Skip to content

Latest commit

 

History

History
553 lines (365 loc) · 26 KB

CHANGELOG.md

File metadata and controls

553 lines (365 loc) · 26 KB

CHANGELOG

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Unreleased: Vars context recorded in provenance

  • Updated: GitHub vars context is now recorded in provenance for the generic and container generators. The vars context cannot affect the build in the Go builder so it is not recorded.

v2.0.0

v2.0.0: Breaking Change: upload-artifact and download-artifact

  • Our workflows now use the new @v4s of actions/upload-artifact and actions/download-artifact, which are incompatiblle with the prior @v3. See Our docs on the generic generator for more information and how to upgrade.

v2.0.0: Breaking Change: attestation-name Workflow Input and Output

  • attestation-name as a workflow input to .github/workflows/generator_generic_slsa3.yml is now removed. Use provenance-name instead.

v2.0.0: DSSE Rekor Type

  • When uploading signed provenance to the log, the entry created in the log is now a DSSE Rekor type. This fixes a bug where the current intoto type does not persist provenance signatures. The attestation will no longer be persisted in Rekor (#3299)

v1.10.0

Release v1.10.0 includes bug fixes and new features.

See the full change list.

v1.10.0: TUF fix

  • The cosign TUF roots were fixed (#3350). More details here.

v1.10.0: Gradle Builder

  • The Gradle Builder was fixed when the project root is the same as the repository root (#2727)

v1.10.0: Go Builder

  • The go-version-file input was fixed so that it can find the go.mod file (#2661)

v1.10.0: Container Generator

  • A new provenance-repository input was added to allow reading provenance from a different container repository than the image itself (#2956)

v1.9.0

Release v1.9.0 includes bug fixes and new features.

See the full change list.

v1.9.0: BYOB framework (beta)

  • New: A new framework to turn GitHub Actions into SLSA compliant builders.

v1.9.0: Maven builder (beta)

  • New: A Maven builder to build Java projects and publish to Maven central.

v1.9.0: Gradle builder (beta)

  • New: A Gradle builder to build Java projects and publish to Maven central.

v1.9.0: JReleaser builder

v1.8.0

Release v1.8.0 includes bug fixes and new features.

See the full change list.

v1.8.0: Generic Generator

v1.8.0: Node.js Builder (beta)

  • Fixed: Publishing for non-scoped packages was fixed (See #2359)
  • Fixed: Documentation was updated to clarify that the GitHub Actions deployment event is not supported.
  • Changed: The file extension for the generated provenance file was changed from .sigstore to .build.slsa in order to make it easier to identify provenance files regardless of file format.
  • Fixed: The publish action was fixed to address an issue with the package name when using Node 16.

v1.7.0

This release includes the first beta release of the Container-based builder. The Container-based builder provides a GitHub Actions reusable workflow that can be used to invoke a container image with a user-specified command to generate an artifact and SLSA Build L3 compliant provenance.

v1.7.0: Go builder

  • Added: A new go-version-file input was added. This allows you to specify a go.mod file in order to track which version of Go is used for your project.

v1.6.0

This release includes the first beta release of the Node.js builder. The Node.js builder provides a GitHub Actions reusable workflow that can be called to build a Node.js package, generate SLSA Build L3 compliant provenance, and publish it to the npm registry along with the package.

Summary of changes

Go builder

New Features
  • A new prerelease input was added to allow users to create releases marked as prerelease when upload-assets is set to true.
  • A new input draft-release was added to allow users to create releases marked as draft when upload-assets is set to true.
  • A new output go-provenance-name added which can be used to retrieve the name of the provenance file generated by the builder.

Generic generator

New Features
  • A new input draft-release was added to allow users to create releases marked as draft when upload-assets is set to true.

Container generator

The Container Generator was updated to use cosign v2.0.0. No changes to the workflow's inputs or outputs were made.

Changelog since v1.5.0

https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0

v1.5.0

Summary of changes

Go builder

New Features
  • A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
  • The environment variables included in provenance output were changed to include only those variables that are specified by the user in the slsa-goreleaser.yml configuration file in order to improve reproducibility. See #822 for more information and background.

Generic generator

New Features
  • A new boolean continue-on-error input was added which, when set to true, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the outcome output.
  • A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.

Container generator

New Features

Changelog since v1.4.0

https://github.com/slsa-framework/slsa-github-generator/compare/v1.4.0...v1.5.0

v1.4.0

What's Changed

This release is the first Generally Available version of the Container Generator workflow. The Container Generator workflow is now considered stable and can be included in your production GitHub Actions workflows

This is also the first release (technically the second) with support for the generally available version of sigstore!! We hope to have fewer issues with sigstore infrastructure moving forward.

