 docker digest to b405b62 (#774) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `d83472f` -> `b405b62` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzcuOCIsInVwZGF0ZWRJblZlciI6IjM3LjQxMy4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-06-27 18:37:34 +00:00
Ramon Petgrave
2f70fef663 fix: make download-artifacts.sh more flexible (#761) 
Making the `download-artifacts.sh` script be more useful.

Before, it would error upon seeing some zip files that it doesn't expect
to be in the GH release. I think the script is just a bit outdated. But
for now, I think we should bypass that, since the script is already
written to know which of the final files within the archives are
actually needed.

related PR
https://github.com/slsa-framework/slsa-github-generator/pull/3589

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-27 17:22:49 +00:00
Mend Renovate
b69efeea0b fix(deps): update golang.org/x/exp digest to 7f521ea (#775) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `2478ac8` -> `7f521ea` |

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzcuOCIsInVwZGF0ZWRJblZlciI6IjM3LjM5My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
 2024-06-27 17:07:30 +00:00
dependabot[bot]
34ab203678 chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates (#784) 
Bumps the npm_and_yarn group with 1 update in the / directory:
[braces](https://github.com/micromatch/braces).
Bumps the npm_and_yarn group with 2 updates in the /actions/installer
directory: [braces](https://github.com/micromatch/braces) and
[undici](https://github.com/nodejs/undici).

Updates `braces` from 3.0.2 to 3.0.3
<details>
<summary>Commits</summary>
<ul>
<li><a
href="74b2db2938"><code>74b2db2</code></a>
3.0.3</li>
<li><a
href="88f1429a0f"><code>88f1429</code></a>
update eslint. lint, fix unit tests.</li>
<li><a
href="415d660c30"><code>415d660</code></a>
Snyk js braces 6838727 (<a
href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li>
<li><a
href="190510f79d"><code>190510f</code></a>
fix tests, skip 1 test in test/braces.expand</li>
<li><a
href="716eb9f12d"><code>716eb9f</code></a>
readme bump</li>
<li><a
href="a5851e57f4"><code>a5851e5</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/braces/issues/37">#37</a>
from coderaiser/fix/vulnerability</li>
<li><a
href="2092bd1fb1"><code>2092bd1</code></a>
feature: braces: add maxSymbols (<a
href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li>
<li><a
href="9f5b4cf473"><code>9f5b4cf</code></a>
fix: vulnerability (<a
href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li>
<li><a
href="98414f9f1f"><code>98414f9</code></a>
remove funding file</li>
<li><a
href="665ab5d561"><code>665ab5d</code></a>
update keepEscaping doc (<a
href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare
view</a></li>
</ul>
</details>
<br />

Updates `braces` from 3.0.2 to 3.0.3
<details>
<summary>Commits</summary>
<ul>
<li><a
href="74b2db2938"><code>74b2db2</code></a>
3.0.3</li>
<li><a
href="88f1429a0f"><code>88f1429</code></a>
update eslint. lint, fix unit tests.</li>
<li><a
href="415d660c30"><code>415d660</code></a>
Snyk js braces 6838727 (<a
href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li>
<li><a
href="190510f79d"><code>190510f</code></a>
fix tests, skip 1 test in test/braces.expand</li>
<li><a
href="716eb9f12d"><code>716eb9f</code></a>
readme bump</li>
<li><a
href="a5851e57f4"><code>a5851e5</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/braces/issues/37">#37</a>
from coderaiser/fix/vulnerability</li>
<li><a
href="2092bd1fb1"><code>2092bd1</code></a>
feature: braces: add maxSymbols (<a
href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li>
<li><a
href="9f5b4cf473"><code>9f5b4cf</code></a>
fix: vulnerability (<a
href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li>
<li><a
href="98414f9f1f"><code>98414f9</code></a>
remove funding file</li>
<li><a
href="665ab5d561"><code>665ab5d</code></a>
update keepEscaping doc (<a
href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare
view</a></li>
</ul>
</details>
<br />

