Comparing changes

base repository: slsa-framework/slsa-verifier
base: v2.4.1
head repository: slsa-framework/slsa-verifier
compare: v2.5.1
  • 15 commits
  • 104 files changed
  • 6 contributors

Commits on Nov 8, 2023

  1. feat: Digest for new release (#722)

    #label:release v2.4.1
    
    How to LGTM this PR:
    
    Ensure you have installed the GitHub client from https://cli.github.com.
    If it is not installed in your `PATH`, set `export GH=/path/to/your/gh`
    
    Set your `export GH_TOKEN=...`
    
    Use the [verify-release.sh](./verify-release.sh) script in this repository:
    ```
    bash verify-release.sh v2.4.1
    ```
    
    Once it completes, you will see the last line `Verifying artifact
    /tmp/tmp.SomeRanDOm/` and do:
    ```bash
    sha256sum /tmp/tmp.SomeRanDOm/* | grep -v intoto
    ```
    
    This will print out the hashes. Compare them to the changes in this PR
    
    ---------
    
    Signed-off-by: laurentsimon <[email protected]>
    laurentsimon authored Nov 8, 2023
    Commit e986dfc

Commits on Dec 1, 2023

  1. chore(deps): update github-actions (#695)

    [![Mend
    Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)
    
    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` |
    | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` |
    | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` |
    | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` |
    | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` |
    | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` |
    | [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` |
    | [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` |
    
    ---
    
    ### ⚠ Dependency Lookup Warnings ⚠
    
    Warnings were logged while processing this repo. Please check the
    Dependency Dashboard for more information.
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>actions/checkout (actions/checkout)</summary>
    
    ###
    [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360)
    
    [Compare
    Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0)
    
    - [Fix: Mark test scripts with Bash'isms to be run via
    Bash](https://togithub.com/actions/checkout/pull/1377)
    - [Add option to fetch tags even if fetch-depth >
    0](https://togithub.com/actions/checkout/pull/579)
    
    </details>
    
    <details>
    <summary>actions/dependency-review-action
    (actions/dependency-review-action)</summary>
    
    ###
    [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0):
    3.1.0
    
    [Compare
    Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)
    
    #### What's New
    
    Added support for dependencies submitted through the [dependency
    submission
    API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
    This includes two new configuration parameters:
    `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.
    
    #### What's Changed
    
    - Fix(docs): Correct action input name by
    [@&#8203;oerd](https://togithub.com/oerd) in
    [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)
    
    #### New Contributors
    
    - [@&#8203;oerd](https://togithub.com/oerd) made their first
    contribution in
    [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)
    
    **Full Changelog**:
    actions/dependency-review-action@v3...v3.1.0
    
    ###
    [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8):
    3.0.8
    
    [Compare
    Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)
    
    #### What's Changed
    
    Added `on-failure` option to `comment-summary-in-pr` setting by
    [@&#8203;sgmurphy](https://togithub.com/sgmurphy) in
    [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)
    
    Previous configuration files using `true`/`false` for
    `comment-summary-in-pr` will be mapped automatically to the new values,
    but we encourage you to update to `always`/`on-failure`/`never`.
    
    #### New Contributors
    
    - [@&#8203;sgmurphy](https://togithub.com/sgmurphy) made their first
    contribution in
    [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)
    
    **Full Changelog**:
    actions/dependency-review-action@v3...v3.0.8
    
    </details>
    
    <details>
    <summary>actions/setup-node (actions/setup-node)</summary>
    
    ###
    [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1)
    
    [Compare
    Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1)
    
    #### What's Changed
    
    In scope of this release, the filter was removed within the cache-save
    step by [@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov)
    in
    [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831).
    It is filtered and checked in the toolkit/cache library.
    
