Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[chore][bazel] use secure-folder-upload and temp dir #2396

Closed

Conversation

enteraga6
Copy link
Collaborator

closes #2276
closes #2331

This switches the folder upload from the actions/upload-artifact to our secure-upload-folder @ v1.7.0.

This also strengthens the name of the folder that is uploaded to avoid collisions. Since the path to folder cannot be in /tmp with the secure-upload-folder, the name of the folder being upload was changed from binaries to bazel_builder_binaries_to_upload_to_gh to avoid any potential name collisions and be able to utilize the secure-upload-folder action.

ianlewis and others added 21 commits July 18, 2023 18:48
Apologies for all the PRs. Should work this time.
Successful run:
https://github.com/ianlewis/actions-test/actions/runs/5352271438

Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign)
| require | minor | `v2.0.2` -> `v2.1.0` |
| [github.com/sigstore/sigstore](https://togithub.com/sigstore/sigstore)
| require | minor | `v1.6.4` -> `v1.7.1` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>sigstore/cosign</summary>

###
[`v2.1.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v210)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.0.2...v2.1.0)

**Breaking Change: The predicate is now a required flag in the attest
commands, set via the --type flag.**

#### Enhancements

- Verify sigs and attestations in parallel
([#&#8203;3066](https://togithub.com/sigstore/cosign/issues/3066))
- Deep inspect attestations when filtering download
([#&#8203;3031](https://togithub.com/sigstore/cosign/issues/3031))
- refactor bundle validation code, add support for DSSE rekor type
([#&#8203;3016](https://togithub.com/sigstore/cosign/issues/3016))
- Allow overriding remote options
([#&#8203;3049](https://togithub.com/sigstore/cosign/issues/3049))
- feat: adds no cert found on sig exit code
([#&#8203;3038](https://togithub.com/sigstore/cosign/issues/3038))
- Make predicate a required flag in attest commands
([#&#8203;3033](https://togithub.com/sigstore/cosign/issues/3033))
- Added support for attaching Time stamp authority Response in attach
command
([#&#8203;3001](https://togithub.com/sigstore/cosign/issues/3001))
- Add `sign --sign-container-identity` CLI
([#&#8203;2984](https://togithub.com/sigstore/cosign/issues/2984))
- Feature: Allow cosign to sign digests before they are uploaded.
([#&#8203;2959](https://togithub.com/sigstore/cosign/issues/2959))
- accepts `attachment-tag-prefix` for `cosign copy`
([#&#8203;3014](https://togithub.com/sigstore/cosign/issues/3014))
- Feature: adds '--allow-insecure-registry' for cosign load
([#&#8203;3000](https://togithub.com/sigstore/cosign/issues/3000))
- download attestation: support --platform flag
([#&#8203;2980](https://togithub.com/sigstore/cosign/issues/2980))
- Cleanup: Add `Digest` to the `SignedEntity` interface.
([#&#8203;2960](https://togithub.com/sigstore/cosign/issues/2960))
- verify command: support keyless verification using only a provided
certificate chain with non-fulcio roots
([#&#8203;2845](https://togithub.com/sigstore/cosign/issues/2845))
- verify: use workers to limit the paralellism when verifying images
with --max-workers flag
([#&#8203;3069](https://togithub.com/sigstore/cosign/issues/3069))

#### Bug Fixes

- Fix pkg/cosign/errors
([#&#8203;3050](https://togithub.com/sigstore/cosign/issues/3050))
- fix: update doc to refer to github-actions oidc provider
([#&#8203;3040](https://togithub.com/sigstore/cosign/issues/3040))
- fix: prefer GitHub OIDC provider if enabled
([#&#8203;3044](https://togithub.com/sigstore/cosign/issues/3044))
- Fix --sig-only in cosign copy
([#&#8203;3074](https://togithub.com/sigstore/cosign/issues/3074))

#### Documentation

- Fix links to sigstore/docs in markdown files
([#&#8203;3064](https://togithub.com/sigstore/cosign/issues/3064))
- Update release readme
([#&#8203;2942](https://togithub.com/sigstore/cosign/issues/2942))

