build(deps): bump slsa-framework/slsa-verifier from 2.3.0 to 2.4.0 #769

dependabot · 2023-08-28T06:48:15Z

Bumps slsa-framework/slsa-verifier from 2.3.0 to 2.4.0.

Release notes

Sourced from slsa-framework/slsa-verifier's releases.

v2.4.0

Summary

Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0

What's Changed

chore: Update SHA256SUM.md for v2.3.0 by @ianlewis in slsa-framework/slsa-verifier#592

docs: Make npm package version and name non-optional by @laurentsimon in slsa-framework/slsa-verifier#591

docs: npm provenance verification from GitHub runner by @laurentsimon in slsa-framework/slsa-verifier#595

chore(deps): update dependency @types/node to v18.16.9 by @renovate-bot in slsa-framework/slsa-verifier#596

chore(deps): update github-actions by @renovate-bot in slsa-framework/slsa-verifier#597

chore(deps): update dependency jasmine to v5 by @renovate-bot in slsa-framework/slsa-verifier#598

feat: BYOB verification support by @laurentsimon in slsa-framework/slsa-verifier#604

feat: Support for v1.0 verification in BYOB by @laurentsimon in slsa-framework/slsa-verifier#609

feat: Use env variable to retrieve trigger workflow by @laurentsimon in slsa-framework/slsa-verifier#615

test: Add test data for v1.6.0 by @ianlewis in slsa-framework/slsa-verifier#612

fix: Verify the TRW tag is a semver tag by @laurentsimon in slsa-framework/slsa-verifier#619

chore: Don't be verbose with tests locally by @ianlewis in slsa-framework/slsa-verifier#620

fix: use ExternalParameters["source"] for the Source URI for SLSA v1.0 provenance by @asraa in slsa-framework/slsa-verifier#621

test: re-generate container-based tests by @asraa in slsa-framework/slsa-verifier#627

fix: revert to using resolvedDepdendencies for source verification by @asraa in slsa-framework/slsa-verifier#629

refactor: Provenance tests by @ianlewis in slsa-framework/slsa-verifier#628

fix(deps): update module github.com/sigstore/rekor to v1.2.0 [security] by @renovate-bot in slsa-framework/slsa-verifier#622

fix: only allow hashes of 256 bits or more by @laurentsimon in slsa-framework/slsa-verifier#633

fix: builder ID verification for testing by @ianlewis in slsa-framework/slsa-verifier#635

feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by @asraa in slsa-framework/slsa-verifier#634

chore: update toc in README.md by @asraa in slsa-framework/slsa-verifier#636

fix: allow workflow_dispatch to trigger release.yml by @ianlewis in slsa-framework/slsa-verifier#637

test: add tests for v1.7.0 builders by @asraa in slsa-framework/slsa-verifier#638

chore(deps): update github-actions by @renovate-bot in slsa-framework/slsa-verifier#607

chore(deps): update gcr.io/distroless/base:nonroot docker digest to c623859 by @renovate-bot in slsa-framework/slsa-verifier#567

fix(deps): update github.com/sigstore/protobuf-specs digest to 5ef5406 by @renovate-bot in slsa-framework/slsa-verifier#606

chore(deps): update npm dev by @renovate-bot in slsa-framework/slsa-verifier#608

chore(deps): update golang:1.19 docker digest to 83f9f84 by @renovate-bot in slsa-framework/slsa-verifier#583

feat: Verify provenance by build type by @ianlewis in slsa-framework/slsa-verifier#632

refactor: Use Go 1.20 by @ianlewis in slsa-framework/slsa-verifier#643

test: Add more ProvenanceFromEnvelope tests by @ianlewis in slsa-framework/slsa-verifier#640

fix: pre-submit: e2e-cli.sh artifact download by @ianlewis in slsa-framework/slsa-verifier#646

refactor: Add more git utils by @ianlewis in slsa-framework/slsa-verifier#645

refactor: Use full builder id by @ianlewis in slsa-framework/slsa-verifier#648

feat: Use tags vX.Y.Z-<language> for JReleaser builders by @laurentsimon in slsa-framework/slsa-verifier#644

chore(deps): update github-actions by @renovate-bot in slsa-framework/slsa-verifier#651

feat: move maven-plugin from slsa-github-generator by @AdamKorcz in slsa-framework/slsa-verifier#664

docs: Fix maven-plugin README by @laurentsimon in slsa-framework/slsa-verifier#671

feat: Verification for when sha1 is specified in BYOB TRW by @ianlewis in slsa-framework/slsa-verifier#641

docs: Add example for maven verification plugin by @laurentsimon in slsa-framework/slsa-verifier#676

chore: Add Kris to codeowners by @laurentsimon in slsa-framework/slsa-verifier#678

feat: Print byob builder by @laurentsimon in slsa-framework/slsa-verifier#677

test: Add test data for v1.8.0 by @ianlewis in slsa-framework/slsa-verifier#681

chore(deps): update github-actions by @renovate-bot in slsa-framework/slsa-verifier#666

... (truncated)

Commits

73d1bcb fix: release failure (#697)
80c7d86 feat: v1.9.0 regression tests (#696)
58eede7 feat: gcb v1.0 support (#691)
4b59ce4 feat: Update doc and code for Maven plugin (#680)
2a24d8e feat: Allow byob builders ref at main for e2e tests (#689)
9aef8ff feat: GCB refactor for v1.0 support (#682)
b9a0e6b chore(deps): update github-actions (#686)
9d7646a chore(deps): update golang docker tag to v1.21 (#687)
8bcf1f0 feat: Non-compulsory BuilderID for BYOB Builders (#674)
57e3f65 chore(deps): update github-actions (#666)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.3.0 to 2.4.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](slsa-framework/slsa-verifier@v2.3.0...v2.4.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Aug 28, 2023

jhrozek approved these changes Aug 28, 2023

View reviewed changes

jhrozek merged commit 91ec085 into main Aug 28, 2023
13 checks passed

jhrozek deleted the dependabot/github_actions/slsa-framework/slsa-verifier-2.4.0 branch August 28, 2023 07:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump slsa-framework/slsa-verifier from 2.3.0 to 2.4.0 #769

build(deps): bump slsa-framework/slsa-verifier from 2.3.0 to 2.4.0 #769

dependabot bot commented on behalf of github Aug 28, 2023

build(deps): bump slsa-framework/slsa-verifier from 2.3.0 to 2.4.0 #769

build(deps): bump slsa-framework/slsa-verifier from 2.3.0 to 2.4.0 #769

Conversation

dependabot bot commented on behalf of github Aug 28, 2023

v2.4.0

Summary

What's Changed