v1.2.1
🚨
What's Changed
This release fixes an error that occurs on the "Generate Builder" step for various workflows.
FAILED: SLSA verification failed: could not find a matching valid signature entry
See #942
Generic generator
buildType
This release changes the buildType used in provenance created by the generic generator.
The previous value was:
"buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
The new value is:
"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
See #627
Provenance file names
Previously the default file name for provenance was attestation.intoto.jsonl. This has been updated to be in line with in-toto attestation file naming conventions. The file name now defaults to <artifact filename>.intoto.jsonl if there is a single artifact, or multiple.intoto.jsonl if there are multiple artifacts.
See #654
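A downstream policy check affected by the buildType change and the new default file names described above, as an added example that is not part of the release notes or the project's code. It assumes each line of the provenance file is a DSSE envelope whose base64 payload is an in-toto statement with a SLSA predicate; the function names and the sample envelope are constructed for illustration.

```python
import base64
import json

# buildType values quoted in the release notes above.
OLD_BUILD_TYPE = "https://github.com/slsa-framework/slsa-github-generator@v1"
NEW_BUILD_TYPE = "https://github.com/slsa-framework/slsa-github-generator/generic@v1"


def default_provenance_name(artifacts):
    """Default provenance file name as described for this release."""
    if not artifacts:
        raise ValueError("at least one artifact is required")
    if len(artifacts) == 1:
        return f"{artifacts[0]}.intoto.jsonl"
    return "multiple.intoto.jsonl"


def build_types(jsonl_text):
    """Return the buildType of every statement in a .intoto.jsonl file."""
    types = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines between envelopes
        envelope = json.loads(line)
        statement = json.loads(base64.b64decode(envelope["payload"]))
        types.append(statement["predicate"]["buildType"])
    return types


def check_build_type(jsonl_text, allowed=(NEW_BUILD_TYPE,)):
    """Return buildType values outside the allow-list (empty list = pass).

    Run only on provenance whose signature has already been verified."""
    return [bt for bt in build_types(jsonl_text) if bt not in allowed]


def constructed_envelope(build_type):
    # Constructed sample: minimal and unsigned, for illustration only.
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": "https://slsa.dev/provenance/v0.2",
                 "predicate": {"buildType": build_type}}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})


if __name__ == "__main__":
    sample = "\n".join(constructed_envelope(b) for b in (OLD_BUILD_TYPE, NEW_BUILD_TYPE))
    print(default_provenance_name(["binary-linux-amd64"]))
    print(check_build_type(sample))
```

A policy that pinned the old buildType string rejects provenance from this release onward; pass both values in `allowed` while artifacts built with older generator versions are still in circulation.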
Explicit opt-in for private repos
Private repository support was enhanced to require the private-repository input field, as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
  private-repository: true
See #823
Go builder
Support private repos
Support for private repositories was fixed. If using a private repository, you must specify the private-repository input field, as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
  private-repository: true
See #823
New Contributors
- @sethmlarson made their first contribution in #758
- @yunginnanet made their first contribution in #776
- @diogoteles08 made their first contribution in #957
Full Changelog
- doc: release doc typos by @laurentsimon in #589
- Haskell provenance by @mihaimaruseac in #595
- fix: Remove build:id in generic examples by @laurentsimon in #596
- Add provenance for Haskell by @mihaimaruseac in #608
- feat: Share util functions by @laurentsimon in #598
- Add digest input to container docs by @ianlewis in #591
- Fix linter pre-submit by @ianlewis in #333
- Add doc for attestation-name by @ianlewis in #618
- Update golang.org/x/oauth2 digest to 128564f by @renovate-bot in #620
- Add links to milestones as a roadmap by @ianlewis in #612
- Update typos and formatting in RELEASE.md by @ianlewis in #518
- Remove legacy env vars by @ianlewis in #616
- Update github-actions by @renovate-bot in #621
- Move computesha256 to typescript by @naveensrinivasan in #546
- Update tags for renovatebot by @laurentsimon in #622
- Update module github.com/sigstore/cosign to v1.10.0 by @renovate-bot in #623
- Fix support for --signature="" by @ianlewis in #615
- Update buildType of generic generator by @ianlewis in #628
- Use a temp dir for cwd in tests by @ianlewis in #633
- Update availability information of builders by @laurentsimon in #635
- Update generic README.md for availability by @laurentsimon in #636
- Update module github.com/slsa-framework/slsa-github-generator to v1.2.0 by @renovate-bot in #624
- Update module github.com/coreos/go-oidc to v3 by @renovate-bot in #485
- Update golang digest to 9349ed8 by @renovate-bot in #557
- Request for membership by @naveensrinivasan in #428
- Fix builder dir in container workflow by @ianlewis in #640
- Included typescript-eslint by @naveensrinivasan in #639
- feat: Group NodeJs update by @laurentsimon in #653
- Update github-actions by @renovate-bot in #648
- Update module github.com/sigstore/rekor to v0.10.0 by @renovate-bot in #650
- Update module github.com/coreos/go-oidc to v2.2.1 by @renovate-bot in #649
- Update dependency prettier to v2.7.1 by @renovate-bot in #647
- Update module github.com/sigstore/sigstore to v1.3.1 by @renovate-bot in #643
- Update github-actions by @renovate-bot in #689
- chore: update verifier to v1.3.0 by @asraa in #718
- Update github-actions by @renovate-bot in #711
- Update github-actions by @renovate-bot in #723
- Update dependency @types/node to v16.11.53 by @renovate-bot in #645
- Update module github.com/sigstore/rekor to v0.11.0 by @renovate-bot in #724
- contents: write is required for the generic builder by @sethmlarson in #758
- docs: fix valid path to dir by @asraa in #717
- bug: fix address for fulcio by @asraa in #760
- Fix permissions in generic workflow doc by @ianlewis in #761
- fix: type in OIDC word by @developer-guy in #774
- Update github-actions by @renovate-bot in #765
- Update README.md by @yunginnanet in #776
- Temporarily disable Run test. by @ianlewis in #772
- Fix log message for tlog upload by @ianlewis in #773
- Rename attestation-name by @ianlewis in #777
- Update dependency @actions/core to v1.9.1 by @renovate-bot in #644
- Update github-actions by @renovate-bot in #785
- Update dependency @vercel/ncc to v0.34.0 by @renovate-bot in #646
- feat: harden checkout by @laurentsimon in #795
- Updated scorecard v2 by @naveensrinivasan in #791
- feat: pin verify action by hash by @laurentsimon in #796
- Refactor Makefiles by @ianlewis in #792
- Add pre-submit to verify base images by @ianlewis in #592
- Runner API by @ianlewis in #632
- Update pwd code in unit-test by @ianlewis in #826
- Remove PWD from provenance env by @ianlewis in #825
- Update module github.com/sigstore/sigstore to v1.4.0 by @renovate-bot in #766
- Update module github.com/sigstore/cosign to v1.11.1 by @renovate-bot in #690
- Update dependency eslint to v8.23.0 by @renovate-bot in #691
- Update gcr.io/distroless/static Docker digest to f4787e8 by @renovate-bot in #838
- Update github-actions by @renovate-bot in #839
- Update golang.org/x/oauth2 digest to f213421 by @renovate-bot in #841
- Update dependency @types/node to v16.11.58 by @renovate-bot in #842
- Update module github.com/google/go-cmp to v0.5.9 by @renovate-bot in #843
- Update typescript-eslint monorepo to v5.36.2 by @renovate-bot in #693
- Add privacy-check action by @ianlewis in #836
- Add call to privacy check to workflows by @ianlewis in #850
- Remove contents:read from privacy-check by @ianlewis in #855
- [docs] Verifying provenance with kyverno by @ianlewis in #853
- Updated README.md to include Scorecard badge by @naveensrinivasan in #870
- Update typescript-eslint monorepo to v5.37.0 by @renovate-bot in #869
- Update dependency @types/node to v16.11.59 by @renovate-bot in #862
- Pin dependencies by @renovate-bot in #861
- Update dependency eslint to v8.23.1 by @renovate-bot in #866
- Check result of dist and checkout pre-submits by @ianlewis in #887
- Update dependency typescript to v4.8.3 by @renovate-bot in #867
- Add example of using cosign and cue policy by @ianlewis in #902
- Add OpenSSF best practices badge by @ianlewis in #891
- feat: add log when verify-checkout fails by @laurentsimon in #905
- feat: Add npm builder workflow by @laurentsimon in #881
- Log the GitHub context by @laurentsimon in #913
- fix: verify-checkout uses wrong sha to validate for pull_requests by @laurentsimon in #941
- update verifier version in actions by @asraa in #945
- Update READMEs to clarify that SLSA generators and builders must be referred by tag by @diogoteles08 in #957
- Update module github.com/sigstore/rekor to v0.12.0 by @renovate-bot in #844
- chore(deps): update dependency @types/node to v16.11.64 by @renovate-bot in #906
- fix(deps): update module github.com/sigstore/sigstore to v1.4.2 by @renovate-bot in #865
- fix(deps): update dependency @actions/github to v5.1.1 by @renovate-bot in #907
- chore(deps): update dependency eslint to v8.24.0 by @renovate-bot in #908
- chore(deps): update typescript-eslint monorepo to v5.39.0 by @renovate-bot in #910
- chore(deps): update gcr.io/distroless/static docker digest to 7292458 by @renovate-bot in #972
- fix(deps): update golang.org/x/oauth2 digest to b44042a by @renovate-bot in #973
- chore(deps): update dependency typescript to v4.8.4 by @renovate-bot in #979
- fix(deps): update module github.com/sigstore/rekor to v0.12.2 by @renovate-bot in #980
- fix(deps): update module github.com/sigstore/sigstore to v1.4.4 by @renovate-bot in #982
- chore(deps): update dependency eslint to v8.25.0 by @renovate-bot in #983
- fix(deps): update dependency @actions/core to v1.10.0 by @renovate-bot in #986
- Add secure-checkout action by @ianlewis in #971
- Fix input default values by @ianlewis in #991
- Update checkout-(go|node) to use secure-checkout by @ianlewis in #992
- Fix secure-checkout bugs by @ianlewis in #994
- Update secure-checkout by @ianlewis in #995
- Update ref for checkout-go by @ianlewis in #993
- Remove exclude checkout-go|node from presubmit by @ianlewis in #997
- Support ref in secure-checkout by @ianlewis in #1005
- Use ref for secure-checkout by @ianlewis in #1006
- Restore default inputs for checkout-go by @ianlewis in #1007
- fix: fix ref from detect-env in pull_request by @asraa in #1010
- update refs to generate-builder by @asraa in #1009
- Fix token use in secure-checkout by @ianlewis in #1011
- fix: use updated ref for secure-checkout by @asraa in #1046
- fix: update refs for checkout-go by @asraa in #1048
- fix: update refs for checkout-go by @asraa in #1049
- update refs for generate-builder by @asraa in #1050