**Thank you to our contributors!**

-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Chok Yip Lau
-   Chris Burns
-   Dmitry Savintsev
-   Enyinna Ochulor
-   Hayden B
-   Hector Fernandez
-   Jakub Hrozek
-   Jason Hall
-   Jon Johnson
-   Luiz Carvalho
-   Matt Moore
-   Mritunjay Kumar Sharma
-   Mukuls77
-   Ramkumar Chinchani
-   Sascha Grunert
-   Yolanda Robla Mota
-   priyawadhwa

</details>

<details>
<summary>sigstore/sigstore</summary>

###
[`v1.7.1`](https://togithub.com/sigstore/sigstore/releases/tag/v1.7.1)

[Compare
Source](https://togithub.com/sigstore/sigstore/compare/v1.7.0...v1.7.1)

#### What's Changed

- Allow the user to optionally pass a Key Vault key version, update the
SDK by [@&#8203;malancas](https://togithub.com/malancas) in
[https://github.com/sigstore/sigstore/pull/1231](https://togithub.com/sigstore/sigstore/pull/1231)
- update golangci-lint to v1.53.x by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1216](https://togithub.com/sigstore/sigstore/pull/1216)

**Full Changelog**:
sigstore/sigstore@v1.7.0...v1.7.1

###
[`v1.7.0`](https://togithub.com/sigstore/sigstore/releases/tag/v1.7.0)

[Compare
Source](https://togithub.com/sigstore/sigstore/compare/v1.6.5...v1.7.0)

#### What's Changed

- Update Azure Key Vault client by
[@&#8203;malancas](https://togithub.com/malancas) in
[https://github.com/sigstore/sigstore/pull/1170](https://togithub.com/sigstore/sigstore/pull/1170)
- kms: split KMS providers into separate Go modules by
[@&#8203;imjasonh](https://togithub.com/imjasonh) in
[https://github.com/sigstore/sigstore/pull/1115](https://togithub.com/sigstore/sigstore/pull/1115)
- have submodules specify real s/s releases by
[@&#8203;imjasonh](https://togithub.com/imjasonh) in
[https://github.com/sigstore/sigstore/pull/1178](https://togithub.com/sigstore/sigstore/pull/1178)
- Update go.mod and dependabot config by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1184](https://togithub.com/sigstore/sigstore/pull/1184)
- Add `Cosign.ClaimedIdentity` API by
[@&#8203;saschagrunert](https://togithub.com/saschagrunert) in
[https://github.com/sigstore/sigstore/pull/1166](https://togithub.com/sigstore/sigstore/pull/1166)
- build(deps): bump github.com/aws/aws-sdk-go from 1.44.274 to 1.44.275
in /pkg/signature/kms/aws by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/sigstore/sigstore/pull/1199](https://togithub.com/sigstore/sigstore/pull/1199)
- Azure KMS: Infer hash function from key by
[@&#8203;codysoyland](https://togithub.com/codysoyland) in
[https://github.com/sigstore/sigstore/pull/1149](https://togithub.com/sigstore/sigstore/pull/1149)
- update golang.org/x/crypto to v0.10.0 and golang.org/x/oauth2 v0.9.0
by [@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/sigstore/pull/1225](https://togithub.com/sigstore/sigstore/pull/1225)

#### New Contributors

- [@&#8203;saschagrunert](https://togithub.com/saschagrunert) made their
first contribution in
[https://github.com/sigstore/sigstore/pull/1166](https://togithub.com/sigstore/sigstore/pull/1166)

**Full Changelog**:
sigstore/sigstore@v1.6.4...v1.7.0

###
[`v1.6.5`](https://togithub.com/sigstore/sigstore/releases/tag/v1.6.5)

[Compare
Source](https://togithub.com/sigstore/sigstore/compare/v1.6.4...v1.6.5)

#### What's Changed

- Update Azure Key Vault client by
[@&#8203;malancas](https://togithub.com/malancas) in
[https://github.com/sigstore/sigstore/pull/1170](https://togithub.com/sigstore/sigstore/pull/1170)
- kms: split KMS providers into separate Go modules by
[@&#8203;imjasonh](https://togithub.com/imjasonh) in
[https://github.com/sigstore/sigstore/pull/1115](https://togithub.com/sigstore/sigstore/pull/1115)
- have submodules specify real s/s releases by
[@&#8203;imjasonh](https://togithub.com/imjasonh) in
[https://github.com/sigstore/sigstore/pull/1178](https://togithub.com/sigstore/sigstore/pull/1178)

