Releases: slsa-framework/slsa-github-generator
v1.5.0-rc.0
See the CHANGELOG for details.
v1.4.0
What's Changed
🥳 This release is the first Generally Available version of the Container Generator workflow. The Container Generator workflow is now considered stable and can be included in your production GitHub Actions workflows 🥳
🎉 This is also the first release (technically the second) with support for the generally available version of sigstore!! 🎉
We hope to have fewer issues with sigstore infrastructure moving forward.
Generic Generator
Bug fixes
- Allow users of the Generic Generator to generate provenance for artifacts created in a project subdirectory (#1225)
Go Builder
Bug fixes
- Allow environment variables to contain '=' characters in the Go builder (#1231)
New Contributors
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
Full Changelog
- Update references to main after v1.2.2 release by @ianlewis in #1228
- [generic] fix attestation file creation when subject names are in subdirectories by @asraa in #1226
- Update docs to use v1.2.2 by @ianlewis in #1229
- Update RELEASE docs by @ianlewis in #1227
- chore(deps): update npm dev to v5.43.0 by @renovate-bot in #1230
- builder: go: Allow equal signs in env vars by @cfergeau in #1232
- Ko example by @ianlewis in #951
- docs(generic-generator): clarify that created provenance is encapsulated by @diogoteles08 in #1235
- Fix semver regex in actions pre-submit by @ianlewis in #1233
- Fix typo in doc. by @DanAlbert in #1239
- Fix reference Gradle workflow. by @DanAlbert in #1240
- Start code freeze for v1.3.0 by @ianlewis in #1248
- Undo the v1.3.0 freeze by @ianlewis in #1260
- Badges and README updates by @ianlewis in #1263
- Fix docs for goreleaser with the generic generator to include docker di… by @gal-legit in #1252
- Fix grep by @ianlewis in #1249
- Exclude go from renovate PR grouping by @ianlewis in #1268
- chore(deps): update npm dev by @renovate-bot in #1243
- Fix permissions in doc by @ianlewis in #1247
- chore(deps): update github-actions by @renovate-bot in #1242
- Update GHA token permissions for generic container workflow by @ianlewis in #1258
- fix(deps): update go by @renovate-bot in #1205
- Update references check to support pre-release by @ianlewis in #1270
- Restore compile-builder pre-submit by @ianlewis in #1272
- Code freeze v1.4.0 rc.0 by @ianlewis in #1271
- undo freeze by @ianlewis in #1284
- Revert package perms by @ianlewis in #1283
- Code freeze for v1.4.0-rc.1 by @ianlewis in #1285
- Undo freeze for v1.4.0-rc.1 by @ianlewis in #1288
- Update generate-builder tag check to support pre-releases by @ianlewis in #1287
- refactor: Update refs to v1.4.0-rc.2 by @ianlewis in #1290
v1.4.0-rc.2
What's Changed
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows 🥳
This is also the first release with support for the generally available version of sigstore! 🎉
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
New Contributors
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
Full Changelog
- Update references to main after v1.2.2 release by @ianlewis in #1228
- [generic] fix attestation file creation when subject names are in subdirectories by @asraa in #1226
- Update docs to use v1.2.2 by @ianlewis in #1229
- Update RELEASE docs by @ianlewis in #1227
- chore(deps): update npm dev to v5.43.0 by @renovate-bot in #1230
- builder: go: Allow equal signs in env vars by @cfergeau in #1232
- Ko example by @ianlewis in #951
- docs(generic-generator): clarify that created provenance is encapsulated by @diogoteles08 in #1235
- Fix semver regex in actions pre-submit by @ianlewis in #1233
- Fix typo in doc. by @DanAlbert in #1239
- Fix reference Gradle workflow. by @DanAlbert in #1240
- Start code freeze for v1.3.0 by @ianlewis in #1248
- Undo the v1.3.0 freeze by @ianlewis in #1260
- Badges and README updates by @ianlewis in #1263
- Fix docs for goreleaser with the generic generator to include docker di… by @gal-legit in #1252
- Fix grep by @ianlewis in #1249
- Exclude go from renovate PR grouping by @ianlewis in #1268
- chore(deps): update npm dev by @renovate-bot in #1243
- Fix permissions in doc by @ianlewis in #1247
- chore(deps): update github-actions by @renovate-bot in #1242
- Update GHA token permissions for generic container workflow by @ianlewis in #1258
- fix(deps): update go by @renovate-bot in #1205
- Update references check to support pre-release by @ianlewis in #1270
- Restore compile-builder pre-submit by @ianlewis in #1272
- Code freeze v1.4.0 rc.0 by @ianlewis in #1271
- undo freeze by @ianlewis in #1284
- Revert package perms by @ianlewis in #1283
- Code freeze for v1.4.0-rc.1 by @ianlewis in #1285
- Undo freeze for v1.4.0-rc.1 by @ianlewis in #1288
- Update generate-builder tag check to support pre-releases by @ianlewis in #1287
v1.4.0-rc.1
What's Changed
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows 🥳
This is also the first release with support for the generally available version of sigstore! 🎉
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
New Contributors
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
Full Changelog
- Update references to main after v1.2.2 release by @ianlewis in #1228
- [generic] fix attestation file creation when subject names are in subdirectories by @asraa in #1226
- Update docs to use v1.2.2 by @ianlewis in #1229
- Update RELEASE docs by @ianlewis in #1227
- chore(deps): update npm dev to v5.43.0 by @renovate-bot in #1230
- builder: go: Allow equal signs in env vars by @cfergeau in #1232
- Ko example by @ianlewis in #951
- docs(generic-generator): clarify that created provenance is encapsulated by @diogoteles08 in #1235
- Fix semver regex in actions pre-submit by @ianlewis in #1233
- Fix typo in doc. by @DanAlbert in #1239
- Fix reference Gradle workflow. by @DanAlbert in #1240
- Start code freeze for v1.3.0 by @ianlewis in #1248
- Undo the v1.3.0 freeze by @ianlewis in #1260
- Badges and README updates by @ianlewis in #1263
- Fix docs for goreleaser with the generic generator to include docker di… by @gal-legit in #1252
- Fix grep by @ianlewis in #1249
- Exclude go from renovate PR grouping by @ianlewis in #1268
- chore(deps): update npm dev by @renovate-bot in #1243
- Fix permissions in doc by @ianlewis in #1247
- chore(deps): update github-actions by @renovate-bot in #1242
- Update GHA token permissions for generic container workflow by @ianlewis in #1258
- fix(deps): update go by @renovate-bot in #1205
- Update references check to support pre-release by @ianlewis in #1270
- Restore compile-builder pre-submit by @ianlewis in #1272
- Code freeze v1.4.0 rc.0 by @ianlewis in #1271
- undo freeze by @ianlewis in #1284
- Revert package perms by @ianlewis in #1283
v1.4.0-rc.0
What's Changed
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows 🥳
This is also the first release with support for the generally available version of sigstore! 🎉
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
New Contributors
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
Full Changelog
- Update references to main after v1.2.2 release by @ianlewis in #1228
- [generic] fix attestation file creation when subject names are in subdirectories by @asraa in #1226
- Update docs to use v1.2.2 by @ianlewis in #1229
- Update RELEASE docs by @ianlewis in #1227
- chore(deps): update npm dev to v5.43.0 by @renovate-bot in #1230
- builder: go: Allow equal signs in env vars by @cfergeau in #1232
- Ko example by @ianlewis in #951
- docs(generic-generator): clarify that created provenance is encapsulated by @diogoteles08 in #1235
- Fix semver regex in actions pre-submit by @ianlewis in #1233
- Fix typo in doc. by @DanAlbert in #1239
- Fix reference Gradle workflow. by @DanAlbert in #1240
- Start code freeze for v1.3.0 by @ianlewis in #1248
- Undo the v1.3.0 freeze by @ianlewis in #1260
- Badges and README updates by @ianlewis in #1263
- Fix docs for goreleaser with the generic generator to include docker di… by @gal-legit in #1252
- Fix grep by @ianlewis in #1249
- Exclude go from renovate PR grouping by @ianlewis in #1268
- chore(deps): update npm dev by @renovate-bot in #1243
- Fix permissions in doc by @ianlewis in #1247
- chore(deps): update github-actions by @renovate-bot in #1242
- Update GHA token permissions for generic container workflow by @ianlewis in #1258
- fix(deps): update go by @renovate-bot in #1205
v1.3.0
v1.2.2
What's Changed
This release fixes issues with signing provenance due to a change in Sigstore TUF root certificates (#1163). This release also includes better handling of transient errors from the Rekor transparency logs.
New Contributors
- @suzuki-shunsuke made their first contribution in #1061
- @datosh made their first contribution in #1074
- @pnacht made their first contribution in #1187
- @dongheelee92 made their first contribution in #1209
Full Changelog
- fix: use GITHUB_OUTPUT instead of deprecated set-output command by @suzuki-shunsuke in #1061
- Fix reference to generic generator by @ianlewis in #1063
- Add presubmit checks for internal actions by @ianlewis in #1067
- chore(deps): update gcr.io/distroless/static docker digest to cb0f703 by @renovate-bot in #1062
- Add ref to checkout-node action by @ianlewis in #1071
- Document renovate exception for tags over digest. by @datosh in #1074
- ci: exclude codeql on yaml by @asraa in #1008
- Update CodeQL workflow by @ianlewis in #1081
- Remove ref for internal action calls by @laurentsimon in #1075
- Update link to container generator workflow by @ianlewis in #1079
- Add doc on sigstore policy-controller by @ianlewis in #946
- Enable CodeQL scanning for Javascript by @ianlewis in #1078
- bug: fix path in action by @laurentsimon in #1085
- bug: additional fixes for ref removal by @laurentsimon in #1083
- fix: grep in secure download action by @laurentsimon in #1087
- fix: workingDir by @laurentsimon in #1107
- fix: workingDir by @laurentsimon in #1109
- feat: update ref by @laurentsimon in #1086
- doc: add tag pinning documentation in each builder README by @laurentsimon in #1106
- docs: update release.md for generating verifier e2e tests by @asraa in #1108
- fix: use GITHUB_OUTPUT instead of deprecated set-output command by @suzuki-shunsuke in #1066
- fix: checkout uses the wrong repository by @laurentsimon in #1113
- fix(deps): update module github.com/in-toto/in-toto-golang to v0.4.0 by @renovate-bot in #987
- chore(deps): update github-actions to v3 by @renovate-bot in #1059
- feat: improve refs by @laurentsimon in #1126
- Fix privacy-check checkout by @ianlewis in #1160
- Update Rekor to v1.0.0 by @ianlewis in #1121
- Update Rekor client by @ianlewis in #1162
- Add documentation for private-repository input by @ianlewis in #1165
- Temporarily disable pre-submit by @ianlewis in #1171
- re-enable pre-submits by @ianlewis in #1161
- fix(deps): update module github.com/sigstore/sigstore to v1.4.5 by @renovate-bot in #1123
- fix(deps): update module github.com/in-toto/in-toto-golang to v0.5.0 by @renovate-bot in #1122
- chore(deps): update dependency eslint to v8.26.0 by @renovate-bot in #1115
- fix(deps): update module github.com/slsa-framework/slsa-github-generator to v1.2.1 by @renovate-bot in #1114
- fix(deps): update module github.com/spf13/cobra to v1.6.1 by @renovate-bot in #1058
- fix(deps): update module github.com/sigstore/cosign to v1.13.1 by @renovate-bot in #1057
- chore(deps): update typescript-eslint monorepo to v5.41.0 by @renovate-bot in #1056
- chore(deps): update dependency eslint-plugin-github to v4.4.0 by @renovate-bot in #1055
- chore(deps): update dependency @types/node to v16.18.2 by @renovate-bot in #1054
- chore(deps): update dependency @types/node to v18 by @renovate-bot in #1179
- chore(deps): update github-actions by @renovate-bot in #864
- verifier: update verifier version to v1.3.2 by @asraa in #1184
- Add known issues to docs by @ianlewis in #1170
- 📖 Bump version tag in examples by @pnacht in #1187
- Container build type by @ianlewis in #1176
- Group updates for renovate by @ianlewis in #1185
- Add CONTRIBUTING.md by @ianlewis in #1080
- feat: add commands to nodejs builder by @laurentsimon in #1189
- cleanup: remove more set-outputs by @asraa in #1194
- chore(deps): update npm dev by @renovate-bot in #1203
- chore(deps): update github-actions by @renovate-bot in #1202
- chore(deps): update gcr.io/distroless/static docker digest to 5759d19 by @renovate-bot in #1201
- feat: npm builder updates by @laurentsimon in #1206
- chore(deps): update dependency eslint to v8.27.0 by @renovate-bot in #1208
- [doc] Add example for Python by @dongheelee92 in #1209
- [doc] update TOC(Table Of Content) for python example by @dongheelee92 in #1213
- Fix PR description check for releases by @ianlewis in #1211
- release: fix release tag reference by @asraa in #1215
- Update release instructions by @ianlewis in #1212
- Update release tag for v1.2.2 by @ianlewis in #1210
- Revert "Update release tag for v1.2.2 (#1210)" by @ianlewis in #1220
- Fix builder-fetch.sh path by @ianlewis in #1221
- Update refs for release 1.2.2 by @ianlewis in #1222
v1.2.1
🚨
What's Changed
This release fixes an error that occurs on the "Generate Builder" step for various workflows.
FAILED: SLSA verification failed: could not find a matching valid signature entry
See #942
Generic generator
buildType
This release changes the buildType used in provenance created by the generic generator.
The previous value was:
"buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
The new value is:
"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
See #627
Provenance file names
Previously the default file name for provenance was attestation.intoto.jsonl. This has been updated to be in line with in-toto attestation file naming conventions. The file name now defaults to <artifact filename>.intoto.jsonl if there is a single artifact, or multiple.intoto.jsonl if there are multiple artifacts.
See #654
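A consumer-side check for the two changes above, added here as an example and not taken from the release notes or the project's code: it lists the provenance file names a download script should try and flags provenance that still carries the previous buildType. It assumes each line of the .intoto.jsonl file is a DSSE envelope whose base64 payload is an in-toto statement, that artifact names are bare file names, and that the envelope's signature has already been verified by a verifier; all function names are hypothetical.

```python
import base64
import json

# Values quoted in the release notes above.
LEGACY_BUILD_TYPE = "https://github.com/slsa-framework/slsa-github-generator@v1"
GENERIC_BUILD_TYPE = "https://github.com/slsa-framework/slsa-github-generator/generic@v1"
LEGACY_PROVENANCE_NAME = "attestation.intoto.jsonl"


def default_provenance_name(artifacts):
    """New default: '<artifact filename>.intoto.jsonl' or 'multiple.intoto.jsonl'."""
    if not artifacts:
        raise ValueError("at least one artifact is required")
    if len(artifacts) == 1:
        return artifacts[0] + ".intoto.jsonl"
    return "multiple.intoto.jsonl"


def candidate_provenance_names(artifacts):
    """Names a download script should try: new default first, old default last."""
    return [default_provenance_name(artifacts), LEGACY_PROVENANCE_NAME]


def statement_from_envelope(line):
    """Decode the in-toto statement from one line of an .intoto.jsonl file."""
    # Assumption: the line is a DSSE envelope with a base64-encoded payload.
    envelope = json.loads(line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_generic_provenance(line, artifacts, accept_legacy=False):
    """Return policy findings for an already signature-verified envelope."""
    stmt = statement_from_envelope(line)
    findings = []
    build_type = stmt.get("predicate", {}).get("buildType")
    if build_type == LEGACY_BUILD_TYPE:
        if not accept_legacy:
            findings.append("legacy buildType (previous generic generator value)")
    elif build_type != GENERIC_BUILD_TYPE:
        findings.append(f"unexpected buildType: {build_type!r}")
    subjects = {s.get("name") for s in stmt.get("subject", [])}
    for name in sorted(set(artifacts) - subjects):
        findings.append(f"artifact not listed as subject: {name}")
    return findings


def sample_envelope(build_type, names):
    """Constructed, unsigned sample envelope used only for the demo and tests."""
    stmt = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": n, "digest": {"sha256": "0" * 64}} for n in names],
        "predicate": {"buildType": build_type},
    }
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})


if __name__ == "__main__":
    old = sample_envelope(LEGACY_BUILD_TYPE, ["app-linux-amd64"])
    print(check_generic_provenance(old, ["app-linux-amd64"]))
```

Setting accept_legacy=True gives a transition window for artifacts released before the upgrade; a policy that pins only the old buildType string rejects everything built with the new generator.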
Explicit opt-in for private repos
Private repository support was enhanced to require the private-repository input field, because the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
  private-repository: true
See #823
Go builder
Support private repos
Support for private repositories was fixed. If using a private repository you must specify the private-repository input field as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
  private-repository: true
See #823
New Contributors
- @sethmlarson made their first contribution in #758
- @yunginnanet made their first contribution in #776
- @diogoteles08 made their first contribution in #957
Full Changelog
- doc: release doc typos by @laurentsimon in #589
- Haskell provenance by @mihaimaruseac in #595
- fix: Remove build:id in generic examples by @laurentsimon in #596
- Add provenance for Haskell by @mihaimaruseac in #608
- feat: Share util functions by @laurentsimon in #598
- Add digest input to container docs by @ianlewis in #591
- Fix linter pre-submit by @ianlewis in #333
- Add doc for attestation-name by @ianlewis in #618
- Update golang.org/x/oauth2 digest to 128564f by @renovate-bot in #620
- Add links to milestones as a roadmap by @ianlewis in #612
- Update typos and formatting in RELEASE.md by @ianlewis in #518
- Remove legacy env vars by @ianlewis in #616
- Update github-actions by @renovate-bot in #621
- Move computesha256 to typescript by @naveensrinivasan in #546
- Update tags for renovatebot by @laurentsimon in #622
- Update module github.com/sigstore/cosign to v1.10.0 by @renovate-bot in #623
- Fix support for --signature="" by @ianlewis in #615
- Update buildType of generic generator by @ianlewis in #628
- Use a temp dir for cwd in tests by @ianlewis in #633
- Update availability information of builders by @laurentsimon in #635
- Update generic README.md for availability by @laurentsimon in #636
- Update module github.com/slsa-framework/slsa-github-generator to v1.2.0 by @renovate-bot in #624
- Update module github.com/coreos/go-oidc to v3 by @renovate-bot in #485
- Update golang digest to 9349ed8 by @renovate-bot in #557
- Request for membership by @naveensrinivasan in #428
- Fix builder dir in container workflow by @ianlewis in #640
- Included typescript-eslint by @naveensrinivasan in #639
- feat: Group NodeJs update by @laurentsimon in #653
- Update github-actions by @renovate-bot in #648
- Update module github.com/sigstore/rekor to v0.10.0 by @renovate-bot in #650
- Update module github.com/coreos/go-oidc to v2.2.1 by @renovate-bot in #649
- Update dependency prettier to v2.7.1 by @renovate-bot in #647
- Update module github.com/sigstore/sigstore to v1.3.1 by @renovate-bot in #643
- Update github-actions by @renovate-bot in #689
- chore: update verifier to v1.3.0 by @asraa in #718
- Update github-actions by @renovate-bot in #711
- Update github-actions by @renovate-bot in #723
- Update dependency @types/node to v16.11.53 by @renovate-bot in #645
- Update module github.com/sigstore/rekor to v0.11.0 by @renovate-bot in #724
- contents: write is required for the generic builder by @sethmlarson in #758
- docs: fix valid path to dir by @asraa in #717
- bug: fix address for fulcio by @asraa in #760
- Fix permissions in generic workflow doc by @ianlewis in #761
- fix: type in OIDC word by @developer-guy in #774
- Update github-actions by @renovate-bot in #765
- Update README.md by @yunginnanet in #776
- Temporarily disable Run test. by @ianlewis in #772
- Fix log message for tlog upload by @ianlewis in #773
- Rename attestation-name by @ianlewis in #777
- Update dependency @actions/core to v1.9.1 by @renovate-bot in #644
- Update github-actions by @renovate-bot in #785
- Update dependency @vercel/ncc to v0.34.0 by @renovate-bot in #646
- feat: harden checkout by @laurentsimon in #795
- Updated scorecard v2 by @naveensrinivasan in #791
- feat: pin verify action by hash by @laurentsimon in #796
- Refactor Makefiles by @ianlewis in #792
- Add pre-submit to verify base images by @ianlewis in #592
- Runner API by @ianlewis in #632
- Update pwd code in unit-test by @ianlewis in #826
- Remove PWD from provenance env by @ianlewis in #825
- Update module github.com/sigstore/sigstore to v1.4.0 by @renovate-bot in https://github.com/slsa-framework/slsa-github-generator/pu...
v1.2.0
🚨
What's Changed
Generic generator
The highlight of this release is a new re-usable workflow called the "Generic generator". It lets users build artifacts on their own and generate provenance that satisfies the SLSA provenance 3 requirement. It's perfect for getting started with SLSA with minimal changes to an existing build workflow. To use it, check the README.md!
Go builder
No changes.
New Contributors
- @naveensrinivasan made their first contribution in #352
- @renovate-bot made their first contribution in #401
- @rarkins made their first contribution in #489
- @developer-guy made their first contribution in #497
- @loosebazooka made their first contribution in #573
Full Changelog: v1.1.1...v1.2.0
v1.1.1
What's Changed
- Improve documentation
- Fix filename issue when resolving it with variables
- Add support for environment variables in artifact filename
New Contributors
- @joshuagl made their first contribution in #199
- @mihaimaruseac made their first contribution in #202
- @MarkLodato made their first contribution in #312
- @chipzoller made their first contribution in #354
Full Changelog: v1.0.0...v1.1.1