search

xeol-io / xeol

A scanner for end-of-life (EOL) software and dependencies in container images, filesystems, and SBOMs
https://www.xeol.io/
Apache License 2.0
332 stars 18 forks source link

Bump slsa-framework/slsa-github-generator from 1.9.0 to 2.0.0 #332

Closed dependabot[bot] closed 1 month ago

dependabot[bot] commented 1 month ago

Bumps slsa-framework/slsa-github-generator from 1.9.0 to 2.0.0.

Release notes

Sourced from slsa-framework/slsa-github-generator's releases.

v2.0.0

See the CHANGELOG for details.

v2.0.0-rc.0

See the CHANGELOG for details.

v1.10.0

See the CHANGELOG for details.

v1.9.1

This is an un-finalized release.

See the CHANGELOG for details.

v1.9.1-rc.0

See the CHANGELOG for details.

Changelog

Sourced from slsa-framework/slsa-github-generator's changelog.

v2.0.0

v2.0.0: Breaking Change: upload-artifact and download-artifact

  • Our workflows now use the new @v4s of actions/upload-artifact and actions/download-artifact, which are incompatiblle with the prior @v3. See Our docs on the generic generator for more information and how to upgrade.

v2.0.0: Breaking Change: attestation-name Workflow Input and Output

  • attestation-name as a workflow input to .github/workflows/generator_generic_slsa3.yml is now removed. Use provenance-name instead.

v2.0.0: DSSE Rekor Type

  • When uploading signed provenance to the log, the entry created in the log is now a DSSE Rekor type. This fixes a bug where the current intoto type does not persist provenance signatures. The attestation will no longer be persisted in Rekor (#3299)

v1.10.0

Release v1.10.0 includes bug fixes and new features.

See the full change list.

v1.10.0: TUF fix

  • The cosign TUF roots were fixed (#3350). More details here.

v1.10.0: Gradle Builder

  • The Gradle Builder was fixed when the project root is the same as the repository root (#2727)

v1.10.0: Go Builder

  • The go-version-file input was fixed so that it can find the go.mod file (#2661)

v1.10.0: Container Generator

  • A new provenance-repository input was added to allow reading provenance from a different container repository than the image itself (#2956)
Commits
  • 5a775b3 chore: v2.0.0: update tags (#3583)
  • 41733f7 chore: v2.0.0-rc.0: update tags (#3578)
  • 3789345 docs: v.2.0.0: finalize CHANGELOG.md (#3577)
  • 02fc78b fix: deadlock and improve debugging experience (#3570)
  • 4534a0b break: Revert "chore: Revert "fix: upload-artifact and download-artifact v4""...
  • e8c2dcf fix(deps): Update Sigstore Dep to Sigstore 2.2.2 (#3491)
  • 2512315 feat(breaking): remove attestation-name input and output (#3456)
  • 4fbc6a9 chore: add ramonpetgrave64 to CODEOWNERS (#3490)
  • 8869c8a fix: Switch to newer DSSE rekor type (#3299)
  • 9d81ca7 chore: Update slsa-verifier version (#3454)
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot] commented 1 month ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.