Closed renovate[bot] closed 7 months ago
β No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Package | Version | Score | Details | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
actions/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml | 1.10.0 | :green_circle: 8.2 | Details
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
actions/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml | 1.4.0 | :green_circle: 8.2 | Details
|
This PR contains the following updates:
v1.4.0
->v1.10.0
Release Notes
slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)
### [`v1.10.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0) Release \[v1.10.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0). ##### v1.10.0: TUF fix - The cosign TUF roots were fixed ([#3350](https://togithub.com/slsa-framework/slsa-github-generator/issues/3350)). More details [here](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid). ##### v1.10.0: Gradle Builder - The Gradle Builder was fixed when the project root is the same as the repository root ([#2727](https://togithub.com/slsa-framework/slsa-github-generator/issues/2727)) ##### v1.10.0: Go Builder - The `go-version-file` input was fixed so that it can find the `go.mod` file ([#2661](https://togithub.com/slsa-framework/slsa-github-generator/issues/2661)) ##### v1.10.0: Container Generator - A new `provenance-repository` input was added to allow reading provenance from a different container repository than the image itself ([#2956](https://togithub.com/slsa-framework/slsa-github-generator/issues/2956)) ### [`v1.9.1`](https://togithub.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1) **This is an un-finalized release.** See the [CHANGELOG](./CHANGELOG.md) for details. ### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) Release \[v1.9.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0). ##### v1.9.0: BYOB framework (beta) - **New**: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders. ##### v1.9.0: Maven builder (beta) - **New**: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central. ##### v1.9.0: Gradle builder (beta) - **New**: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central. ##### v1.9.0: JReleaser builder - **New**: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java). ### [`v1.8.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v180) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0) Release \[v1.8.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0). ##### v1.8.0: Generic Generator - **Added**: A new [`base64-subjects-as-file`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.8.0/internal/builders/generic/README.md#workflow-inputs) was added to allow for specifying a large subject list. ##### v1.8.0: Node.js Builder (beta) - **Fixed**: Publishing for non-scoped packages was fixed (See [#2359](https://togithub.com/slsa-framework/slsa-github-generator/issues/2359)) - **Fixed**: Documentation was updated to clarify that the GitHub Actions `deployment` event is not supported. - **Changed**: The file extension for the generated provenance file was changed from `.sigstore` to `.build.slsa` in order to make it easier to identify provenance files regardless of file format. - **Fixed**: The publish action was fixed to address an issue with the package name when using Node 16. ### [`v1.7.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v170) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) This release includes the first beta release of the [Container-based builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/v1.7.0/internal/builders/docker). The Container-based builder provides a GitHub Actions reusable workflow that can be used to invoke a container image with a user-specified command to generate an artifact and SLSA Build L3 compliant provenance. ##### v1.7.0: Go builder - **Added**: A new [go-version-file](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#workflow-inputs) input was added. This allows you to specify a go.mod file in order to track which version of Go is used for your project. ### [`v1.6.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v160) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) This release includes the first beta release of the [Node.js builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/v1.6.0/internal/builders/nodejs). The Node.js builder provides a GitHub Actions reusable workflow that can be called to build a Node.js package, generate SLSA Build L3 compliant provenance, and publish it to the npm registry along with the package. ##### Summary of changes ##### Go builder ##### New Features - A new [`prerelease`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.6.0/internal/builders/go/README.md#workflow-inputs) input was added to allow users to create releases marked as prerelease when `upload-assets` is set to `true`. - A new input [`draft-release`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.6.0/internal/builders/go/README.md#workflow-inputs) was added to allow users to create releases marked as draft when `upload-assets` is set to `true`. - A new output [`go-provenance-name`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.6.0/internal/builders/go/README.md#workflow-outputs) added which can be used to retrieve the name of the provenance file generated by the builder. ##### Generic generator ##### New Features - A new input [`draft-release`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.6.0/internal/builders/generic/README.md#workflow-inputs) was added to allow users to create releases marked as draft when `upload-assets` is set to `true`. ##### Container generator The Container Generator was updated to use `cosign` v2.0.0. No changes to the workflow's inputs or outputs were made. ##### Changelog since v1.5.0 ### [`v1.5.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v150) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.4.0...v1.5.0) ##### Summary of changes ##### Go builder ##### New Features - A new [`upload-tag-name`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/generic/README.md#workflow-inputs) input was added to allow users to specify the tag name for the release when `upload-assets` is set to `true`. - The environment variables included in provenance output were changed to include only those variables that are specified by the user in the [slsa-goreleaser.yml configuration file](https://togithub.com/slsa-framework/slsa-github-generator/tree/v1.5.0/internal/builders/go#configuration-file) in order to improve reproducibility. See [#822](https://togithub.com/slsa-framework/slsa-github-generator/issues/822) for more information and background. ##### Generic generator ##### New Features - A new boolean [`continue-on-error`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/generic/README.md#workflow-inputs) input was added which, when set to `true`, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the [`outcome`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/generic/README.md#workflow-outputs) output. - A new [`upload-tag-name`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/generic/README.md#workflow-inputs) input was added to allow users to specify the tag name for the release when `upload-assets` is set to `true`. ##### Container generator ##### New Features - A new boolean [`continue-on-error`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added which, when set to `true`, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the [`outcome`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-outputs) output. - A new [`repository-username`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) secret input was added to allow users to pass their repository username that is stored in a [Github Actions encrypted secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets). This secret input should only be used for high-entropy registry username values such as AWS Access Key. - Support was added for authenticating with [Google Artifact Registry](https://cloud.google.com/artifact-registry) and [Google Container Registry](https://cloud.google.com/container-registry) using [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation). Users can use this new feature by using the [`gcp-workload-identity-provider` and `gcp-service-account` inputs](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) ##### Changelog since v1.4.0Configuration
π Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.