Updates `undici` from 5.28.3 to 5.28.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v5.28.4</h2>
<h2>⚠️ Security Release ⚠️</h2>
<ul>
<li>Fixes <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7">https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7</a>
CVE-2024-30260</li>
<li>Fixes <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672">https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672</a>
CVE-2024-30261</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="fb98306907"><code>fb98306</code></a>
Bumped v5.28.4</li>
<li><a
href="2b39440bd9"><code>2b39440</code></a>
Merge pull request from GHSA-9qxr-qj54-h672</li>
<li><a
href="64e3402da4"><code>64e3402</code></a>
Merge pull request from GHSA-m4v8-wqvr-p9f7</li>
<li><a
href="723c4e7280"><code>723c4e7</code></a>
Revert &quot;build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (<a
href="https://redirect.github.com/nodejs/undici/issues/2389">#2389</a>)&quot;</li>
<li><a
href="0e9d54b2c2"><code>0e9d54b</code></a>
skip failing test due to Node.js changes</li>
<li>See full diff in <a
href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-06-27 12:03:26 -04:00
dependabot[bot]
9fb6f246f8 chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer (#780) 
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to
3.0.3.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="74b2db2938"><code>74b2db2</code></a>
3.0.3</li>
<li><a
href="88f1429a0f"><code>88f1429</code></a>
update eslint. lint, fix unit tests.</li>
<li><a
href="415d660c30"><code>415d660</code></a>
Snyk js braces 6838727 (<a
href="https://redirect.github.com/micromatch/braces/issues/40">#40</a>)</li>
<li><a
href="190510f79d"><code>190510f</code></a>
fix tests, skip 1 test in test/braces.expand</li>
<li><a
href="716eb9f12d"><code>716eb9f</code></a>
readme bump</li>
<li><a
href="a5851e57f4"><code>a5851e5</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/braces/issues/37">#37</a>
from coderaiser/fix/vulnerability</li>
<li><a
href="2092bd1fb1"><code>2092bd1</code></a>
feature: braces: add maxSymbols (<a
href="https://github.com/micromatch/braces/issues/">https://github.com/micromatch/braces/issues/</a>...</li>
<li><a
href="9f5b4cf473"><code>9f5b4cf</code></a>
fix: vulnerability (<a
href="https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727">https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727</a>)</li>
<li><a
href="98414f9f1f"><code>98414f9</code></a>
remove funding file</li>
<li><a
href="665ab5d561"><code>665ab5d</code></a>
update keepEscaping doc (<a
href="https://redirect.github.com/micromatch/braces/issues/27">#27</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/braces/compare/3.0.2...3.0.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=braces&package-manager=npm_and_yarn&previous-version=3.0.2&new-version=3.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-06-27 15:37:36 +00:00
dependabot[bot]
96619e48c2 chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer (#779) 
Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v5.28.4</h2>
<h2>⚠️ Security Release ⚠️</h2>
<ul>
<li>Fixes <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7">https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7</a>
CVE-2024-30260</li>
<li>Fixes <a
href="https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672">https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672</a>
CVE-2024-30261</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="fb98306907"><code>fb98306</code></a>
Bumped v5.28.4</li>
<li><a
href="2b39440bd9"><code>2b39440</code></a>
Merge pull request from GHSA-9qxr-qj54-h672</li>
<li><a
href="64e3402da4"><code>64e3402</code></a>
Merge pull request from GHSA-m4v8-wqvr-p9f7</li>
<li><a
href="723c4e7280"><code>723c4e7</code></a>
Revert &quot;build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (<a
href="https://redirect.github.com/nodejs/undici/issues/2389">#2389</a>)&quot;</li>
<li><a
href="0e9d54b2c2"><code>0e9d54b</code></a>
skip failing test due to Node.js changes</li>
<li>See full diff in <a
href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=5.28.3&new-version=5.28.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-06-27 14:28:25 +00:00
dependabot[bot]
56bc29bf2e chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 (#782) 
Bumps
[github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp)
from 0.7.5 to 0.7.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md">github.com/hashicorp/go-retryablehttp's
changelog</a>.</em></p>
<blockquote>
<h2>0.7.7 (May 30, 2024)</h2>
<p>BUG FIXES:</p>
<ul>
<li>client: avoid potentially leaking URL-embedded basic authentication
credentials in logs (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/158">#158</a>)</li>
</ul>
<h2>0.7.6 (May 9, 2024)</h2>
<p>ENHANCEMENTS:</p>
<ul>
<li>client: support a <code>RetryPrepare</code> function for modifying
the request before retrying (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/216">#216</a>)</li>
<li>client: support HTTP-date values for <code>Retry-After</code> header
value (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/138">#138</a>)</li>
<li>client: avoid reading entire body when the body is a
<code>*bytes.Reader</code> (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/197">#197</a>)</li>
</ul>
<p>BUG FIXES:</p>
<ul>
<li>client: fix a broken check for invalid server certificate in go
1.20+ (<a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/210">#210</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1542b31176"><code>1542b31</code></a>
v0.7.7</li>
<li><a
href="defb9f441d"><code>defb9f4</code></a>
v0.7.7</li>
<li><a
href="a99f07beb3"><code>a99f07b</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/158">#158</a>
from dany74q/danny/redacted-url-in-logs</li>
<li><a
href="8a28c574da"><code>8a28c57</code></a>
Merge branch 'main' into danny/redacted-url-in-logs</li>
<li><a
href="86e852df43"><code>86e852d</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/227">#227</a>
from hashicorp/dependabot/github_actions/actions/chec...</li>
<li><a
href="47fe99e646"><code>47fe99e</code></a>
Bump actions/checkout from 4.1.5 to 4.1.6</li>
<li><a
href="490fc06be0"><code>490fc06</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/226">#226</a>
from testwill/ioutil</li>
<li><a
href="f3e9417dbf"><code>f3e9417</code></a>
chore: remove refs to deprecated io/ioutil</li>
<li><a
href="d969eaa9c9"><code>d969eaa</code></a>
Merge pull request <a
href="https://redirect.github.com/hashicorp/go-retryablehttp/issues/225">#225</a>
from hashicorp/manicminer-patch-2</li>
<li><a
href="2ad8ed4a1d"><code>2ad8ed4</code></a>
v0.7.6</li>
<li>Additional commits viewable in <a
href="https://github.com/hashicorp/go-retryablehttp/compare/v0.7.5...v0.7.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/hashicorp/go-retryablehttp&package-manager=go_modules&previous-version=0.7.5&new-version=0.7.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-06-26 22:19:00 +00:00
dependabot[bot]
b54e813948 chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 (#781) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to
0.23.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c48da13158"><code>c48da13</code></a>
http2: fix TestServerContinuationFlood flakes</li>
<li><a
href="762b58d1cf"><code>762b58d</code></a>
http2: fix tipos in comment</li>
<li><a
href="ba872109ef"><code>ba87210</code></a>
http2: close connections when receiving too many headers</li>
<li><a
href="ebc8168ac8"><code>ebc8168</code></a>
all: fix some typos</li>
<li><a
href="3678185f8a"><code>3678185</code></a>
http2: make TestCanonicalHeaderCacheGrowth faster</li>
<li><a
href="448c44f928"><code>448c44f</code></a>
http2: remove clientTester</li>
<li><a
href="c7877ac421"><code>c7877ac</code></a>
http2: convert the remaining clientTester tests to testClientConn</li>
<li><a
href="d8870b0bf2"><code>d8870b0</code></a>
http2: use synthetic time in TestIdleConnTimeout</li>
<li><a
href="d73acffdc9"><code>d73acff</code></a>
http2: only set up deadline when Server.IdleTimeout is positive</li>
<li><a
href="89f602b7bb"><code>89f602b</code></a>
http2: validate client/outgoing trailers</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/net/compare/v0.22.0...v0.23.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.22.0&new-version=0.23.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-06-26 18:06:19 -04:00
Ramon Petgrave
18c5f13b3e fix: signoff commit (#767) 
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit

# Testing

- [x] Invoked this PR's branch copy of the workflow against #717, and it
did signoff the commit.
-
9670f76ab8

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 16:45:20 +00:00
Ramon Petgrave
b55bf59ce4 fix: use pr_number as env variable (#771) 
changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks).

Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.

Open issue
https://github.com/actions/runner/issues/1070#issuecomment-2113287699

## Testing

I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36

after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 12:20:16 -04:00
Ian Lewis
87b5bae6d4 chore: Update Renovate config (#769) 
# Summary

Updates renovate config to use the
[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices)
preset rather than the `config:base` preset since `config:base` seems to
be deprecated.

Also updates the `schedule` config to use the
[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly)
preset.

Also adds a pre-submit to run the
[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/)
to ensure that renovate config is valid. This pre-submit will need to be
made required in the repository branch protection rule for `main` in the
repository settings after this PR is merged.

---------

Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
Signed-off-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-16 07:13:09 +09:00
Ian Lewis
138a2348fc chore: fix pr-title-checker (#770) 
Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version
comment.

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2024-05-15 12:10:15 -04:00
Mend Renovate
e7a8f74b9c fix(deps): update dependency @actions/core to v1.10.1 (#717) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core)
([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core))
| [`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/core)</summary>

###
[`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101)

- Fix error message reference in oidc utils
[#&#8203;1511](https://togithub.com/actions/toolkit/pull/1511)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>
 2024-05-07 14:09:48 -04:00
Ramon Petgrave
23160d82c0 feat: workflow to update actions dist (#760) 
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 17:56:35 -04:00
Mend Renovate
9c4e2196d8 chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 (#763) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `1a8ece8` -> `53745e9` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 16:01:16 +00:00
Mend Renovate
f787eeebf7 chore(deps): update golang:1.21 docker digest to d83472f (#764) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `81811f8` -> `d83472f` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-05-06 11:48:47 -04:00
Ramon Petgrave
637b07fdab chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758) 
https://github.com/slsa-framework/slsa-github-generator/issues/3576

