Releases: slsa-framework/slsa-verifier
v2.6.0-rc.1
This is a pre-release. DO NOT install
What's Changed
- chore: Update doc and digests for v2.5.1 by @laurentsimon in #748
- fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] by @renovate-bot in #743
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by @renovate-bot in #718
- chore: Update @actions/github v6 by @laurentsimon in #749
- fix: use sigstore/pkg/fulcioroots to lessen deps by @ramonpetgrave64 in #746
- feat: add ramonpetgrave64 as CODEOWNER by @ramonpetgrave64 in #750
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 by @renovate-bot in #701
- chore(deps): update github-actions (major) by @renovate-bot in #719
- fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by @renovate-bot in #751
- chore(deps): update npm dev (major) by @ramonpetgrave64 in #753
- fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by @renovate-bot in #752
- feat: fixes #547: add npm sigstore-tuf support by @ramonpetgrave64 in #731
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] by @renovate-bot in #723
- chore(deps): update golang:1.21 docker digest to 81811f8 by @renovate-bot in #693
- chore: slsa-framework/[email protected]: add testdata by @ramonpetgrave64 in #758
- chore(deps): update golang:1.21 docker digest to d83472f by @renovate-bot in #764
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 by @renovate-bot in #763
- feat: workflow to update actions dist by @ramonpetgrave64 in #760
- fix(deps): update dependency @actions/core to v1.10.1 by @renovate-bot in #717
- chore: fix pr-title-checker by @ianlewis in #770
- chore: Update Renovate config by @ianlewis in #769
- fix: use pr_number as env variable by @ramonpetgrave64 in #771
- fix: signoff commit by @ramonpetgrave64 in #767
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #781
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by @dependabot in #782
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by @dependabot in #779
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by @dependabot in #780
- chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @dependabot in #784
- fix(deps): update golang.org/x/exp digest to 7f521ea by @renovate-bot in #775
- fix: make download-artifacts.sh more flexible by @ramonpetgrave64 in #761
- chore(deps): update golang:1.21 docker digest to b405b62 by @renovate-bot in #774
- chore(deps): update npm dev by @renovate-bot in #650
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by @renovate-bot in #787
- chore(deps): update github-actions by @renovate-bot in #786
- feat: vsa support by @ramonpetgrave64 in #777
- fix: use tag for the builder in the release workflow by @ramonpetgrave64 in #788
Full Changelog: v2.5.1...v2.6.0-rc.1
v2.6.0
What's Changed
- chore: Update doc and digests for v2.5.1 by @laurentsimon in #748
- fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] by @renovate-bot in #743
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by @renovate-bot in #718
- chore: Update @actions/github v6 by @laurentsimon in #749
- fix: use sigstore/pkg/fulcioroots to lessen deps by @ramonpetgrave64 in #746
- feat: add ramonpetgrave64 as CODEOWNER by @ramonpetgrave64 in #750
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 by @renovate-bot in #701
- chore(deps): update github-actions (major) by @renovate-bot in #719
- fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by @renovate-bot in #751
- chore(deps): update npm dev (major) by @ramonpetgrave64 in #753
- fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by @renovate-bot in #752
- feat: fixes #547: add npm sigstore-tuf support by @ramonpetgrave64 in #731
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] by @renovate-bot in #723
- chore(deps): update golang:1.21 docker digest to 81811f8 by @renovate-bot in #693
- chore: slsa-framework/[email protected]: add testdata by @ramonpetgrave64 in #758
- chore(deps): update golang:1.21 docker digest to d83472f by @renovate-bot in #764
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 by @renovate-bot in #763
- feat: workflow to update actions dist by @ramonpetgrave64 in #760
- fix(deps): update dependency @actions/core to v1.10.1 by @renovate-bot in #717
- chore: fix pr-title-checker by @ianlewis in #770
- chore: Update Renovate config by @ianlewis in #769
- fix: use pr_number as env variable by @ramonpetgrave64 in #771
- fix: signoff commit by @ramonpetgrave64 in #767
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #781
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by @dependabot in #782
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by @dependabot in #779
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by @dependabot in #780
- chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @dependabot in #784
- fix(deps): update golang.org/x/exp digest to 7f521ea by @renovate-bot in #775
- fix: make download-artifacts.sh more flexible by @ramonpetgrave64 in #761
- chore(deps): update golang:1.21 docker digest to b405b62 by @renovate-bot in #774
- chore(deps): update npm dev by @renovate-bot in #650
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by @renovate-bot in #787
- chore(deps): update github-actions by @renovate-bot in #786
- feat: vsa support by @ramonpetgrave64 in #777
- fix: use tag for the builder in the release workflow by @ramonpetgrave64 in #788
Full Changelog: v2.5.1...v2.6.0
v2.6.0-dev.1
Development release containing pending support for VSAs #777. This is not meant to pass our official release process.
