Merge branch 'main' into ramonpetgrave64-go1.21

.github/actions/compute-sha256/action.yml

@@ -24,5 +24,5 @@ outputs:
     value: "${{ steps.compute.outputs.sha256 }}"
 
 runs:
-  using: node16
-  main: 'dist/index.js'
+  using: "node20"
+  main: "dist/index.js"

.github/actions/create-container_based-predicate/action.yml

@@ -16,25 +16,25 @@ name: "Create container-based SLSA predicate"
 description: "Creates a container-based SLSA predicate given a BuildDefinition."
 inputs:
   build-definition:
-    description: 'A JSON file describing the SLSA BuildDefinition'
+    description: "A JSON file describing the SLSA BuildDefinition"
     required: true
   output-file:
-    description: 'Output file to place predicate'
+    description: "Output file to place predicate"
     required: true
   binary-sha256:
-    description: 'Builder binary digest to place in resolvedDependencies'
+    description: "Builder binary digest to place in resolvedDependencies"
     required: true
   binary-uri:
-    description: 'Builder binary source location to place in resolvedDependencies'
+    description: "Builder binary source location to place in resolvedDependencies"
     required: true
   builder-id:
-    description: 'Trusted builder identity'
+    description: "Trusted builder identity"
     required: true
   token:
     description: "The GitHub Actions token."
     required: false
     default: ${{ github.token }}
 
 runs:
-  using: node16
+  using: "node20"
   main: "dist/index.js"

.github/actions/detect-workflow-js/action.yml

@@ -28,5 +28,5 @@ outputs:
     description: The path to the workflow relative to the repository, for example ".github/workflows/example.yml"
 
 runs:
-  using: node16
+  using: "node20"
   main: "dist/index.js"

.github/actions/generate-attestations/action.yml

@@ -12,21 +12,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: 'Generate Attestations'
-description: 'Generates in-toto attestations based on a SLSA output layout and a predicate'
+name: "Generate Attestations"
+description: "Generates in-toto attestations based on a SLSA output layout and a predicate"
 inputs:
   slsa-layout-file:
-    description: 'A JSON file describing the SLSA output layout with attestation filename keys and the generated subjects (and digests)'
+    description: "A JSON file describing the SLSA output layout with attestation filename keys and the generated subjects (and digests)"
     required: true
   predicate-type:
-    description: 'A URI defining the type of the predicate, for e.g. https://slsa.dev/provenance/v0.2'
+    description: "A URI defining the type of the predicate, for e.g. https://slsa.dev/provenance/v0.2"
     required: true
   predicate-file:
-    description: 'A JSON file describing the SLSA predicate to attach to the subjects'
+    description: "A JSON file describing the SLSA predicate to attach to the subjects"
     required: true
   output-folder:
-    description: 'Output folder to place attestations'
+    description: "Output folder to place attestations"
     required: true
 runs:
-  using: 'node16'
-  main: 'dist/index.js'
+  using: "node20"
+  main: "dist/index.js"

.github/actions/privacy-check/action.yml

@@ -33,5 +33,5 @@ outputs:
     description: "True if the repository is private."
 
 runs:
-  using: node16
+  using: "node20"
   main: "dist/index.js"

.github/actions/sign-attestations/action.yml

@@ -12,19 +12,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: 'Sign Attestations'
-description: 'Signs in-toto attestations with Sigstore signing'
+name: "Sign Attestations"
+description: "Signs in-toto attestations with Sigstore signing"
 inputs:
   attestations:
-    description: 'Folder of attestations to sign'
+    description: "Folder of attestations to sign"
     required: true
   payload-type:
-    description: 'The in-toto payload type of the attestations'
+    description: "The in-toto payload type of the attestations"
     required: false
-    default: 'application/vnd.in-toto+json'
+    default: "application/vnd.in-toto+json"
   output-folder:
-    description: 'Output folder to place attestations'
+    description: "Output folder to place attestations"
     required: true
 runs:
-  using: 'node16'
-  main: 'dist/index.js'
+  using: "node20"
+  main: "dist/index.js"

.github/actions/verify-token/action.yml

@@ -49,5 +49,5 @@ outputs:
     description: "The tool repository ref taken from the signing certificate."
 
 runs:
-  using: "node16"
+  using: "node20"
   main: "dist/index.js"

CHANGELOG.md

@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- toc -->
 
+- [Unreleased](#unreleased)
+  - [Unreleased: Gradle Builder](#unreleased-gradle-builder)
+  - [Unreleased: Go Builder](#unreleased-go-builder)
+  - [Unreleased: Container Generator](#unreleased-container-generator)
 - [v1.9.0](#v190)
   - [v1.9.0: BYOB framework (beta)](#v190-byob-framework-beta)
   - [v1.9.0: Maven builder (beta)](#v190-maven-builder-beta)
@@ -93,6 +97,23 @@ Use the format "X.Y.Z: Go builder" etc. for format headers to avoid header name
 duplication."
 -->
 
+## Unreleased
+
+### Unreleased: Gradle Builder
+
+- The Gradle Builder was fixed when the project root is the same as the
+  repository root (#2727)
+
+### Unreleased: Go Builder
+
+- The `go-version-file` input was fixed so that it can find the `go.mod` file
+  (#2661)
+
+### Unreleased: Container Generator
+
+- A new `provenance-repository` input was added to allow reading provenance from
+  a different container repository than the image itself (#2956)
+
 ## v1.9.0
 
 Release [v1.9.0] includes bug fixes and new features.

