-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: produce sigstore Bundles for generic generator and go builder workflows #3777
feat: produce sigstore Bundles for generic generator and go builder workflows #3777
Conversation
20e2376
to
f9a7e3e
Compare
@@ -39,6 +39,9 @@ const ( | |||
|
|||
// OIDCToken represents the contents of a GitHub OIDC JWT token. | |||
type OIDCToken struct { | |||
// Expiry is the expiration date of the token. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lint: reordering fields by type.
7d5dcde
to
91fc61e
Compare
@@ -53,7 +53,7 @@ func Test_CreateBuildDefinition(t *testing.T) { | |||
} | |||
|
|||
if diff := cmp.Diff(got, want); diff != "" { | |||
t.Errorf(diff) | |||
t.Error(diff) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lint: change t.Errorf
to t.Error
when not actually using any string formatting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really great!
// Bundle will have already verified that the TLog entries are signed. | ||
logIndex := innerBundle.GetVerificationMaterial().GetTlogEntries()[0].GetLogIndex() | ||
fmt.Printf("Signed attestation is in rekor with UUID %d.\n", logIndex) | ||
fmt.Printf("You could use rekor-cli to view the log entry details:\n\n"+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor thing, but I would avoid printing the info about how to look up the entry given these look ups aren't verifying inclusion. In Cosign we've always struggled with what is useful output, and I don't have a good answer there - maybe a list of steps that the client took (requested token, fetched cert, uploaded entry to log, etc)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's more of a UX thing, since I'm deleting another print statement that showed the log UUID.
I now see I need to update that text to say Log Index, not UUID.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add any tests for this? Possibly e2e tests with a similar setup like Colleen added in Cosign? https://github.com/sigstore/cosign/blob/main/test/README.md
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are e2e tests in slsa-framework/example-package that will produce and verify. We can't have the e2e tests in PRs because PRs don't have the needed token permissions to sign.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you use the identity token workflow we set up for conformance testing that publishes a valid ID token? Here's an example of gitsign using it - https://github.com/sigstore/gitsign/pull/549/files
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could definitely tweak this code to use that alternative token in PRs, but then verification won't work with slsa-verifier until we tweak it to trust alternative workflow and certificate identities:
# Summary Followup to #3746 Removes the verify job, which won't work, because the ref will be incorrect. - https://github.com/slsa-framework/slsa-github-generator/actions/runs/10115454784/job/27976327657#step:5:1 ``` WARNING: Insecure SLSA_VERIFIER_TESTING is enabled. Verifying artifact ./target/test-java-project-1.21.97.jar: FAILED: invalid ref: "refs/heads/main": unexpected ref type: "heads" FAILED: SLSA verification failed: invalid ref: "refs/heads/main": unexpected ref type: "heads" Error: Process completed with exit code 1. ``` ## Testing Process The e2e test is executed in this PR, which now passes. ## Checklist - [x] Review the contributing [guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md) - [x] Add a reference to related issues in the PR description. - [ ] Update documentation if applicable. - [x] Add unit tests if applicable. - [ ] Add changes to the [CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) if applicable. --------- Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | actions/checkout | action | digest | `692973e` -> `9a9194f` | | [actions/download-artifact](https://togithub.com/actions/download-artifact) | action | patch | `v4.1.7` -> `v4.1.8` | | [actions/setup-go](https://togithub.com/actions/setup-go) | action | patch | `v5.0.1` -> `v5.0.2` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v4.0.2` -> `v4.0.3` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | digest | `60edb5d` -> `1e60f62` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v4.3.3` -> `v4.3.5` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.25.11` -> `v3.25.15` | | [gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action) | action | minor | `v3.4.2` -> `v3.5.