    **Full Changelog**:
    actions/setup-node@v3...v3.8.1
    
    </details>
    
    <details>
    <summary>actions/upload-artifact (actions/upload-artifact)</summary>
    
    ###
    [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3)
    
    [Compare
    Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)
    
    #### What's Changed
    
    - chore(github): remove trailing whitespaces by
    [@&#8203;ljmf00](https://togithub.com/ljmf00) in
    [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313)
    - Bump [@&#8203;actions/artifact](https://togithub.com/actions/artifact)
    version to v1.1.2 by
    [@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
    [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436)
    
    **Full Changelog**:
    actions/upload-artifact@v3...v3.1.3
    
    </details>
    
    <details>
    <summary>github/codeql-action (github/codeql-action)</summary>
    
    ###
    [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)
    
    [Compare
    Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)
    
    ###
    [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)
    
    [Compare
    Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)
    
    ###
    [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)
    
    [Compare
    Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)
    
    ###
    [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)
    
    [Compare
    Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)
    
    ###
    [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)
    
    [Compare
    Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)
    
    ###
    [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)
    
    [Compare
    Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)
    
    ###
    [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)
    
    [Compare
    Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)
    
    </details>
    
    <details>
    <summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
    
    ###
    [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0)
    
    [Compare
    Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)
    
    #### What's Changed
    
    - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
    by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
    [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270)
    - For a full changelist of what this includes, see the
    [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and
    [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0)
    release notes
    - ✨ Send rekor tlog index to webapp when publishing results by
    [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
    [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169)
    - 🐛 Prevent url clipping for GHES instances by
    [@&#8203;rajbos](https://togithub.com/rajbos) in
    [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225)
    
    ##### Documentation
    
    - 📖 Update access rights needed to see the results in code scanning
    by [@&#8203;rajbos](https://togithub.com/rajbos) in
    [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229)
    - 📖 Add package comments. by
    [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
    [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221)
    - 📖 Add SECURITY.md file by
    [@&#8203;david-a-wheeler](https://togithub.com/david-a-wheeler) in
    [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
    - 📖 Fix typo in token input docs by
    [@&#8203;aabouzaid](https://togithub.com/aabouzaid) in
    [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)
    
    #### New Contributors
    
    - [@&#8203;david-a-wheeler](https://togithub.com/david-a-wheeler) made
    their first contribution in
    [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
    - [@&#8203;aabouzaid](https://togithub.com/aabouzaid) made their first
    contribution in
    [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)
    
    **Full Changelog**:
    ossf/scorecard-action@v2.2.0...v2.3.0
    
    </details>
    
    <details>
    <summary>slsa-framework/slsa-github-generator
    (slsa-framework/slsa-github-generator)</summary>
    
    ###
    [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190)
    
    [Compare
    Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0)
    
    Release \[v1.9.0] includes bug fixes and new features.
    
    See the [full change
    list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0).
    
    ##### v1.9.0: BYOB framework (beta)
    
    - **New**: A [new
    framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md)
    to turn GitHub Actions into SLSA compliant builders.
    
    ##### v1.9.0: Maven builder (beta)
    
    - **New**: A [Maven
    builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven)
    to build Java projects and publish to Maven central.
    
    ##### v1.9.0: Gradle builder (beta)
    
    - **New**: A [Gradle
    builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle)
    to build Java projects and publish to Maven central.
    
    ##### v1.9.0: JReleaser builder
    
    - **New**: A [JReleaser
    builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java)
    that wraps the official [JReleaser
    Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java).
    
    </details>
    
    <details>
    <summary>slsa-framework/slsa-verifier
    (slsa-framework/slsa-verifier)</summary>
    
    ###
    [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)
    
    [Compare
    Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0)
    
    #### Summary
    
    Support for BYOB-based builders released in
    https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0
    
