slsa-verifier

mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-09 01:56:52 +00:00

Author	SHA1	Message	Date
laurentsimon	73d1bcba98	fix: release failure (#697 ) Signed-off-by: laurentsimon <laurentsimon@google.com> v2.4.0-rc.1 v2.4.0	2023-08-24 15:58:45 -07:00
laurentsimon	80c7d86183	feat: v1.9.0 regression tests (#696 ) Add regression tests for BYOB releae. --------- Signed-off-by: laurentsimon <laurentsimon@google.com> v2.4.0-rc.0	2023-08-24 09:20:57 -07:00
laurentsimon	58eede7e66	feat: gcb v1.0 support (#691 ) closes https://github.com/slsa-framework/slsa-verifier/issues/683 This is a large PR, but there is not much new code. The code adding support for v1.0 is under: - verifiers/internal/gcb/slsaprovenance/v1.0/* - verifiers/internal/gcb/slsaprovenance/provenance.go The rest is mostly some re-factoring needed Remaining is regression tests, tracked in https://github.com/slsa-framework/slsa-verifier/issues/690 --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-08-18 17:32:58 +00:00
laurentsimon	4b59ce4050	feat: Update doc and code for Maven plugin (#680 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-08-16 01:46:57 +00:00
laurentsimon	2a24d8e0f1	feat: Allow byob builders ref at main for e2e tests (#689 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-08-16 00:57:17 +00:00
laurentsimon	9aef8ff8aa	feat: GCB refactor for v1.0 support (#682 ) In anticipation for GCB's v1.0 support, this PR re-factors the code to look similar to GHA's code --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-08-15 18:15:49 +00:00
Mend Renovate	b9a0e6babf	chore(deps): update github-actions (#686 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| patch \| `v3.0.6` -> `v3.0.7` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| minor \| `v3.7.0` -> `v3.8.0` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| patch \| `v2.21.3` -> `v2.21.4` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7): 3.0.7 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7) #### What's Changed - Make GHES support / setup more clear by [@rajbos](https://togithub.com/rajbos) in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534) - Add an option to deny packages or groups of packages by [@adrienpessu](https://togithub.com/adrienpessu) in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544) #### New Contributors - [@rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534) - [@adrienpessu](https://togithub.com/adrienpessu) made their first contribution in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.0.7 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.0`](https://togithub.com/actions/setup-node/releases/tag/v3.8.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.7.0...v3.8.0) #### What's Changed ##### Bug fixes: - Add check for existing paths by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/803](https://togithub.com/actions/setup-node/pull/803) - Resolve SymbolicLink by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/809](https://togithub.com/actions/setup-node/pull/809) - Change passing logic for cache input by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/816](https://togithub.com/actions/setup-node/pull/816) - Fix armv7 cache issue by [@louislam](https://togithub.com/louislam) in [https://github.com/actions/setup-node/pull/794](https://togithub.com/actions/setup-node/pull/794) - Update check-dist workflow name by [@sinchang](https://togithub.com/sinchang) in [https://github.com/actions/setup-node/pull/710](https://togithub.com/actions/setup-node/pull/710) ##### Feature implementations: - feat: handling the case where "node" is used for tool-versions file. by [@xytis](https://togithub.com/xytis) in [https://github.com/actions/setup-node/pull/812](https://togithub.com/actions/setup-node/pull/812) ##### Documentation changes: - Refer to semver package name in README.md by [@olleolleolle](https://togithub.com/olleolleolle) in [https://github.com/actions/setup-node/pull/808](https://togithub.com/actions/setup-node/pull/808) ##### Update dependencies: - Update toolkit cache to fix zstd by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/804](https://togithub.com/actions/setup-node/pull/804) - Bump tough-cookie and [@azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/802](https://togithub.com/actions/setup-node/pull/802) - Bump semver from 6.1.2 to 6.3.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/807](https://togithub.com/actions/setup-node/pull/807) - Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/815](https://togithub.com/actions/setup-node/pull/815) #### New Contributors - [@olleolleolle](https://togithub.com/olleolleolle) made their first contribution in [https://github.com/actions/setup-node/pull/808](https://togithub.com/actions/setup-node/pull/808) - [@louislam](https://togithub.com/louislam) made their first contribution in [https://github.com/actions/setup-node/pull/794](https://togithub.com/actions/setup-node/pull/794) - [@sinchang](https://togithub.com/sinchang) made their first contribution in [https://github.com/actions/setup-node/pull/710](https://togithub.com/actions/setup-node/pull/710) - [@xytis](https://togithub.com/xytis) made their first contribution in [https://github.com/actions/setup-node/pull/812](https://togithub.com/actions/setup-node/pull/812) Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.8.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40MC4zIiwidXBkYXRlZEluVmVyIjoiMzYuNDAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2023-08-14 22:44:36 +00:00