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` | | [softprops/action-gh-release](https://togithub.com/softprops/action-gh-release) | action | patch | `v2.0.6` -> `v2.0.8` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.8`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.8) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.7...v4.1.8) #### What's Changed - Update [@​actions/artifact](https://togithub.com/actions/artifact) version, bump dependencies by [@​robherley](https://togithub.com/robherley) in [https://github.com/actions/download-artifact/pull/341](https://togithub.com/actions/download-artifact/pull/341) **Full Changelog**: actions/download-artifact@v4...v4.1.8 </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.0.2`](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2) [Compare Source](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2) </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v4.0.3`](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3) [Compare Source](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.5`](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) ### [`v4.3.4`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.4) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.3...v4.3.4) ##### What's Changed - Update [@​actions/artifact](https://togithub.com/actions/artifact) version, bump dependencies by [@​robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/584](https://togithub.com/actions/upload-artifact/pull/584) **Full Changelog**: actions/upload-artifact@v4.3.3...v4.3.4 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.25.15`](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15) ### [`v3.25.14`](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14) ### [`v3.25.13`](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13) ### [`v3.25.12`](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12) </details> <details> <summary>gradle/gradle-build-action (gradle/gradle-build-action)</summary> ### [`v3.5.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v3.5.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v3.4.2...v3.5.0) > \[!IMPORTANT] > As of `v3` this action has been superceded by `gradle/actions/setup-gradle`. > Any workflow that uses `gradle/gradle-build-action@v3` will transparently delegate to `gradle/actions/setup-gradle@v3`. > > Users are encouraged to update their workflows, replacing: > > uses: gradle/gradle-build-action@v3 > > with > > uses: gradle/actions/setup-gradle@v3 > > See the [setup-gradle documentation](https://togithub.com/gradle/actions/tree/main/setup-gradle) for up-to-date documentation for `gradle/actions/setup-gradle`. For release details, see https://github.com/gradle/actions/releases/tag/v3.5.0 </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.4.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) #### What's Changed This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation. - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://togithub.com/ossf/scorecard-action/pull/1410) - 🐛 lower license sarif alert threshold to 9 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://togithub.com/ossf/scorecard-action/pull/1411) ##### Documentation - docs: dogfooding badge by [@​jkowalleck](https://togithub.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://togithub.com/ossf/scorecard-action/pull/1399) #### New Contributors - [@​jkowalleck](https://togithub.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://togithub.com/ossf/scorecard-action/pull/1399) **Full Changelog**: ossf/scorecard-action@v2.3.3...v2.4.0 </details> <details> <summary>softprops/action-gh-release (softprops/action-gh-release)</summary> ### [`v2.0.8`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.8) [Compare Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.7...v2.0.8) <!-- Release notes generated using configuration in .github/release.yml at master --> #### What's Changed ##### Other Changes 🔄 - chore(deps): bump prettier from 2.8.0 to 3.3.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/480](https://togithub.com/softprops/action-gh-release/pull/480) - chore(deps): bump [@​types/node](https://togithub.com/types/node) from 20.14.9 to 20.14.11 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/483](https://togithub.com/softprops/action-gh-release/pull/483) - chore(deps): bump [@​octokit/plugin-throttling](https://togithub.com/octokit/plugin-throttling) from 9.3.0 to 9.3.