Next step in 

https://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier

Creating new test data for slsa-github-generator@v2.0.0

# Instructions:

## diff to download-artifacts.sh

```
diff --git a/download-artifacts.sh b/download-artifacts.sh
old mode 100644
new mode 100755
index e5e218e8..49257ea6
--- a/download-artifacts.sh
+++ b/download-artifacts.sh
@@ -88,6 +88,10 @@ unzip_files() {
         rm -rf "${tmp_dir}"
         ;;
 
+    ./*.zip)
+        unzip -o "${zip_path}" -d "${output_path}"
+        ;;
+
     *)
         echo "unexpected file path: ${zip_path}"
         exit 1
@@ -167,7 +171,7 @@ rename_java_files "test-java-project-" "maven"
 rename_java_files "workflow_dispatch-" "gradle"
 
 # Files downloaded. Now copy them
-repo_path="../.."
+repo_path="/path/to/slsa-verifier"
 
 # Go builder files.
 copy_files "gha_go-binary-linux-amd64-" "${repo_path}/cli/slsa-verifier/testdata/gha_go/${version}"
```

## download the artifacts

```
../slsa-verifier/download-artifacts.sh 8791212155 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219359 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219514 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219607 v2.0.0
```

## docker github auth

```
gh auth login --scopes=read:packages
echo `gh auth token` | docker login ghcr.io -u ramonpetgrave64 --password-stdin
cosign save \
    --dir ./cli/slsa-verifier/testdata/gha_generic_container/v2.0.0/container_workflow_dispatch \
    ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:55aee984fd6b1d0e0a19a55265d10d40063a2212bdbabd75b202b1728236548d
```

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-04-23 12:26:13 -04:00
Mend Renovate
ee32cbff7e chore(deps): update golang:1.21 docker digest to 81811f8 (#693) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `ec457a2` -> `81811f8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuMzAxLjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-04-18 16:46:15 +00:00
Mend Renovate
79d225bb44 fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] (#723) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign)
| `v2.2.0` -> `v2.2.4` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsigstore%2fcosign%2fv2/v2.2.0/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2023-46737](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9)

### Summary
Cosign is susceptible to a denial of service by an attacker controlled
registry. An attacker who controls a remote registry can return a high
number of attestations and/or signatures to Cosign and cause Cosign to
enter a long loop resulting in an endless data attack. The root cause is
that Cosign loops through all attestations fetched from the remote
registry in `pkg/cosign.FetchAttestations`.

The attacker needs to compromise the registry or make a request to a
registry they control. When doing so, the attacker must return a high
number of attestations in the response to Cosign. The result will be
that the attacker can cause Cosign to go into a long or infinite loop
that will prevent other users from verifying their data. In Kyvernos
case, an attacker whose privileges are limited to making requests to the
cluster can make a request with an image reference to their own
registry, trigger the infinite loop and deny other users from completing
their admission requests. Alternatively, the attacker can obtain control
of the registry used by an organization and return a high number of
attestations instead the expected number of attestations.

The vulnerable loop in Cosign starts on line 154 below:

0044432284/pkg/cosign/fetch.go (L135-L196)

The `l` slice is controllable by an attacker who controls the remote
registry.

Many cloud-native projects consider the remote registry to be untrusted,
including Crossplane, Notary and Kyverno. We consider the same to be the
case for Cosign, since users are not in control of whether the registry
returns the expected data.

TUF's security model labels this type of vulnerability an ["Endless data
attack"](https://theupdateframework.io/security/), but an attacker could
use this as a type of rollback attack, in case the user attempts to
deploy a patched version of a vulnerable image; The attacker could
prevent this upgrade by causing Cosign to get stuck in an infinite loop
and never complete.

### Mitigation
The issue can be mitigated rather simply by setting a limit to the limit
of attestations that Cosign will loop through. The limit does not need
to be high to be within the vast majority of use cases and still prevent
the endless data attack.

####
[CVE-2024-29902](https://togithub.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc)

### Summary
A remote image with a malicious attachment can cause denial of service
of the host machine running Cosign. This can impact other services on
the machine that rely on having memory available such as a Redis
database which can result in data loss. It can also impact the
availability of other services on the machine that will not be available
for the duration of the machine denial.

### Details
The root cause of this issue is that Cosign reads the attachment from a
remote image entirely into memory without checking the size of the
attachment first. As such, a large attachment can make Cosign read a
large attachment into memory; If the attachments size is larger than the
machine has memory available, the machine will be denied of service. The
Go runtime will make a `SIGKILL` after a few seconds of system-wide
denial.

The root cause is that Cosign reads the contents of the attachments
entirely into memory on line 238 below:


9bc3ee309b/pkg/oci/remote/remote.go (L228-L239)

...and prior to that, neither Cosign nor go-containerregistry checks the
size of the attachment and enforces a max cap. In the case of a remote
layer of `f *attached`, go-containerregistry will invoke this API:


a0658aa1d0/pkg/v1/remote/layer.go (L36-L40)
```golang
func (rl *remoteLayer) Compressed() (io.ReadCloser, error) {
	// We don't want to log binary layers -- this can break terminals.
	ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
	return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}
```

Notice that the second argument to `rl.fetcher.fetchBlob` is
`verify.SizeUnknown` which results in not using the `io.LimitReader` in
`verify.ReadCloser`:

a0658aa1d0/internal/verify/verify.go (L82-L100)
```golang
func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
	w, err := v1.Hasher(h.Algorithm)
	if err != nil {
		return nil, err
	}
	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
	if size != SizeUnknown {
		r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
	}
	return &and.ReadCloser{
		Reader: &verifyReader{
			inner:    r2,
			hasher:   w,
			expected: h,
			wantSize: size,
		},
		CloseFunc: r.Close,
	}, nil
}
```

### Impact
This issue can allow a supply-chain escalation from a compromised
registry to the Cosign user: If an attacher has compromised a registry
or the account of an image vendor, they can include a malicious
attachment and hurt the image consumer.

### Remediation
Update to the latest version of Cosign, which limits the number of
attachments. An environment variable can override this value.

####
[CVE-2024-29903](https://togithub.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv)

Maliciously-crafted software artifacts can cause denial of service of
the machine running Cosign, thereby impacting all services on the
machine. The root cause is that Cosign creates slices based on the
number of signatures, manifests or attestations in untrusted artifacts.
As such, the untrusted artifact can control the amount of memory that
Cosign allocates.

As an example, these lines demonstrate the problem:


286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)

This `Get()` method gets the manifest of the image, allocates a slice
equal to the length of the layers in the manifest, loops through the
layers and adds a new signature to the slice.

The exact issue is Cosign allocates excessive memory on the lines that
creates a slice of the same length as the manifests.

## Remediation

Update to the latest version of Cosign, where the number of
attestations, signatures and manifests has been limited to a reasonable
value.

## Cosign PoC

In the case of this API (also referenced above):


286a98a4a9/pkg/oci/remote/signatures.go (L56-L70)

… The first line can contain a length that is safe for the system and
will not throw a runtime panic or be blocked by other safety mechanisms.
For the sake of argument, let’s say that the length of `m, err :=
s.Manifest()` is the max allowed (by the machine without throwing OOM
panics) manifests minus 1. When Cosign then allocates a new slice on
this line: `signatures := make([]oci.Signature, 0, len(m.Layers))`,
Cosign will allocate more memory than is available and the machine will
be denied of service, causing Cosign and all other services on the
machine to be unavailable.

