Bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 #3385
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
the
dependencies
dependabot
bot
added
the
Skip Changelog
|
The following labels could not be found: |
|
This upgrade may break our publish workflow because the new version uses actions/upload-artifact v4 and other jobs of our workflow use v3 |
dependabot
bot
force-pushed
the
dependabot/github_actions/slsa-framework/slsa-github-generator-2.0.0
branch
2 times, most recently
from
0614735
to
52bd188
Compare
|
Thanks. I think it's safe to move to v4 now. David Lord switched his repos this week without issues: https://mas.to/@davidism/112323427394208633. I'm not clear on whether we need to switch everything at once or not. |
dependabot
bot
force-pushed
the
dependabot/github_actions/slsa-framework/slsa-github-generator-2.0.0
branch
from
52bd188
to
83c29cc
Compare
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.10.0 to 2.0.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](slsa-framework/slsa-github-generator@v1.10.0...v2.0.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/github_actions/slsa-framework/slsa-github-generator-2.0.0
branch
from
83c29cc
to
f33b40e
Compare
There was a problem hiding this comment.
Looking at the changelog (https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md#v200), I only updated download-artifact and upload-artifact as it's the only thing that I think affects us. (And also removed a workaround for an old version.)
Any suggestions for how to test this?
| with: | ||
| base64-subjects: "${{ needs.build.outputs.hashes }}" | ||
| upload-assets: true | ||
| compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163 |
There was a problem hiding this comment.
The above issue is closed and https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#error-updating-to-tuf-remote-mirror-tuf-invalid-key mentions the workaround is only needed for 1.2.x.
|
Sigh, coverage failed due to ECONNRESET in download-artifacts v4, retrying. |
I remember @sethmlarson tested changes to the publish workflow in a separate repo |
|
That would be great. Do you know of any project that does that and that I could copy from? Or any other suggestion? |
Bumps slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0.
Release notes
Sourced from slsa-framework/slsa-github-generator's releases.
Changelog
Sourced from slsa-framework/slsa-github-generator's changelog.
Commits
41733f7chore: v2.0.0-rc.0: update tags (#3578)3789345docs: v.2.0.0: finalize CHANGELOG.md (#3577)02fc78bfix: deadlock and improve debugging experience (#3570)4534a0bbreak: Revert "chore: Revert "fix: upload-artifact and download-artifact v4""...e8c2dcffix(deps): Update Sigstore Dep to Sigstore 2.2.2 (#3491)2512315feat(breaking): remove attestation-name input and output (#3456)4fbc6a9chore: add ramonpetgrave64 to CODEOWNERS (#3490)8869c8afix: Switch to newer DSSE rekor type (#3299)9d81ca7chore: Update slsa-verifier version (#3454)d6b8c9fchore: Ref to main after v1.10.0 release (#3421)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)