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/484](https://togithub.com/softprops/action-gh-release/pull/484) - chore(deps): bump glob from 10.4.2 to 11.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/477](https://togithub.com/softprops/action-gh-release/pull/477) - refactor: write jest config in ts by [@​chenrui333](https://togithub.com/chenrui333) in [https://github.com/softprops/action-gh-release/pull/485](https://togithub.com/softprops/action-gh-release/pull/485) - chore(deps): bump [@​actions/github](https://togithub.com/actions/github) from 5.1.1 to 6.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/470](https://togithub.com/softprops/action-gh-release/pull/470) **Full Changelog**: softprops/action-gh-release@v2...v2.0.8 ### [`v2.0.7`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.7) [Compare Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.6...v2.0.7) <!-- Release notes generated using configuration in .github/release.yml at master --> #### What's Changed ##### Bug fixes 🐛 - Fix missing update release body by [@​FirelightFlagboy](https://togithub.com/FirelightFlagboy) in [https://github.com/softprops/action-gh-release/pull/365](https://togithub.com/softprops/action-gh-release/pull/365) ##### Other Changes 🔄 - Bump [@​octokit/plugin-retry](https://togithub.com/octokit/plugin-retry) from 4.0.3 to 7.1.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/443](https://togithub.com/softprops/action-gh-release/pull/443) - Bump typescript from 4.9.5 to 5.5.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/467](https://togithub.com/softprops/action-gh-release/pull/467) - Bump [@​types/node](https://togithub.com/types/node) from 20.14.6 to 20.14.8 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/469](https://togithub.com/softprops/action-gh-release/pull/469) - Bump [@​types/node](https://togithub.com/types/node) from 20.14.8 to 20.14.9 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/473](https://togithub.com/softprops/action-gh-release/pull/473) - Bump typescript from 5.5.2 to 5.5.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/472](https://togithub.com/softprops/action-gh-release/pull/472) - Bump ts-jest from 29.1.5 to 29.2.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/479](https://togithub.com/softprops/action-gh-release/pull/479) - docs: document that existing releases are updated by [@​jvanbruegge](https://togithub.com/jvanbruegge) in [https://github.com/softprops/action-gh-release/pull/474](https://togithub.com/softprops/action-gh-release/pull/474) #### New Contributors - [@​jvanbruegge](https://togithub.com/jvanbruegge) made their first contribution in [https://github.com/softprops/action-gh-release/pull/474](https://togithub.com/softprops/action-gh-release/pull/474) - [@​FirelightFlagboy](https://togithub.com/FirelightFlagboy) made their first contribution in [https://github.com/softprops/action-gh-release/pull/365](https://togithub.com/softprops/action-gh-release/pull/365) **Full Changelog**: softprops/action-gh-release@v2.0.6...v2.0.7 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-github-generator). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Signed-off-by: Mend Renovate <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
…o 25.0.6+incompatible in the go_modules group (#3760) Bumps the go_modules group with 1 update: [github.com/docker/docker](https://github.com/docker/docker). Updates `github.com/docker/docker` from 24.0.9+incompatible to 25.0.6+incompatible <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/docker/releases">github.com/docker/docker's releases</a>.</em></p> <blockquote> <h2>v25.0.6</h2> <h2>25.0.6</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.6">docker/cli, 25.0.6 milestone</a></li> <li><a href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.6">moby/moby, 25.0.6 milestone</a></li> <li>Deprecated and removed features, see <a href="https://github.com/docker/cli/blob/v25.0.6/docs/deprecated.md">Deprecated Features</a>.</li> <li>Changes to the Engine API, see <a href="https://github.com/moby/moby/blob/v25.0.6/docs/api/version-history.md">API version history</a>.</li> </ul> <h3>Security</h3> <p>This release contains a fix for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110">CVE-2024-41110</a> / <a href="https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq">GHSA-v23v-6jw2-98fq</a> that impacted setups using <a href="https://docs.docker.com/engine/extend/plugins_authorization/">authorization plugins (AuthZ)</a> for access control.