What's Changed
- chore: Update doc and digests for v2.5.1 by @laurentsimon in #748
- fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] by @renovate-bot in #743
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by @renovate-bot in #718
- chore: Update @actions/github v6 by @laurentsimon in #749
- fix: use sigstore/pkg/fulcioroots to lessen deps by @ramonpetgrave64 in #746
- feat: add ramonpetgrave64 as CODEOWNER by @ramonpetgrave64 in #750
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 by @renovate-bot in #701
- chore(deps): update github-actions (major) by @renovate-bot in #719
- fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by @renovate-bot in #751
- chore(deps): update npm dev (major) by @ramonpetgrave64 in #753
- fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by @renovate-bot in #752
- feat: fixes #547: add npm sigstore-tuf support by @ramonpetgrave64 in #731
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] by @renovate-bot in #723
- chore(deps): update golang:1.21 docker digest to 81811f8 by @renovate-bot in #693
- chore: slsa-framework/[email protected]: add testdata by @ramonpetgrave64 in #758
- chore(deps): update golang:1.21 docker digest to d83472f by @renovate-bot in #764
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 by @renovate-bot in #763
- feat: workflow to update actions dist by @ramonpetgrave64 in #760
- fix(deps): update dependency @actions/core to v1.10.1 by @renovate-bot in #717
- chore: fix pr-title-checker by @ianlewis in #770
- chore: Update Renovate config by @ianlewis in #769
- fix: use pr_number as env variable by @ramonpetgrave64 in #771
- fix: signoff commit by @ramonpetgrave64 in #767
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #781
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by @dependabot in #782
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by @dependabot in #779
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by @dependabot in #780
- chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @dependabot in #784
- fix(deps): update golang.org/x/exp digest to 7f521ea by @renovate-bot in #775
- fix: make download-artifacts.sh more flexible by @ramonpetgrave64 in #761
- chore(deps): update golang:1.21 docker digest to b405b62 by @renovate-bot in #774
- chore(deps): update npm dev by @renovate-bot in #650
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by @renovate-bot in #787
- chore(deps): update github-actions by @renovate-bot in #786
Full Changelog: v2.5.1...v2.6.0-dev.1
v2.5.1
What's Changed
- feat: Add cosign registry opts for provenance registry by @saisatishkarra in #729 and #736
- feat: Add support for DSSE Rekor type by @haydentherapper in #742
New Contributors
- @saisatishkarra made their first contribution in #729
- @ramonpetgrave64 made their first contribution in #737
- @haydentherapper made their first contribution in #742
Full Changelog: v2.4.1...v2.5.1
v2.5.1-rc.0
This is a pre-release. DO NOT install
What's Changed
- feat: Add cosign registry opts for provenance registry by @saisatishkarra in #729 and #736
- feat: Add support for DSSE Rekor type by @haydentherapper in #742
New Contributors
- @saisatishkarra made their first contribution in #729
- @ramonpetgrave64 made their first contribution in #737
- @haydentherapper made their first contribution in #742
Full Changelog: v2.4.1...v2.5.1-rc.0
v2.4.1
What's Changed
- Fix a verification issue when verifying npm's publish attestations - Low severity GHSA-r2xv-vpr2-42m9. This part of the code remains experimental.