    #### What's Changed
    
    - chore: Update SHA256SUM.md for v2.3.0 by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592)
    - docs: Make npm package version and name non-optional by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591)
    - docs: npm provenance verification from GitHub runner by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595)
    - chore(deps): update dependency
    [@&#8203;types/node](https://togithub.com/types/node) to v18.16.9 by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596)
    - chore(deps): update github-actions by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597)
    - chore(deps): update dependency jasmine to v5 by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598)
    - feat: BYOB verification support by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604)
    - feat: Support for v1.0 verification in BYOB by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609)
    - feat: Use env variable to retrieve trigger workflow by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615)
    - test: Add test data for v1.6.0 by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612)
    - fix: Verify the TRW tag is a semver tag by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619)
    - chore: Don't be verbose with tests locally by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620)
    - fix: use ExternalParameters\["source"] for the Source URI for SLSA
    v1.0 provenance by [@&#8203;asraa](https://togithub.com/asraa) in
    [https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621)
    - test: re-generate container-based tests by
    [@&#8203;asraa](https://togithub.com/asraa) in
    [https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627)
    - fix: revert to using resolvedDepdendencies for source verification by
    [@&#8203;asraa](https://togithub.com/asraa) in
    [https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629)
    - refactor: Provenance tests by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628)
    - fix(deps): update module github.com/sigstore/rekor to v1.2.0
    \[security] by [@&#8203;renovate-bot](https://togithub.com/renovate-bot)
    in
    [https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622)
    - fix: only allow hashes of 256 bits or more by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633)
    - fix: builder ID verification for testing by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635)
    - feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance
    format by [@&#8203;asraa](https://togithub.com/asraa) in
    [https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634)
    - chore: update toc in README.md by
    [@&#8203;asraa](https://togithub.com/asraa) in
    [https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636)
    - fix: allow workflow_dispatch to trigger release.yml by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637)
    - test: add tests for v1.7.0 builders by
    [@&#8203;asraa](https://togithub.com/asraa) in
    [https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638)
    - chore(deps): update github-actions by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607)
    - chore(deps): update gcr.io/distroless/base:nonroot docker digest to
    [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859)
    by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567)
    - fix(deps): update github.com/sigstore/protobuf-specs digest to
    [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406)
    by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606)
    - chore(deps): update npm dev by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608)
    - chore(deps): update golang:1.19 docker digest to
    [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84)
    by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583)
    - feat: Verify provenance by build type by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632)
    - refactor: Use Go 1.20 by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643)
    - test: Add more ProvenanceFromEnvelope tests by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640)
    - fix: pre-submit: e2e-cli.sh artifact download by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646)
    - refactor: Add more git utils by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645)
    - refactor: Use full builder id by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648)
    - feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644)
    - chore(deps): update github-actions by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651)
    - feat: move maven-plugin from slsa-github-generator by
    [@&#8203;AdamKorcz](https://togithub.com/AdamKorcz) in
    [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664)
    - docs: Fix maven-plugin README by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671)
    - feat: Verification for when sha1 is specified in BYOB TRW by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641)
    - docs: Add example for maven verification plugin by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676)
    - chore: Add Kris to codeowners by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678)
    - feat: Print byob builder by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677)
    - test: Add test data for v1.8.0 by
    [@&#8203;ianlewis](https://togithub.com/ianlewis) in
    [https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681)
    - chore(deps): update github-actions by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666)
    - feat: Non-compulsory BuilderID for BYOB Builders by
    [@&#8203;enteraga6](https://togithub.com/enteraga6) in
    [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674)
    - chore(deps): update golang docker tag to v1.21 by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687)
    - chore(deps): update github-actions by
    [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
    [https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686)
    - feat: GCB refactor for v1.0 support by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682)
    - feat: Allow byob builders ref at main for e2e tests by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689)
    - feat: Update doc and code for Maven plugin by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680)
    - feat: gcb v1.0 support by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691)
    - feat: v1.9.0 regression tests by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696)
    - fix: release failure by
    [@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
    [https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697)
    
    #### New Contributors
    
    - [@&#8203;AdamKorcz](https://togithub.com/AdamKorcz) made their first
    contribution in
    [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664)
    - [@&#8203;enteraga6](https://togithub.com/enteraga6) made their first
    contribution in
    [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674)
    
    **Full Changelog**:
    v2.3.0...v2.4.0
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
    any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
    
    Signed-off-by: Mend Renovate <[email protected]>
    Co-authored-by: laurentsimon <[email protected]>
    renovate-bot and laurentsimon authored Dec 1, 2023
    Commit b72da83

Commits on Dec 5, 2023

  1. Commit fcc8bf3

Commits on Jan 3, 2024

  1. chore: Fix renovate.json (#727)

    Should fix #726
    
    Signed-off-by: laurentsimon <[email protected]>
    laurentsimon authored Jan 3, 2024
    Commit eecb791
  2. chore: Remove asraa from CODEOWNERS (#728)

    Signed-off-by: laurentsimon <[email protected]>
    laurentsimon authored Jan 3, 2024
    Commit e77e085

Commits on Jan 4, 2024

  1. feat: Add cosign registry opts for provenance registry (#729)

    triggered on specification of COSIGN_REPOSITORY env
    
    ---------
    
    Signed-off-by: saisatishkarra <[email protected]>
    Signed-off-by: laurentsimon <[email protected]>
    Co-authored-by: laurentsimon <[email protected]>
    saisatishkarra and laurentsimon authored Jan 4, 2024
    Commit f09d99f

Commits on Jan 16, 2024

  1. chore: Remove ianlewis from CODEOWNERS (#732)

    I'm not really contributing to slsa-verifier anymore.
    