**Full Changelog**:
sigstore/sigstore@v1.6.4...v1.6.5

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMzEuMCIsInVwZGF0ZWRJblZlciI6IjM1LjEzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-java | action | digest | `45058d7` -> `1f2faad` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v2.20.0` -> `v2.20.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | minor | `v2.1.3` -> `v2.2.0` |
|
[sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer)
| action | minor | `v3.0.5` -> `v3.1.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://togithub.com/cynthia-sg) and
[@&#8203;tegioz](https://togithub.com/tegioz) at
[CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://togithub.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://togithub.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://togithub.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://togithub.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.1.0`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.0)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.5...v3.1.0)

#### What's Changed

- update job to use latest action release by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/130](https://togithub.com/sigstore/cosign-installer/pull/130)
- Update action example for keyless signing as xarg is not required by
[@&#8203;jbtrystram](https://togithub.com/jbtrystram) in
[https://github.com/sigstore/cosign-installer/pull/132](https://togithub.com/sigstore/cosign-installer/pull/132)
- update examples by [@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/133](https://togithub.com/sigstore/cosign-installer/pull/133)
- bump cosign to default to release v2.1.0 and update docs by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/136](https://togithub.com/sigstore/cosign-installer/pull/136)

#### New Contributors

- [@&#8203;jbtrystram](https://togithub.com/jbtrystram) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/132](https://togithub.com/sigstore/cosign-installer/pull/132)

**Full Changelog**:
sigstore/cosign-installer@v3.0.5...v3.1.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMzEuMCIsInVwZGF0ZWRJblZlciI6IjM1LjE0MS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Adds a publisher for the Maven builder.

It is missing a few bits here and there, but I am keeping it open as a
draft to track progress.

The main things to fix are:

1. ~~Keep the built artifacts without modifying the delegator.~~ Done
2. ~~Use the safe downloaders and uploaders.~~ Done

We have made a Maven plugin to replace `collect_release_artifacts.sh`.
This plugin currently exist in the test projects source tree but should
ideally exist in Maven Central.

Example usage:
https://github.com/AdamKorcz/test-java-project/blob/main/.github/workflows/byob.yml
Example action:
https://github.com/AdamKorcz/test-java-project/actions/runs/5380001938

Sample release: Browse v0.1.17 here:
https://central.sonatype.com/artifact/io.github.adamkorcz/test-java-project/0.1.17/versions

---------

Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Fixes slsa-framework#2359

Fixes parsing of npm package names when non-scoped.

Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@octokit/webhooks-types](https://togithub.com/octokit/webhooks) |
[`7.0.2` ->
`7.1.0`](https://renovatebot.com/diffs/npm/@octokit%2fwebhooks-types/7.0.2/7.1.0)
|
[![age](https://badges.renovateapi.com/packages/npm/@octokit%2fwebhooks-types/7.1.0/age-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://badges.renovateapi.com/packages/npm/@octokit%2fwebhooks-types/7.1.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://badges.renovateapi.com/packages/npm/@octokit%2fwebhooks-types/7.1.0/compatibility-slim/7.0.2)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://badges.renovateapi.com/packages/npm/@octokit%2fwebhooks-types/7.1.0/confidence-slim/7.0.2)](https://docs.renovatebot.com/merge-confidence/)
|
|
[sigstore](https://togithub.com/sigstore/sigstore-js/tree/main/packages/client#readme)
([source](https://togithub.com/sigstore/sigstore-js)) | [`1.5.2` ->
`1.7.0`](https://renovatebot.com/diffs/npm/sigstore/1.5.2/1.7.0) |
[![age](https://badges.renovateapi.com/packages/npm/sigstore/1.7.0/age-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://badges.renovateapi.com/packages/npm/sigstore/1.7.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://badges.renovateapi.com/packages/npm/sigstore/1.7.0/compatibility-slim/1.5.2)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://badges.renovateapi.com/packages/npm/sigstore/1.7.0/confidence-slim/1.5.2)](https://docs.renovatebot.com/merge-confidence/)
|
|
[sigstore](https://togithub.com/sigstore/sigstore-js/tree/main/packages/client#readme)
([source](https://togithub.com/sigstore/sigstore-js)) | [`1.5.1` ->
`1.7.0`](https://renovatebot.com/diffs/npm/sigstore/1.5.1/1.7.0) |
[![age](https://badges.renovateapi.com/packages/npm/sigstore/1.7.0/age-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://badges.renovateapi.com/packages/npm/sigstore/1.7.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://badges.renovateapi.com/packages/npm/sigstore/1.7.0/compatibility-slim/1.5.1)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://badges.renovateapi.com/packages/npm/sigstore/1.7.0/confidence-slim/1.5.1)](https://docs.renovatebot.com/merge-confidence/)
|