Mend Renovate	9d7646a7af	chore(deps): update golang docker tag to v1.21 (#687 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| golang \| stage \| minor \| `1.19` -> `1.21` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40MC4zIiwidXBkYXRlZEluVmVyIjoiMzYuNDAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2023-08-14 15:34:48 -07:00
Noah Elzner	8bcf1f0525	feat: Non-compulsory BuilderID for BYOB Builders (#674 ) /cc @mihaimaruseac /cc @laurentsimon Based off the prefix of the BuilderID within the provenance, if the builder use to build the artifact is one of the BYOB builders of slsa-framework/slsa-github-generator repo, the --builderid flag is not need and is handled automatically. This was done to increase access to users since before the automatic pickup of the builder-id would get the delegator. Test cases that cover verifyProvenance will need to be complete after the v1.8.0 release of slsa-framework/slsa-github-generator. The main structure that is changed is the ExpectedBuilderPath is hardcoded now to slsa-framework builders within `/cli/slsa-verifier/verify/verify_artifact.go `. This can later be changed now if needed to be an input like the other fields of `provenanceOpts` populated during `verify_artifact.go`. The added function within `provenance.go`, `verifyBuilderIDPath` is called during `verifyProvenance` to check this path within `provenanceOpts`. Upon failure of this function, expected and received BuilderID's are also outputted. closes #659 makes use of discussion on closed pr #673 --------- Signed-off-by: Noah Elzner <elzner@google.com> Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-08-11 14:20:58 +00:00
Mend Renovate	57e3f65b43	chore(deps): update github-actions (#666 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/setup-go](https://togithub.com/actions/setup-go) \| action \| minor \| `v4.0.1` -> `v4.1.0` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.20.4` -> `v2.21.3` \| \| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) \| action \| minor \| `v1.7.0` -> `v1.8.0` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v4.1.0`](https://togithub.com/actions/setup-go/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/setup-go/compare/v4.0.1...v4.1.0) ##### What's Changed In scope of this release, slow installation on Windows was fixed by [@dsame](https://togithub.com/dsame) in [https://github.com/actions/setup-go/pull/393](https://togithub.com/actions/setup-go/pull/393) and OS version was added to `primaryKey` for Ubuntu runners to avoid conflicts ([https://github.com/actions/setup-go/pull/383](https://togithub.com/actions/setup-go/pull/383)) This release also includes the following changes: - Remove implicit dependencies by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-go/pull/378](https://togithub.com/actions/setup-go/pull/378) - Update action.yml by [@mkelly](https://togithub.com/mkelly) in [https://github.com/actions/setup-go/pull/379](https://togithub.com/actions/setup-go/pull/379) - Added a description that go-version should be specified as a string type by [@n3xem](https://togithub.com/n3xem) in [https://github.com/actions/setup-go/pull/367](https://togithub.com/actions/setup-go/pull/367) - Add note about YAML parsing versions by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-go/pull/382](https://togithub.com/actions/setup-go/pull/382) - Automatic update of configuration files from 05/23/2023 by [@github-actions](https://togithub.com/github-actions) in [https://github.com/actions/setup-go/pull/377](https://togithub.com/actions/setup-go/pull/377) - Bump tough-cookie and [@azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/392](https://togithub.com/actions/setup-go/pull/392) - Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/397](https://togithub.com/actions/setup-go/pull/397) - Bump semver from 6.3.0 to 6.3.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/396](https://togithub.com/actions/setup-go/pull/396) ##### New Contributors - [@mkelly](https://togithub.com/mkelly) made their first contribution in [https://github.com/actions/setup-go/pull/379](https://togithub.com/actions/setup-go/pull/379) - [@n3xem](https://togithub.com/n3xem) made their first contribution in [https://github.com/actions/setup-go/pull/367](https://togithub.com/actions/setup-go/pull/367) Full Changelog: https://github.com/actions/setup-go/compare/v4...v4.1.