</p> <h3>Bug fixes and enhancements</h3> <ul> <li>[25.0] remove erroneous <code>platform</code> from image <code>config</code> OCI descriptor in <code>docker save</code> output. <a href="https://redirect.github.com/moby/moby/pull/47695">moby/moby#47695</a></li> <li>[25.0 backport] Fix a nil dereference when getting image history for images having layers without the <code>Created</code> value set. <a href="https://redirect.github.com/moby/moby/pull/47759">moby/moby#47759</a></li> <li>[25.0 backport] apparmor: Allow confined runc to kill containers. <a href="https://redirect.github.com/moby/moby/pull/47830">moby/moby#47830</a></li> <li>[25.0 backport] Fix an issue where rapidly promoting a Swarm node after another node was demoted could cause the promoted node to fail its promotion. <a href="https://redirect.github.com/moby/moby/pull/47869">moby/moby#47869</a></li> <li>[25.0 backport] don't depend on containerd platform.Parse to return a typed error. <a href="https://redirect.github.com/moby/moby/pull/47890">moby/moby#47890</a></li> <li>[25.0 backport] builder/mobyexporter: Add missing nil check <a href="https://redirect.github.com/moby/moby/pull/47987">moby/moby#47987</a></li> </ul> <h3>Packaging updates</h3> <ul> <li>Update AWS SDK Go v2 to v1.24.1 for AWS CloudWatch logging driver. <a href="https://redirect.github.com/moby/moby/pull/47724">moby/moby#47724</a></li> <li>Update Go runtime to 1.21.12, which contains security fixes for <a href="https://github.com/advisories/GHSA-hw49-2p59-3mhj">CVE-2024-24791</a> <a href="https://redirect.github.com/moby/moby/pull/48146">moby/moby#48146</a></li> <li>Update Containerd (static binaries only) to <a href="https://github.com/containerd/containerd/releases/tag/v1.7.20">v1.7.20</a>. <a href="https://redirect.github.com/moby/moby/pull/48199">moby/moby#48199</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/moby/moby/compare/v25.0.5...v25.0.6">https://github.com/moby/moby/compare/v25.0.5...v25.0.6</a></p> <h2>v25.0.5</h2> <h2>25.0.5</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.5">docker/cli, 25.0.5 milestone</a></li> <li><a href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.5">moby/moby, 25.0.5 milestone</a></li> <li>Deprecated and removed features, see <a href="https://github.com/docker/cli/blob/v25.0.5/docs/deprecated.md">Deprecated Features</a>.</li> <li>Changes to the Engine API, see <a href="https://github.com/moby/moby/blob/v25.0.5/docs/api/version-history.md">API version history</a>.</li> </ul> <h3>Security</h3> <p>This release contains a security fix for <a href="https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx">CVE-2024-29018</a>, a potential data exfiltration from 'internal' networks via authoritative DNS servers.</p> <h3>Bug fixes and enhancements</h3> <ul> <li> <p><a href="https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx">CVE-2024-29018</a>: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. <a href="https://redirect.github.com/moby/moby/pull/47589">moby/moby#47589</a></p> </li> <li> <p>plugin: fix mounting /etc/hosts when running in UserNS. <a href="https://redirect.github.com/moby/moby/pull/47588">moby/moby#47588</a></p> </li> <li> <p>rootless: fix <code>open /etc/docker/plugins: permission denied</code>. <a href="https://redirect.github.com/moby/moby/pull/47587">moby/moby#47587</a></p> </li> <li> <p>Fix multiple parallel <code>docker build</code> runs leaking disk space. <a href="https://redirect.github.com/moby/moby/pull/47527">moby/moby#47527</a></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/moby/moby/commit/b08a51fe16eed67de3861c03b363ba403643b12e"><code>b08a51f</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48231">#48231</a> from austinvazquez/backport-vendor-otel-v0.46.1-to-...</li> <li><a href="https://github.com/moby/moby/commit/d151b0f87f9673f206b477c90db25956e1704ba5"><code>d151b0f</code></a> vendor: OTEL v0.46.1 / v1.21.0</li> <li><a href="https://github.com/moby/moby/commit/c6ba9a5124603357bfc4a64971cbb9708180f06e"><code>c6ba9a5</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48225">#48225</a> from austinvazquez/backport-workflow-artifact-reten...</li> <li><a href="https://github.com/moby/moby/commit/4673a3ca2c37ae30270a29c281ccd9477107dcee"><code>4673a3c</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48227">#48227</a> from austinvazquez/backport-backport-branch-check-t...