laurentsimon
7e1e47d7d7
docs: update release doc and rm binary ( #716 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-10-16 13:44:13 -07:00
Mend Renovate
a7d5c7b0f1
fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.5 ( #669 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven:maven-plugin-api](https://maven.apache.org/ ) |
`3.6.3` -> `3.9.5` |
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzcuMC4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-10-10 02:06:04 +00:00
Mend Renovate
088a626879
fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.9.0 ( #667 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[org.apache.maven.plugin-tools:maven-plugin-annotations](https://maven.apache.org/plugin-tools )
| `3.6.0` -> `3.9.0` |
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
[](https://docs.renovatebot.com/merge-confidence/ )
|
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzYuMTEuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-10-10 01:00:37 +00:00
laurentsimon
2184d9d604
chore: bump versions ( #715 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-10-10 00:27:33 +00:00
laurentsimon
3b171c4140
feat: Address unresolved comments from #705 ( #708 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/707
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-10-09 23:17:48 +00:00
dependabot[bot]
8602109f3f
chore(deps): bump org.apache.maven:maven-core from 3.2.5 to 3.8.1 in /experimental/maven-plugin ( #713 )
...
Bumps [org.apache.maven:maven-core](https://github.com/apache/maven )
from 3.2.5 to 3.8.1.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="05c21c65bdd295dc362fa46906806adad8a3e1c56aa1f4acf5907d53ad32899465aeecfa79cb22e4e5f6634e1709f77da9b0https://github.com/apache/maven/compare/maven-3.2.5...maven-3.8.1 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-verifier/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-09 23:04:57 +00:00
laurentsimon
417b7aacc6
feat: Rename verifySubjectDigest function ( #712 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/711
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-10-10 07:37:38 +09:00
Mend Renovate
0e5b3a3d11
fix(deps): update golang.org/x/exp digest to 7918f67 ( #694 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang.org/x/exp | require | digest | `10a5072` -> `7918f67` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuMC4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-10-09 09:59:53 -07:00
Trishank Karthik Kuppusamy
92e23214ec
docs: Propose a security policy ( #710 )
...
Propose a security policy (largely
[borrowed](35c71e42cd/docs/SECURITY.mdhttps://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository ).
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com >
2023-10-03 09:49:43 -07:00
laurentsimon
f6ae402f45
fix: npm publish verification ( #705 )
...
- adding support for IEEE P1363 formatted signatures
- fix the npm publish attestation bug. The verification always return
success, because it was not using PAE signature
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com >
2023-10-02 10:12:51 -07:00
laurentsimon
54010d9735
fix: Support npm v2 format ( #704 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/703
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-09-21 17:10:01 -07:00
Trishank Karthik Kuppusamy
e2c7ca1325
feat: Add homebrew formula to README ( #702 )
...
Add installation using Homebrew on macOS
---------
Signed-off-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com >
2023-09-21 14:36:52 -07:00
laurentsimon
d23c97947e
chore: Update doc for v2.4.0 ( #699 )
...
How to LGTM this PR (I'll work on a proper doc for this in
https://github.com/slsa-framework/slsa-github-generator/issues/112 ):
1. Clone repo
```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.4.0 # NOTE: use the file in _this_ PR.
# Note down the path to the temporary dir use. The bash script will print its first line as "INFO: using dir: /tmp/tmp.VaYi6HfbmL"
```
2. Run command below and compare to SHA256SUM.md in this PR
```
$sha256sum /tmp/tmp.VaYi6HfbmL/*
```
The output hash should be the hash I'm updating to in this PR. If they
match, LGTM. If they don't, someone tampered with the released binary
and don't LGTM
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-08-25 12:09:40 -07:00
laurentsimon
886eb4b109
fix: link to installer Action ( #698 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-25 16:56:09 +00:00
laurentsimon
73d1bcba98
fix: release failure ( #697 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-24 15:58:45 -07:00
laurentsimon
80c7d86183
feat: v1.9.0 regression tests ( #696 )
...
Add regression tests for BYOB releae.
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-24 09:20:57 -07:00
laurentsimon
58eede7e66
feat: gcb v1.0 support ( #691 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/683
This is a large PR, but there is not much new code.