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) ### [`v2.21.2`](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2) ### [`v2.21.1`](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1) ### [`v2.21.0`](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0) </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.8.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v180) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0) Release \[v1.8.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0). ##### v1.8.0: Generic Generator - Added: A new [`base64-subjects-as-file`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.8.0/internal/builders/generic/README.md#workflow-inputs) was added to allow for specifying a large subject list. ##### v1.8.0: Node.js Builder (beta) - Fixed: Publishing for non-scoped packages was fixed (See [#2359](https://togithub.com/slsa-framework/slsa-github-generator/issues/2359)) - Fixed: Documentation was updated to clarify that the GitHub Actions `deployment` event is not supported. - Changed: The file extension for the generated provenance file was changed from `.sigstore` to `.build.slsa` in order to make it easier to identify provenance files regardless of file format. - Fixed: The publish action was fixed to address an issue with the package name when using Node 16. </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzYuMjcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2023-08-09 08:24:24 +09:00
Ian Lewis	612f4e525f	test: Add test data for v1.8.0 (#681 ) Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-08-08 13:58:30 +09:00
laurentsimon	9aa2319ef0	feat: Print byob builder (#677 ) closes https://github.com/slsa-framework/slsa-verifier/issues/672 --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-08-02 18:34:13 +00:00
laurentsimon	6affdbb81c	chore: Add Kris to codeowners (#678 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-08-02 16:04:53 +00:00
laurentsimon	4d0ebdcbee	docs: Add example for maven verification plugin (#676 ) closes https://github.com/slsa-framework/slsa-verifier/issues/675 --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-08-02 11:55:09 +09:00
Ian Lewis	e7fc7a4621	feat: Verification for when sha1 is specified in BYOB TRW (#641 ) Fixes #600 --------- Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-07-25 11:29:15 +09:00
laurentsimon	66ae6bcdf6	docs: Fix maven-plugin README (#671 ) Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-07-25 00:56:29 +00:00
AdamKorcz	1d65178d65	move maven-plugin from slsa-github-generator (#664 ) Adds the maven plugin from https://github.com/slsa-framework/slsa-github-generator/pull/2439 Signed-off-by: AdamKorcz <adam@adalogics.com>	2023-07-21 22:40:01 +00:00
Mend Renovate	59f6ba3e00	chore(deps): update github-actions (#651 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| minor \| `v3.6.0` -> `v3.7.0` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.3.6` -> `v2.20.4` \| \| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) \| action \| minor \| `v2.1.3` -> `v2.2.0` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0) ##### What's Changed In scope of this release we added a logic to save an additional cache path for yarn 3 ([related pull request](https://togithub.com/actions/setup-node/pull/744) and [feature request](https://togithub.com/actions/setup-node/issues/325)). Moreover, we added functionality to use all the sub directories derived from `cache-dependency-path` input and add detect all dependencies directories to cache (related [pull request](https://togithub.com/actions/setup-node/pull/735) and [feature request](https://togithub.com/actions/setup-node/issues/488)). ##### Besides, we made such changes as: - Replace workflow badge with new badge by [@jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - Fix a minor typo by [@phanan](https://togithub.com/phanan) in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - docs: fix typo in advanced-usage.md by [@remarkablemark](https://togithub.com/remarkablemark) in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by [@domdomegg](https://togithub.com/domdomegg) in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - Update to node 18.x by [@feelepxyz](https://togithub.com/feelepxyz) in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - Remove implicit dependencies by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - Fix description about ensuring workflow access to private package by [@x86chi](https://togithub.com/x86chi) in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) ##### New Contributors - [@jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - [@phanan](https://togithub.com/phanan) made their first contribution in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - [@remarkablemark](https://togithub.com/remarkablemark) made their first contribution in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - [@domdomegg](https://togithub.com/domdomegg) made their first contribution in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - [@feelepxyz](https://togithub.com/feelepxyz) made their first contribution in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) made their first contribution in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - [@x86chi](https://togithub.com/x86chi) made their first contribution in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.7.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.20.4`](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) ### [`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) ### [`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) ### [`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) ### [`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192) #### Scorecard Result Viewer Thanks to contributions from [@cynthia-sg](https://togithub.com/cynthia-sg) and [@tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406) - [https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422) As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](`08b4669551/README.md (scorecard-badge)`) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](`08b4669551/README.md (workflow-restrictions)`) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156), resolved [https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150)) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191)) #### Docs - 📖 Update README to accept fine-grained tokens by [@pnacht](https://togithub.com/pnacht) in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) - 📖 Update installation instructions to match current GitHub UI by [@joycebrum](https://togithub.com/joycebrum) in [https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153) - 📖 Document the GitHub action workflow restrictions when publishing results. by [@spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140) - [@pnacht](https://togithub.com/pnacht) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0 </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2023-07-18 10:51:23 +09:00
laurentsimon	c6d12b745c	feat: Use tags `vX.Y.Z-<language>` for JReleaser builders (#644 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-07-10 16:42:48 +00:00
Ian Lewis	1778495466	refactor: Use full builder id (#648 ) Internally use full builder IDs including server url rather than worflow ref as a path. This should hopefully avoid confusion between dealing with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include the domain/server url part of the workflow/builder ID. The Fulcio OID claims include the full url. Code extracted from #641 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-07-10 06:23:48 +00:00
Ian Lewis	965f5784c1	refactor: Add more git utils (#645 ) Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and `ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref type whereas `ValidateGitRef` validates that the type is of a given type. Code extracted from #641 Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-07-01 09:03:52 +09:00
Ian Lewis	e2b1828894	fix: pre-submit: e2e-cli.sh artifact download (#646 ) Updates #647 Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-29 10:05:12 -07:00
Ian Lewis	90f4f23e1e	test: Add more ProvenanceFromEnvelope tests (#640 ) Fixes #573 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-26 02:03:34 +00:00
Ian Lewis	f025c630ac	refactor: Use Go 1.20 (#643 ) Fixes #589 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-26 10:49:52 +09:00
Ian Lewis	d2dc8193ae	feat: Verify provenance by build type (#632 ) Fixes #473 Updates handling of provenance by providing implementations based on [buildType](https://slsa.dev/provenance/v1#buildType) since this determines how to interpret parameters and dependencies. This is done because we need a way to interpret parameters not just based on the predicateType. The 3 major build types with format differences are: - non-BYOB SLSA v0.2 - BYOB SLSA v0.2 - BYOB SLSA v1.0 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-16 09:54:20 +09:00
Mend Renovate	7aa6533540	chore(deps): update golang:1.19 docker digest to 83f9f84 (#583 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 05:06:28 +00:00
Mend Renovate	658d91aa82	chore(deps): update npm dev (#608 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 13:47:38 +09:00
Mend Renovate	dab7d387fa	fix(deps): update github.com/sigstore/protobuf-specs digest to 5ef5406 (#606 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 01:33:18 +00:00