To illustrate the issue here, we run a modified version of
`TestSignedImageIndex()` in `pkg/oci/remote`:


14795db164/pkg/oci/remote/index_test.go (L31-L57)

Here, `wantLayers` is the number of manifests from these lines:


286a98a4a9/pkg/oci/remote/signatures.go (L56-L60)

To test this, we want to make `wantLayers` high enough to not cause a
memory on its own but still trigger the machine-wide OOM when a slice
gets create with the same length. On my local machine, it would take
hours to create a slice of layers that fulfils that criteria, so instead
I modify the Cosign production code to reflect a long list of manifests:

```golang
// Get implements oci.Signatures
func (s *sigs) Get() ([]oci.Signature, error) {
        m, err := s.Manifest()
        if err != nil {
                return nil, err
        }
        // Here we imitate a long list of manifests
        ms := make([]byte, 2600000000) // imitate a long list of manifests
        signatures := make([]oci.Signature, 0, len(ms))
        panic("Done")
        //signatures := make([]oci.Signature, 0, len(m.Layers))
        for _, desc := range m.Layers {
```

With this modified code, if we can cause an OOM without triggering the
`panic("Done")`, we have succeeded.

---

### Release Notes

<details>
<summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary>

###
[`v2.2.4`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4)

#### Bug Fixes

- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv
([#&#8203;3661](https://togithub.com/sigstore/cosign/issues/3661))
- ErrNoSignaturesFound should be used when there is no signature
attached to an image.
([#&#8203;3526](https://togithub.com/sigstore/cosign/issues/3526))
- fix semgrep issues for dgryski.semgrep-go ruleset
([#&#8203;3541](https://togithub.com/sigstore/cosign/issues/3541))
- Honor creation timestamp for signatures again
([#&#8203;3549](https://togithub.com/sigstore/cosign/issues/3549))

#### Features

- Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly
([#&#8203;3578](https://togithub.com/sigstore/cosign/issues/3578))

#### Documentation

- add oci bundle spec
([#&#8203;3622](https://togithub.com/sigstore/cosign/issues/3622))
- Correct help text of triangulate cmd
([#&#8203;3551](https://togithub.com/sigstore/cosign/issues/3551))
- Correct help text of verify-attestation policy argument
([#&#8203;3527](https://togithub.com/sigstore/cosign/issues/3527))
- feat: add OVHcloud MPR registry tested with cosign
([#&#8203;3639](https://togithub.com/sigstore/cosign/issues/3639))

#### Testing

- Refactor e2e-tests.yml workflow
([#&#8203;3627](https://togithub.com/sigstore/cosign/issues/3627))
- Clean up and clarify e2e scripts
([#&#8203;3628](https://togithub.com/sigstore/cosign/issues/3628))
- Don't ignore transparency log in tests if possible
([#&#8203;3528](https://togithub.com/sigstore/cosign/issues/3528))
- Make E2E tests hermetic
([#&#8203;3499](https://togithub.com/sigstore/cosign/issues/3499))
- add e2e test for pkcs11 token signing
([#&#8203;3495](https://togithub.com/sigstore/cosign/issues/3495))

###
[`v2.2.3`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v223)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.2...v2.2.3)

#### Bug Fixes

- Fix race condition on verification with multiple signatures attached
to image
([#&#8203;3486](https://togithub.com/sigstore/cosign/issues/3486))
- fix(clean): Fix clean cmd for private registries
([#&#8203;3446](https://togithub.com/sigstore/cosign/issues/3446))
- Fixed BYO PKI verification
([#&#8203;3427](https://togithub.com/sigstore/cosign/issues/3427))

#### Features

- Allow for option in cosign attest and attest-blob to upload
attestation as supported in Rekor
([#&#8203;3466](https://togithub.com/sigstore/cosign/issues/3466))
- Add support for OpenVEX predicate type
([#&#8203;3405](https://togithub.com/sigstore/cosign/issues/3405))

#### Documentation

- Resolves
[#&#8203;3088](https://togithub.com/sigstore/cosign/issues/3088):
`version` sub-command expected behaviour documentation and testing
([#&#8203;3447](https://togithub.com/sigstore/cosign/issues/3447))
- add examples for cosign attach signature cmd
([#&#8203;3468](https://togithub.com/sigstore/cosign/issues/3468))

#### Misc

- Remove CertSubject function
([#&#8203;3467](https://togithub.com/sigstore/cosign/issues/3467))
- Use local rekor and fulcio instances in e2e tests
([#&#8203;3478](https://togithub.com/sigstore/cosign/issues/3478))

#### Contributors

-   aalsabag
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Colleen Murphy
-   Hayden B
-   Mukuls77
-   Omri Bornstein
-   Puerco
-   vivek kumar sahu

###
[`v2.2.2`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v222)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.1...v2.2.2)

v2.2.2 adds a new container with a shell,
`gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing
container `gcr.io/projectsigstore/cosign:vx.y.z` without a shell.

For private deployments, we have also added an alias for
`--insecure-skip-log`, `--private-infrastructure`.

#### Bug Fixes

- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6
([#&#8203;3411](https://togithub.com/sigstore/cosign/issues/3411)) which
fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk
([#&#8203;3415](https://togithub.com/sigstore/cosign/issues/3415))
- Fix copy without any flag set
([#&#8203;3409](https://togithub.com/sigstore/cosign/issues/3409))
- Update cosign generate cmd to not include newline
([#&#8203;3393](https://togithub.com/sigstore/cosign/issues/3393))
- Fix idempotency error with signing
([#&#8203;3371](https://togithub.com/sigstore/cosign/issues/3371))

#### Features

- Add `--yes` flag `cosign import-key-pair` to skip the overwrite
confirmation.
([#&#8203;3383](https://togithub.com/sigstore/cosign/issues/3383))
- Use the timeout flag value in verify\* commands.
([#&#8203;3391](https://togithub.com/sigstore/cosign/issues/3391))
- add --private-infrastructure flag
([#&#8203;3369](https://togithub.com/sigstore/cosign/issues/3369))

#### Container Updates

- Bump builder image to use go1.21.4 and add new cosign image tags with
shell ([#&#8203;3373](https://togithub.com/sigstore/cosign/issues/3373))

#### Documentation

- Update SBOM_SPEC.md
([#&#8203;3358](https://togithub.com/sigstore/cosign/issues/3358))

#### Contributors

-   Carlos Tadeu Panato Junior
-   Dylan Richardson
-   Hayden B
-   Lily Sturmann
-   Nikos Fotiou
-   Yonghe Zhao

###
[`v2.2.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v221)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.0...v2.2.1)

**Note: This release comes with a fix for CVE-2023-46737 described in
this [Github Security
Advisory](https://togithub.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9).
Please upgrade to this release ASAP**

