Pin dependencies #3

Merged
merged 1 commit into from
Aug 11, 2024

renovate[bot]
Contributor

@renovate renovate bot commented Aug 4, 2024

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|---|---|
| actions/checkout | action | pinDigest | -> 692973e | | | | |
| actions/checkout | action | major | v3 -> v4 | age | adoption | passing | confidence |
| actions/setup-go | action | pinDigest | -> 0a12ed9 | | | | |
| actions/setup-go | action | major | v4 -> v5 | age | adoption | passing | confidence |
| actions/setup-node | action | pinDigest | -> 1e60f62 | | | | |
| cpina/github-action-push-to-another-repository | action | pinDigest | -> 07c4d7b | | | | |
| github.com/brianvoe/gofakeit/v7 | require | patch | v7.0.2 -> v7.0.4 | age | adoption | passing | confidence |
| goreleaser/goreleaser-action | action | major | v5 -> v6 | age | adoption | passing | confidence |
| slsa-framework/slsa-github-generator | action | major | v1.4.0 -> v2.0.0 | age | adoption | passing | confidence |

Release Notes

actions/checkout (actions/checkout)

v4

Compare Source

actions/setup-go (actions/setup-go)

v5

Compare Source

brianvoe/gofakeit (github.com/brianvoe/gofakeit/v7)

v7.0.4

Compare Source

v7.0.3

Compare Source

goreleaser/goreleaser-action (goreleaser/goreleaser-action)

v6

Compare Source

slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)

v2.0.0

Compare Source

v2.0.0: Breaking Change: upload-artifact and download-artifact
  • Our workflows now use the new @v4s of actions/upload-artifact and
    actions/download-artifact, which are incompatible with the prior @v3. See
    Our docs on the generic generator
    for more information and how to upgrade.
v2.0.0: Breaking Change: attestation-name Workflow Input and Output
  • attestation-name as a workflow input to
    .github/workflows/generator_generic_slsa3.yml is now removed. Use
    provenance-name instead.
v2.0.0: DSSE Rekor Type
  • When uploading signed provenance to the log, the entry created in the log is now
    a DSSE Rekor type. This fixes a bug where the current intoto type does not
    persist provenance signatures. The attestation will no longer be persisted
    in Rekor (#3299)

v1.10.0

Compare Source

Release v1.10.0 includes bug fixes and new features.

See the full change list.

v1.10.0: TUF fix
  • The cosign TUF roots were fixed (#3350).
    More details here.
v1.10.0: Gradle Builder
  • The Gradle Builder was fixed when the project root is the same as the
    repository root (#2727)
v1.10.0: Go Builder
  • The go-version-file input was fixed so that it can find the go.mod file
    (#2661)
v1.10.0: Container Generator
  • A new provenance-repository input was added to allow reading provenance from
    a different container repository than the image itself (#2956)

v1.9.1

Compare Source

This is an un-finalized release.

See the CHANGELOG for details.

v1.9.0

Compare Source

Release v1.9.0 includes bug fixes and new features.

See the full change list.

v1.9.0: BYOB framework (beta)
  • New: A new framework to turn GitHub Actions into SLSA compliant builders.
v1.9.0: Maven builder (beta)
  • New: A Maven builder to build Java projects and publish to Maven central.
v1.9.0: Gradle builder (beta)
  • New: A Gradle builder to build Java projects and publish to Maven central.
v1.9.0: JReleaser builder

v1.8.0

Compare Source

Release v1.8.0 includes bug fixes and new features.

See the full change list.

v1.8.0: Generic Generator
v1.8.0: Node.js Builder (beta)
  • Fixed: Publishing for non-scoped packages was fixed (See
    #2359)
  • Fixed: Documentation was updated to clarify that the GitHub Actions
    deployment event is not supported.
  • Changed: The file extension for the generated provenance file was changed
    from .sigstore to .build.slsa in order to make it easier to identify
    provenance files regardless of file format.
  • Fixed: The publish action was fixed to address an issue with the package
    name when using Node 16.

v1.7.0

Compare Source

This release includes the first beta release of the
Container-based builder.
The Container-based builder provides a GitHub Actions reusable workflow that can
be used to invoke a container image with a user-specified command to generate an
artifact and SLSA Build L3 compliant provenance.

v1.7.0: Go builder
  • Added: A new
    go-version-file
    input was added. This allows you to specify a go.mod file in order to track
    which version of Go is used for your project.

v1.6.0

Compare Source

This release includes the first beta release of the
Node.js builder.
The Node.js builder provides a GitHub Actions reusable workflow that can be
called to build a Node.js package, generate SLSA Build L3 compliant provenance,
and publish it to the npm registry along with the package.

Summary of changes
Go builder
New Features
  • A new
    prerelease
    input was added to allow users to create releases marked as prerelease when
    upload-assets is set to true.
  • A new input draft-release was added to allow users to create releases marked
    as draft when upload-assets is set to true.
  • A new output go-provenance-name was added which can be used to retrieve the name
    of the provenance file generated by the builder.
Generic generator
New Features
  • A new input draft-release was added to allow users to create releases marked
    as draft when upload-assets is set to true.
Container generator

The Container Generator was updated to use cosign v2.0.0. No changes to the
workflow's inputs or outputs were made.

Changelog since v1.5.0

v1.5.0

Compare Source

Summary of changes
Go builder
New Features
  • A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
  • The environment variables included in provenance output were changed to include only those variables that are specified by the user in the slsa-goreleaser.yml configuration file in order to improve reproducibility. See #822 for more information and background.
Generic generator
New Features
  • A new boolean continue-on-error input was added which, when set to true, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be returned in the outcome output.
  • A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
Container generator
New Features
Changelog since v1.4.0

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@matronator matronator merged commit 43c382d into main Aug 11, 2024
2 of 3 checks passed
@matronator matronator deleted the renovate/all branch August 11, 2024 02:08