
feat: Verification for when sha1 is specified in BYOB TRW #641

Conversation

ianlewis (Member):

Fixes #600

Signed-off-by: Ian Lewis <[email protected]>
Review threads on: verifiers/utils/git.go (outdated), verifiers/internal/gha/provenance.go
Review comment on verifiers/internal/gha/provenance.go, at this excerpt of the project's code:

```go
	"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
)

// ContainerBasedProvenance is SLSA v1.0 provenance for the slsa-github-generator BYOB build type.
type ContainerBasedProvenance struct {
```
ianlewis (Member, Author):

Note to reviewers: ContainerBasedProvenance doesn't support sha1 and only supports source == trigger

@ianlewis ianlewis marked this pull request as ready for review June 19, 2023 06:32
@ianlewis (Member, Author):

Still a few things not working...

This PR is getting too big so I'll see if I can't break it up into smaller PRs.

ianlewis added a commit that referenced this pull request Jul 1, 2023
Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and
`ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref
type whereas `ValidateGitRef` validates that the type is of a given
type.

Code extracted from #641

Signed-off-by: Ian Lewis <[email protected]>
ianlewis added a commit that referenced this pull request Jul 10, 2023
Internally use full builder IDs including server url rather than workflow
ref as a path. This should hopefully avoid confusion between dealing
with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path
portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include
the domain/server url part of the workflow/builder ID. The Fulcio OID
claims include the full url.

Code extracted from #641

---------

Signed-off-by: Ian Lewis <[email protected]>
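The ref and builder-ID handling that the two extracted commits above describe, as an added Go example written for this page (not slsa-verifier's own code): ParseGitRef is permissive about the ref type (tag, branch, or a bare commit sha1, the case in the PR title), ValidateGitRef is strict about a required type and the semver tag shape, and FullBuilderID rebuilds the server-qualified builder ID from a path-only GITHUB_WORKFLOW_REF so it can be compared with the full URL form in the Fulcio claims. The `git+https://` URI form, the RefType names and the example-org paths are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RefType classifies the git reference a builder (TRW) is pinned to.
type RefType string
const (
	RefTypeTag    RefType = "tags"
	RefTypeBranch RefType = "heads"
	RefTypeSHA1   RefType = "sha1" // bare 40-hex commit, the case in the PR title
)

var (
	sha1Re   = regexp.MustCompile(`^[0-9a-f]{40}$`)
	semverRe = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$`)
)

// ParseGitRef is permissive about the ref type: it accepts refs/tags/<name>,
// refs/heads/<name> and a bare commit SHA-1, returning the type and the name.
func ParseGitRef(ref string) (RefType, string, error) {
	if sha1Re.MatchString(ref) {
		return RefTypeSHA1, ref, nil
	}
	parts := strings.SplitN(ref, "/", 3)
	if len(parts) != 3 || parts[0] != "refs" || parts[2] == "" {
		return "", "", fmt.Errorf("invalid git ref %q", ref)
	}
	switch t := RefType(parts[1]); t {
	case RefTypeTag, RefTypeBranch:
		return t, parts[2], nil
	}
	return "", "", fmt.Errorf("invalid git ref %q: unknown ref type", ref)
}

// ValidateGitRef is strict: the ref must be of the required type, and a tag must be semver.
func ValidateGitRef(ref string, want RefType) (string, error) {
	got, name, err := ParseGitRef(ref)
	if err != nil {
		return "", err
	}
	if got != want {
		return "", fmt.Errorf("invalid git ref %q: want %s, got %s", ref, want, got)
	}
	if want == RefTypeTag && !semverRe.MatchString(name) {
		return "", fmt.Errorf("invalid git ref %q: tag is not semver", ref)
	}
	return name, nil
}

// NormalizeGitURI canonicalises a repo URI to "git+https://host/owner/repo" (assumed form).
func NormalizeGitURI(uri string) (string, error) {
	u := strings.TrimPrefix(uri, "git+")
	if !strings.HasPrefix(u, "https://") {
		return "", fmt.Errorf("unsupported git URI %q", uri)
	}
	return "git+" + strings.TrimSuffix(strings.TrimRight(u, "/"), ".git"), nil
}

// ParseGitURIAndRef splits "<repo URI>@<ref>" into the normalized URI and a parseable ref.
func ParseGitURIAndRef(uri string) (string, string, error) {
	repo, ref, ok := strings.Cut(uri, "@")
	if !ok {
		return "", "", fmt.Errorf("invalid git URI %q: missing @ref", uri)
	}
	if _, _, err := ParseGitRef(ref); err != nil {
		return "", "", err
	}
	repo, err := NormalizeGitURI(repo)
	if err != nil {
		return "", "", err
	}
	return repo, ref, nil
}

// FullBuilderID turns the path-only GITHUB_WORKFLOW_REF ("owner/repo/.github/workflows/x.yml@<ref>")
// into the server-qualified builder ID, the form the Fulcio claims carry, for an exact-string compare.
func FullBuilderID(serverURL, workflowRef string) (string, error) {
	serverURL = strings.TrimRight(serverURL, "/")
	if serverURL == "" || strings.Contains(workflowRef, "://") {
		return "", fmt.Errorf("want a server URL and a path-only workflow ref, got %q", workflowRef)
	}
	path, ref, ok := strings.Cut(workflowRef, "@")
	if !ok || path == "" {
		return "", fmt.Errorf("invalid workflow ref %q: missing @ref", workflowRef)
	}
	if _, _, err := ParseGitRef(ref); err != nil {
		return "", err
	}
	return serverURL + "/" + strings.TrimLeft(path, "/") + "@" + ref, nil
}

func main() {
	id, err := FullBuilderID("https://github.com", "example-org/example-builder/.github/workflows/builder.yml@refs/tags/v1.9.0") // constructed placeholder TRW
	fmt.Println(id, err)
}
```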
@ianlewis ianlewis merged commit e7fc7a4 into slsa-framework:main Jul 25, 2023
14 checks passed
Review comment (Contributor) on this test-table excerpt:

```go
			},
		},
	),
	err: serrors.ErrorInvalidDssePayload,
```

should return ""?

Review comment (Contributor) on this test-table excerpt:

```go
			},
		},
	),
	err: serrors.ErrorInvalidDssePayload,
```

should return ""?

laurentsimon referenced this pull request Dec 1, 2023

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` |
| [github/codeql-action](https://github.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` |
| [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` |
| [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v3.6.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360)

[Compare Source](https://github.com/actions/checkout/compare/v3.5.3...v3.6.0)

- [Fix: Mark test scripts with Bash'isms to be run via
Bash](https://github.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth >
0](https://github.com/actions/checkout/pull/579)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

### [`v3.1.0`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0

[Compare Source](https://github.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by
[@&#8203;oerd](https://github.com/oerd) in
[https://github.com/actions/dependency-review-action/pull/551](https://github.com/actions/dependency-review-action/pull/551)

#### New Contributors

- [@&#8203;oerd](https://github.com/oerd) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/551](https://github.com/actions/dependency-review-action/pull/551)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.0

### [`v3.0.8`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8

[Compare Source](https://github.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by
[@&#8203;sgmurphy](https://github.com/sgmurphy) in
[https://github.com/actions/dependency-review-action/pull/540](https://github.com/actions/dependency-review-action/pull/540)

Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@&#8203;sgmurphy](https://github.com/sgmurphy) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/540](https://github.com/actions/dependency-review-action/pull/540)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.8

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v3.8.1`](https://github.com/actions/setup-node/releases/tag/v3.8.1)

[Compare Source](https://github.com/actions/setup-node/compare/v3.8.0...v3.8.1)

#### What's Changed

In scope of this release, the filter was removed within the cache-save
step by [@&#8203;dmitry-shibanov](https://github.com/dmitry-shibanov)
in
[https://github.com/actions/setup-node/pull/831](https://github.com/actions/setup-node/pull/831).
It is filtered and checked in the toolkit/cache library.

**Full Changelog**:
actions/setup-node@v3...v3.8.1

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v3.1.3`](https://github.com/actions/upload-artifact/releases/tag/v3.1.3)

[Compare Source](https://github.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)

#### What's Changed

- chore(github): remove trailing whitespaces by
[@&#8203;ljmf00](https://github.com/ljmf00) in
[https://github.com/actions/upload-artifact/pull/313](https://github.com/actions/upload-artifact/pull/313)
- Bump [@&#8203;actions/artifact](https://github.com/actions/artifact)
version to v1.1.2 by
[@&#8203;bethanyj28](https://github.com/bethanyj28) in
[https://github.com/actions/upload-artifact/pull/436](https://github.com/actions/upload-artifact/pull/436)

**Full Changelog**:
actions/upload-artifact@v3...v3.1.3

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v2.22.1`](https://github.com/github/codeql-action/compare/v2.22.0...v2.22.1)

[Compare Source](https://github.com/github/codeql-action/compare/v2.22.0...v2.22.1)

### [`v2.22.0`](https://github.com/github/codeql-action/compare/v2.21.9...v2.22.0)

[Compare Source](https://github.com/github/codeql-action/compare/v2.21.9...v2.22.0)

### [`v2.21.9`](https://github.com/github/codeql-action/compare/v2.21.8...v2.21.9)

[Compare Source](https://github.com/github/codeql-action/compare/v2.21.8...v2.21.9)

### [`v2.21.8`](https://github.com/github/codeql-action/compare/v2.21.7...v2.21.8)

[Compare Source](https://github.com/github/codeql-action/compare/v2.21.7...v2.21.8)

### [`v2.21.7`](https://github.com/github/codeql-action/compare/v2.21.6...v2.21.7)

[Compare Source](https://github.com/github/codeql-action/compare/v2.21.6...v2.21.7)

### [`v2.21.6`](https://github.com/github/codeql-action/compare/v2.21.5...v2.21.6)

[Compare Source](https://github.com/github/codeql-action/compare/v2.21.5...v2.21.6)

### [`v2.21.5`](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5)

[Compare Source](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

### [`v2.3.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare Source](https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1270](https://github.com/ossf/scorecard-action/pull/1270)
- For a full changelist of what this includes, see the
[v4.12.0](https://github.com/ossf/scorecard/releases/tag/v4.12.0) and
[v4.13.0](https://github.com/ossf/scorecard/releases/tag/v4.13.0)
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1169](https://github.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1225](https://github.com/ossf/scorecard-action/pull/1225)

##### Documentation

- 📖 Update access rights needed to see the results in code scanning
by [@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1229](https://github.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1221](https://github.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by
[@&#8203;david-a-wheeler](https://github.com/david-a-wheeler) in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by
[@&#8203;aabouzaid](https://github.com/aabouzaid) in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

#### New Contributors

- [@&#8203;david-a-wheeler](https://github.com/david-a-wheeler) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- [@&#8203;aabouzaid](https://github.com/aabouzaid) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

**Full Changelog**:
ossf/scorecard-action@v2.2.0...v2.3.0

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>

### [`v1.9.0`](https://github.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190)

[Compare Source](https://github.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0)

Release v1.9.0 includes bug fixes and new features.

See the [full change
list](https://github.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0).

##### v1.9.0: BYOB framework (beta)

- **New**: A [new
framework](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md)
to turn GitHub Actions into SLSA compliant builders.

##### v1.9.0: Maven builder (beta)

- **New**: A [Maven
builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven)
to build Java projects and publish to Maven central.

##### v1.9.0: Gradle builder (beta)

- **New**: A [Gradle
builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle)
to build Java projects and publish to Maven central.

##### v1.9.0: JReleaser builder

- **New**: A [JReleaser
builder](https://github.com/jreleaser/release-action/tree/v1.0.0-java)
that wraps the official [JReleaser
Action](https://github.com/jreleaser/release-action/tree/v1.0.0-java).

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

### [`v2.4.0`](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)

[Compare Source](https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0)

#### Summary

Support for BYOB-based builders released in
https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0

#### What's Changed

- chore: Update SHA256SUM.md for v2.3.0 by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/592](https://github.com/slsa-framework/slsa-verifier/pull/592)
- docs: Make npm package version and name non-optional by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/591](https://github.com/slsa-framework/slsa-verifier/pull/591)
- docs: npm provenance verification from GitHub runner by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/595](https://github.com/slsa-framework/slsa-verifier/pull/595)
- chore(deps): update dependency
[@&#8203;types/node](https://github.com/types/node) to v18.16.9 by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/596](https://github.com/slsa-framework/slsa-verifier/pull/596)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/597](https://github.com/slsa-framework/slsa-verifier/pull/597)
- chore(deps): update dependency jasmine to v5 by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/598](https://github.com/slsa-framework/slsa-verifier/pull/598)
- feat: BYOB verification support by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/604](https://github.com/slsa-framework/slsa-verifier/pull/604)
- feat: Support for v1.0 verification in BYOB by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/609](https://github.com/slsa-framework/slsa-verifier/pull/609)
- feat: Use env variable to retrieve trigger workflow by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/615](https://github.com/slsa-framework/slsa-verifier/pull/615)
- test: Add test data for v1.6.0 by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/612](https://github.com/slsa-framework/slsa-verifier/pull/612)
- fix: Verify the TRW tag is a semver tag by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/619](https://github.com/slsa-framework/slsa-verifier/pull/619)
- chore: Don't be verbose with tests locally by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/620](https://github.com/slsa-framework/slsa-verifier/pull/620)
- fix: use ExternalParameters\["source"] for the Source URI for SLSA
v1.0 provenance by [@&#8203;asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/621](https://github.com/slsa-framework/slsa-verifier/pull/621)
- test: re-generate container-based tests by
[@&#8203;asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/627](https://github.com/slsa-framework/slsa-verifier/pull/627)
- fix: revert to using resolvedDepdendencies for source verification by
[@&#8203;asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/629](https://github.com/slsa-framework/slsa-verifier/pull/629)
- refactor: Provenance tests by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/628](https://github.com/slsa-framework/slsa-verifier/pull/628)
- fix(deps): update module github.com/sigstore/rekor to v1.2.0
\[security] by [@&#8203;renovate-bot](https://github.com/renovate-bot)
in
[https://github.com/slsa-framework/slsa-verifier/pull/622](https://github.com/slsa-framework/slsa-verifier/pull/622)
- fix: only allow hashes of 256 bits or more by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/633](https://github.com/slsa-framework/slsa-verifier/pull/633)
- fix: builder ID verification for testing by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/635](https://github.com/slsa-framework/slsa-verifier/pull/635)
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance
format by [@&#8203;asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/634](https://github.com/slsa-framework/slsa-verifier/pull/634)
- chore: update toc in README.md by
[@&#8203;asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/636](https://github.com/slsa-framework/slsa-verifier/pull/636)
- fix: allow workflow_dispatch to trigger release.yml by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/637](https://github.com/slsa-framework/slsa-verifier/pull/637)
- test: add tests for v1.7.0 builders by
[@&#8203;asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/638](https://github.com/slsa-framework/slsa-verifier/pull/638)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/607](https://github.com/slsa-framework/slsa-verifier/pull/607)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`c623859`](https://github.com/slsa-framework/slsa-verifier/commit/c623859)
by [@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/567](https://github.com/slsa-framework/slsa-verifier/pull/567)
- fix(deps): update github.com/sigstore/protobuf-specs digest to
[`5ef5406`](https://github.com/slsa-framework/slsa-verifier/commit/5ef5406)
by [@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/606](https://github.com/slsa-framework/slsa-verifier/pull/606)
- chore(deps): update npm dev by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/608](https://github.com/slsa-framework/slsa-verifier/pull/608)
- chore(deps): update golang:1.19 docker digest to
[`83f9f84`](https://github.com/slsa-framework/slsa-verifier/commit/83f9f84)
by [@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/583](https://github.com/slsa-framework/slsa-verifier/pull/583)
- feat: Verify provenance by build type by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/632](https://github.com/slsa-framework/slsa-verifier/pull/632)
- refactor: Use Go 1.20 by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/643](https://github.com/slsa-framework/slsa-verifier/pull/643)
- test: Add more ProvenanceFromEnvelope tests by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/640](https://github.com/slsa-framework/slsa-verifier/pull/640)
- fix: pre-submit: e2e-cli.sh artifact download by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/646](https://github.com/slsa-framework/slsa-verifier/pull/646)
- refactor: Add more git utils by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/645](https://github.com/slsa-framework/slsa-verifier/pull/645)
- refactor: Use full builder id by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/648](https://github.com/slsa-framework/slsa-verifier/pull/648)
- feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/644](https://github.com/slsa-framework/slsa-verifier/pull/644)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/651](https://github.com/slsa-framework/slsa-verifier/pull/651)
- feat: move maven-plugin from slsa-github-generator by
[@&#8203;AdamKorcz](https://github.com/AdamKorcz) in
[https://github.com/slsa-framework/slsa-verifier/pull/664](https://github.com/slsa-framework/slsa-verifier/pull/664)
- docs: Fix maven-plugin README by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/671](https://github.com/slsa-framework/slsa-verifier/pull/671)
- feat: Verification for when sha1 is specified in BYOB TRW by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/641](https://github.com/slsa-framework/slsa-verifier/pull/641)
- docs: Add example for maven verification plugin by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/676](https://github.com/slsa-framework/slsa-verifier/pull/676)
- chore: Add Kris to codeowners by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/678](https://github.com/slsa-framework/slsa-verifier/pull/678)
- feat: Print byob builder by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/677](https://github.com/slsa-framework/slsa-verifier/pull/677)
- test: Add test data for v1.8.0 by
[@&#8203;ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/681](https://github.com/slsa-framework/slsa-verifier/pull/681)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/666](https://github.com/slsa-framework/slsa-verifier/pull/666)
- feat: Non-compulsory BuilderID for BYOB Builders by
[@&#8203;enteraga6](https://github.com/enteraga6) in
[https://github.com/slsa-framework/slsa-verifier/pull/674](https://github.com/slsa-framework/slsa-verifier/pull/674)
- chore(deps): update golang docker tag to v1.21 by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/687](https://github.com/slsa-framework/slsa-verifier/pull/687)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/686](https://github.com/slsa-framework/slsa-verifier/pull/686)
- feat: GCB refactor for v1.0 support by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/682](https://github.com/slsa-framework/slsa-verifier/pull/682)
- feat: Allow byob builders ref at main for e2e tests by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/689](https://github.com/slsa-framework/slsa-verifier/pull/689)
- feat: Update doc and code for Maven plugin by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/680](https://github.com/slsa-framework/slsa-verifier/pull/680)
- feat: gcb v1.0 support by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/691](https://github.com/slsa-framework/slsa-verifier/pull/691)
- feat: v1.9.0 regression tests by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/696](https://github.com/slsa-framework/slsa-verifier/pull/696)
- fix: release failure by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/697](https://github.com/slsa-framework/slsa-verifier/pull/697)

#### New Contributors

- [@&#8203;AdamKorcz](https://github.com/AdamKorcz) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/664](https://github.com/slsa-framework/slsa-verifier/pull/664)
- [@&#8203;enteraga6](https://github.com/enteraga6) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/674](https://github.com/slsa-framework/slsa-verifier/pull/674)

**Full Changelog**:
v2.3.0...v2.4.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).


Signed-off-by: Mend Renovate <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
ramonpetgrave64 referenced this pull request in ramonpetgrave64/slsa-verifier Apr 10, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action |
minor | `v3.5.3` -> `v3.6.0` |
|
[actions/dependency-review-action](https://github.com/actions/dependency-review-action)
| action | minor | `v3.0.7` -> `v3.1.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | action
| patch | `v3.8.0` -> `v3.8.1` |
|
[actions/upload-artifact](https://github.com/actions/upload-artifact)
| action | patch | `v3.1.2` -> `v3.1.3` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | minor | `v2.21.4` -> `v2.22.1` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.2.0` -> `v2.3.0` |
|
[slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)
| action | minor | `v1.8.0` -> `v1.9.0` |
|
[slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier)
| action | minor | `v2.3.0` -> `v2.4.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v3.6.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360)

[Compare
Source](https://github.com/actions/checkout/compare/v3.5.3...v3.6.0)

- [Fix: Mark test scripts with Bash'isms to be run via
Bash](https://github.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth >
0](https://github.com/actions/checkout/pull/579)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.0`](https://github.com/actions/dependency-review-action/releases/tag/v3.1.0):
3.1.0

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by
[@&#8203;oerd](https://github.com/oerd) in
[https://github.com/actions/dependency-review-action/pull/551](https://github.com/actions/dependency-review-action/pull/551)

#### New Contributors

- [@&#8203;oerd](https://github.com/oerd) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/551](https://github.com/actions/dependency-review-action/pull/551)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.0

###
[`v3.0.8`](https://github.com/actions/dependency-review-action/releases/tag/v3.0.8):
3.0.8

[Compare
Source](https://github.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by
[@&#8203;sgmurphy](https://github.com/sgmurphy) in
[https://github.com/actions/dependency-review-action/pull/540](https://github.com/actions/dependency-review-action/pull/540)

Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@&#8203;sgmurphy](https://github.com/sgmurphy) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/540](https://github.com/actions/dependency-review-action/pull/540)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.8

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v3.8.1`](https://github.com/actions/setup-node/releases/tag/v3.8.1)

[Compare
Source](https://github.com/actions/setup-node/compare/v3.8.0...v3.8.1)

#### What's Changed

In scope of this release, the filter was removed within the cache-save
step by [@dmitry-shibanov](https://github.com/dmitry-shibanov)
in
[https://github.com/actions/setup-node/pull/831](https://github.com/actions/setup-node/pull/831).
It is filtered and checked in the toolkit/cache library.

**Full Changelog**:
actions/setup-node@v3...v3.8.1

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v3.1.3`](https://github.com/actions/upload-artifact/releases/tag/v3.1.3)

[Compare
Source](https://github.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)

#### What's Changed

- chore(github): remove trailing whitespaces by
[@ljmf00](https://github.com/ljmf00) in
[https://github.com/actions/upload-artifact/pull/313](https://github.com/actions/upload-artifact/pull/313)
- Bump [@actions/artifact](https://github.com/actions/artifact)
version to v1.1.2 by
[@bethanyj28](https://github.com/bethanyj28) in
[https://github.com/actions/upload-artifact/pull/436](https://github.com/actions/upload-artifact/pull/436)

**Full Changelog**:
actions/upload-artifact@v3...v3.1.3

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v2.22.1`](https://github.com/github/codeql-action/compare/v2.22.0...v2.22.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.0...v2.22.1)

### [`v2.22.0`](https://github.com/github/codeql-action/compare/v2.21.9...v2.22.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.9...v2.22.0)

### [`v2.21.9`](https://github.com/github/codeql-action/compare/v2.21.8...v2.21.9)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.8...v2.21.9)

### [`v2.21.8`](https://github.com/github/codeql-action/compare/v2.21.7...v2.21.8)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.7...v2.21.8)

### [`v2.21.7`](https://github.com/github/codeql-action/compare/v2.21.6...v2.21.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.6...v2.21.7)

### [`v2.21.6`](https://github.com/github/codeql-action/compare/v2.21.5...v2.21.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.5...v2.21.6)

### [`v2.21.5`](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

### [`v2.3.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1270](https://github.com/ossf/scorecard-action/pull/1270)
- For a full changelist of what this includes, see the
[v4.12.0](https://github.com/ossf/scorecard/releases/tag/v4.12.0) and
[v4.13.0](https://github.com/ossf/scorecard/releases/tag/v4.13.0)
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1169](https://github.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by
[@rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1225](https://github.com/ossf/scorecard-action/pull/1225)

##### Documentation

- 📖 Update access rights needed to see the results in code scanning
by [@rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1229](https://github.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by
[@spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1221](https://github.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by
[@david-a-wheeler](https://github.com/david-a-wheeler) in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by
[@aabouzaid](https://github.com/aabouzaid) in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

#### New Contributors

- [@david-a-wheeler](https://github.com/david-a-wheeler) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- [@aabouzaid](https://github.com/aabouzaid) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

**Full Changelog**:
ossf/scorecard-action@v2.2.0...v2.3.0

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>

### [`v1.9.0`](https://github.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190)

[Compare
Source](https://github.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0)

Release v1.9.0 includes bug fixes and new features.

See the [full change
list](https://github.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0).

##### v1.9.0: BYOB framework (beta)

- **New**: A [new
framework](https://github.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md)
to turn GitHub Actions into SLSA compliant builders.

##### v1.9.0: Maven builder (beta)

- **New**: A [Maven
builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven)
to build Java projects and publish to Maven central.

##### v1.9.0: Gradle builder (beta)

- **New**: A [Gradle
builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle)
to build Java projects and publish to Maven central.

##### v1.9.0: JReleaser builder

- **New**: A [JReleaser
builder](https://github.com/jreleaser/release-action/tree/v1.0.0-java)
that wraps the official [JReleaser
Action](https://github.com/jreleaser/release-action/tree/v1.0.0-java).

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

### [`v2.4.0`](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)

[Compare
Source](https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0)

#### Summary

Support for BYOB-based builders released in
https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0

#### What's Changed

- chore: Update SHA256SUM.md for v2.3.0 by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/592](https://github.com/slsa-framework/slsa-verifier/pull/592)
- docs: Make npm package version and name non-optional by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/591](https://github.com/slsa-framework/slsa-verifier/pull/591)
- docs: npm provenance verification from GitHub runner by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/595](https://github.com/slsa-framework/slsa-verifier/pull/595)
- chore(deps): update dependency
[@types/node](https://github.com/types/node) to v18.16.9 by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/596](https://github.com/slsa-framework/slsa-verifier/pull/596)
- chore(deps): update github-actions by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/597](https://github.com/slsa-framework/slsa-verifier/pull/597)
- chore(deps): update dependency jasmine to v5 by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/598](https://github.com/slsa-framework/slsa-verifier/pull/598)
- feat: BYOB verification support by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/604](https://github.com/slsa-framework/slsa-verifier/pull/604)
- feat: Support for v1.0 verification in BYOB by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/609](https://github.com/slsa-framework/slsa-verifier/pull/609)
- feat: Use env variable to retrieve trigger workflow by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/615](https://github.com/slsa-framework/slsa-verifier/pull/615)
- test: Add test data for v1.6.0 by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/612](https://github.com/slsa-framework/slsa-verifier/pull/612)
- fix: Verify the TRW tag is a semver tag by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/619](https://github.com/slsa-framework/slsa-verifier/pull/619)
- chore: Don't be verbose with tests locally by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/620](https://github.com/slsa-framework/slsa-verifier/pull/620)
- fix: use `ExternalParameters["source"]` for the Source URI for SLSA
v1.0 provenance by [@asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/621](https://github.com/slsa-framework/slsa-verifier/pull/621)
- test: re-generate container-based tests by
[@asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/627](https://github.com/slsa-framework/slsa-verifier/pull/627)
- fix: revert to using resolvedDepdendencies for source verification by
[@asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/629](https://github.com/slsa-framework/slsa-verifier/pull/629)
- refactor: Provenance tests by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/628](https://github.com/slsa-framework/slsa-verifier/pull/628)
- fix(deps): update module github.com/sigstore/rekor to v1.2.0
[security] by [@renovate-bot](https://github.com/renovate-bot)
in
[https://github.com/slsa-framework/slsa-verifier/pull/622](https://github.com/slsa-framework/slsa-verifier/pull/622)
- fix: only allow hashes of 256 bits or more by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/633](https://github.com/slsa-framework/slsa-verifier/pull/633)
- fix: builder ID verification for testing by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/635](https://github.com/slsa-framework/slsa-verifier/pull/635)
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance
format by [@asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/634](https://github.com/slsa-framework/slsa-verifier/pull/634)
- chore: update toc in README.md by
[@asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/636](https://github.com/slsa-framework/slsa-verifier/pull/636)
- fix: allow workflow_dispatch to trigger release.yml by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/637](https://github.com/slsa-framework/slsa-verifier/pull/637)
- test: add tests for v1.7.0 builders by
[@asraa](https://github.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/638](https://github.com/slsa-framework/slsa-verifier/pull/638)
- chore(deps): update github-actions by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/607](https://github.com/slsa-framework/slsa-verifier/pull/607)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`c623859`](https://github.com/slsa-framework/slsa-verifier/commit/c623859)
by [@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/567](https://github.com/slsa-framework/slsa-verifier/pull/567)
- fix(deps): update github.com/sigstore/protobuf-specs digest to
[`5ef5406`](https://github.com/slsa-framework/slsa-verifier/commit/5ef5406)
by [@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/606](https://github.com/slsa-framework/slsa-verifier/pull/606)
- chore(deps): update npm dev by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/608](https://github.com/slsa-framework/slsa-verifier/pull/608)
- chore(deps): update golang:1.19 docker digest to
[`83f9f84`](https://github.com/slsa-framework/slsa-verifier/commit/83f9f84)
by [@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/583](https://github.com/slsa-framework/slsa-verifier/pull/583)
- feat: Verify provenance by build type by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/632](https://github.com/slsa-framework/slsa-verifier/pull/632)
- refactor: Use Go 1.20 by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/643](https://github.com/slsa-framework/slsa-verifier/pull/643)
- test: Add more ProvenanceFromEnvelope tests by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/640](https://github.com/slsa-framework/slsa-verifier/pull/640)
- fix: pre-submit: e2e-cli.sh artifact download by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/646](https://github.com/slsa-framework/slsa-verifier/pull/646)
- refactor: Add more git utils by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/645](https://github.com/slsa-framework/slsa-verifier/pull/645)
- refactor: Use full builder id by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/648](https://github.com/slsa-framework/slsa-verifier/pull/648)
- feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/644](https://github.com/slsa-framework/slsa-verifier/pull/644)
- chore(deps): update github-actions by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/651](https://github.com/slsa-framework/slsa-verifier/pull/651)
- feat: move maven-plugin from slsa-github-generator by
[@AdamKorcz](https://github.com/AdamKorcz) in
[https://github.com/slsa-framework/slsa-verifier/pull/664](https://github.com/slsa-framework/slsa-verifier/pull/664)
- docs: Fix maven-plugin README by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/671](https://github.com/slsa-framework/slsa-verifier/pull/671)
- feat: Verification for when sha1 is specified in BYOB TRW by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/641](https://github.com/slsa-framework/slsa-verifier/pull/641)
- docs: Add example for maven verification plugin by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/676](https://github.com/slsa-framework/slsa-verifier/pull/676)
- chore: Add Kris to codeowners by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/678](https://github.com/slsa-framework/slsa-verifier/pull/678)
- feat: Print byob builder by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/677](https://github.com/slsa-framework/slsa-verifier/pull/677)
- test: Add test data for v1.8.0 by
[@ianlewis](https://github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/681](https://github.com/slsa-framework/slsa-verifier/pull/681)
- chore(deps): update github-actions by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/666](https://github.com/slsa-framework/slsa-verifier/pull/666)
- feat: Non-compulsory BuilderID for BYOB Builders by
[@enteraga6](https://github.com/enteraga6) in
[https://github.com/slsa-framework/slsa-verifier/pull/674](https://github.com/slsa-framework/slsa-verifier/pull/674)
- chore(deps): update golang docker tag to v1.21 by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/687](https://github.com/slsa-framework/slsa-verifier/pull/687)
- chore(deps): update github-actions by
[@renovate-bot](https://github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/686](https://github.com/slsa-framework/slsa-verifier/pull/686)
- feat: GCB refactor for v1.0 support by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/682](https://github.com/slsa-framework/slsa-verifier/pull/682)
- feat: Allow byob builders ref at main for e2e tests by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/689](https://github.com/slsa-framework/slsa-verifier/pull/689)
- feat: Update doc and code for Maven plugin by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/680](https://github.com/slsa-framework/slsa-verifier/pull/680)
- feat: gcb v1.0 support by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/691](https://github.com/slsa-framework/slsa-verifier/pull/691)
- feat: v1.9.0 regression tests by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/696](https://github.com/slsa-framework/slsa-verifier/pull/696)
- fix: release failure by
[@laurentsimon](https://github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/697](https://github.com/slsa-framework/slsa-verifier/pull/697)

#### New Contributors

- [@AdamKorcz](https://github.com/AdamKorcz) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/664](https://github.com/slsa-framework/slsa-verifier/pull/664)
- [@enteraga6](https://github.com/enteraga6) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/674](https://github.com/slsa-framework/slsa-verifier/pull/674)

**Full Changelog**:
slsa-framework/slsa-verifier@v2.3.0...v2.4.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).


Signed-off-by: Mend Renovate <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Successfully merging this pull request may close these issues.

[feature][byob] Verification for sha1 provided by TRW for v1.0