README.md

@@ -106,7 +106,7 @@ You can use the [slsa-verifier](#verify-provenance) to verify the provenance.
 
 Below is a non-exhaustive list of projects that use the builders in this repository to generate provenance:
 
-[![flask stars](https://img.shields.io/github/stars/pallets/flask?logo=github&label=pallets/flask)](https://github.com/pallets/flask) [![flatbuffers stars](https://img.shields.io/github/stars/google/flatbuffers?logo=github&label=google/flatbuffers)](<(https://github.com/google/flatbuffers)>) [![grpc-gateway stars](https://img.shields.io/github/stars/grpc-ecosystem/grpc-gateway?logo=github&label=grpc-ecosystem/grpc-gateway)](https://github.com/grpc-ecosystem/grpc-gateway) [![argo-cd stars](https://img.shields.io/github/stars/argoproj/argo-cd?logo=github&label=argoproj/argo-cd)](https://github.com/argoproj/argo-cd) [![click stars](https://img.shields.io/github/stars/pallets/click?logo=github&label=pallets/click)](https://github.com/pallets/click) [![SOPS stars](https://img.shields.io/github/stars/getsops/sops?logo=github&label=getsops/sops)](https://github.com/getsops/sops) [![jib stars](https://img.shields.io/github/stars/GoogleContainerTools/jib?logo=github&label=GoogleContainerTools/jib)](https://github.com/GoogleContainerTools/jib) [![jinja stars](https://img.shields.io/github/stars/pallets/jinja?logo=github&label=pallets/jinja)](https://github.com/pallets/jinja) [![docker-bench-security stars](https://img.shields.io/github/stars/docker/docker-bench-security?logo=github&label=docker/docker-bench-security)](https://github.com/docker/docker-bench-security) [![sentencepiece stars](https://img.shields.io/github/stars/google/sentencepiece?logo=github&label=google/sentencepiece)](https://github.com/google/sentencepiece) [![werkzeug stars](https://img.shields.io/github/stars/pallets/werkzeug?logo=github&label=pallets/werkzeug)](https://github.com/pallets/werkzeug) [![ko stars](https://img.shields.io/github/stars/ko-build/ko?logo=github&label=ko-build/ko)](https://github.com/ko-build/ko) [![micronaut-core stars](https://img.shields.io/github/stars/micronaut-projects/micronaut-core?logo=github&label=micronaut-projects/micronaut-core)](https://github.com/micronaut-projects/micronaut-core) [![kubeedge stars](https://img.shields.io/github/stars/kubeedge/kubeedge?logo=github&label=kubeedge/kubeedge)](https://github.com/kubeedge/kubeedge) [![osv-scanner stars](https://img.shields.io/github/stars/google/osv-scanner?logo=github&label=google/osv-scanner)](https://github.com/google/osv-scanner) [![flux2 stars](https://img.shields.io/github/stars/fluxcd/flux2?logo=github&label=fluxcd/flux2)](https://github.com/fluxcd/flux2) [![kyverno stars](https://img.shields.io/github/stars/kyverno/kyverno?logo=github&label=kyverno/kyverno)](https://github.com/kyverno/kyverno) [![flask-sqlalchemy stars](https://img.shields.io/github/stars/pallets-eco/flask-sqlalchemy?logo=github&label=pallets-eco/flask-sqlalchemy)](https://github.com/pallets-eco/flask-sqlalchemy) [![scorecard stars](https://img.shields.io/github/stars/ossf/scorecard?logo=github&label=ossf/scorecard)](https://github.com/ossf/scorecard) [![urllib3 stars](https://img.shields.io/github/stars/urllib3/urllib3?logo=github&label=urllib3/urllib3)](https://github.com/urllib3/urllib3) [![pdns stars](https://img.shields.io/github/stars/PowerDNS/pdns?logo=github&label=PowerDNS/pdns)](https://github.com/PowerDNS/pdns) [![powertools-lambda-python stars](https://img.shields.io/github/stars/aws-powertools/powertools-lambda-python?logo=github&label=aws-powertools/powertools-lambda-python)](https://github.com/aws-powertools/powertools-lambda-python) [![hishtory stars](https://img.shields.io/github/stars/ddworken/hishtory?logo=github&label=ddworken/hishtory)](https://github.com/ddworken/hishtory) [![PrivateBin stars](https://img.shields.io/github/stars/PrivateBin/PrivateBin?logo=github&label=PrivateBin/PrivateBin)](https://github.com/PrivateBin/PrivateBin)