New Contributors
- @trishankatdatadog made their first contribution in #702
Full Changelog: v2.4.0...v2.4.1
v2.4.1-rc.1
Pre-release, do not use
v2.4.1-rc.0
Pre-release, do not use.
v2.4.0
Summary
Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0
What's Changed
- chore: Update SHA256SUM.md for v2.3.0 by @ianlewis in #592
- docs: Make npm package version and name non-optional by @laurentsimon in #591
- docs: npm provenance verification from GitHub runner by @laurentsimon in #595
- chore(deps): update dependency @types/node to v18.16.9 by @renovate-bot in #596
- chore(deps): update github-actions by @renovate-bot in #597
- chore(deps): update dependency jasmine to v5 by @renovate-bot in #598
- feat: BYOB verification support by @laurentsimon in #604
- feat: Support for v1.0 verification in BYOB by @laurentsimon in #609
- feat: Use env variable to retrieve trigger workflow by @laurentsimon in #615
- test: Add test data for v1.6.0 by @ianlewis in #612
- fix: Verify the TRW tag is a semver tag by @laurentsimon in #619
- chore: Don't be verbose with tests locally by @ianlewis in #620
- fix: use ExternalParameters["source"] for the Source URI for SLSA v1.0 provenance by @asraa in #621
- test: re-generate container-based tests by @asraa in #627
- fix: revert to using resolvedDepdendencies for source verification by @asraa in #629
- refactor: Provenance tests by @ianlewis in #628
- fix(deps): update module github.com/sigstore/rekor to v1.2.0 [security] by @renovate-bot in #622
- fix: only allow hashes of 256 bits or more by @laurentsimon in #633
- fix: builder ID verification for testing by @ianlewis in #635
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by @asraa in #634
- chore: update toc in README.md by @asraa in #636
- fix: allow workflow_dispatch to trigger release.yml by @ianlewis in #637
- test: add tests for v1.7.0 builders by @asraa in #638
- chore(deps): update github-actions by @renovate-bot in #607
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to c623859 by @renovate-bot in #567
- fix(deps): update github.com/sigstore/protobuf-specs digest to 5ef5406 by @renovate-bot in #606
- chore(deps): update npm dev by @renovate-bot in #608
- chore(deps): update golang:1.19 docker digest to 83f9f84 by @renovate-bot in #583
- feat: Verify provenance by build type by @ianlewis in #632
- refactor: Use Go 1.20 by @ianlewis in #643
- test: Add more ProvenanceFromEnvelope tests by @ianlewis in #640
- fix: pre-submit: e2e-cli.sh artifact download by @ianlewis in #646
- refactor: Add more git utils by @ianlewis in #645
- refactor: Use full builder id by @ianlewis in #648
- feat: Use tags vX.Y.Z-<language> for JReleaser builders by @laurentsimon in #644
- chore(deps): update github-actions by @renovate-bot in #651
- feat: move maven-plugin from slsa-github-generator by @AdamKorcz in #664
- docs: Fix maven-plugin README by @laurentsimon in #671
- feat: Verification for when sha1 is specified in BYOB TRW by @ianlewis in #641
- docs: Add example for maven verification plugin by @laurentsimon in #676
- chore: Add Kris to codeowners by @laurentsimon in #678
- feat: Print byob builder by @laurentsimon in #677
- test: Add test data for v1.8.0 by @ianlewis in #681
- chore(deps): update github-actions by @renovate-bot in #666
- feat: Non-compulsory BuilderID for BYOB Builders by @enteraga6 in #674
- chore(deps): update golang docker tag to v1.21 by @renovate-bot in #687
- chore(deps): update github-actions by @renovate-bot in #686
- feat: GCB refactor for v1.0 support by @laurentsimon in #682
- feat: Allow byob builders ref at main for e2e tests by @laurentsimon in #689
- feat: Update doc and code for Maven plugin by @laurentsimon in #680
- feat: gcb v1.0 support by @laurentsimon in #691
- feat: v1.9.0 regression tests by @laurentsimon in #696
- fix: release failure by @laurentsimon in #697
New Contributors
- @AdamKorcz made their first contribution in #664
- @enteraga6 made their first contribution in #674
Full Changelog: v2.3.0...v2.4.0
v2.4.0-rc.1
pre-release tests