The code adding support for v1.0 is under:
- verifiers/internal/gcb/slsaprovenance/v1.0/*
- verifiers/internal/gcb/slsaprovenance/provenance.go
The rest is mostly some re-factoring needed
Remaining is regression tests, tracked in
https://github.com/slsa-framework/slsa-verifier/issues/690
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
2023-08-18 17:32:58 +00:00
laurentsimon
4b59ce4050
feat: Update doc and code for Maven plugin ( #680 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-16 01:46:57 +00:00
laurentsimon
2a24d8e0f1
feat: Allow byob builders ref at main for e2e tests ( #689 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-16 00:57:17 +00:00
laurentsimon
9aef8ff8aa
feat: GCB refactor for v1.0 support ( #682 )
...
In anticipation for GCB's v1.0 support, this PR re-factors the code to
look similar to GHA's code
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
2023-08-15 18:15:49 +00:00
Mend Renovate
b9a0e6babf
chore(deps): update github-actions ( #686 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action )
| action | patch | `v3.0.6` -> `v3.0.7` |
| [actions/setup-node](https://togithub.com/actions/setup-node ) | action
| minor | `v3.7.0` -> `v3.8.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | patch | `v2.21.3` -> `v2.21.4` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>
###
[`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7 ):
3.0.7
[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7 )
#### What's Changed
- Make GHES support / setup more clear by
[@​rajbos](https://togithub.com/rajbos ) in
[https://github.com/actions/dependency-review-action/pull/534 ](https://togithub.com/actions/dependency-review-action/pull/534 )
- Add an option to deny packages or groups of packages by
[@​adrienpessu](https://togithub.com/adrienpessu ) in
[https://github.com/actions/dependency-review-action/pull/544 ](https://togithub.com/actions/dependency-review-action/pull/544 )
#### New Contributors
- [@​rajbos](https://togithub.com/rajbos ) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/534 ](https://togithub.com/actions/dependency-review-action/pull/534 )
- [@​adrienpessu](https://togithub.com/adrienpessu ) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/544 ](https://togithub.com/actions/dependency-review-action/pull/544 )
**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v3...v3.0.7
</details>
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
###
[`v3.8.0`](https://togithub.com/actions/setup-node/releases/tag/v3.8.0 )
[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.7.0...v3.8.0 )
#### What's Changed
##### Bug fixes:
- Add check for existing paths by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/803 ](https://togithub.com/actions/setup-node/pull/803 )
- Resolve SymbolicLink by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/809 ](https://togithub.com/actions/setup-node/pull/809 )
- Change passing logic for cache input by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/816 ](https://togithub.com/actions/setup-node/pull/816 )
- Fix armv7 cache issue by
[@​louislam](https://togithub.com/louislam ) in
[https://github.com/actions/setup-node/pull/794 ](https://togithub.com/actions/setup-node/pull/794 )
- Update check-dist workflow name by
[@​sinchang](https://togithub.com/sinchang ) in
[https://github.com/actions/setup-node/pull/710 ](https://togithub.com/actions/setup-node/pull/710 )
##### Feature implementations:
- feat: handling the case where "node" is used for tool-versions file.
by [@​xytis](https://togithub.com/xytis ) in
[https://github.com/actions/setup-node/pull/812 ](https://togithub.com/actions/setup-node/pull/812 )
##### Documentation changes:
- Refer to semver package name in README.md by
[@​olleolleolle](https://togithub.com/olleolleolle ) in
[https://github.com/actions/setup-node/pull/808 ](https://togithub.com/actions/setup-node/pull/808 )
##### Update dependencies:
- Update toolkit cache to fix zstd by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-node/pull/804 ](https://togithub.com/actions/setup-node/pull/804 )
- Bump tough-cookie and
[@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js ) by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/802 ](https://togithub.com/actions/setup-node/pull/802 )
- Bump semver from 6.1.2 to 6.3.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/807 ](https://togithub.com/actions/setup-node/pull/807 )
- Bump word-wrap from 1.2.3 to 1.2.4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-node/pull/815 ](https://togithub.com/actions/setup-node/pull/815 )
#### New Contributors
- [@​olleolleolle](https://togithub.com/olleolleolle ) made their
first contribution in
[https://github.com/actions/setup-node/pull/808 ](https://togithub.com/actions/setup-node/pull/808 )
- [@​louislam](https://togithub.com/louislam ) made their first
contribution in
[https://github.com/actions/setup-node/pull/794 ](https://togithub.com/actions/setup-node/pull/794 )
- [@​sinchang](https://togithub.com/sinchang ) made their first
contribution in
[https://github.com/actions/setup-node/pull/710 ](https://togithub.com/actions/setup-node/pull/710 )
- [@​xytis](https://togithub.com/xytis ) made their first
contribution in
[https://github.com/actions/setup-node/pull/812 ](https://togithub.com/actions/setup-node/pull/812 )
**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.8.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40MC4zIiwidXBkYXRlZEluVmVyIjoiMzYuNDAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-08-14 22:44:36 +00:00
Mend Renovate
9d7646a7af
chore(deps): update golang docker tag to v1.21 ( #687 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | minor | `1.19` -> `1.21` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40MC4zIiwidXBkYXRlZEluVmVyIjoiMzYuNDAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-08-14 15:34:48 -07:00
Noah Elzner
8bcf1f0525
feat: Non-compulsory BuilderID for BYOB Builders ( #674 )
...
