Releases: slsa-framework/slsa-verifier
v2.7.0-rc.1
What's Changed
- chore: v2.6.0: update docs by @ramonpetgrave64 in #789
- chore: Update CODEOWNERS to use teams by @haydentherapper in #793
- chore(deps): bump github.com/docker/docker from 24.0.9+incompatible to 26.1.4+incompatible in the go_modules group by @dependabot in #794
- feat: support npm cli provenance v1 attestations by @ramonpetgrave64 in #776
- chore: pin yamllint, golangci-lint by @ramonpetgrave64 in #783
- feat: refactor: use sigstore-go for fetching TrustedRoot by @ramonpetgrave64 in #791
- chore(deps): update golang:1.21 docker digest to f2eb989 by @renovate-bot in #796
- chore(deps): bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible in the go_modules group by @dependabot in #798
- chore: fix vuln: override autolinker ^4.0.0 by @ramonpetgrave64 in #785
- chore(config): migrate renovate config by @renovate-bot in #800
- feat: set user-agent header on Rekor requests by @bobcallaway in #801
- feat: handle dssev001 tlog entry types by @ramonpetgrave64 in #799
- fix(deps): update golang.org/x/exp digest to 225e2ab by @renovate-bot in #803
- chore(deps): update dependency pyyaml to v6.0.2 by @renovate-bot in #808
- chore(deps): update golang:1.21 docker digest to 4746d26 by @renovate-bot in #802
- fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.9 by @renovate-bot in #809
- chore: update go and golangci lint by @ramonpetgrave64 in #810
- feat(action): Updating to Node20 by @IAreKyleW00t in #811
- fix(deps): update module github.com/sigstore/sigstore-go to v0.6.1 [security] by @renovate-bot in #805
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to e5260be by @renovate-bot in #795
- chore(deps): bump github.com/sigstore/sigstore-go from 0.6.1 to 0.6.2 in the go_modules group across 1 directory by @dependabot in #812
- fix: fix method for getting leaf certs in Bundle v0.3 by @ramonpetgrave64 in #813
- chore(deps): update github-actions by @renovate-bot in #817
- chore(deps): update golang docker tag to v1.23 by @renovate-bot in #818
- fix(deps): update dependency @actions/core to v1.11.1 by @renovate-bot in #819
- chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.0.0 to 2.0.1 in the go_modules group by @dependabot in #820
- chore(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0 in the go_modules group by @dependabot in #821
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.9 by @renovate-bot in #816
- fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.15.1 by @renovate-bot in #824
- chore(deps): update github-actions by @renovate-bot in #823
- chore(deps): bump golang.org/x/net from 0.27.0 to 0.33.0 in the go_modules group by @dependabot in #826
- fix(deps): update go by @renovate-bot in #825
- chore(deps): update golang:1.23 docker digest to 51a6466 by @renovate-bot in #822
- fix(deps): update golang.org/x/exp digest to 3edf0e9 by @renovate-bot in #815
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 97d1521 by @renovate-bot in #814
- chore(deps): bump undici from 5.28.4 to 5.28.5 in /actions/installer in the npm_and_yarn group across 1 directory by @dependabot in #827
New Contributors
- @bobcallaway made their first contribution in #801
- @IAreKyleW00t made their first contribution in #811
Full Changelog: v2.6.0...v2.7.0-rc.1
v2.6.0-rc.1
This is a pre-release. DO NOT install
What's Changed
- chore: Update doc and digests for v2.5.1 by @laurentsimon in #748
- fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] by @renovate-bot in #743
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by @renovate-bot in #718
- chore: Update @actions/github v6 by @laurentsimon in #749
- fix: use sigstore/pkg/fulcioroots to lessen deps by @ramonpetgrave64 in #746
- feat: add ramonpetgrave64 as CODEOWNER by @ramonpetgrave64 in #750
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 by @renovate-bot in #701
- chore(deps): update github-actions (major) by @renovate-bot in #719
- fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by @renovate-bot in #751
- chore(deps): update npm dev (major) by @ramonpetgrave64 in #753
- fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by @renovate-bot in #752
- feat: fixes #547: add npm sigstore-tuf support by @ramonpetgrave64 in #731
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] by @renovate-bot in #723
- chore(deps): update golang:1.21 docker digest to 81811f8 by @renovate-bot in #693
- chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by @ramonpetgrave64 in #758
- chore(deps): update golang:1.21 docker digest to d83472f by @renovate-bot in #764
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 by @renovate-bot in #763
- feat: workflow to update actions dist by @ramonpetgrave64 in #760
- fix(deps): update dependency @actions/core to v1.10.1 by @renovate-bot in #717
- chore: fix pr-title-checker by @ianlewis in #770
- chore: Update Renovate config by @ianlewis in #769
- fix: use pr_number as env variable by @ramonpetgrave64 in #771
- fix: signoff commit by @ramonpetgrave64 in #767
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #781
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by @dependabot in #782
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by @dependabot in #779
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by @dependabot in #780
- chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @dependabot in #784
- fix(deps): update golang.org/x/exp digest to 7f521ea by @renovate-bot in #775
- fix: make download-artifacts.sh more flexible by @ramonpetgrave64 in #761
- chore(deps): update golang:1.21 docker digest to b405b62 by @renovate-bot in #774
- chore(deps): update npm dev by @renovate-bot in #650
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by @renovate-bot in #787
- chore(deps): update github-actions by @renovate-bot in #786
- feat: vsa support by @ramonpetgrave64 in #777
- fix: use tag for the builder in the release workflow by @ramonpetgrave64 in #788
Full Changelog: v2.5.1...v2.6.0-rc.1
v2.6.0
What's Changed
- chore: Update doc and digests for v2.5.1 by @laurentsimon in #748
- fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] by @renovate-bot in #743
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by @renovate-bot in #718
- chore: Update @actions/github v6 by @laurentsimon in #749
- fix: use sigstore/pkg/fulcioroots to lessen deps by @ramonpetgrave64 in #746
- feat: add ramonpetgrave64 as CODEOWNER by @ramonpetgrave64 in #750
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 by @renovate-bot in #701
- chore(deps): update github-actions (major) by @renovate-bot in #719
- fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by @renovate-bot in #751
- chore(deps): update npm dev (major) by @ramonpetgrave64 in #753
- fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by @renovate-bot in #752
- feat: fixes #547: add npm sigstore-tuf support by @ramonpetgrave64 in #731
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] by @renovate-bot in #723
- chore(deps): update golang:1.21 docker digest to 81811f8 by @renovate-bot in #693
- chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by @ramonpetgrave64 in #758
- chore(deps): update golang:1.21 docker digest to d83472f by @renovate-bot in #764
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 by @renovate-bot in #763
- feat: workflow to update actions dist by @ramonpetgrave64 in #760
- fix(deps): update dependency @actions/core to v1.10.1 by @renovate-bot in #717
- chore: fix pr-title-checker by @ianlewis in #770
- chore: Update Renovate config by @ianlewis in #769
- fix: use pr_number as env variable by @ramonpetgrave64 in #771
- fix: signoff commit by @ramonpetgrave64 in #767
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #781
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by @dependabot in #782
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by @dependabot in #779
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by @dependabot in #780
- chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @dependabot in #784
- fix(deps): update golang.org/x/exp digest to 7f521ea by @renovate-bot in #775
- fix: make download-artifacts.sh more flexible by @ramonpetgrave64 in #761
- chore(deps): update golang:1.21 docker digest to b405b62 by @renovate-bot in #774
- chore(deps): update npm dev by @renovate-bot in #650
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by @renovate-bot in #787
- chore(deps): update github-actions by @renovate-bot in #786
- feat: vsa support by @ramonpetgrave64 in #777
- fix: use tag for the builder in the release workflow by @ramonpetgrave64 in #788
Full Changelog: v2.5.1...v2.6.0
v2.6.0-dev.1
Development release containing pending support for VSAs #777. This is not meant to pass our official release process.