#### Enhancements

- feat: Support basic auth and bearer auth login to registry
([#&#8203;3310](https://togithub.com/sigstore/cosign/issues/3310))
- add support for ignoring certificates with pkcs11
([#&#8203;3334](https://togithub.com/sigstore/cosign/issues/3334))
- Support ReplaceOp in Signatures
([#&#8203;3315](https://togithub.com/sigstore/cosign/issues/3315))
- feat: added ability to get image digest back via triangulate
([#&#8203;3255](https://togithub.com/sigstore/cosign/issues/3255))
- feat: add `--only` flag in `cosign copy` to copy sign, att & sbom
([#&#8203;3247](https://togithub.com/sigstore/cosign/issues/3247))
- feat: add support attaching a Rekor bundle to a container
([#&#8203;3246](https://togithub.com/sigstore/cosign/issues/3246))
- feat: add support outputting rekor response on signing
([#&#8203;3248](https://togithub.com/sigstore/cosign/issues/3248))
- feat: improve dockerfile verify subcommand
([#&#8203;3264](https://togithub.com/sigstore/cosign/issues/3264))
- Add guard flag for experimental OCI 1.1 verify.
([#&#8203;3272](https://togithub.com/sigstore/cosign/issues/3272))
- Deprecate SBOM attachments
([#&#8203;3256](https://togithub.com/sigstore/cosign/issues/3256))
- feat: dedent line in cosign copy doc
([#&#8203;3244](https://togithub.com/sigstore/cosign/issues/3244))
- feat: add platform flag to cosign copy command
([#&#8203;3234](https://togithub.com/sigstore/cosign/issues/3234))
- Add SLSA 1.0 attestation support to cosign. Closes
[#&#8203;2860](https://togithub.com/sigstore/cosign/issues/2860)
([#&#8203;3219](https://togithub.com/sigstore/cosign/issues/3219))
- attest: pass OCI remote opts to att resolver.
([#&#8203;3225](https://togithub.com/sigstore/cosign/issues/3225))

#### Bug Fixes

-   Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent
([#&#8203;3245](https://togithub.com/sigstore/cosign/issues/3245))
- ci: add a OCI registry test for referrers support
([#&#8203;3253](https://togithub.com/sigstore/cosign/issues/3253))
- Fix ReplaceSignatures
([#&#8203;3292](https://togithub.com/sigstore/cosign/issues/3292))
- Stop using deprecated in_toto.ProvenanceStatement
([#&#8203;3243](https://togithub.com/sigstore/cosign/issues/3243))
- Fixes
[#&#8203;3236](https://togithub.com/sigstore/cosign/issues/3236),
disable SCT checking for a cosign verification when usin…
([#&#8203;3237](https://togithub.com/sigstore/cosign/issues/3237))
- fix: update error in `SignedEntity` to be more descriptive
([#&#8203;3233](https://togithub.com/sigstore/cosign/issues/3233))
- Fail timestamp verification if no root is provided
([#&#8203;3224](https://togithub.com/sigstore/cosign/issues/3224))

#### Documentation

- Add some docs about verifying in an air-gapped environment
([#&#8203;3321](https://togithub.com/sigstore/cosign/issues/3321))
- Update CONTRIBUTING.md
([#&#8203;3268](https://togithub.com/sigstore/cosign/issues/3268))
- docs: improves the Contribution guidelines
([#&#8203;3257](https://togithub.com/sigstore/cosign/issues/3257))
- Remove security policy
([#&#8203;3230](https://togithub.com/sigstore/cosign/issues/3230))

#### Others

- Set go to min 1.21 and update dependencies
([#&#8203;3327](https://togithub.com/sigstore/cosign/issues/3327))
- Update contact for code of conduct
([#&#8203;3266](https://togithub.com/sigstore/cosign/issues/3266))
- Update .ko.yaml
([#&#8203;3240](https://togithub.com/sigstore/cosign/issues/3240))

#### Contributors

-   AdamKorcz
-   Andres Galante
-   Appu
-   Billy Lynch
-   Bob Callaway
-   Caleb Woodbine
-   Carlos Tadeu Panato Junior
-   Dylan Richardson
-   Gareth Healy
-   Hayden B
-   John Kjell
-   Jon Johnson
-   jonvnadelberg
-   Luiz Carvalho
-   Priya Wadhwa
-   Ramkumar Chinchani
-   Tosone
-   Ville Aikas
-   Vishal Choudhary
-   ziel

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [x] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-18 12:33:11 -04:00
Ramon Petgrave
8c9ed07f8f feat: fixes #547: add npm sigstore-tuf suport (#731) 
Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547
 - [x] Pending: https://github.com/sigstore/sigstore-go/pull/41
Uses the new
[sigstore-go@0.2.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.2.0)

Currently slsa-verifier has npmjs' attestation key hardcoded. But
sigstore now stores the same key within their own TUF root.

This PR 
- dynamically use the keyid specified in the sigstore bundle, rather
than the hardcoded keyid.
- uses an updated ([pending](
https://github.com/sigstore/sigstore-go/pull/41)) sigstore-go library
that allows us to fetch a signed and verified copy of the same key.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-04-16 17:21:49 +00:00
Mend Renovate
2a07cd6e3a fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 (#752) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools)
| `3.9.0` -> `3.11.0` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven.plugin-tools:maven-plugin-annotations/3.9.0/3.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-04-03 00:55:07 +00:00
Ramon Petgrave
bcc39bf21a chore(deps): update npm dev (major) (#753) 
Redo of https://github.com/slsa-framework/slsa-verifier/pull/654

- Fix dev-dependencies related to es-lint that the renovate-bot couldn't
auto-fix

- a few commas automatically added by the new linter

- use node20 for tests to avoid caompatibility warnings

```
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@typescript-eslint/parser@7.5.0',
npm WARN EBADENGINE   required: { node: '^18.18.0 || >=20.0.0' },
npm WARN EBADENGINE   current: { node: 'v16.20.2', npm: '8.19.4' }
npm WARN EBADENGINE }
```

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Co-authored-by: Mend Renovate <bot@renovateapp.com>
 2024-04-02 17:44:08 -07:00
Mend Renovate
0547bc3002 fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 (#751) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-plugin-api](https://maven.apache.org/) |
`3.9.5` -> `3.9.6` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-plugin-api/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-plugin-api/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-plugin-api/3.9.5/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-plugin-api/3.9.5/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-02 18:46:09 +00:00
Mend Renovate
a8e21d5a83 chore(deps): update github-actions (major) (#719) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
major | `v3.6.0` -> `v4.1.1` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | major | `v3.1.5` -> `v4.2.5` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact)
| action | major | `v3.0.2` -> `v4.1.4` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| major | `v3` -> `v4` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| major | `v3.8.2` -> `v4.0.2` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | major | `v3.1.3` -> `v4.3.1` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | major | `v2.24.8` -> `v3.24.9` |
|
[golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action)
| action | major | `v3` -> `v4` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1)