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>octokit/webhooks (@&#8203;octokit/webhooks-types)</summary>

###
[`v7.1.0`](https://togithub.com/octokit/webhooks/releases/tag/v7.1.0)

[Compare
Source](https://togithub.com/octokit/webhooks/compare/v7.0.3...v7.1.0)

##### Features

- new and updated payload examples with resulting schema changes
([#&#8203;813](https://togithub.com/octokit/webhooks/issues/813))
([9f7f7f3](https://togithub.com/octokit/webhooks/commit/9f7f7f3cf3309e25210c60461bf62bdf266c09b2)),
closes [#&#8203;812](https://togithub.com/octokit/webhooks/issues/812)

###
[`v7.0.3`](https://togithub.com/octokit/webhooks/releases/tag/v7.0.3)

[Compare
Source](https://togithub.com/octokit/webhooks/compare/v7.0.2...v7.0.3)

##### Bug Fixes

- update `wont_fix` typo in `secret_scanning_alert`
([#&#8203;807](https://togithub.com/octokit/webhooks/issues/807))
([b709535](https://togithub.com/octokit/webhooks/commit/b709535eca2788c42f1f0bdfa9118faa90b2bd90))

</details>

<details>
<summary>sigstore/sigstore-js (sigstore)</summary>

###
[`v1.7.0`](https://togithub.com/sigstore/sigstore-js/releases/tag/sigstore%401.7.0)

[Compare
Source](https://togithub.com/sigstore/sigstore-js/compare/[email protected]@1.7.0)

##### Minor Changes

- [`f374dd3`](https://togithub.com/sigstore/sigstore-js/commit/f374dd3):
Include transparency log inclusion proof in Sigstore bundle
- [`fbfb315`](https://togithub.com/sigstore/sigstore-js/commit/fbfb315):
Exports new `createVerifier` function

##### Patch Changes

- [`bd1e1e1`](https://togithub.com/sigstore/sigstore-js/commit/bd1e1e1):
Internal refactoring of Typescript types
- Updated dependencies
\[[`b97be71`](https://togithub.com/sigstore/sigstore-js/commit/b97be71)]
-
[@&#8203;sigstore/tuf](https://togithub.com/sigstore/tuf)[@&#8203;1](https://togithub.com/1).0.1

###
[`v1.6.0`](https://togithub.com/sigstore/sigstore-js/releases/tag/sigstore%401.6.0)

[Compare
Source](https://togithub.com/sigstore/sigstore-js/compare/[email protected]@1.6.0)

##### Minor Changes

- [`5ea8b63`](https://togithub.com/sigstore/sigstore-js/commit/5ea8b63):
Adds a new `identityProvider` config option for the `sign`/`attest`
functions
- [`16de8c7`](https://togithub.com/sigstore/sigstore-js/commit/16de8c7):
Support for verifying Rekor entries w/ the new `dsse` entry type

##### Patch Changes

- [`4fdf826`](https://togithub.com/sigstore/sigstore-js/commit/4fdf826):
Consume TUF client from `@sigstore/tuf` package
- [`f72e2b2`](https://togithub.com/sigstore/sigstore-js/commit/f72e2b2):
Consume Rekor API types from `@sigstore/rekor-types` package
- [`84fd931`](https://togithub.com/sigstore/sigstore-js/commit/84fd931):
Export `IdentityProvider` interface
- Updated dependencies
\[[`29b88a3`](https://togithub.com/sigstore/sigstore-js/commit/29b88a3)]
- Updated dependencies
\[[`3e770f0`](https://togithub.com/sigstore/sigstore-js/commit/3e770f0)]
-
[@&#8203;sigstore/tuf](https://togithub.com/sigstore/tuf)[@&#8203;1](https://togithub.com/1).0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMTcuMyIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

