- A new
upload-tag-name
input was added to allow users to specify the tag name for the release whenupload-assets
is set totrue
. - The environment variables included in provenance output were changed to include only those variables that are specified by the user in the slsa-goreleaser.yml configuration file in order to improve reproducibility. See #822 for more information and background.
- A new boolean
continue-on-error
input was added which, when set totrue
, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in theoutcome
output. - A new
upload-tag-name
input was added to allow users to specify the tag name for the release whenupload-assets
is set totrue
.
- A new boolean
continue-on-error
input was added which, when set totrue
, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in theoutcome
output. - A new
repository-username
secret input was added to allow users to pass their repository username that is stored in a Github Actions encrypted secret. This secret input should only be used for high-entropy registry username values such as AWS Access Key. - Support was added for authenticating with Google Artifact Registry and Google Container Registry using Workload Identity Federation. Users can use this new feature by using the
gcp-workload-identity-provider
andgcp-service-account
inputs
https://github.com/slsa-framework/slsa-github-generator/compare/v1.4.0...v1.5.0
This release is the first Generally Available version of the Container Generator workflow. The Container Generator workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release (technically the second) with support for the generally available version of sigstore!! We hope to have fewer issues with sigstore infrastructure moving forward.
- Allow users of the Generic Generator to generate provenance for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go builder (#1231)
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0
*_This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release. _
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.2
*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.1
This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
- @cfergeau made their first contribution in #1232
- @DanAlbert made their first contribution in #1239
- @gal-legit made their first contribution in #1252
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.0
This release fixes issues with signing provenance due to a change in Sigstore TUF root certificates (#1163). This release also includes better handling of transient errors from the Rekor transparency logs.
- @suzuki-shunsuke made their first contribution in #1061
- @datosh made their first contribution in #1074
- @pnacht made their first contribution in #1187
- @dongheelee92 made their first contribution in #1209
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.1...v1.2.2
DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #1163. Please upgrade to v1.2.2 or later.
This release fixes an error that occurs on the "Generate Builder" step for various workflows.
FAILED: SLSA verification failed: could not find a matching valid signature entry
See #942
This release changes the buildType
used in provenance created by the generic generator.
The previous value was:
"buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
The new value is:
"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
See #627
Previously the default file name for provenance was attestation.intoto.jsonl
. This has been updated to be in line with intoto attestation file naming conventions. The file name now defaults to <artifact filename>.intoto.jsonl
if there is a single artifact, or multiple.intoto.jsonl
if there are multiple artifacts.
See #654
Private repository support was enhanced to required the private-repository
input field as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
private-repository: true
See #823
Support for private repositories was fixed. If using a private repository you must specify the private-repository
input field as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
private-repository: true
See #823
- @sethmlarson made their first contribution in #758
- @yunginnanet made their first contribution in #776
- @diogoteles08 made their first contribution in #957
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.0...v1.2.1
DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #942. Please upgrade to v1.2.2 or later.
The highlight of this release is a new re-usable workflow called the "Generic generator". It lets users build artifacts on their own and generate a provenance that satisfies SLSA provenance 3 requirement. It's perfect to get started with SLSA with minimal changes to an existing build workflow. To use it, check the README.md!
No changes.
- @naveensrinivasan made their first contribution in #352
- @renovate-bot made their first contribution in #401
- @rarkins made their first contribution in #489
- @developer-guy made their first contribution in #497
- @loosebazooka made their first contribution in #573
https://github.com/slsa-framework/slsa-github-generator/compare/v1.1.1...v1.2.0
- Improve documentation
- Fix filename issue when resolving it with variables
- Add support for environment variables in artifact filename
- @joshuagl made their first contribution in #199
- @mihaimaruseac made their first contribution in #202
- @MarkLodato made their first contribution in #312
- @chipzoller made their first contribution in #354
https://github.com/slsa-framework/slsa-github-generator/compare/v1.0.0...v1.1.1
This is the first official release of the generator. The first builder we are releasing is for Golang projects. To learn how to use it, see ./README.md#golang-projects
@asraa @ianlewis @MarkLodato @joshuagl @laurentsimon