##### What's Changed

- Update CODEOWNERS to Launch team by
[@&#8203;joshmgross](https://togithub.com/joshmgross) in
[https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510)
- Correct link to GitHub Docs by
[@&#8203;peterbe](https://togithub.com/peterbe) in
[https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511)
- Link to release page from what's new section by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514)

##### New Contributors

- [@&#8203;joshmgross](https://togithub.com/joshmgross) made their first
contribution in
[https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510)
- [@&#8203;peterbe](https://togithub.com/peterbe) made their first
contribution in
[https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511)

**Full Changelog**:
https://github.com/actions/checkout/compare/v4.1.0...v4.1.1

###
[`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0)

- [Add support for partial checkout
filters](https://togithub.com/actions/checkout/pull/1396)

###
[`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0)

- [Support fetching without the --progress
option](https://togithub.com/actions/checkout/pull/1067)
-   [Update to node20](https://togithub.com/actions/checkout/pull/1436)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.2.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.5):
4.2.5

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5)

#### What's Changed

- Fixed a bug where some configuration options in external files were
not being properly picked up --
[https://github.com/actions/dependency-review-action/pull/722](https://togithub.com/actions/dependency-review-action/pull/722)
-   Bump eslint from 8.56.0 to 8.57.0

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5

###
[`v4.2.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.4)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4)

#### What's Changed

Fixed a bug in the output of OpenSSF cards for GitHub Actions.

#### New Contributors

- [@&#8203;sporkmonger](https://togithub.com/sporkmonger) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/721](https://togithub.com/actions/dependency-review-action/pull/721)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4

###
[`v4.2.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.3):
4.2.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3)

#### What's Changed

- Set comment as output by [@&#8203;jsoref](https://togithub.com/jsoref)
in
[https://github.com/actions/dependency-review-action/pull/698](https://togithub.com/actions/dependency-review-action/pull/698)
- Add support for calculating OpenSSF Scorecards by
[@&#8203;jhutchings1](https://togithub.com/jhutchings1) in
[https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709)
- Add outputs for the changes data by
[@&#8203;laughedelic](https://togithub.com/laughedelic) in
[https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707)

#### New Contributors

- [@&#8203;jhutchings1](https://togithub.com/jhutchings1) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709)
- [@&#8203;laughedelic](https://togithub.com/laughedelic) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3

###
[`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3):
4.1.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3)

Fixes a bug in 4.1.2 that would introduce comments in every pull
request, regardless of the user's configuration (see
[https://github.com/actions/dependency-review-action/issues/697](https://togithub.com/actions/dependency-review-action/issues/697)).

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2):
4.1.2

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2)

#### What's Changed

- Expose dependency comment content by
[@&#8203;jsoref](https://togithub.com/jsoref) in
[https://github.com/actions/dependency-review-action/pull/696](https://togithub.com/actions/dependency-review-action/pull/696)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2

###
[`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1):
4.1.1

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1)

#### What's Changed

- Bump `undici` to fix
[GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g)
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
20.11.17 to 20.11.19 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/693](https://togithub.com/actions/dependency-review-action/pull/693)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1

###
[`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0):
4.1.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0)

#### What's Changed

- Add `warn-only` by [@&#8203;tgrall](https://togithub.com/tgrall) in
[https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432)

Added a new configuration option (`warn-only`, boolean) that makes the
action always succeed while still displaying found vulnerabilities in
the log.

- Create stale.yaml by
[@&#8203;jonjanego](https://togithub.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671)
- Use manual codeql config by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/678](https://togithub.com/actions/dependency-review-action/pull/678)
- Multiple dependency updates (see the changelog below for more
information)

#### New Contributors

- [@&#8203;jonjanego](https://togithub.com/jonjanego) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671)
- [@&#8203;tgrall](https://togithub.com/tgrall) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4...v4.1.0

###
[`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0)

- Update action to Node 20 by
[@&#8203;takost](https://togithub.com/takost) in
[https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639)
-   Dependabot updates, see the full changelog for more details.

#### New Contributors

- [@&#8203;takost](https://togithub.com/takost) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.4`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.4)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.3...v4.1.4)

##### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact) by
[@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/307](https://togithub.com/actions/download-artifact/pull/307)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.4

###
[`v4.1.3`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.3)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.2...v4.1.3)

##### What's Changed

- Update release-new-action-version.yml by
[@&#8203;konradpabjan](https://togithub.com/konradpabjan) in
[https://github.com/actions/download-artifact/pull/292](https://togithub.com/actions/download-artifact/pull/292)
- Update toolkit dependency with updated unzip logic by
[@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299)
- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact) by
[@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/303](https://togithub.com/actions/download-artifact/pull/303)

##### New Contributors

- [@&#8203;bethanyj28](https://togithub.com/bethanyj28) made their first
contribution in
[https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.2)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.1...v4.1.2)

- Bump
[@&#8203;actions/artifacts](https://togithub.com/actions/artifacts) to
latest version to include [updated GHES host
check](https://togithub.com/actions/toolkit/pull/1648)

###
[`v4.1.1`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.1)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.0...v4.1.1)

- Fix transient request timeouts
[https://github.com/actions/download-artifact/issues/249](https://togithub.com/actions/download-artifact/issues/249)
-   Bump `@actions/artifacts` to latest version

###
[`v4.1.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.0)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.0.0...v4.1.0)

#### What's Changed

- Some cleanup by [@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/247](https://togithub.com/actions/download-artifact/pull/247)
- Fix default for run-id by [@&#8203;stchr](https://togithub.com/stchr)
in
[https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252)
- Support pattern matching to filter artifacts & merge to same directory
by [@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/259](https://togithub.com/actions/download-artifact/pull/259)

#### New Contributors

- [@&#8203;stchr](https://togithub.com/stchr) made their first
contribution in
[https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.0

###
[`v4.0.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.0.0)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v3.0.2...v4.0.0)

#### What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major
changes to the backend architecture of Artifacts. They have numerous
performance and behavioral improvements.

ℹ️ However, this is a major update that includes breaking changes.
Artifacts created with versions v3 and below are not compatible with the
v4 actions. Uploads and downloads *must* use the same major actions
versions. There are also key differences from previous versions that may
require updates to your workflows.

For more information, please see:

1. The
[changelog](https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/)
post.
2. The
[README](https://togithub.com/actions/download-artifact/blob/main/README.md).
3. The [migration
documentation](https://togithub.com/actions/upload-artifact/blob/main/docs/MIGRATION.md).
4. As well as the underlying npm package,
[@&#8203;actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact)
documentation.