Mend Renovate	b69ed475aa	chore(deps): update gcr.io/distroless/base:nonroot docker digest to c623859 (#567 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 01:00:06 +00:00
Mend Renovate	3ee6cee147	chore(deps): update github-actions (#607 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 09:44:31 +09:00
asraa	3a772f79ec	test: add tests for v1.7.0 builders (#638 ) * test: add tests for v1.7.0 builders Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-06-08 21:14:28 +00:00
Ian Lewis	c39b10c4c9	fix: allow workflow_dispatch to trigger release.yml (#637 ) Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-08 22:49:25 +09:00
asraa	733cecb300	chore: update toc in README.md (#636 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-06-07 09:15:51 -05:00
asraa	aac022747e	feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format (#634 ) * feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format Signed-off-by: Asra Ali <asraa@google.com> * docs: update verifier README.md for docker-based builder Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-06-06 22:07:20 +00:00
Ian Lewis	8faf24c6dc	fix: builder ID verification for testing (#635 ) Fix builder ID verification for testing Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-06 08:32:20 -05:00
laurentsimon	7b942b8666	fix: only allow hashes of 256 bits or more (#633 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-06-05 08:32:53 +09:00
Mend Renovate	5ca5eb0120	fix(deps): update module github.com/sigstore/rekor to v1.2.0 [security] (#622 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-02 09:10:53 -05:00
Ian Lewis	9bfbc91c5b	refactor: Provenance tests (#628 ) Refactors GHA provenance tests to use `testProvenance` which makes it clearer what is actually being tested. This will also make it easier to support `buildType` as a way to have different verification logic as the tests no longer rely on testdata with the `"https://github.com/Attestations/GitHubActionsWorkflow@v1"` build type, which isn't used by any supported builders. A couple of updates to utilities: - `VerifyTag` will now validate the ref returned by the `Provenance` instance. - `VerifyBranch` will now validate the ref returned by the `Provenance` instance. - `VerifyDigest` now supports the 160 bit `"sha1"` algo (FWIW) and will now search all subject entries even if one subject entry's algorithm does not match the expected algorithm. --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-02 13:34:56 +09:00
asraa	8fe8ee9f3f	fix: revert to using resolvedDepdendencies for source verification (#629 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-06-01 20:15:22 +00:00
asraa	70d23d4f26	test: re-generate container-based tests (#627 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-05-30 14:38:47 -05:00
asraa	db0560e328	fix: use ExternalParameters["source"] for the Source URI for SLSA v1.0 provenance (#621 ) * feat: add support for checking a source annotation when there are multiple resolveddependencies Signed-off-by: Asra Ali <asraa@google.com> * revert to using external parameters source key Signed-off-by: Asra Ali <asraa@google.com> * unused file Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-05-27 02:28:44 +00:00
Ian Lewis	7e2c7ae288	chore: Don't be verbose with tests locally (#620 ) It can sometimes be unwieldy when running tests with the verbose flag. This changes the Makefile to run tests without the flag by default but with the flag set on GitHub Actions. Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-05-26 05:39:52 +00:00
laurentsimon	93d3f8c06c	fix: Verify the TRW tag is a semver tag (#619 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * Update verifiers/utils/builder.go Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-05-26 01:15:32 +00:00
Ian Lewis	de79463752	test: Add test data for v1.6.0 (#612 ) --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-05-25 23:40:28 +00:00
laurentsimon	fba178ea9c	feat: Use env variable to retrieve trigger workflow (#615 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-25 14:32:48 -07:00
laurentsimon	ba32c706ac	feat: Support for v1.0 verification in BYOB (#609 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-23 07:31:13 -07:00
laurentsimon	bda35e0238	feat: BYOB verification support (#604 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-23 01:41:17 +00:00
Mend Renovate	a86957c6a5	chore(deps): update dependency jasmine to v5 (#598 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-15 04:14:31 +00:00
Mend Renovate	52a48d18af	chore(deps): update github-actions (#597 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-15 04:05:12 +00:00
Mend Renovate	ab4b6b4cc7	chore(deps): update dependency @types/node to v18.16.9 (#596 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-15 03:55:18 +00:00

1 2 3 4 5 ...

370 Commits