/cc @mihaimaruseac
/cc @laurentsimon
Based off the prefix of the BuilderID within the provenance, if the
builder use to build the artifact is one of the BYOB builders of
slsa-framework/slsa-github-generator repo, the --builderid flag is not
need and is handled automatically. This was done to increase access to
users since before the automatic pickup of the builder-id would get the
delegator.
Test cases that cover verifyProvenance will need to be complete after
the v1.8.0 release of slsa-framework/slsa-github-generator.
The main structure that is changed is the ExpectedBuilderPath is
hardcoded now to slsa-framework builders within
`/cli/slsa-verifier/verify/verify_artifact.go `. This can later be
changed now if needed to be an input like the other fields of
`provenanceOpts` populated during `verify_artifact.go`. The added
function within `provenance.go`, `verifyBuilderIDPath` is called during
`verifyProvenance` to check this path within `provenanceOpts`. Upon
failure of this function, expected and received BuilderID's are also
outputted.
closes #659
makes use of discussion on closed pr #673
---------
Signed-off-by: Noah Elzner <elzner@google.com >
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com >
Co-authored-by: Ian Lewis <ianlewis@google.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-08-11 14:20:58 +00:00
Mend Renovate
57e3f65b43
chore(deps): update github-actions ( #666 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-go](https://togithub.com/actions/setup-go ) | action |
minor | `v4.0.1` -> `v4.1.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | minor | `v2.20.4` -> `v2.21.3` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator )
| action | minor | `v1.7.0` -> `v1.8.0` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/setup-go (actions/setup-go)</summary>
###
[`v4.1.0`](https://togithub.com/actions/setup-go/releases/tag/v4.1.0 )
[Compare
Source](https://togithub.com/actions/setup-go/compare/v4.0.1...v4.1.0 )
##### What's Changed
In scope of this release, slow installation on Windows was fixed by
[@​dsame](https://togithub.com/dsame ) in
[https://github.com/actions/setup-go/pull/393 ](https://togithub.com/actions/setup-go/pull/393 )
and OS version was added to `primaryKey` for Ubuntu runners to avoid
conflicts
([https://github.com/actions/setup-go/pull/383 ](https://togithub.com/actions/setup-go/pull/383 ))
This release also includes the following changes:
- Remove implicit dependencies by
[@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) in
[https://github.com/actions/setup-go/pull/378 ](https://togithub.com/actions/setup-go/pull/378 )
- Update action.yml by [@​mkelly](https://togithub.com/mkelly ) in
[https://github.com/actions/setup-go/pull/379 ](https://togithub.com/actions/setup-go/pull/379 )
- Added a description that go-version should be specified as a string
type by [@​n3xem](https://togithub.com/n3xem ) in
[https://github.com/actions/setup-go/pull/367 ](https://togithub.com/actions/setup-go/pull/367 )
- Add note about YAML parsing versions by
[@​dmitry-shibanov](https://togithub.com/dmitry-shibanov ) in
[https://github.com/actions/setup-go/pull/382 ](https://togithub.com/actions/setup-go/pull/382 )
- Automatic update of configuration files from 05/23/2023 by
[@​github-actions](https://togithub.com/github-actions ) in
[https://github.com/actions/setup-go/pull/377 ](https://togithub.com/actions/setup-go/pull/377 )
- Bump tough-cookie and
[@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js ) by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/392 ](https://togithub.com/actions/setup-go/pull/392 )
- Bump word-wrap from 1.2.3 to 1.2.4 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/397 ](https://togithub.com/actions/setup-go/pull/397 )
- Bump semver from 6.3.0 to 6.3.1 by
[@​dependabot](https://togithub.com/dependabot ) in
[https://github.com/actions/setup-go/pull/396 ](https://togithub.com/actions/setup-go/pull/396 )
##### New Contributors
- [@​mkelly](https://togithub.com/mkelly ) made their first
contribution in
[https://github.com/actions/setup-go/pull/379 ](https://togithub.com/actions/setup-go/pull/379 )
- [@​n3xem](https://togithub.com/n3xem ) made their first
contribution in
[https://github.com/actions/setup-go/pull/367 ](https://togithub.com/actions/setup-go/pull/367 )
**Full Changelog**:
https://github.com/actions/setup-go/compare/v4...v4.1.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3 )
###
[`v2.21.2`](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2 )
###
[`v2.21.1`](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1 )
###
[`v2.21.0`](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0 )
</details>
<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>
###
[`v1.8.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v180 )
[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0 )
Release \[v1.8.0] includes bug fixes and new features.