+[![flask stars](https://img.shields.io/github/stars/pallets/flask?logo=github&label=pallets/flask)](https://github.com/pallets/flask) [![flatbuffers stars](https://img.shields.io/github/stars/google/flatbuffers?logo=github&label=google/flatbuffers)](https://github.com/google/flatbuffers) [![grpc-gateway stars](https://img.shields.io/github/stars/grpc-ecosystem/grpc-gateway?logo=github&label=grpc-ecosystem/grpc-gateway)](https://github.com/grpc-ecosystem/grpc-gateway) [![argo-cd stars](https://img.shields.io/github/stars/argoproj/argo-cd?logo=github&label=argoproj/argo-cd)](https://github.com/argoproj/argo-cd) [![click stars](https://img.shields.io/github/stars/pallets/click?logo=github&label=pallets/click)](https://github.com/pallets/click) [![SOPS stars](https://img.shields.io/github/stars/getsops/sops?logo=github&label=getsops/sops)](https://github.com/getsops/sops) [![jib stars](https://img.shields.io/github/stars/GoogleContainerTools/jib?logo=github&label=GoogleContainerTools/jib)](https://github.com/GoogleContainerTools/jib) [![jinja stars](https://img.shields.io/github/stars/pallets/jinja?logo=github&label=pallets/jinja)](https://github.com/pallets/jinja) [![docker-bench-security stars](https://img.shields.io/github/stars/docker/docker-bench-security?logo=github&label=docker/docker-bench-security)](https://github.com/docker/docker-bench-security) [![sentencepiece stars](https://img.shields.io/github/stars/google/sentencepiece?logo=github&label=google/sentencepiece)](https://github.com/google/sentencepiece) [![werkzeug stars](https://img.shields.io/github/stars/pallets/werkzeug?logo=github&label=pallets/werkzeug)](https://github.com/pallets/werkzeug) [![ko stars](https://img.shields.io/github/stars/ko-build/ko?logo=github&label=ko-build/ko)](https://github.com/ko-build/ko) [![micronaut-core stars](https://img.shields.io/github/stars/micronaut-projects/micronaut-core?logo=github&label=micronaut-projects/micronaut-core)](https://github.com/micronaut-projects/micronaut-core) [![kubeedge stars](https://img.shields.io/github/stars/kubeedge/kubeedge?logo=github&label=kubeedge/kubeedge)](https://github.com/kubeedge/kubeedge) [![osv-scanner stars](https://img.shields.io/github/stars/google/osv-scanner?logo=github&label=google/osv-scanner)](https://github.com/google/osv-scanner) [![flux2 stars](https://img.shields.io/github/stars/fluxcd/flux2?logo=github&label=fluxcd/flux2)](https://github.com/fluxcd/flux2) [![kyverno stars](https://img.shields.io/github/stars/kyverno/kyverno?logo=github&label=kyverno/kyverno)](https://github.com/kyverno/kyverno) [![flask-sqlalchemy stars](https://img.shields.io/github/stars/pallets-eco/flask-sqlalchemy?logo=github&label=pallets-eco/flask-sqlalchemy)](https://github.com/pallets-eco/flask-sqlalchemy) [![scorecard stars](https://img.shields.io/github/stars/ossf/scorecard?logo=github&label=ossf/scorecard)](https://github.com/ossf/scorecard) [![urllib3 stars](https://img.shields.io/github/stars/urllib3/urllib3?logo=github&label=urllib3/urllib3)](https://github.com/urllib3/urllib3) [![pdns stars](https://img.shields.io/github/stars/PowerDNS/pdns?logo=github&label=PowerDNS/pdns)](https://github.com/PowerDNS/pdns) [![powertools-lambda-python stars](https://img.shields.io/github/stars/aws-powertools/powertools-lambda-python?logo=github&label=aws-powertools/powertools-lambda-python)](https://github.com/aws-powertools/powertools-lambda-python) [![hishtory stars](https://img.shields.io/github/stars/ddworken/hishtory?logo=github&label=ddworken/hishtory)](https://github.com/ddworken/hishtory) [![PrivateBin stars](https://img.shields.io/github/stars/PrivateBin/PrivateBin?logo=github&label=PrivateBin/PrivateBin)](https://github.com/PrivateBin/PrivateBin)
 
 [Edit this file](https://github.com/slsa-framework/slsa-github-generator/edit/main/README.md) to add your repository!
 

actions/delegator/setup-generic/action.yml

@@ -88,5 +88,5 @@ outputs:
     description: "SLSA token"
 
 runs:
-  using: "node16"
+  using: "node20"
   main: "dist/index.js"

actions/gradle/publish/README.md

@@ -280,3 +280,7 @@ Closing the staging repository:
 Releasing:
 
 ![releasing the Gradle artefacts](/actions/gradle/publish/images/gradle-publisher-release-closed-repository.png)
+
+### Multi-Project Builds
+
+See the same guidance in the [build docs](../../../internal/builders/gradle/README.md#multi-project-builds) for consolidating files from multi-project builds.