What's Changed
- chore: Update doc and digests for v2.5.1 by @laurentsimon in #748
- fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] by @renovate-bot in #743
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by @renovate-bot in #718
- chore: Update @actions/github v6 by @laurentsimon in #749
- fix: use sigstore/pkg/fulcioroots to lessen deps by @ramonpetgrave64 in #746
- feat: add ramonpetgrave64 as CODEOWNER by @ramonpetgrave64 in #750
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 1a8ece8 by @renovate-bot in #701
- chore(deps): update github-actions (major) by @renovate-bot in #719
- fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by @renovate-bot in #751
- chore(deps): update npm dev (major) by @ramonpetgrave64 in #753
- fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by @renovate-bot in #752
- feat: fixes #547: add npm sigstore-tuf support by @ramonpetgrave64 in #731
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] by @renovate-bot in #723
- chore(deps): update golang:1.21 docker digest to 81811f8 by @renovate-bot in #693
- chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by @ramonpetgrave64 in #758
- chore(deps): update golang:1.21 docker digest to d83472f by @renovate-bot in #764
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 by @renovate-bot in #763
- feat: workflow to update actions dist by @ramonpetgrave64 in #760
- fix(deps): update dependency @actions/core to v1.10.1 by @renovate-bot in #717
- chore: fix pr-title-checker by @ianlewis in #770
- chore: Update Renovate config by @ianlewis in #769
- fix: use pr_number as env variable by @ramonpetgrave64 in #771
- fix: signoff commit by @ramonpetgrave64 in #767
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #781
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by @dependabot in #782
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by @dependabot in #779
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by @dependabot in #780
- chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @dependabot in #784
- fix(deps): update golang.org/x/exp digest to 7f521ea by @renovate-bot in #775
- fix: make download-artifacts.sh more flexible by @ramonpetgrave64 in #761
- chore(deps): update golang:1.21 docker digest to b405b62 by @renovate-bot in #774
- chore(deps): update npm dev by @renovate-bot in #650
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by @renovate-bot in #787
- chore(deps): update github-actions by @renovate-bot in #786
Full Changelog: v2.5.1...v2.6.0-dev.1
v2.5.1
What's Changed
- feat: Add cosign registry opts for provenance registry by @saisatishkarra in #729 and #736
- feat: Add support for DSSE Rekor type by @haydentherapper in #742
New Contributors
- @saisatishkarra made their first contribution in #729
- @ramonpetgrave64 made their first contribution in #737
- @haydentherapper made their first contribution in #742
Full Changelog: v2.4.1...v2.5.1
v2.5.1-rc.0
This is a pre-release. DO NOT install
What's Changed
- feat: Add cosign registry opts for provenance registry by @saisatishkarra in #729 and #736
- feat: Add support for DSSE Rekor type by @haydentherapper in #742
New Contributors
- @saisatishkarra made their first contribution in #729
- @ramonpetgrave64 made their first contribution in #737
- @haydentherapper made their first contribution in #742
Full Changelog: v2.4.1...v2.5.1-rc.0
v2.4.1
What's Changed
- Fix a verification issue when verifying npm's publish attestations - Low severity GHSA-r2xv-vpr2-42m9. This part of the code remains experimental.