#### New Contributors

- [@&#8203;bflad](https://togithub.com/bflad) made their first
contribution in
[https://github.com/actions/download-artifact/pull/194](https://togithub.com/actions/download-artifact/pull/194)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v3...v4.0.0

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v4`](https://togithub.com/actions/setup-node/compare/v3...v4)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v3...v4)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1)

- Bump
[@&#8203;actions/artifacts](https://togithub.com/actions/artifacts) to
latest version to include [updated GHES host
check](https://togithub.com/actions/toolkit/pull/1648)

###
[`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0)

##### What's Changed

- Reorganize upload code in prep for merge logic & add more tests by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/504](https://togithub.com/actions/upload-artifact/pull/504)
- Add sub-action to merge artifacts by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/505](https://togithub.com/actions/upload-artifact/pull/505)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.3.0

###
[`v4.2.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.2.0)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.1.0...v4.2.0)

##### What's Changed

- Ability to overwrite an Artifact by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/501](https://togithub.com/actions/upload-artifact/pull/501)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.2.0

###
[`v4.1.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.1.0)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.0.0...v4.1.0)

#### What's Changed

- Add migrations docs by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/482](https://togithub.com/actions/upload-artifact/pull/482)
- Update README.md by
[@&#8203;samuelwine](https://togithub.com/samuelwine) in
[https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492)
- Support artifact-url output by
[@&#8203;konradpabjan](https://togithub.com/konradpabjan) in
[https://github.com/actions/upload-artifact/pull/496](https://togithub.com/actions/upload-artifact/pull/496)
- Update readme to reflect new 500 artifact per job limit by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/497](https://togithub.com/actions/upload-artifact/pull/497)

#### New Contributors

- [@&#8203;samuelwine](https://togithub.com/samuelwine) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4...v4.1.0

###
[`v4.0.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.0.0)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v3.1.3...v4.0.0)

#### What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major
changes to the backend architecture of Artifacts. They have numerous
performance and behavioral improvements.

For more information, see the
[@&#8203;actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact)
documentation.

#### New Contributors

- [@&#8203;vmjoseph](https://togithub.com/vmjoseph) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/464](https://togithub.com/actions/upload-artifact/pull/464)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v3...v4.0.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.24.9`](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9)

###
[`v3.24.8`](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8)

###
[`v3.24.7`](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7)

###
[`v3.24.6`](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6)

###
[`v3.24.5`](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5)

###
[`v3.24.4`](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4)

###
[`v3.24.3`](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3)

###
[`v3.24.2`](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2)

###
[`v3.24.1`](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1)

###
[`v3.24.0`](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0)

###
[`v3.23.2`](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2)

###
[`v3.23.1`](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1)

###
[`v3.23.0`](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0)

###
[`v3.22.12`](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12)

###
[`v3.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.11...v3.22.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.9...v3.22.11)

###
[`v2.24.9`](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9)

</details>

<details>
<summary>golangci/golangci-lint-action
(golangci/golangci-lint-action)</summary>

###
[`v4`](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4)

[Compare
Source](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-01 15:26:46 +00:00
Mend Renovate
363e8da4fa chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 (#701) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `c623859` -> `1a8ece8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi42OC4xIiwidXBkYXRlZEluVmVyIjoiMzcuMjY5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-04-01 08:13:46 -07:00
Ramon Petgrave
095d6f8200 feat: add ramonpetgrave64 as CODEOWNER (#750) 
adding myself as CODEOWNER

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-03-27 09:00:14 -07:00
Ramon Petgrave
fe539a2bde fix: use sigstore/pkg/fulcioroots to lessen deps (#746) 
We've long had the problem that slsa-verifier has too many dependencies.

This PR replaces `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`
with `"github.com/sigstore/sigstore/pkg/fulcioroots"`,
removing lot's of unneeded transitive dependencies like
`"github.com/aws/aws-sdk-go-v2"` and
`"github.com/Azure/go-autorest/autorest"` from our `go.mod`.

## Investigation

At
[deps.dep](https://deps.dev/go/github.com%2Fslsa-framework%2Fslsa-verifier%2Fv2/v2.4.1/dependencies/graph?filter=aws),
we can see that the indirect dependencies of `aws/aws-sdk-go-v2` come
from `cosign/cosign`.

<img width="1110" alt="image"
src="https://github.com/slsa-framework/slsa-verifier/assets/32398091/3de1adf4-29ac-4bec-a511-0ae191c3141c">

That's a good start, but this gives us only module-wide dependencies,
not package-level dependencies. We can instead use `go mod why <pkg>` to
get the package-level dependency chain.

Now we know that it's our `gha` package that imports a fulcio package,
which imports an aws package.

```
➜  slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/                                  
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
```

Looking at our `gha` package we can see that the required methods from
fulcio are `Get()` and `GetIntermediates()`. Looking at the source
codes, we see that
`"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`'s implementation
of these methods is the same as
`"github.com/sigstore/sigstore/pkg/fulcioroots"`'s implementation. So we
chose the latter's implementation, which happens to require fewer
module-level dependencies.

-
546f1c5b91/cmd/cosign/cli/fulcio/fulcio.go (L16)
-
546f1c5b91/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go (L16)
-
25dd9f3e52/pkg/fulcioroots/fulcioroots.go (L17)

## Testing

- unit tests continue to pass
- manual test to verify a provenance with the steps in our
[readme](https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#npm-packages-built-using-the-slsa3-nodejs-builder)

## Future Work

The sigstore-go library is meant to be a more long-term solution, for
replacing much of the sigstore-related functionality that slsa-verifier
implements directly.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-03-27 14:27:09 +00:00
laurentsimon
b1f986788d chore: Update @actions/github v6 (#749) 
Need to re-compile
https://github.com/slsa-framework/slsa-verifier/pull/720/files

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2024-03-26 22:03:42 +00:00
Mend Renovate
66a9f93df2 fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 (#718) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-core](https://maven.apache.org/) | `3.8.1` ->
`3.9.6` |
[![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven:maven-core/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven:maven-core/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven:maven-core/3.8.1/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven:maven-core/3.8.1/3.9.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2024-03-26 20:42:43 +00:00
Mend Renovate
449e404e2a fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] (#743) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[google.golang.org/protobuf](https://togithub.com/protocolbuffers/protobuf-go)
| `v1.32.0` -> `v1.33.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/google.golang.org%2fprotobuf/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/google.golang.org%2fprotobuf/v1.32.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.32.0/v1.33.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)

The protojson.Unmarshal function can enter an infinite loop when
unmarshaling certain forms of invalid JSON. This condition can occur
when unmarshaling into a message which contains a google.protobuf.Any
value, or when the UnmarshalOptions.DiscardUnknown option is set.

---

### Release Notes

<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>

###
[`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

[Compare
Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2024-03-26 15:33:59 +00:00
laurentsimon
f315652a8c chore: Update doc and digests for v2.5.1 (#748) 
This sets the expected sha256 of the v2.5.1 slsa-verifier released
binary.

How to LGTM this PR (I'll work on a proper doc for this in
https://github.com/slsa-framework/slsa-github-generator/issues/112):

1. Download the binary and provenance from
https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1
2. Clone the slsa-verifier repo, compile and verify the provenance using
the steps described in
https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance
```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.5.1
```

The output hash should be the hash I'm updating to in this PR. If they
match, LGTM. If they don't, someone tampered with the released binary
and don't LGTM

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2024-03-26 08:11:24 -07:00
laurentsimon
eb7007070b feat: Update verifier version in GHA installer (#747) 
This is part of the release tests in
https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#dry-run
to verify that the Action installer works.

