diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml index e08b0324c0..2191684671 100644 --- a/.github/actions/generate-builder/action.yml +++ b/.github/actions/generate-builder/action.yml @@ -48,7 +48,7 @@ runs: using: "composite" steps: - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} diff --git a/.github/actions/secure-download-artifact/action.yml b/.github/actions/secure-download-artifact/action.yml index 398daab660..a7e1bd2d3e 100644 --- a/.github/actions/secure-download-artifact/action.yml +++ b/.github/actions/secure-download-artifact/action.yml @@ -71,7 +71,7 @@ runs: - name: Compute the hash id: compute - uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@v1.6.0 with: path: "${{ steps.validate-path.outputs.file_path }}" diff --git a/.github/actions/secure-download-folder/action.yml b/.github/actions/secure-download-folder/action.yml index 30e7aef5b7..f87c31196f 100644 --- a/.github/actions/secure-download-folder/action.yml +++ b/.github/actions/secure-download-folder/action.yml @@ -17,7 +17,7 @@ runs: steps: - name: Compute a random value id: rng - uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0 - name: Download the artifact uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 
@@ -27,7 +27,7 @@ runs: - name: Compute the hash id: compute - uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@v1.6.0 with: path: "${{ steps.rng.outputs.random }}/folder.tgz" diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml index 3f915b33a0..0287d22895 100644 --- a/.github/actions/secure-upload-artifact/action.yml +++ b/.github/actions/secure-upload-artifact/action.yml @@ -18,7 +18,7 @@ runs: steps: - name: Compute binary hash id: compute-digest - uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/compute-sha256@v1.6.0 with: path: "${{ inputs.path }}" diff --git a/.github/actions/secure-upload-folder/action.yml b/.github/actions/secure-upload-folder/action.yml index a8cb12e5d3..260225f2c7 100644 --- a/.github/actions/secure-upload-folder/action.yml +++ b/.github/actions/secure-upload-folder/action.yml @@ -46,7 +46,7 @@ runs: - name: Upload the artifact id: upload - uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0 with: name: "${{ inputs.name }}" path: "${{ steps.create.outputs.tarball-path }}" diff --git a/.github/workflows/builder_docker-based_slsa3.yml b/.github/workflows/builder_docker-based_slsa3.yml index 633377eea1..632a72c5ca 100644 --- a/.github/workflows/builder_docker-based_slsa3.yml +++ b/.github/workflows/builder_docker-based_slsa3.yml 
@@ -151,7 +151,7 @@ jobs: steps: - name: Generate random 16-byte value (32-char hex encoded) id: rng - uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0 # This detects the repository and ref of the reusable workflow. # For pull request, this gets the referenced slsa-github-generator workflow. @@ -166,7 +166,7 @@ jobs: steps: - name: Detect the builder ref id: detect - uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0 ################################################################### # # @@ -183,7 +183,7 @@ jobs: steps: - name: Generate builder binary id: generate - uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" @@ -216,7 +216,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" @@ -344,7 +344,7 @@ jobs: - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" 
@@ -472,7 +472,7 @@ jobs: provenance-sha256: ${{ steps.upload-signed.outputs.sha256 }} steps: - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" @@ -562,7 +562,7 @@ jobs: if: inputs.upload-assets && (startsWith(github.ref, 'refs/tags/') || inputs.upload-tag-name != '') steps: - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 27eeb5aa88..2be3172ee1 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -112,7 +112,7 @@ jobs: steps: - name: Generate random 16-byte value (32-char hex encoded) id: rng - uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0 detect-env: outputs: @@ -124,7 +124,7 @@ jobs: steps: - name: Detect the builder ref id: detect - uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0 ################################################################### # # 
@@ -139,7 +139,7 @@ jobs: steps: - name: Generate builder binary id: generate - uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" @@ -173,7 +173,7 @@ jobs: needs: [builder, rng, detect-env] steps: - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" @@ -219,7 +219,7 @@ jobs: needs: [builder, build-dry, rng, detect-env] steps: - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" @@ -299,7 +299,7 @@ jobs: go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }} steps: - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" 
@@ -357,7 +357,7 @@ jobs: if: inputs.upload-assets && (startsWith(github.ref, 'refs/tags/') || inputs.upload-tag-name != '') steps: - name: Checkout builder repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" diff --git a/.github/workflows/builder_nodejs_slsa3.yml b/.github/workflows/builder_nodejs_slsa3.yml index 54a81acced..e5357f27e1 100644 --- a/.github/workflows/builder_nodejs_slsa3.yml +++ b/.github/workflows/builder_nodejs_slsa3.yml @@ -89,7 +89,7 @@ jobs: steps: - name: Generate the token id: generate - uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@v1.6.0 with: slsa-workflow-recipient: "delegator_lowperms-generic_slsa3.yml" slsa-rekor-log-public: ${{ inputs.rekor-log-public }} @@ -104,6 +104,6 @@ jobs: id-token: write # For signing. contents: read # For repo checkout of private repos. actions: read # For getting workflow run on private repos. - uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@v1.6.0 with: slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }} diff --git a/.github/workflows/delegator_generic_slsa3.yml b/.github/workflows/delegator_generic_slsa3.yml index e547b0af14..8a54c22823 100644 --- a/.github/workflows/delegator_generic_slsa3.yml +++ b/.github/workflows/delegator_generic_slsa3.yml 
@@ -85,7 +85,7 @@ jobs: steps: - name: Generate random 16-byte value (32-char hex encoded) id: rng - uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0 # verify-token verifies the slsa token. verify-token: @@ -101,7 +101,7 @@ jobs: steps: - name: Verify token id: verify - uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@v1.6.0 with: slsa-workflow-recipient: "delegator_generic_slsa3.yml" slsa-unverified-token: ${{ inputs.slsa-token }} @@ -109,7 +109,7 @@ jobs: - name: Upload predicate id: upload - uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}" path: ${{ env.SLSA_PREDICATE_FILE }} @@ -120,7 +120,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check private repos - uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@v1.6.0 with: error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override." override: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).builder.rekor_log_public }} @@ -147,7 +147,7 @@ jobs: echo "$RUNNER: $RUNNER" - name: Checkout the tool repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: ${{ needs.verify-token.outputs.tool-repository }} ref: ${{ needs.verify-token.outputs.tool-ref }} 
@@ -171,7 +171,7 @@ jobs: tree - name: Checkout the project repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@v1.6.0 with: fetch-depth: ${{ toJson(needs.verify-token.outputs.slsa-verified-token).source.checkout.fetch_depth }} @@ -212,7 +212,7 @@ jobs: - name: Upload artifact layout file id: upload - uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}" path: "${{ env.SLSA_ARTIFACTS_FILE }}" @@ -228,14 +228,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Download the artifact layout file - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}" path: "${{ env.SLSA_ARTIFACTS_FILE }}" sha256: ${{ needs.build-artifacts-ubuntu.outputs.artifacts-layout-sha256 }} - name: Download the predicate file - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}" path: ${{ env.SLSA_PREDICATE_FILE }} @@ -265,7 +265,7 @@ jobs: - name: Generate attestations id: attestations - uses: slsa-framework/slsa-github-generator/.github/actions/generate-attestations@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/generate-attestations@v1.6.0 with: slsa-layout-file: ${{ env.SLSA_ARTIFACTS_FILE }} predicate-type: ${{ steps.predicate-type.outputs.predicate-type }} 
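Review bot: The `fetch-depth` input in the context lines of the "Checkout the project repository" step is built with `toJson(...)`. That applies the `.source.checkout.fetch_depth` lookup to a serialized string rather than to the parsed token, so it most likely evaluates to empty and the checkout silently falls back to its default depth. The privacy-check step in the same workflow reads the same output with `fromJson(...)`, and this line should probably match: `fetch-depth: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).source.checkout.fetch_depth }}`. The same expression appears in the `@@ -174` hunk of delegator_lowperms-generic_slsa3.yml, and the tag bump leaves both untouched. The step's `with:` block may continue outside the hunk.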
@@ -274,14 +274,14 @@ jobs: - name: Sign attestations id: sign - uses: slsa-framework/slsa-github-generator/.github/actions/sign-attestations@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/sign-attestations@v1.6.0 with: attestations: attestations output-folder: "${{ needs.rng.outputs.value }}-slsa-attestations" - name: Upload attestations id: upload - uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-slsa-attestations" path: "${{ needs.rng.outputs.value }}-slsa-attestations" diff --git a/.github/workflows/delegator_lowperms-generic_slsa3.yml b/.github/workflows/delegator_lowperms-generic_slsa3.yml index ab30cd8de6..0317775338 100644 --- a/.github/workflows/delegator_lowperms-generic_slsa3.yml +++ b/.github/workflows/delegator_lowperms-generic_slsa3.yml @@ -90,7 +90,7 @@ jobs: steps: - name: Generate random 16-byte value (32-char hex encoded) id: rng - uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.6.0 # verify-token verifies the slsa token. verify-token: @@ -106,7 +106,7 @@ jobs: steps: - name: Verify token id: verify - uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@v1.6.0 with: slsa-workflow-recipient: "delegator_lowperms-generic_slsa3.yml" slsa-unverified-token: ${{ inputs.slsa-token }} @@ -114,7 +114,7 @@ jobs: - name: Upload predicate id: upload - uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}" path: ${{ env.SLSA_PREDICATE_FILE }} 
@@ -125,7 +125,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check private repos - uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@v1.6.0 with: error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override." override: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).builder.rekor_log_public }} @@ -150,7 +150,7 @@ jobs: echo "$RUNNER: $RUNNER" - name: Checkout the tool repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: ${{ needs.verify-token.outputs.tool-repository }} ref: ${{ needs.verify-token.outputs.tool-ref }} @@ -174,7 +174,7 @@ jobs: tree - name: Checkout the project repository - uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@v1.6.0 with: fetch-depth: ${{ toJson(needs.verify-token.outputs.slsa-verified-token).source.checkout.fetch_depth }} @@ -215,7 +215,7 @@ jobs: - name: Upload artifact layout file id: upload - uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}" path: "${{ env.SLSA_ARTIFACTS_FILE }}" 
@@ -231,14 +231,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Download the artifact layout file - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}" path: "${{ env.SLSA_ARTIFACTS_FILE }}" sha256: ${{ needs.build-artifacts-ubuntu.outputs.artifacts-layout-sha256 }} - name: Download the predicate file - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}" path: ${{ env.SLSA_PREDICATE_FILE }} @@ -268,7 +268,7 @@ jobs: - name: Generate attestations id: attestations - uses: slsa-framework/slsa-github-generator/.github/actions/generate-attestations@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/generate-attestations@v1.6.0 with: slsa-layout-file: ${{ env.SLSA_ARTIFACTS_FILE }} predicate-type: ${{ steps.predicate-type.outputs.predicate-type }} @@ -277,14 +277,14 @@ jobs: - name: Sign attestations id: sign - uses: slsa-framework/slsa-github-generator/.github/actions/sign-attestations@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/sign-attestations@v1.6.0 with: attestations: attestations output-folder: "${{ needs.rng.outputs.value }}-slsa-attestations" - name: Upload attestations id: upload - uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@v1.6.0 with: name: "${{ needs.rng.outputs.value }}-slsa-attestations" path: "${{ needs.rng.outputs.value }}-slsa-attestations" 
diff --git a/.github/workflows/e2e.create-docker_based-predicate.schedule.yml b/.github/workflows/e2e.create-docker_based-predicate.schedule.yml index 8468d842dd..33fa51d74f 100644 --- a/.github/workflows/e2e.create-docker_based-predicate.schedule.yml +++ b/.github/workflows/e2e.create-docker_based-predicate.schedule.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Detect the builder ref id: detect - uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0 - name: Update the build definition # We use a build definition hard-coded in testadata. To ensure validation against # workflow context, we must update the source references. diff --git a/.github/workflows/e2e.verify-token.schedule.yml b/.github/workflows/e2e.verify-token.schedule.yml index ada4463e26..f0a41d15ea 100644 --- a/.github/workflows/e2e.verify-token.schedule.yml +++ b/.github/workflows/e2e.verify-token.schedule.yml @@ -20,4 +20,4 @@ jobs: issues: write # NOTE: must call @main is required rather than using a "same repo" call so # that the job_workflow_ref is correctly set to the reusable workflow. - uses: slsa-framework/slsa-github-generator/.github/workflows/e2e.verify-token.reusable.yml@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/workflows/e2e.verify-token.reusable.yml@v1.6.0 diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml index cd397f611e..8ad01072c1 100644 --- a/.github/workflows/generator_container_slsa3.yml +++ b/.github/workflows/generator_container_slsa3.yml 
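Review bot: The comment above the changed `uses:` line in e2e.verify-token.schedule.yml still says the call must be `@main`, but the new line pins the reusable workflow to `@v1.6.0`. The comment and the reference now disagree, and the comment's wording ("must call @main is required") is garbled. It would be clearer to state the actual requirement, for example `# NOTE: a fully-qualified ref (@main, or the release tag on a release branch) is required rather than a "same repo" call so` followed by the existing `# that the job_workflow_ref is correctly set to the reusable workflow.` This is a documentation change only.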
@@ -94,7 +94,7 @@ jobs: - name: Detect the generator ref id: detect continue-on-error: true - uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0 - name: Final outcome id: final @@ -125,7 +125,7 @@ jobs: - name: Generate builder id: generate-builder continue-on-error: true - uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index 2ae3f0395d..aa7fabfc55 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml @@ -121,7 +121,7 @@ jobs: - name: Detect the generator ref id: detect continue-on-error: true - uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v1.6.0 - name: Final outcome id: final @@ -154,7 +154,7 @@ jobs: - name: Generate builder id: generate-builder continue-on-error: true - uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" 
@@ -228,7 +228,7 @@ jobs: - name: Checkout builder repository id: checkout-builder continue-on-error: true - uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.6.0 with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 58cfd05171..634f20b836 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,7 +46,7 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. actions: read # For the entrypoint. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0 with: go-version: "1.20" config-file: .github/workflows/configs-container/config-release.yml @@ -59,7 +59,7 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. actions: read # For the entrypoint. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0 with: go-version: "1.20" config-file: .github/workflows/configs-generic/config-release.yml @@ -72,7 +72,7 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. actions: read # For the entrypoint. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0 with: go-version: "1.20" config-file: .github/workflows/configs-go/config-release.yml 
@@ -85,7 +85,7 @@ jobs: id-token: write # For signing. contents: write # For asset uploads. actions: read # For the entrypoint. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0 with: go-version: "1.20" config-file: .github/workflows/configs-docker/config-release.yml diff --git a/RELEASE.md b/RELEASE.md index ff1882c389..2ac8be1c66 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -408,7 +408,7 @@ find .github/workflows/ .github/actions/ actions/ -name '*.yaml' -o -name '*.yml Likewise, update documentation with the following command: ```shell -find . -name "*.md" -exec sed -i "s~\(uses: .*/slsa-github-generator/.*@\)v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)~\1$BUILDER_TAG~g" {} + +find . -name "*.md" -exec sed -i "s~\(uses: .*/slsa-github-generator/.*@\)v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?~\1$BUILDER_TAG~g" {} + ``` Send a PR with this update and add `#label:release ${BUILDER_TAG}` in the PR description. diff --git a/actions/nodejs/publish/action.yml b/actions/nodejs/publish/action.yml index e4e85cb354..35515d79be 100644 --- a/actions/nodejs/publish/action.yml +++ b/actions/nodejs/publish/action.yml @@ -36,7 +36,7 @@ runs: # TODO(#1897): Use upstream version of npm - name: Setup npm id: setup-npm - uses: slsa-framework/slsa-github-generator/actions/nodejs/setup-npm@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/actions/nodejs/setup-npm@v1.6.0 - name: Create temp dir id: temp-dir 
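Review bot: The RELEASE.md sed command expands `$BUILDER_TAG` without checking that it is set. Now that the `-rc` suffix is optional, the expression matches every `uses: …/slsa-github-generator/…@vX.Y.Z` reference in every Markdown file, so an unset or empty variable would strip the ref from all of them in place. Expanding it as `${BUILDER_TAG:?BUILDER_TAG is not set}` inside the sed script makes the shell abort before any file is rewritten. The companion command for workflow files sits above this hunk and is not fully visible; if it expands the variable the same way, the same guard applies there. It is also worth noting next to the command that `\+` and `\?` in a basic regular expression are GNU sed extensions.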
@@ -48,14 +48,14 @@ runs: echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}" - name: Download tarball - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.6.0 with: name: ${{ inputs.package-download-name }} path: "${{ steps.temp-dir.outputs.path }}/${{ inputs.package-name }}" sha256: ${{ inputs.package-download-sha256 }} - name: Download provenance - uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@v1.6.0 with: name: ${{ inputs.provenance-download-name }} path: "${{ steps.temp-dir.outputs.path }}" diff --git a/actions/nodejs/secure-attestations-download/action.yml b/actions/nodejs/secure-attestations-download/action.yml index e618153ecd..3c1ce80c49 100644 --- a/actions/nodejs/secure-attestations-download/action.yml +++ b/actions/nodejs/secure-attestations-download/action.yml @@ -16,7 +16,7 @@ runs: using: "composite" steps: - name: Download the attestations - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.6.0-rc.3 + uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.6.0 with: name: ${{ inputs.name }} path: ${{ inputs.path }} diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md index a4a25fc94a..f1749a4788 100644 --- a/internal/builders/container/README.md +++ b/internal/builders/container/README.md 
@@ -72,7 +72,7 @@ provenance: id-token: write # for creating OIDC tokens for signing. packages: write # for uploading attestations. if: startsWith(github.ref, 'refs/tags/') - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.6.0 with: image: ${{ needs.build.outputs.image }} digest: ${{ needs.build.outputs.digest }} @@ -143,7 +143,7 @@ jobs: id-token: write # for creating OIDC tokens for signing. packages: write # for uploading attestations. if: startsWith(github.ref, 'refs/tags/') - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.6.0 with: image: ${{ needs.build.outputs.image }} digest: ${{ needs.build.outputs.digest }} @@ -367,7 +367,7 @@ This section explains how to generate non-forgeable SLSA provenance with existin # contents: read packages: write if: startsWith(github.ref, 'refs/tags/') - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.6.0 with: image: ${{ needs.build.outputs.image }} digest: ${{ needs.build.outputs.digest }} @@ -432,7 +432,7 @@ This section explains how to generate non-forgeable SLSA provenance with existin # contents: read packages: write if: startsWith(github.ref, 'refs/tags/') - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.6.0 with: image: ${{ needs.build.outputs.image }} digest: ${{ needs.build.outputs.digest }} diff --git a/internal/builders/docker/README.md b/internal/builders/docker/README.md index d452e055c5..1e78e5468f 100644 
--- a/internal/builders/docker/README.md +++ b/internal/builders/docker/README.md @@ -206,7 +206,7 @@ jobs: contents: write # To upload assets to release. actions: read # To read the workflow path. needs: args - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml@v1.6.0 with: builder-image: "bash" builder-digest: "sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9" diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md index 37f036a8ea..701d1e3671 100644 --- a/internal/builders/generic/README.md +++ b/internal/builders/generic/README.md @@ -93,7 +93,7 @@ provenance: actions: read # Needed for detection of GitHub Actions environment. id-token: write # Needed for provenance signing and ID contents: write # Needed for release uploads - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" ``` @@ -150,7 +150,7 @@ jobs: actions: read id-token: write contents: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" # Upload provenance to a new release 
@@ -391,7 +391,7 @@ generate SLSA3 provenance by updating your existing workflow with the steps indi actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" upload-assets: true # upload to a new release @@ -433,7 +433,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" upload-assets: true # upload to a new release @@ -493,7 +493,7 @@ generate SLSA3 provenance by updating your existing workflow with the steps indi actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: ${{ needs.release.outputs.hashes }} upload-assets: true # upload to a new release @@ -541,7 +541,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: ${{ needs.release.outputs.hashes }} upload-assets: true # upload to a new release 
@@ -598,7 +598,7 @@ If you use [Bazel](https://bazel.build/) to generate your artifacts, you can eas actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -640,7 +640,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -698,7 +698,7 @@ steps indicated in the workflow below: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -745,7 +745,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release 
@@ -794,7 +794,7 @@ jobs: actions: read id-token: write contents: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -837,7 +837,7 @@ Jobs: actions: read id-token: write contents: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -888,7 +888,7 @@ steps indicated in the workflow below: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -927,7 +927,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release 
@@ -984,7 +984,7 @@ workflow with the steps indicated in the workflow below. actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -1029,7 +1029,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -1094,7 +1094,7 @@ steps indicated in the workflow below: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -1141,7 +1141,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release 
@@ -1232,7 +1232,7 @@ Regardless of your choice, there's unfortunately a bit of necessary boilerplate. actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -1285,7 +1285,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}" upload-assets: true # Optional: Upload to a new release @@ -1324,7 +1324,7 @@ provenance: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs[format('hash-{0}-{1}', matrix.color, matrix.flavor)] }}" upload-assets: true # Optional: Upload to a new release 
@@ -1365,7 +1365,7 @@ jobs: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 with: base64-subjects: "${{ needs.build.outputs[format('hash-{0}-{1}', matrix.color, matrix.flavor)] }}" upload-assets: true # Optional: Upload to a new release @@ -1425,5 +1425,5 @@ downloading the latest release. Make sure you continue to reference the workflow using a release tag in order to allow verification by `slsa-verifier`. ```yaml -uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 +uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0 ``` diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md index 80d1170391..2ab1350f4d 100644 --- a/internal/builders/go/README.md +++ b/internal/builders/go/README.md @@ -173,7 +173,7 @@ build: arch: - amd64 - arm64 - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0 with: go-version: 1.19 config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml @@ -249,7 +249,7 @@ jobs: contents: write # To upload assets to release. actions: read # To read the workflow path. needs: args - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0 with: go-version: 1.17 # Optional: only needed if using ldflags. 
@@ -418,5 +418,5 @@ the latest release. Make sure you continue to reference the workflow using a release tag in order to allow verification by `slsa-verifier`. ```yaml -uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0 +uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.6.0 ``` diff --git a/internal/builders/nodejs/README.md b/internal/builders/nodejs/README.md index ae8b3003d8..5a4654d58d 100644 --- a/internal/builders/nodejs/README.md +++ b/internal/builders/nodejs/README.md @@ -111,7 +111,7 @@ jobs: packages: write # for uploading attestations. contents: write # for uploading attestations. if: startsWith(github.ref, 'refs/tags/') - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v1.5.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v1.6.0 with: run-scripts: "ci, build" secrets: @@ -142,7 +142,7 @@ After creating the package you can publish the package using the provided - name: publish id: publish - uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@7f4fdb871876c23e455853d694197440c5a91506 # v1.5.0 + uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@ # v1.6.0 with: access: public node-auth-token: ${{ secrets.NPM_TOKEN }}
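Review bot: The new `uses:` line in the last hunk of `internal/builders/nodejs/README.md` (the `publish` step) has an empty ref, `publish@ # v1.6.0`. The old line pinned the action to a full commit SHA with a `# v1.5.0` comment; the replacement removes the SHA without substituting one. A reader who copies the snippet gets a reference that GitHub Actions cannot resolve, and the example no longer shows hash pinning for an action that receives `secrets.NPM_TOKEN`. This looks like a release-script substitution that ran before the v1.6.0 commit was known, which is an inference from the diff rather than something the page states. Fill in the commit that the v1.6.0 tag points to, as in `uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@<COMMIT_SHA_OF_v1.6.0> # v1.6.0` (placeholder, not a real value), and consider a release check that fails on any `uses:` line with nothing after the `@`.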