---------

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Co-authored-by: Ian Lewis <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[github.com/secure-systems-lab/go-securesystemslib](https://togithub.com/secure-systems-lab/go-securesystemslib)
| require | minor | `v0.6.0` -> `v0.7.0` |
| [github.com/sigstore/cosign/v2](https://togithub.com/sigstore/cosign)
| require | patch | `v2.1.0` -> `v2.1.1` |
| golang.org/x/oauth2 | require | minor | `v0.9.0` -> `v0.10.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>secure-systems-lab/go-securesystemslib
(github.com/secure-systems-lab/go-securesystemslib)</summary>

###
[`v0.7.0`](https://togithub.com/secure-systems-lab/go-securesystemslib/compare/v0.6.0...v0.7.0)

[Compare
Source](https://togithub.com/secure-systems-lab/go-securesystemslib/compare/v0.6.0...v0.7.0)

</details>

<details>
<summary>sigstore/cosign (github.com/sigstore/cosign/v2)</summary>

###
[`v2.1.1`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v211)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.1.0...v2.1.1)

#### Bug Fixes

- wait for the workers become available again to continue the execution
([#&#8203;3084](https://togithub.com/sigstore/cosign/issues/3084))
- fix help text when in a container
([#&#8203;3082](https://togithub.com/sigstore/cosign/issues/3082))

#### Documentation

- update changelog
([#&#8203;3080](https://togithub.com/sigstore/cosign/issues/3080))

- DNM: Add CHANGELOG for v2.1.0
([#&#8203;3068](https://togithub.com/sigstore/cosign/issues/3068))

-   Carlos Tadeu Panato Junior

-   priyawadhwa

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-java | action | digest | `1f2faad` -> `75c6561` |
| [actions/setup-java](https://togithub.com/actions/setup-java) | action
| pinDigest | -> `5ffc13f` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| minor | `v3.6.0` -> `v3.7.0` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| digest | `64ed1c7` -> `e33196f` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v2.20.1` -> `v2.20.3` |
|
[gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action)
| action | minor | `v2.4.2` -> `v2.6.0` |
|
[sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer)
| action | patch | `v3.1.0` -> `v3.1.1` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0)

##### What's Changed

In scope of this release we added a logic to save an additional cache
path for yarn 3 ([related pull
request](https://togithub.com/actions/setup-node/pull/744) and [feature
request](https://togithub.com/actions/setup-node/issues/325)). Moreover,
we added functionality to use all the sub directories derived from
`cache-dependency-path` input and add detect all dependencies
directories to cache (related [pull
request](https://togithub.com/actions/setup-node/pull/735) and [feature
request](https://togithub.com/actions/setup-node/issues/488)).

##### Besides, we made such changes as:

- Replace workflow badge with new badge by
[@&#8203;jongwooo](https://togithub.com/jongwooo) in
[https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653)
- Fix a minor typo by [@&#8203;phanan](https://togithub.com/phanan) in
[https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662)
- docs: fix typo in advanced-usage.md by
[@&#8203;remarkablemark](https://togithub.com/remarkablemark) in
[https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697)
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by
[@&#8203;domdomegg](https://togithub.com/domdomegg) in
[https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718)
- Update to node 18.x by
[@&#8203;feelepxyz](https://togithub.com/feelepxyz) in
[https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751)
- Remove implicit dependencies by
[@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758)
- Fix description about ensuring workflow access to private package by
[@&#8203;x86chi](https://togithub.com/x86chi) in
[https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704)

##### New Contributors

- [@&#8203;jongwooo](https://togithub.com/jongwooo) made their first
contribution in
[https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653)
- [@&#8203;phanan](https://togithub.com/phanan) made their first
contribution in
[https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662)
- [@&#8203;remarkablemark](https://togithub.com/remarkablemark) made
their first contribution in
[https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697)
- [@&#8203;domdomegg](https://togithub.com/domdomegg) made their first
contribution in
[https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718)
- [@&#8203;feelepxyz](https://togithub.com/feelepxyz) made their first
contribution in
[https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751)
- [@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) made
their first contribution in
[https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758)
- [@&#8203;x86chi](https://togithub.com/x86chi) made their first
contribution in
[https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704)

**Full Changelog**:
actions/setup-node@v3...v3.7.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3)

###
[`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2)

</details>

<details>
<summary>gradle/gradle-build-action
(gradle/gradle-build-action)</summary>

###
[`v2.6.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.6.0)

[Compare
Source](https://togithub.com/gradle/gradle-build-action/compare/v2.5.1...v2.6.0)

##### GitHub Dependency Graph support (Experimental)

This release brings experimental support for submitting a [GitHub
Dependency
Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
snapshot via the [GitHub Dependency Submission
API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).