A follow up PR will be sent prior to release to update to `v2.5.0`

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
v2.5.1 		2024-03-25 14:54:53 +00:00
Mend Renovate
594b179564 chore(deps): update github-actions (#741) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | patch | `v3.1.0` -> `v3.1.5` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| patch | `v3.8.1` -> `v3.8.2` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | minor | `v2.22.1` -> `v2.24.8` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.3.0` -> `v2.3.1` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator)
| action | minor | `v1.9.0` -> `v1.10.0` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier)
| action | patch | `v2.4.0` -> `v2.4.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5):
3.1.5

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- Smaller `per_page` when requesting diff by
[@&#8203;hmaurer](https://togithub.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/649](https://togithub.com/actions/dependency-review-action/pull/649)
-   Update dependencies:
- Bump
[@&#8203;typescript-eslint/parser](https://togithub.com/typescript-eslint/parser)
from 6.10.0 to 6.13.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/630](https://togithub.com/actions/dependency-review-action/pull/630)
- Bump prettier from 3.0.3 to 3.1.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/629](https://togithub.com/actions/dependency-review-action/pull/629)
- Bump [@&#8203;types/jest](https://togithub.com/types/jest) from 29.5.8
to 29.5.11 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/637](https://togithub.com/actions/dependency-review-action/pull/637)
- Bump nodemon from 3.0.1 to 3.0.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/636](https://togithub.com/actions/dependency-review-action/pull/636)
- Replace pip -> pypi in PURL examples by
[@&#8203;febuiles](https://togithub.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/638](https://togithub.com/actions/dependency-review-action/pull/638)
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin)
from 6.12.0 to 6.15.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/644](https://togithub.com/actions/dependency-review-action/pull/644)
- Bump eslint from 8.53.0 to 8.56.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/640](https://togithub.com/actions/dependency-review-action/pull/640)
- Bump
[@&#8203;typescript-eslint/parser](https://togithub.com/typescript-eslint/parser)
from 6.13.1 to 6.16.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/645](https://togithub.com/actions/dependency-review-action/pull/645)
- Bump prettier from 3.1.0 to 3.1.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/646](https://togithub.com/actions/dependency-review-action/pull/646)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5

###
[`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4):
3.1.4

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)

#### What's Changed

- Fixed a
[bug](https://togithub.com/actions/dependency-review-action/issues/618)
with severity filtering when using the `allow_ghsas` option:
[https://github.com/actions/dependency-review-action/pull/623](https://togithub.com/actions/dependency-review-action/pull/623).

-   Updates dependencies:
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
16.18.61 to 16.18.62 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/619](https://togithub.com/actions/dependency-review-action/pull/619)
        action/pull/620
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin)
from 6.11.0 to 6.12.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/625](https://togithub.com/actions/dependency-review-action/pull/625)
- Bump typescript from 5.2.2 to 5.3.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/624](https://togithub.com/actions/dependency-review-action/pull/624)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.4

###
[`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3):
3.1.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)

#### What's Changed

- Fixes purl "version must be percent-encoded" by
[@&#8203;theztefan](https://togithub.com/theztefan) in
[https://github.com/actions/dependency-review-action/pull/617](https://togithub.com/actions/dependency-review-action/pull/617)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.3

###
[`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2):
3.1.2

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix a regression for setups using self-hosted runners behind HTTP
proxies:[@&#8203;febuiles](https://togithub.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/611](https://togithub.com/actions/dependency-review-action/pull/611)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.1.2

###
[`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1):
3.1.1

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)

#### What's Changed

- Update a bunch of dependencies, including major version upgrades for
`octokit`, `@actions/github` and `typescript`.

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.8.2`](https://togithub.com/actions/setup-node/releases/tag/v3.8.2)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.8.1...v3.8.2)

##### What's Changed

- Update semver by
[@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov) in
[https://github.com/actions/setup-node/pull/861](https://togithub.com/actions/setup-node/pull/861)
- Update temp directory creation by
[@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/859](https://togithub.com/actions/setup-node/pull/859)
- Bump [@&#8203;babel/traverse](https://togithub.com/babel/traverse)
from 7.15.4 to 7.23.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/setup-node/pull/870](https://togithub.com/actions/setup-node/pull/870)
- Add notice about binaries not being updated yet by
[@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/872](https://togithub.com/actions/setup-node/pull/872)
- Update toolkit cache and core by
[@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov) and
[@&#8203;seongwon-privatenote](https://togithub.com/seongwon-privatenote)
in
[https://github.com/actions/setup-node/pull/875](https://togithub.com/actions/setup-node/pull/875)

**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.8.2

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.24.8`](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8)

###
[`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

###
[`v2.24.6`](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6)

###
[`v2.24.5`](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5)

###
[`v2.24.4`](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4)

###
[`v2.24.3`](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3)

###
[`v2.24.2`](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2)

###
[`v2.24.1`](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1)

###
[`v2.24.0`](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0)

###
[`v2.23.2`](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2)

###
[`v2.23.1`](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1)

###
[`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0)

###
[`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12)

###
[`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11)

###
[`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10)

###
[`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9)

###
[`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8)

###
[`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7)

###
[`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6)

###
[`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5)

###
[`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4)

###
[`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3)

###
[`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>

###
[`v1.10.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100)

[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0)

Release \[v1.10.0] includes bug fixes and new features.

See the [full change
list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0).

##### v1.10.0: TUF fix

- The cosign TUF roots were fixed
([#&#8203;3350](https://togithub.com/slsa-framework/slsa-github-generator/issues/3350)).
More details
[here](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid).

##### v1.10.0: Gradle Builder

- The Gradle Builder was fixed when the project root is the same as the
repository root
([#&#8203;2727](https://togithub.com/slsa-framework/slsa-github-generator/issues/2727))

##### v1.10.0: Go Builder

- The `go-version-file` input was fixed so that it can find the `go.mod`
file

([#&#8203;2661](https://togithub.com/slsa-framework/slsa-github-generator/issues/2661))

##### v1.10.0: Container Generator

- A new `provenance-repository` input was added to allow reading
provenance from
a different container repository than the image itself
([#&#8203;2956](https://togithub.com/slsa-framework/slsa-github-generator/issues/2956))

###
[`v1.9.1`](https://togithub.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1)

[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1)

**This is an un-finalized release.**

See the [CHANGELOG](./CHANGELOG.md) for details.

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.4.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.1)

[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1)

#### What's Changed

- Fix a verification issue when verifying npm's publish attestations -
Low severity
https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9.
This part of the code remains *experimental*.

#### New Contributors

- [@&#8203;trishankatdatadog](https://togithub.com/trishankatdatadog)
made their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/702](https://togithub.com/slsa-framework/slsa-verifier/pull/702)

**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2MS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
v2.5.1-rc.0 		2024-03-22 00:59:31 -07:00
laurentsimon
dc7173b856 feat: Regression tests for builder v1.10.0 (#745) 
We need the pre-submit to pass. Merging can happen after the builder
release

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2024-03-21 08:48:59 -07:00