</li> <li><a href="https://github.com/moby/moby/commit/30f89081028ce6fb1b49a71c02c156dacbe9aa62"><code>30f8908</code></a> github/ci: Check if backport is opened against the expected branch</li> <li><a href="https://github.com/moby/moby/commit/7454d6a2e672b0b977aaa14463c9aeb53acd06af"><code>7454d6a</code></a> ci: update workflow artifacts retention</li> <li><a href="https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919"><code>65cc597</code></a> Merge commit from fork</li> <li><a href="https://github.com/moby/moby/commit/b722836927669b414569c42f096869cd800b59a6"><code>b722836</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48199">#48199</a> from austinvazquez/update-containerd-binary-to-1.7.20</li> <li><a href="https://github.com/moby/moby/commit/e8ecb9c76d97579ebbf3f9d3ef770d08ac303809"><code>e8ecb9c</code></a> update containerd binary to v1.7.20</li> <li><a href="https://github.com/moby/moby/commit/e6cae1f2373d4ff37499570e67f23b2cebb7a043"><code>e6cae1f</code></a> update containerd binary to v1.7.19</li> <li>Additional commits viewable in <a href="https://github.com/docker/docker/compare/v24.0.9...v25.0.6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=24.0.9+incompatible&new-version=25.0.6+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-github-generator/network/alerts). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) The Renovate config in this repository needs migrating. Typically this is because one or more configuration options you are using have been renamed. You don't need to merge this PR right away, because Renovate will continue to migrate these fields internally each time it runs. But later some of these fields may be fully deprecated and the migrations removed. So it's a good idea to merge this migration PR soon. 🔕 **Ignore**: Close this PR and you won't be reminded about config migration again, but one day your current config may no longer be valid. ❓ Got questions? Does something look wrong to you? Please don't hesitate to [request help here](https://togithub.com/renovatebot/renovate/discussions). --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-github-generator). Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
This reverts commit 8cde63a. Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
verification Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
bf7c4a6
to
b23bcf2
Compare
…builder workflows" (#3985) Reverts #3777 Lots of new failing errors in our e2e tests today. We may have missed something when testing these changes. For now, we should revert while we debug, and come up with more robust testing methods. - https://github.com/slsa-framework/example-package/actions/runs/11511156484/job/32044242878#step:6:125 - #3967 ``` **** Verifying provenance authenticity with verifier at HEAD ***** Testing against builder args **** Default parameters (annotated tags) ***** WARNING: Insecure SLSA_VERIFIER_TESTING is enabled. Verifying artifact hello: FAILED: missing signing certificate in bundle FAILED: SLSA verification failed: missing signing certificate in bundle ✖ 1 == 0 :: not main default parameters (annotated_tags) Error: Process completed with exit code 1. ```
Followup to slsa-framework/slsa-github-generator#3777 This PR adds a missing modification for getting the leaf certificate in the new Bundle format v0.3. In my original experiments, I did have this method in a dev branch, but neglected to include it in the final PR. - main...verify-sigstore-go-Bundlev3#diff-a9bfffae1bd0d145e950805e7a35b8e65adc7a68affa605b484f4831097b989cR98-R107 - https://github.com/slsa-framework/slsa-verifier/pull/799/files ## Testing - I re-used the same attestation file from a failing workflow for unit tests and manual invocation. - https://github.com/slsa-framework/example-package/actions/runs/11511156484 ## Followup - Finish finding a way to test changes within PRs. - slsa-framework/slsa-github-generator#3777 (comment) - #797 --------- Signed-off-by: Ramon Petgrave <[email protected]>
Summary
fixes #3750
pending slsa-framework/slsa-verifier#799
Changes the internal go code to produce Sigstore Bundles, instead of only signed DSSE envelopes. This means that the generic generator and go builder workflows now produce Sigstore Bundles, just like the other BYOB-type workflows.
Testing Process
Testing done on a previous commit with a test workflow. It's using a slightly modified slsa-verifier that respects sls-aw workflows from non-main branches.
Followup
[ ] Produce the provenance in v1 format, rather than the current v0.2 format.
[ ] fix initialism of
[build]invocationID
to[build]invocationId
#3876Checklist