The dependency graph snapshot is generated via integration with the
[GitHub Dependency Graph Gradle
Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin),
and saved as a workflow artifact. The generated snapshot files can be
submitted either in the same job, or in a subsequent job (in the same or
a dependent workflow).

The generated dependency graph snapshot reports all of the dependencies
that were resolved during a bulid execution, and is used by GitHub to
generate [Dependabot
Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
for vulnerable dependencies, as well as to populate the [Dependency
Graph insights
view](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).

Check out the README chapter for more details on how this works and how
to configure a workflow that submits a dependency graph.

##### Changelog

###
[`v2.5.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.5.1)

[Compare
Source](https://togithub.com/gradle/gradle-build-action/compare/v2.5.0...v2.5.1)

Fixes a regression in v2.5.0 that resulted in failure when running a
workflow that has a name containing a comma.

##### Fixes

- Cache key Validation Error when workflow name contains a comma
[#&#8203;756](https://togithub.com/gradle/gradle-build-action/issues/756)

##### Changelog

###
[`v2.5.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.5.0)

[Compare
Source](https://togithub.com/gradle/gradle-build-action/compare/v2.4.2...v2.5.0)

This minor release fixes a couple of issues that affected the action in
particular scenarios, and updates all dependencies to recent versions.

##### Fixes

- Parallel workflows containing jobs with the same name use the same
cache key
[#&#8203;699](https://togithub.com/gradle/gradle-build-action/issues/699)
- Build scans are not captured when GE plugin is applied within
`settingsEvaluated`
[#&#8203;626](https://togithub.com/gradle/gradle-build-action/issues/626)

**Full changelog**:
gradle/gradle-build-action@v2.4.2...v2.5.0

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.1.1`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.1)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.1.0...v3.1.1)

#### What's Changed

- default cosign to v2.1.1 by
[@&#8203;cpanato](https://togithub.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/137](https://togithub.com/sigstore/cosign-installer/pull/137)

**Full Changelog**:
sigstore/cosign-installer@v3.1.0...v3.1.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
…work#2362)

cc: @mihaimaruseac

This will provide support for artifacts that also need runfiles. Users
can use a flag, `needs-runfiles`, to also package the artifact alongside
the runfiles Bazel generates if the user deems it as necessary.

Also, support for Java artifacts is made available by packaging the JARs
to be standalone through a format in Bazel called `_deploy.jar`.
Alongside the `_deploy.jar`, there will be a modified `run-script` that
allows the users that download the artifact to run the run-script by
using a flag called `local_javabin`, where they put the path to their
own java bin such that it is utilized by the run-script. This run-script
is generated by Bazel from a template and later modified in the
`build.sh` in the internal part of the builder to add this flag for the
users. More information is available on the readme.

Java targets will automatically be converted to their `_deploy.jar` with
this. Three flags are used for users that have java targets:

`includes-java`: if true then adds an additional flag to build command
as well as rule for local java repo in WORKSPACE in order to utilize the
`--singlejar` capability of run-script for `_deploy.jar` such that the
remote jdk does not need to be included in runfiles. Doing it like this
prevents massive bloat when attesting.

`user-java-distribution` and `user-java-version`: let the user specify
the exact java they want to use to build

When users run the run-script they will include an additional flag
`local_javabin` which they will set to their local javabin that the
run-script will utilize to run the `_deploy.jar`

A combination of `bazel query` and `bazel cquery` were used to resolved
edge cases with the implementation.

---------

Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: Ian Lewis <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Adds the first documentation for the Maven builder following the same
template as the Node.js documentation.

Signed-off-by: AdamKorcz <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
@enteraga6 enteraga6 force-pushed the chores-secure-validate-temp branch from c513f44 to bf082d4 Compare July 18, 2023 18:51
@enteraga6 enteraga6 closed this Jul 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
5 participants