    Signed-off-by: Ian Lewis <[email protected]>
    Ian Lewis authored Jan 16, 2024
    Commit b804933

Commits on Jan 17, 2024

  1. fix: #642: don't use go-cmp for outputting diff (#737)

    Previously we used the go-cmp's Diff for displaying a human-friendly
    diff between two structs in an error message.
    
    I had intended to do a json print of the structs and do a line-by-line
    diff. There is an internal library for calculating text diff, but I
    don't see any external functions that expose it to make it available for
    our use: https://pkg.go.dev/golang.org/x/tools/internal/diff
    
    Instead, we will simply display both structs in their own "actual"
    and "expected" sections. The user can use their other tools to find a
    human-friendly diff.
    
    Signed-off-by: Ramon Petgrave <[email protected]>
    ramonpetgrave64 authored Jan 17, 2024
    Configuration menu
    Copy the full SHA
    ceaebee View commit details
    Browse the repository at this point in the history

Commits on Jan 22, 2024

  1. feat: fixes #724: add input for --provenance-repository while image verification (#736)
    
    @laurentsimon Added a new image verification cmd input
    `--provenance-repository`
    This replicates the feature of the `COSIGN_REPOSITORY` environment
    variable when provenance is stored in a different repository/registry
    
    Order of precedence:
    - If input `--provenance-repository` is set, leverages the non-empty
    input value
    - If the env variable `COSIGN_REPOSITORY` is set, it is NOT consumed
    
    README edit:
    https://github.com/slsa-framework/slsa-verifier/pull/736/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R280
    
    ---------
    
    Signed-off-by: saisatishkarra <[email protected]>
    Co-authored-by: laurentsimon <[email protected]>
    saisatishkarra and laurentsimon authored Jan 22, 2024
    Commit 9b2467f

Commits on Jan 24, 2024

  1. fix(deps): update go to 1.21 (#738)

    Fixing the existing PR #498 to also change the github actions to use
    the go 1.21 sourced directly from `go.mod`.

    - https://github.com/slsa-framework/slsa-github-generator/blob/07e64b653f10a80b6510f4568f685f8b7b9ea830/.github/workflows/builder_go_slsa3.yml#L56
    - https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file
    - https://github.com/slsa-framework/slsa-verifier/actions/runs/7559933600/job/20584856777?pr=498
    
    
    > ...
    Error: We were unable to automatically build your code. Please replace
    the call to the autobuild action with your custom build steps.
    Encountered a fatal error while running
    "/opt/hostedtoolcache/CodeQL/2.15.5/x64/codeql/go/tools/autobuild.sh".
    Exit code was 1 and error was: 2024/01/17 18:06:58 Autobuilder was built
    with go1.21.5, environment has go1.20.12
    ...
    
    Also fixing some more lint checks about repeated strings
    
    ---------
    
    Signed-off-by: Mend Renovate <[email protected]>
    Signed-off-by: Ramon Petgrave <[email protected]>
    Co-authored-by: Mend Renovate <[email protected]>
    ramonpetgrave64 and renovate-bot authored Jan 24, 2024
    Commit 74119b2
  2. fix(deps): update go (#498)

    This PR contains the following updates:
    
    | Package | Change | Age | Adoption | Passing | Confidence |
    |---|---|---|---|---|---|
    | [github.com/go-openapi/runtime](https://togithub.com/go-openapi/runtime) | `v0.26.2` -> `v0.27.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-openapi%2fruntime/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgo-openapi%2fruntime/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgo-openapi%2fruntime/v0.26.2/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-openapi%2fruntime/v0.26.2/v0.27.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
    | [github.com/go-openapi/swag](https://togithub.com/go-openapi/swag) | `v0.22.7` -> `v0.22.8` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-openapi%2fswag/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgo-openapi%2fswag/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgo-openapi%2fswag/v0.22.7/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-openapi%2fswag/v0.22.7/v0.22.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) |
    