New Contributors
- @trishankatdatadog made their first contribution in #702
Full Changelog: v2.4.0...v2.4.1
v2.4.1-rc.1
Pre-release, do not use
v2.4.1-rc.0
Pre-release, do not use.
v2.4.0
Summary
Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0
What's Changed
- chore: Update SHA256SUM.md for v2.3.0 by @ianlewis in #592
- docs: Make npm package version and name non-optional by @laurentsimon in #591
- docs: npm provenance verification from GitHub runner by @laurentsimon in #595
- chore(deps): update dependency @types/node to v18.16.9 by @renovate-bot in #596
- chore(deps): update github-actions by @renovate-bot in #597
- chore(deps): update dependency jasmine to v5 by @renovate-bot in #598
- feat: BYOB verification support by @laurentsimon in #604
- feat: Support for v1.0 verification in BYOB by @laurentsimon in #609
- feat: Use env variable to retrieve trigger workflow by @laurentsimon in #615
- test: Add test data for v1.6.0 by @ianlewis in #612
- fix: Verify the TRW tag is a semver tag by @laurentsimon in #619
- chore: Don't be verbose with tests locally by @ianlewis in #620
- fix: use ExternalParameters["source"] for the Source URI for SLSA v1.0 provenance by @asraa in #621
- test: re-generate container-based tests by @asraa in #627
- fix: revert to using resolvedDepdendencies for source verification by @asraa in #629
- refactor: Provenance tests by @ianlewis in #628
- fix(deps): update module github.com/sigstore/rekor to v1.2.0 [security] by @renovate-bot in #622
- fix: only allow hashes of 256 bits or more by @laurentsimon in #633
- fix: builder ID verification for testing by @ianlewis in #635
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by @asraa in #634
- chore: update toc in README.md by @asraa in #636
- fix: allow workflow_dispatch to trigger release.yml by @ianlewis in #637
- test: add tests for v1.7.0 builders by @asraa in #638
- chore(deps): update github-actions by @renovate-bot in #607
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to c623859 by @renovate-bot in #567
- fix(deps): update github.com/sigstore/protobuf-specs digest to 5ef5406 by @renovate-bot in #606
- chore(deps): update npm dev by @renovate-bot in #608
- chore(deps): update golang:1.19 docker digest to 83f9f84 by @renovate-bot in #583
- feat: Verify provenance by build type by @ianlewis in #632
- refactor: Use Go 1.20 by @ianlewis in #643
- test: Add more ProvenanceFromEnvelope tests by @ianlewis in #640
- fix: pre-submit: e2e-cli.sh artifact download by @ianlewis in #646
- refactor: Add more git utils by @ianlewis in #645
- refactor: Use full builder id by @ianlewis in #648
- feat: Use tags vX.Y.Z-<language> for JReleaser builders by @laurentsimon in #644
- chore(deps): update github-actions by @renovate-bot in #651
- feat: move maven-plugin from slsa-github-generator by @AdamKorcz in #664
- docs: Fix maven-plugin README by @laurentsimon in #671
- feat: Verification for when sha1 is specified in BYOB TRW by @ianlewis in #641
- docs: Add example for maven verification plugin by @laurentsimon in #676
- chore: Add Kris to codeowners by @laurentsimon in #678
- feat: Print byob builder by @laurentsimon in #677
- test: Add test data for v1.8.0 by @ianlewis in #681
- chore(deps): update github-actions by @renovate-bot in #666
- feat: Non-compulsory BuilderID for BYOB Builders by @enteraga6 in #674
- chore(deps): update golang docker tag to v1.21 by @renovate-bot in #687
- chore(deps): update github-actions by @renovate-bot in #686
- feat: GCB refactor for v1.0 support by @laurentsimon in #682
- feat: Allow byob builders ref at main for e2e tests by @laurentsimon in #689
- feat: Update doc and code for Maven plugin by @laurentsimon in #680
- feat: gcb v1.0 support by @laurentsimon in #691
- feat: v1.9.0 regression tests by @laurentsimon in #696
- fix: release failure by @laurentsimon in #697
New Contributors
- @AdamKorcz made their first contribution in #664
- @enteraga6 made their first contribution in #674
Full Changelog: v2.3.0...v2.4.0