All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Unreleased
- v2.0.0
- v1.10.0
- v1.9.0
- v1.8.0
- v1.7.0
- v1.6.0
- v1.5.0
- v1.4.0
- v1.4.0-rc.2
- v1.4.0-rc.1
- v1.4.0-rc.0
- v1.2.2
- v1.2.1
- v1.2.0
- v1.1.1
- v1.0.0
- Updated: GitHub
vars
context is now recorded in provenance for the generic and container generators. Thevars
context cannot affect the build in the Go builder so it is not recorded.
- Our workflows now use the new
@v4
s ofactions/upload-artifact
andactions/download-artifact
, which are incompatiblle with the prior@v3
. See Our docs on the generic generator for more information and how to upgrade.
attestation-name
as a workflow input to.github/workflows/generator_generic_slsa3.yml
is now removed. Useprovenance-name
instead.
- When uploading signed provenance to the log, the entry created in the log is now a DSSE Rekor type. This fixes a bug where the current intoto type does not persist provenance signatures. The attestation will no longer be persisted in Rekor (#3299)
Release v1.10.0 includes bug fixes and new features.
See the full change list.
- The Gradle Builder was fixed when the project root is the same as the repository root (#2727)
- The
go-version-file
input was fixed so that it can find thego.mod
file (#2661)
- A new
provenance-repository
input was added to allow reading provenance from a different container repository than the image itself (#2956)
Release v1.9.0 includes bug fixes and new features.
See the full change list.
- New: A new framework to turn GitHub Actions into SLSA compliant builders.
- New: A Maven builder to build Java projects and publish to Maven central.
- New: A Gradle builder to build Java projects and publish to Maven central.
- New: A JReleaser builder that wraps the official JReleaser Action.
Release v1.8.0 includes bug fixes and new features.
See the full change list.
- Added: A new
base64-subjects-as-file
was added to allow for specifying a large subject list.
- Fixed: Publishing for non-scoped packages was fixed (See #2359)
- Fixed: Documentation was updated to clarify that the GitHub Actions
deployment
event is not supported. - Changed: The file extension for the generated provenance file was changed
from
.sigstore
to.build.slsa
in order to make it easier to identify provenance files regardless of file format. - Fixed: The publish action was fixed to address an issue with the package name when using Node 16.
This release includes the first beta release of the Container-based builder. The Container-based builder provides a GitHub Actions reusable workflow that can be used to invoke a container image with a user-specified command to generate an artifact and SLSA Build L3 compliant provenance.
- Added: A new go-version-file input was added. This allows you to specify a go.mod file in order to track which version of Go is used for your project.
This release includes the first beta release of the Node.js builder. The Node.js builder provides a GitHub Actions reusable workflow that can be called to build a Node.js package, generate SLSA Build L3 compliant provenance, and publish it to the npm registry along with the package.
- A new
prerelease
input was added to allow users to create releases marked as prerelease whenupload-assets
is set totrue
. - A new input
draft-release
was added to allow users to create releases marked as draft whenupload-assets
is set totrue
. - A new output
go-provenance-name
added which can be used to retrieve the name of the provenance file generated by the builder.
- A new input
draft-release
was added to allow users to create releases marked as draft whenupload-assets
is set totrue
.
The Container Generator was updated to use cosign
v2.0.0. No changes to the
workflow's inputs or outputs were made.
- A new
upload-tag-name
input was added to allow users to specify the tag name for the release whenupload-assets
is set totrue
. - The environment variables included in provenance output were changed to include only those variables that are specified by the user in the slsa-goreleaser.yml configuration file in order to improve reproducibility. See #822 for more information and background.
- A new boolean
continue-on-error
input was added which, when set totrue
, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in theoutcome
output. - A new
upload-tag-name
input was added to allow users to specify the tag name for the release whenupload-assets
is set totrue
.
- A new boolean
continue-on-error
input was added which, when set totrue
, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in theoutcome
output. - A new
repository-username
secret input was added to allow users to pass their repository username that is stored in a Github Actions encrypted secret. This secret input should only be used for high-entropy registry username values such as AWS Access Key. - Support was added for authenticating with Google Artifact Registry and Google Container Registry using Workload Identity Federation. Users can use this new feature by using the
gcp-workload-identity-provider
andgcp-service-account
inputs
This release is the first Generally Available version of the Container Generator workflow. The Container Generator workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release (technically the second) with support for the generally available version of sigstore!! We hope to have fewer issues with sigstore infrastructure moving forward.
- Allow users of the Generic Generator to generate provenance for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go builder (#1231)
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
This release fixes issues with signing provenance due to a change in Sigstore TUF root certificates (#1163). This release also includes better handling of transient errors from the Rekor transparency logs.
- @suzuki-shunsuke made their first contribution in #1061
- @datosh made their first contribution in #1074
- @pnacht made their first contribution in #1187
- @dongheelee92 made their first contribution in #1209
DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #1163. Please upgrade to v1.2.2 or later.
This release fixes an error that occurs on the "Generate Builder" step for various workflows.
FAILED: SLSA verification failed: could not find a matching valid signature entry
See #942
This release changes the buildType
used in provenance created by the generic generator.
The previous value was:
"buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
The new value is:
"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
See #627
Previously the default file name for provenance was attestation.intoto.jsonl
. This has been updated to be in line with intoto attestation file naming conventions. The file name now defaults to <artifact filename>.intoto.jsonl
if there is a single artifact, or multiple.intoto.jsonl
if there are multiple artifacts.
See #654
Private repository support was enhanced to required the private-repository
input field as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
private-repository: true
See #823
Support for private repositories was fixed. If using a private repository you must specify the private-repository
input field as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
private-repository: true
See #823
- @sethmlarson made their first contribution in #758
- @yunginnanet made their first contribution in #776
- @diogoteles08 made their first contribution in #957
DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #942. Please upgrade to v1.2.2 or later.
The highlight of this release is a new re-usable workflow called the "Generic generator". It lets users build artifacts on their own and generate a provenance that satisfies SLSA provenance 3 requirement. It's perfect to get started with SLSA with minimal changes to an existing build workflow. To use it, check the README.md!
No changes.
- @naveensrinivasan made their first contribution in #352
- @renovate-bot made their first contribution in #401
- @rarkins made their first contribution in #489
- @developer-guy made their first contribution in #497
- @loosebazooka made their first contribution in #573
- Improve documentation
- Fix filename issue when resolving it with variables
- Add support for environment variables in artifact filename
- @joshuagl made their first contribution in #199
- @mihaimaruseac made their first contribution in #202
- @MarkLodato made their first contribution in #312
- @chipzoller made their first contribution in #354
This is the first official release of the generator. The first builder we are releasing is for Golang projects. To learn how to use it, see ./README.md#golang-projects
@asraa @ianlewis @MarkLodato @joshuagl @laurentsimon