See the [full change
list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0 ).
##### v1.8.0: Generic Generator
- **Added**: A new
[`base64-subjects-as-file`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.8.0/internal/builders/generic/README.md#workflow-inputs )
was added to allow for specifying a large subject list.
##### v1.8.0: Node.js Builder (beta)
- **Fixed**: Publishing for non-scoped packages was fixed (See
[#​2359](https://togithub.com/slsa-framework/slsa-github-generator/issues/2359 ))
- **Fixed**: Documentation was updated to clarify that the GitHub
Actions
`deployment` event is not supported.
- **Changed**: The file extension for the generated provenance file was
changed
from `.sigstore` to `.build.slsa` in order to make it easier to identify
provenance files regardless of file format.
- **Fixed**: The publish action was fixed to address an issue with the
package
name when using Node 16.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzYuMjcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-08-09 08:24:24 +09:00
Ian Lewis
612f4e525f
test: Add test data for v1.8.0 ( #681 )
...
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-08-08 13:58:30 +09:00
laurentsimon
9aa2319ef0
feat: Print byob builder ( #677 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/672
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-02 18:34:13 +00:00
laurentsimon
6affdbb81c
chore: Add Kris to codeowners ( #678 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-02 16:04:53 +00:00
laurentsimon
4d0ebdcbee
docs: Add example for maven verification plugin ( #676 )
...
closes https://github.com/slsa-framework/slsa-verifier/issues/675
---------
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-08-02 11:55:09 +09:00
Ian Lewis
e7fc7a4621
feat: Verification for when sha1 is specified in BYOB TRW ( #641 )
...
Fixes #600
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-07-25 11:29:15 +09:00
laurentsimon
66ae6bcdf6
docs: Fix maven-plugin README ( #671 )
...
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com >
2023-07-25 00:56:29 +00:00
AdamKorcz
1d65178d65
move maven-plugin from slsa-github-generator ( #664 )
...
Adds the maven plugin from
https://github.com/slsa-framework/slsa-github-generator/pull/2439
Signed-off-by: AdamKorcz <adam@adalogics.com >
2023-07-21 22:40:01 +00:00
Mend Renovate
59f6ba3e00
chore(deps): update github-actions ( #651 )
...
[](https://renovatebot.com )
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://togithub.com/actions/setup-node ) | action
| minor | `v3.6.0` -> `v3.7.0` |
| [github/codeql-action](https://togithub.com/github/codeql-action ) |
action | minor | `v2.3.6` -> `v2.20.4` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action ) |
action | minor | `v2.1.3` -> `v2.2.0` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Release Notes
<details>
<summary>actions/setup-node (actions/setup-node)</summary>
###
[`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0 )
[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0 )
##### What's Changed
In scope of this release we added a logic to save an additional cache
path for yarn 3 ([related pull
request](https://togithub.com/actions/setup-node/pull/744 ) and [feature
request](https://togithub.com/actions/setup-node/issues/325 )). Moreover,
we added functionality to use all the sub directories derived from
`cache-dependency-path` input and add detect all dependencies
directories to cache (related [pull
request](https://togithub.com/actions/setup-node/pull/735 ) and [feature
request](https://togithub.com/actions/setup-node/issues/488 )).
