Skip to content

Latest commit

 

History

History
428 lines (279 loc) · 20.4 KB

CHANGELOG.md

File metadata and controls

428 lines (279 loc) · 20.4 KB

CHANGELOG

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

1.7.0

This release includes the first beta release of the Container-based builder. The Container-based builder provides a GitHub Actions reusable workflow that can be used to invoke a container image with a user-specified command to generate an artifact and SLSA Build L3 compliant provenance.

1.7.0: Go builder

  • Added: A new go-version-file input was added. This allows you to specify a go.mod file in order to track which version of Go is used for your project.

v1.6.0

This release includes the first beta release of the Node.js builder. The Node.js builder provides a GitHub Actions reusable workflow that can be called to build a Node.js package, generate SLSA Build L3 compliant provenance, and publish it to the npm registry along with the package.

Summary of changes

Go builder

New Features
  • A new prerelease input was added to allow users to create releases marked as prerelease when upload-assets is set to true.
  • A new input draft-release was added to allow users to create releases marked as draft when upload-assets is set to true.
  • A new output go-provenance-name added which can be used to retrieve the name of the provenance file generated by the builder.

Generic generator

New Features
  • A new input draft-release was added to allow users to create releases marked as draft when upload-assets is set to true.

Container generator

The Container Generator was updated to use cosign v2.0.0. No changes to the workflow's inputs or outputs were made.

Changelog since v1.5.0

https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0

v1.5.0

Summary of changes

Go builder

New Features
  • A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
  • The environment variables included in provenance output were changed to include only those variables that are specified by the user in the slsa-goreleaser.yml configuration file in order to improve reproducibility. See #822 for more information and background.

Generic generator

New Features
  • A new boolean continue-on-error input was added which, when set to true, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the outcome output.
  • A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.

Container generator

New Features

Changelog since v1.4.0

https://github.com/slsa-framework/slsa-github-generator/compare/v1.4.0...v1.5.0

v1.4.0

What's Changed

This release is the first Generally Available version of the Container Generator workflow. The Container Generator workflow is now considered stable and can be included in your production GitHub Actions workflows

This is also the first release (technically the second) with support for the generally available version of sigstore!! We hope to have fewer issues with sigstore infrastructure moving forward.

Generic Generator

Bug fixes
  1. Allow users of the Generic Generator to generate provenance for artifacts created in a project subdirectory (#1225)

Go Builder

Bug fixes
  1. Allow environment variables to contain '=' characters in the Go builder (#1231)

New Contributors

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0

v1.4.0-rc.2

*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.

What's Changed

This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows

This is also the first release with support for the generally available version of sigstore!

This release also includes a couple of bug fixes:

  1. Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
  2. Allow environment variables to contain '=' characters in the Go workflow (#1231)

New Contributors

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.2

v1.4.0-rc.1

*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.

What's Changed

This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows

This is also the first release with support for the generally available version of sigstore!

This release also includes a couple of bug fixes:

  1. Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
  2. Allow environment variables to contain '=' characters in the Go workflow (#1231)

New Contributors

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.1

v1.4.0-rc.0

This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.

What's Changed

This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows

This is also the first release with support for the generally available version of sigstore!

This release also includes a couple of bug fixes:

  1. Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
  2. Allow environment variables to contain '=' characters in the Go workflow (#1231)

New Contributors

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.0

v1.2.2

What's Changed

This release fixes issues with signing provenance due to a change in Sigstore TUF root certificates (#1163). This release also includes better handling of transient errors from the Rekor transparency logs.

New Contributors

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.1...v1.2.2

v1.2.1

DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #1163. Please upgrade to v1.2.2 or later.

What's Changed

This release fixes an error that occurs on the "Generate Builder" step for various workflows.

FAILED: SLSA verification failed: could not find a matching valid signature entry

See #942

Generic generator

buildType

This release changes the buildType used in provenance created by the generic generator.

The previous value was:

"buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",

The new value is:

"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",

See #627

Provenance file names

Previously the default file name for provenance was attestation.intoto.jsonl. This has been updated to be in line with intoto attestation file naming conventions. The file name now defaults to <artifact filename>.intoto.jsonl if there is a single artifact, or multiple.intoto.jsonl if there are multiple artifacts.

See #654

Explicit opt-in for private repos

Private repository support was enhanced to required the private-repository input field as the repository name will be made public in the public Rekor transparency log.

Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.

with:
  private-repository: true

See #823

Go builder

Support private repos

Support for private repositories was fixed. If using a private repository you must specify the private-repository input field as the repository name will be made public in the public Rekor transparency log.

Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.

with:
  private-repository: true

See #823

New Contributors

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.0...v1.2.1

v1.2.0

DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #942. Please upgrade to v1.2.2 or later.

What's Changed

Generic generator

The highlight of this release is a new re-usable workflow called the "Generic generator". It lets users build artifacts on their own and generate a provenance that satisfies SLSA provenance 3 requirement. It's perfect to get started with SLSA with minimal changes to an existing build workflow. To use it, check the README.md!

Go builder

No changes.

New Contributors

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.1.1...v1.2.0

v1.1.1

What's Changed

  • Improve documentation
  • Fix filename issue when resolving it with variables
  • Add support for environment variables in artifact filename

New Contributors

Full Changelog

https://github.com/slsa-framework/slsa-github-generator/compare/v1.0.0...v1.1.1

v1.0.0

What's Changed

This is the first official release of the generator. The first builder we are releasing is for Golang projects. To learn how to use it, see ./README.md#golang-projects

Contributors

@asraa @ianlewis @MarkLodato @joshuagl @laurentsimon