    ---
    
    > [!WARNING]
    > Some dependencies could not be looked up. Check the Dependency
    Dashboard for more information.
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>go-openapi/runtime (github.com/go-openapi/runtime)</summary>
    
    ### [`v0.27.0`](https://togithub.com/go-openapi/runtime/compare/v0.26.2...v0.27.0)

    [Compare Source](https://togithub.com/go-openapi/runtime/compare/v0.26.2...v0.27.0)
    
    </details>
    
    <details>
    <summary>go-openapi/swag (github.com/go-openapi/swag)</summary>
    
    ### [`v0.22.8`](https://togithub.com/go-openapi/swag/compare/v0.22.7...v0.22.8)

    [Compare Source](https://togithub.com/go-openapi/swag/compare/v0.22.7...v0.22.8)
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 4am on the first day of the
    month" (UTC), Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
    
    Signed-off-by: Mend Renovate <[email protected]>
    renovate-bot authored Jan 24, 2024
    Commit bb41cb6

Commits on Mar 4, 2024

  1. feat: Add support for DSSE Rekor type (#742)

    This is in preparation for switching over the Rekor entry type in the
    slsa github generator to be the newer DSSE type. This adds support for
    searching for both intoto v001 and dsse v001 entries.
    
    Signed-off-by: Hayden Blauzvern <[email protected]>
    haydentherapper authored Mar 4, 2024
    Commit 52c099b

Commits on Mar 21, 2024

  1. feat: Regression tests for builder v1.10.0 (#745)

    We need the pre-submit to pass. Merging can happen after the builder
    release
    
    ---------
    
    Signed-off-by: laurentsimon <[email protected]>
    laurentsimon authored Mar 21, 2024
    Commit dc7173b

Commits on Mar 22, 2024

  1. chore(deps): update github-actions (#741)

    This PR contains the following updates:
    
    | Package | Type | Update | Change |
    |---|---|---|---|
    | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | patch | `v3.1.0` -> `v3.1.5` |
    | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.1` -> `v3.8.2` |
    | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.22.1` -> `v2.24.8` |
    | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | patch | `v2.3.0` -> `v2.3.1` |
    | [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.9.0` -> `v1.10.0` |
    | [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | patch | `v2.4.0` -> `v2.4.1` |
    
    ---
    
    > [!WARNING]
    > Some dependencies could not be looked up. Check the Dependency
    Dashboard for more information.
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>actions/dependency-review-action
    (actions/dependency-review-action)</summary>
    
    ### [`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5): 3.1.5

    [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)
    
    #### What's Changed
    
    - Smaller `per_page` when requesting diff by
    [@hmaurer](https://togithub.com/hmaurer) in
    [https://github.com/actions/dependency-review-action/pull/649](https://togithub.com/actions/dependency-review-action/pull/649)
    - Update dependencies:
    - Bump
    [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser)
    from 6.10.0 to 6.13.1 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/630](https://togithub.com/actions/dependency-review-action/pull/630)
    - Bump prettier from 3.0.3 to 3.1.0 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/629](https://togithub.com/actions/dependency-review-action/pull/629)
    - Bump [@types/jest](https://togithub.com/types/jest) from 29.5.8
    to 29.5.11 by [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/637](https://togithub.com/actions/dependency-review-action/pull/637)
    - Bump nodemon from 3.0.1 to 3.0.2 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/636](https://togithub.com/actions/dependency-review-action/pull/636)
    - Replace pip -> pypi in PURL examples by
    [@febuiles](https://togithub.com/febuiles) in
    [https://github.com/actions/dependency-review-action/pull/638](https://togithub.com/actions/dependency-review-action/pull/638)
    - Bump
    [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin)
    from 6.12.0 to 6.15.0 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/644](https://togithub.com/actions/dependency-review-action/pull/644)
    - Bump eslint from 8.53.0 to 8.56.0 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/640](https://togithub.com/actions/dependency-review-action/pull/640)
    - Bump
    [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser)
    from 6.13.1 to 6.16.0 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/645](https://togithub.com/actions/dependency-review-action/pull/645)
    - Bump prettier from 3.1.0 to 3.1.1 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/646](https://togithub.com/actions/dependency-review-action/pull/646)
    
