Update slsa-framework/slsa-github-generator action to v2 #24
This PR contains the following updates:
v1.4.0 -> v2.0.0
Release Notes
slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)
v2.0.0
Compare Source
v2.0.0: Breaking Change: upload-artifact and download-artifact
@v4s of actions/upload-artifact and actions/download-artifact, which are incompatible with the prior @v3. See our docs on the generic generator for more information and how to upgrade.
v2.0.0: Breaking Change: attestation-name Workflow Input and Output
attestation-name as a workflow input to .github/workflows/generator_generic_slsa3.yml is now removed. Use provenance-name instead.
v2.0.0: DSSE Rekor Type
a DSSE Rekor type. This fixes a bug where the current intoto type does not
persist provenance signatures. The attestation will no longer be persisted
in Rekor (#3299)
v1.10.0
Compare Source
Release v1.10.0 includes bug fixes and new features.
See the full change list.
v1.10.0: TUF fix
v1.10.0: Gradle Builder
repository root (#2727)
v1.10.0: Go Builder
go-version-file input was fixed so that it can find the go.mod file (#2661)
v1.10.0: Container Generator
provenance-repository input was added to allow reading provenance from a different container repository than the image itself (#2956)
v1.9.1
Compare Source
This is an un-finalized release.
See the CHANGELOG for details.
v1.9.0
Compare Source
Release v1.9.0 includes bug fixes and new features.
See the full change list.
v1.9.0: BYOB framework (beta)
v1.9.0: Maven builder (beta)
v1.9.0: Gradle builder (beta)
v1.9.0: JReleaser builder
v1.8.0
Compare Source
Release v1.8.0 includes bug fixes and new features.
See the full change list.
v1.8.0: Generic Generator
base64-subjects-as-file was added to allow for specifying a large subject list.
v1.8.0: Node.js Builder (beta)
#2359)
deployment event is not supported.
from .sigstore to .build.slsa in order to make it easier to identify provenance files regardless of file format.
name when using Node 16.
v1.7.0
Compare Source
This release includes the first beta release of the
Container-based builder.
The Container-based builder provides a GitHub Actions reusable workflow that can
be used to invoke a container image with a user-specified command to generate an
artifact and SLSA Build L3 compliant provenance.
v1.7.0: Go builder
go-version-file input was added. This allows you to specify a go.mod file in order to track which version of Go is used for your project.
v1.6.0
Compare Source
This release includes the first beta release of the
Node.js builder.
The Node.js builder provides a GitHub Actions reusable workflow that can be
called to build a Node.js package, generate SLSA Build L3 compliant provenance,
and publish it to the npm registry along with the package.
Summary of changes
Go builder
New Features
prerelease input was added to allow users to create releases marked as prerelease when upload-assets is set to true.
draft-release was added to allow users to create releases marked as draft when upload-assets is set to true.
go-provenance-name added which can be used to retrieve the name of the provenance file generated by the builder.
Generic generator
New Features
draft-release was added to allow users to create releases marked as draft when upload-assets is set to true.
Container generator
The Container Generator was updated to use cosign v2.0.0. No changes to the workflow's inputs or outputs were made.
Changelog since v1.5.0
v1.5.0
Compare Source
Summary of changes
Go builder
New Features
upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
Generic generator
New Features
continue-on-error input was added which, when set to true, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be returned in the outcome output.
upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
Container generator
New Features
continue-on-error input was added which, when set to true, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be returned in the outcome output.
repository-username secret input was added to allow users to pass their repository username that is stored in a GitHub Actions encrypted secret. This secret input should only be used for high-entropy registry username values such as AWS Access Key.
gcp-workload-identity-provider and gcp-service-account inputs
Changelog since v1.4.0
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.