##### Besides, we made such changes as:
- Replace workflow badge with new badge by
[@​jongwooo](https://togithub.com/jongwooo ) in
[https://github.com/actions/setup-node/pull/653 ](https://togithub.com/actions/setup-node/pull/653 )
- Fix a minor typo by [@​phanan](https://togithub.com/phanan ) in
[https://github.com/actions/setup-node/pull/662 ](https://togithub.com/actions/setup-node/pull/662 )
- docs: fix typo in advanced-usage.md by
[@​remarkablemark](https://togithub.com/remarkablemark ) in
[https://github.com/actions/setup-node/pull/697 ](https://togithub.com/actions/setup-node/pull/697 )
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by
[@​domdomegg](https://togithub.com/domdomegg ) in
[https://github.com/actions/setup-node/pull/718 ](https://togithub.com/actions/setup-node/pull/718 )
- Update to node 18.x by
[@​feelepxyz](https://togithub.com/feelepxyz ) in
[https://github.com/actions/setup-node/pull/751 ](https://togithub.com/actions/setup-node/pull/751 )
- Remove implicit dependencies by
[@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) in
[https://github.com/actions/setup-node/pull/758 ](https://togithub.com/actions/setup-node/pull/758 )
- Fix description about ensuring workflow access to private package by
[@​x86chi](https://togithub.com/x86chi ) in
[https://github.com/actions/setup-node/pull/704 ](https://togithub.com/actions/setup-node/pull/704 )
##### New Contributors
- [@​jongwooo](https://togithub.com/jongwooo ) made their first
contribution in
[https://github.com/actions/setup-node/pull/653 ](https://togithub.com/actions/setup-node/pull/653 )
- [@​phanan](https://togithub.com/phanan ) made their first
contribution in
[https://github.com/actions/setup-node/pull/662 ](https://togithub.com/actions/setup-node/pull/662 )
- [@​remarkablemark](https://togithub.com/remarkablemark ) made
their first contribution in
[https://github.com/actions/setup-node/pull/697 ](https://togithub.com/actions/setup-node/pull/697 )
- [@​domdomegg](https://togithub.com/domdomegg ) made their first
contribution in
[https://github.com/actions/setup-node/pull/718 ](https://togithub.com/actions/setup-node/pull/718 )
- [@​feelepxyz](https://togithub.com/feelepxyz ) made their first
contribution in
[https://github.com/actions/setup-node/pull/751 ](https://togithub.com/actions/setup-node/pull/751 )
- [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii ) made
their first contribution in
[https://github.com/actions/setup-node/pull/758 ](https://togithub.com/actions/setup-node/pull/758 )
- [@​x86chi](https://togithub.com/x86chi ) made their first
contribution in
[https://github.com/actions/setup-node/pull/704 ](https://togithub.com/actions/setup-node/pull/704 )
**Full Changelog**:
https://github.com/actions/setup-node/compare/v3...v3.7.0
</details>
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v2.20.4`](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4 )
###
[`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3 )
###
[`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2 )
###
[`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1 )
###
[`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0 )
[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0 )
</details>
<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
###
[`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0 )
[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0 )
#### What's Changed
- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@​spencerschrock](https://togithub.com/spencerschrock ) in
[https://github.com/ossf/scorecard-action/pull/1192 ](https://togithub.com/ossf/scorecard-action/pull/1192 )
#### Scorecard Result Viewer
Thanks to contributions from
[@​cynthia-sg](https://togithub.com/cynthia-sg ) and
[@​tegioz](https://togithub.com/tegioz ) at
[CLOMonitor](https://togithub.com/cncf/clomonitor ), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri= <project-url>`.
-
[https://github.com/ossf/scorecard-webapp/pull/406 ](https://togithub.com/ossf/scorecard-webapp/pull/406 )
-
[https://github.com/ossf/scorecard-webapp/pull/422 ](https://togithub.com/ossf/scorecard-webapp/pull/422 )
As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard )
Checkout our
[README](08b4669551/README.md (scorecard-badge)08b4669551/README.md (workflow-restrictions)https://github.com/ossf/scorecard-action/pull/1156 ](https://togithub.com/ossf/scorecard-action/pull/1156 ),
resolved
[https://github.com/ossf/scorecard-action/issues/1150 ](https://togithub.com/ossf/scorecard-action/issues/1150 ))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191 ](https://togithub.com/ossf/scorecard-action/pull/1191 ))
#### Docs
- 📖 Update README to accept fine-grained tokens by
[@​pnacht](https://togithub.com/pnacht ) in
[https://github.com/ossf/scorecard-action/pull/1175 ](https://togithub.com/ossf/scorecard-action/pull/1175 )
- 📖 Update installation instructions to match current GitHub UI by
[@​joycebrum](https://togithub.com/joycebrum ) in
[https://github.com/ossf/scorecard-action/pull/1153 ](https://togithub.com/ossf/scorecard-action/pull/1153 )
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@​spencerschrock](https://togithub.com/spencerschrock ) in
#### New Contributors
- [@​bobcallaway](https://togithub.com/bobcallaway ) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140 ](https://togithub.com/ossf/scorecard-action/pull/1140 )
- [@​pnacht](https://togithub.com/pnacht ) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175 ](https://togithub.com/ossf/scorecard-action/pull/1175 )
**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/ ). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Signed-off-by: Mend Renovate <bot@renovateapp.com >
2023-07-18 10:51:23 +09:00
laurentsimon
c6d12b745c
feat: Use tags vX.Y.Z-<language> for JReleaser builders ( #644 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-07-10 16:42:48 +00:00
Ian Lewis
1778495466
refactor: Use full builder id ( #648 )
...
