build(deps): Bump slsa-framework/slsa-verifier from 2.0.1 to 2.1.0 #3

dependabot · 2023-03-31T13:54:19Z

Bumps slsa-framework/slsa-verifier from 2.0.1 to 2.1.0.

Release notes

Sourced from slsa-framework/slsa-verifier's releases.

v2.1.0

Summary

This release adds support for:

GCB V1's global signing key that uses PAE encoding for signing

Installer Action to install the slsa-verifier in GitHub workflows. See Setup GitHub Action

Verification of multiple artifacts via the CLI

Fixes:

GCB now adds a prefix git+ to their material source URIs. This is fixed in slsa-framework/slsa-verifier#519

This release also includes the following experimental changes:

npm package verification from the public registry via an SLSA_VERIFIER_EXPERIMENTAL=1 flag.

Offline verification using a Sigstore bundle behind the SLSA_VERIFIER_EXPERIMENTAL=1 flag.

What's Changed

feat: scheduled tests for installer Action by @laurentsimon in slsa-framework/slsa-verifier#398

feat: allow version to be empty for Installer tests by @laurentsimon in slsa-framework/slsa-verifier#404

chore: Add CODEOWNERS by @ianlewis in slsa-framework/slsa-verifier#401

docs: update docs for release v2.0.1 by @asraa in slsa-framework/slsa-verifier#403

fix: token permission in Installer scheduled tests by @laurentsimon in slsa-framework/slsa-verifier#407

fix: permissions for script by @laurentsimon in slsa-framework/slsa-verifier#408

fix: installer tests by @laurentsimon in slsa-framework/slsa-verifier#410

ci: Use github.token to create issues by @ianlewis in slsa-framework/slsa-verifier#412

ci: Add regression build tag by @ianlewis in slsa-framework/slsa-verifier#400

feat: Enhance help message by @mihaimaruseac in slsa-framework/slsa-verifier#418

ci: add git sign off to renovate-bot by @asraa in slsa-framework/slsa-verifier#420

feat: Verify all artifacts passed in cmdline by @mihaimaruseac in slsa-framework/slsa-verifier#419

fix: Expect at least one artifact in verification by @mihaimaruseac in slsa-framework/slsa-verifier#426

fix: Use Run instead of RunE to handle usage/errors by @mihaimaruseac in slsa-framework/slsa-verifier#424

fix: fix exit status on command execution errors by @asraa in slsa-framework/slsa-verifier#429

ci: add verifier e2e presubmit that runs CLI at main by @asraa in slsa-framework/slsa-verifier#430

fix: remove accidental checked in binary by @asraa in slsa-framework/slsa-verifier#432

ci: Add large file pre-submit check by @ianlewis in slsa-framework/slsa-verifier#433

ci: fix a deprecation warning by @suzuki-shunsuke in slsa-framework/slsa-verifier#435

chore: release assets for multiple platforms by @suzuki-shunsuke in slsa-framework/slsa-verifier#434

docs: Add instructions for GHA container generator by @ianlewis in slsa-framework/slsa-verifier#438

ci: Add javascript to CodeQL analysis by @ianlewis in slsa-framework/slsa-verifier#413

test: add v1.4.0 build tests for gha_go gha_generic and gha_generic_container by @asraa in slsa-framework/slsa-verifier#439

chore: enable some Go linters by @asraa in slsa-framework/slsa-verifier#456

test: add builder id tests for short form by @asraa in slsa-framework/slsa-verifier#455

ci: Ensure all version references are up-to-date prior to release by @pnacht in slsa-framework/slsa-verifier#447

feat: add experimental offline bundle signature verification by @asraa in slsa-framework/slsa-verifier#457

refactor: generalize provenance out of predicate type info by @asraa in slsa-framework/slsa-verifier#463

feat: add slsa v1?draft provenance experimental support by @asraa in slsa-framework/slsa-verifier#470

feat: support branch and tag from slsa v1 provenance by @asraa in slsa-framework/slsa-verifier#476

fix: use a uniform verifier interface for provenance type by @asraa in slsa-framework/slsa-verifier#478

ci: Add go mod tidy to renovate post update by @ianlewis in slsa-framework/slsa-verifier#484

test: add docker based spport and start adding tests by @asraa in slsa-framework/slsa-verifier#486

test: Add test data for v1.5.0 by @ianlewis in slsa-framework/slsa-verifier#506

feat: npm default runner support by @laurentsimon in slsa-framework/slsa-verifier#495

... (truncated)

Commits

1ed3847 chore(deps): update npm dev (#517)
58786d3 chore: add a file extension ".exe" to Windows artifacts (#527)
20b0642 docs: update installation to cover the Action and to receive updates (#523)
ae38103 feat: verify sourceURI for npm packages (#521)
5a77b25 fix: fix GCB verification with git material source prefix (#519)
47495c7 feat: Update SLSA verifier to support a global signing key for GCB V1 which… ...
9f57e6a chore(deps): update github-actions (#502)
82a1259 feat: npm default runner support (#495)
12910ea test: Add test data for v1.5.0 (#506)
66931c7 chore(deps): update npm dev (#501)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.0.1 to 2.1.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](slsa-framework/slsa-verifier@v2.0.1...v2.1.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies Pull requests that update a dependency file label Mar 31, 2023

IAreKyleW00t merged commit 3a6646d into main Mar 31, 2023
7 checks passed

IAreKyleW00t deleted the dependabot/github_actions/slsa-framework/slsa-verifier-2.1.0 branch March 31, 2023 13:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): Bump slsa-framework/slsa-verifier from 2.0.1 to 2.1.0 #3

build(deps): Bump slsa-framework/slsa-verifier from 2.0.1 to 2.1.0 #3

dependabot bot commented on behalf of github Mar 31, 2023

build(deps): Bump slsa-framework/slsa-verifier from 2.0.1 to 2.1.0 #3

build(deps): Bump slsa-framework/slsa-verifier from 2.0.1 to 2.1.0 #3

Conversation

dependabot bot commented on behalf of github Mar 31, 2023

v2.1.0

Summary

What's Changed