Generic Generator

Bug fixes
  1. Allow users of the Generic Generator to generate provenance for artifacts created in a project subdirectory (#1225)

Go Builder

Bug fixes
  1. Allow environment variables to contain '=' characters in the Go builder (#1231)

New Contributors

  • @cfergeau made their first contribution in #1232
  • @DanAlbert made their first contribution in #1239
  • @gal-legit made their first contribution in #1252

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0

v1.4.0-rc.2

*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.

What's Changed

This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows

This is also the first release with support for the generally available version of sigstore!

This release also includes a couple of bug fixes:

  1. Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
  2. Allow environment variables to contain '=' characters in the Go workflow (#1231)

New Contributors

  • @cfergeau made their first contribution in #1232
  • @DanAlbert made their first contribution in #1239
  • @gal-legit made their first contribution in #1252

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.2

v1.4.0-rc.1

*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.

What's Changed

This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows

This is also the first release with support for the generally available version of sigstore!

This release also includes a couple of bug fixes:

  1. Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
  2. Allow environment variables to contain '=' characters in the Go workflow (#1231)

New Contributors

  • @cfergeau made their first contribution in #1232
  • @DanAlbert made their first contribution in #1239
  • @gal-legit made their first contribution in #1252

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.1

v1.4.0-rc.0

This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.

What's Changed

This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows

This is also the first release with support for the generally available version of sigstore!

This release also includes a couple of bug fixes:

  1. Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
  2. Allow environment variables to contain '=' characters in the Go workflow (#1231)

New Contributors

  • @cfergeau made their first contribution in #1232
  • @DanAlbert made their first contribution in #1239
  • @gal-legit made their first contribution in #1252

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.0

v1.2.2

What's Changed

This release fixes issues with signing provenance due to a change in Sigstore TUF root certificates (#1163). This release also includes better handling of transient errors from the Rekor transparency logs.

New Contributors

  • @suzuki-shunsuke made their first contribution in #1061
  • @datosh made their first contribution in #1074
  • @pnacht made their first contribution in #1187
  • @dongheelee92 made their first contribution in #1209

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.1...v1.2.2

v1.2.1

DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #1163. Please upgrade to v1.2.2 or later.

What's Changed

This release fixes an error that occurs on the "Generate Builder" step for various workflows.

FAILED: SLSA verification failed: could not find a matching valid signature entry

See #942

Generic generator

buildType

This release changes the buildType used in provenance created by the generic generator.

The previous value was:

"buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",

The new value is:

"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",

See #627

Provenance file names

Previously the default file name for provenance was attestation.intoto.jsonl. This has been updated to be in line with intoto attestation file naming conventions. The file name now defaults to <artifact filename>.intoto.jsonl if there is a single artifact, or multiple.intoto.jsonl if there are multiple artifacts.

See #654

Explicit opt-in for private repos

Private repository support was enhanced to required the private-repository input field as the repository name will be made public in the public Rekor transparency log.

Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.

with:
  private-repository: true

See #823

Go builder

Support private repos

Support for private repositories was fixed. If using a private repository you must specify the private-repository input field as the repository name will be made public in the public Rekor transparency log.

Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.

with:
  private-repository: true

See #823

New Contributors

  • @sethmlarson made their first contribution in #758
  • @yunginnanet made their first contribution in #776
  • @diogoteles08 made their first contribution in #957

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.0...v1.2.1

v1.2.0

DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #942. Please upgrade to v1.2.2 or later.

What's Changed

Generic generator

The highlight of this release is a new re-usable workflow called the "Generic generator". It lets users build artifacts on their own and generate a provenance that satisfies SLSA provenance 3 requirement. It's perfect to get started with SLSA with minimal changes to an existing build workflow. To use it, check the README.md!

Go builder

No changes.

New Contributors

  • @naveensrinivasan made their first contribution in #352
  • @renovate-bot made their first contribution in #401
  • @rarkins made their first contribution in #489
  • @developer-guy made their first contribution in #497
  • @loosebazooka made their first contribution in #573

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.1.1...v1.2.0

v1.1.1

What's Changed

  • Improve documentation
  • Fix filename issue when resolving it with variables
  • Add support for environment variables in artifact filename

New Contributors

  • @joshuagl made their first contribution in #199
  • @mihaimaruseac made their first contribution in #202
  • @MarkLodato made their first contribution in #312
  • @chipzoller made their first contribution in #354

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.0.0...v1.1.1

v1.0.0

What's Changed

This is the first official release of the generator. The first builder we are releasing is for Golang projects. To learn how to use it, see ./README.md#golang-projects

Contributors

@asraa @ianlewis @MarkLodato @joshuagl @laurentsimon