Internally use full builder IDs including server url rather than worflow
ref as a path. This should hopefully avoid confusion between dealing
with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path
portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include
the domain/server url part of the workflow/builder ID. The Fulcio OID
claims include the full url.
Code extracted from #641
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-07-10 06:23:48 +00:00
Ian Lewis
965f5784c1
refactor: Add more git utils ( #645 )
...
Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and
`ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref
type whereas `ValidateGitRef` validates that the type is of a given
type.
Code extracted from #641
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-07-01 09:03:52 +09:00
Ian Lewis
e2b1828894
fix: pre-submit: e2e-cli.sh artifact download ( #646 )
...
Updates #647
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-29 10:05:12 -07:00
Ian Lewis
90f4f23e1e
test: Add more ProvenanceFromEnvelope tests ( #640 )
...
Fixes #573
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-26 02:03:34 +00:00
Ian Lewis
f025c630ac
refactor: Use Go 1.20 ( #643 )
...
Fixes #589
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-26 10:49:52 +09:00
Ian Lewis
d2dc8193ae
feat: Verify provenance by build type ( #632 )
...
Fixes #473
Updates handling of provenance by providing implementations based on
[buildType](https://slsa.dev/provenance/v1#buildType ) since this
determines how to interpret parameters and dependencies. This is done
because we need a way to interpret parameters not just based on the
predicateType. The 3 major build types with format differences are:
- non-BYOB SLSA v0.2
- BYOB SLSA v0.2
- BYOB SLSA v1.0
---------
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-16 09:54:20 +09:00
Mend Renovate
7aa6533540
chore(deps): update golang:1.19 docker digest to 83f9f84 ( #583 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 05:06:28 +00:00
Mend Renovate
658d91aa82
chore(deps): update npm dev ( #608 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 13:47:38 +09:00
Mend Renovate
dab7d387fa
fix(deps): update github.com/sigstore/protobuf-specs digest to 5ef5406 ( #606 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 01:33:18 +00:00
Mend Renovate
b69ed475aa
chore(deps): update gcr.io/distroless/base:nonroot docker digest to c623859 ( #567 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 01:00:06 +00:00
Mend Renovate
3ee6cee147
chore(deps): update github-actions ( #607 )
...
Signed-off-by: Renovate Bot <bot@renovateapp.com >
2023-06-12 09:44:31 +09:00
asraa
3a772f79ec
test: add tests for v1.7.0 builders ( #638 )
...
* test: add tests for v1.7.0 builders
Signed-off-by: Asra Ali <asraa@google.com >
---------
Signed-off-by: Asra Ali <asraa@google.com >
2023-06-08 21:14:28 +00:00
Ian Lewis
c39b10c4c9
fix: allow workflow_dispatch to trigger release.yml ( #637 )
...
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-08 22:49:25 +09:00
asraa
733cecb300
chore: update toc in README.md ( #636 )
...
Signed-off-by: Asra Ali <asraa@google.com >
2023-06-07 09:15:51 -05:00
asraa
aac022747e
feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format ( #634 )
...
* feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format
Signed-off-by: Asra Ali <asraa@google.com >
* docs: update verifier README.md for docker-based builder
Signed-off-by: Asra Ali <asraa@google.com >
---------
Signed-off-by: Asra Ali <asraa@google.com >
2023-06-06 22:07:20 +00:00
Ian Lewis
8faf24c6dc
fix: builder ID verification for testing ( #635 )
...
Fix builder ID verification for testing
Signed-off-by: Ian Lewis <ianlewis@google.com >
2023-06-06 08:32:20 -05:00
laurentsimon
7b942b8666
fix: only allow hashes of 256 bits or more ( #633 )
...
Signed-off-by: laurentsimon <laurentsimon@google.com >
2023-06-05 08:32:53 +09:00