    **Full Changelog**:
    actions/dependency-review-action@v3.1.4...v3.1.5
    
    ### [`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4): 3.1.4

    [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)
    
    #### What's Changed
    
    - Fixed a
    [bug](https://togithub.com/actions/dependency-review-action/issues/618)
    with severity filtering when using the `allow_ghsas` option:
    [https://github.com/actions/dependency-review-action/pull/623](https://togithub.com/actions/dependency-review-action/pull/623).
    
    -   Updates dependencies:
    - Bump [@types/node](https://togithub.com/types/node) from
    16.18.61 to 16.18.62 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/619](https://togithub.com/actions/dependency-review-action/pull/619)
            action/pull/620
    - Bump
    [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin)
    from 6.11.0 to 6.12.0 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/625](https://togithub.com/actions/dependency-review-action/pull/625)
    - Bump typescript from 5.2.2 to 5.3.2 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/dependency-review-action/pull/624](https://togithub.com/actions/dependency-review-action/pull/624)
    
    **Full Changelog**:
    actions/dependency-review-action@v3...v3.1.4
    
    ### [`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3): 3.1.3

    [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)
    
    #### What's Changed
    
    - Fixes purl "version must be percent-encoded" by
    [@theztefan](https://togithub.com/theztefan) in
    [https://github.com/actions/dependency-review-action/pull/617](https://togithub.com/actions/dependency-review-action/pull/617)
    
    **Full Changelog**:
    actions/dependency-review-action@v3...v3.1.3
    
    ### [`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2): 3.1.2

    [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)
    
    #### What's Changed
    
    - Fix a regression for setups using self-hosted runners behind HTTP
    proxies: [@febuiles](https://togithub.com/febuiles) in
    [https://github.com/actions/dependency-review-action/pull/611](https://togithub.com/actions/dependency-review-action/pull/611)
    
    **Full Changelog**:
    actions/dependency-review-action@v3...v3.1.2
    
    ### [`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1): 3.1.1

    [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)
    
    #### What's Changed
    
    - Update a bunch of dependencies, including major version upgrades for
    `octokit`, `@actions/github` and `typescript`.
    
    **Full Changelog**:
    actions/dependency-review-action@v3.1.0...v3.1.1
    
    </details>
    
    <details>
    <summary>actions/setup-node (actions/setup-node)</summary>
    
    ### [`v3.8.2`](https://togithub.com/actions/setup-node/releases/tag/v3.8.2)

    [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.1...v3.8.2)
    
    ##### What's Changed
    
    - Update semver by
    [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in
    [https://github.com/actions/setup-node/pull/861](https://togithub.com/actions/setup-node/pull/861)
    - Update temp directory creation by
    [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
    [https://github.com/actions/setup-node/pull/859](https://togithub.com/actions/setup-node/pull/859)
    - Bump [@babel/traverse](https://togithub.com/babel/traverse)
    from 7.15.4 to 7.23.2 by
    [@dependabot](https://togithub.com/dependabot) in
    [https://github.com/actions/setup-node/pull/870](https://togithub.com/actions/setup-node/pull/870)
    - Add notice about binaries not being updated yet by
    [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
    [https://github.com/actions/setup-node/pull/872](https://togithub.com/actions/setup-node/pull/872)
    - Update toolkit cache and core by
    [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) and
    [@seongwon-privatenote](https://togithub.com/seongwon-privatenote)
    in
    [https://github.com/actions/setup-node/pull/875](https://togithub.com/actions/setup-node/pull/875)
    
    **Full Changelog**:
    actions/setup-node@v3...v3.8.2
    
    </details>
    
    <details>
    <summary>github/codeql-action (github/codeql-action)</summary>
    
    ### [`v2.24.8`](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8)

    ### [`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7)

    ### [`v2.24.6`](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6)

    ### [`v2.24.5`](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5)

    ### [`v2.24.4`](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4)

    ### [`v2.24.3`](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3)

    ### [`v2.24.2`](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2)

    ### [`v2.24.1`](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1)

    ### [`v2.24.0`](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0)

    ### [`v2.23.2`](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2)

    ### [`v2.23.1`](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1)

    ### [`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0)

    ### [`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12)

    ### [`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11)

    ### [`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10)

    ### [`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9)

    ### [`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8)

    ### [`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7)

    ### [`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6)

    ### [`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5)

    ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4)

    ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3)

    ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2)

    [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2)
    
    </details>
    
    <details>
    <summary>ossf/scorecard-action (ossf/scorecard-action)</summary>
    
    ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1)

    [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)
    
    #### What's Changed
    
    - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
    by [@spencerschrock](https://togithub.com/spencerschrock) in
    [https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282)
    - Adds additional Fuzzing detection and fixes a SAST bug related to
    detecting CodeQL. For a full changelist of what this includes, see the
    [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1)
    release notes
    
    **Full Changelog**:
    ossf/scorecard-action@v2.3.0...v2.3.1
    
    </details>
    
    <details>
    <summary>slsa-framework/slsa-github-generator
    (slsa-framework/slsa-github-generator)</summary>
    
    ### [`v1.10.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100)

    [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0)
    
    Release \[v1.10.0] includes bug fixes and new features.
    
    See the [full change
    list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0).
    
    ##### v1.10.0: TUF fix
    
    - The cosign TUF roots were fixed
    ([#3350](https://togithub.com/slsa-framework/slsa-github-generator/issues/3350)).
    More details
    [here](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid).
    
    ##### v1.10.0: Gradle Builder
    
    - The Gradle Builder was fixed when the project root is the same as the
    repository root
    ([#2727](https://togithub.com/slsa-framework/slsa-github-generator/issues/2727))
    
    ##### v1.10.0: Go Builder
    
    - The `go-version-file` input was fixed so that it can find the `go.mod`
    file
    ([#2661](https://togithub.com/slsa-framework/slsa-github-generator/issues/2661))
    
    ##### v1.10.0: Container Generator
    
    - A new `provenance-repository` input was added to allow reading
    provenance from
    a different container repository than the image itself
    ([#2956](https://togithub.com/slsa-framework/slsa-github-generator/issues/2956))
    
    ### [`v1.9.1`](https://togithub.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1)

    [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1)
    
    **This is an un-finalized release.**
    
    See the [CHANGELOG](./CHANGELOG.md) for details.
    
    </details>
    
    <details>
    <summary>slsa-framework/slsa-verifier
    (slsa-framework/slsa-verifier)</summary>
    
    ### [`v2.4.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.1)

    [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1)
    
    #### What's Changed
    
    - Fix a verification issue when verifying npm's publish attestations -
    Low severity
    GHSA-r2xv-vpr2-42m9.
    This part of the code remains *experimental*.
    
    #### New Contributors
    
    - [@trishankatdatadog](https://togithub.com/trishankatdatadog)
    made their first contribution in
    [https://github.com/slsa-framework/slsa-verifier/pull/702](https://togithub.com/slsa-framework/slsa-verifier/pull/702)
    
    **Full Changelog**:
    v2.4.0...v2.4.1
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: Branch creation - "before 4am on the first day of the
    month" (UTC), Automerge - At any time (no schedule defined).
    
    🚦 **Automerge**: Disabled by config. Please merge this manually once you
    are satisfied.
    
    ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
    rebase/retry checkbox.
    
    👻 **Immortal**: This PR will be recreated if closed unmerged. Get
    [config help](https://togithub.com/renovatebot/renovate/discussions) if
    that's undesired.
    
    ---
    
    
    This PR has been generated by [Mend
    Renovate](https://www.mend.io/free-developer-tools/renovate/). View
    repository job log
    [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
    
    Signed-off-by: Mend Renovate <[email protected]>
    renovate-bot authored Mar 22, 2024
    Commit 594b179

Commits on Mar 25, 2024

  1. feat: Update verifier version in GHA installer (#747)

    This is part of the release tests in
    https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#dry-run
    to verify that the Action installer works.
    
    A follow up PR will be sent prior to release to update to `v2.5.0`
    
    ---------
    
    Signed-off-by: laurentsimon <[email protected]>
    laurentsimon authored Mar 25, 2024
    Commit eb70070