Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: BYOB verification support #604

Merged
merged 6 commits into from
May 23, 2023

Conversation

laurentsimon
Copy link
Contributor

@laurentsimon laurentsimon commented May 19, 2023

closes #601

CLI e2e tests will be tacked as part of #603

Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
@laurentsimon
Copy link
Contributor Author

Copy link
Member

@ianlewis ianlewis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, so I assume that for BYOB that we'll expect the user to always provide the provenance as a sigstore bundle? As it stands you need to provide the full sigstore bundle in order for the verifier to be able to find the rekor entry.

verifiers/utils/structures.go Outdated Show resolved Hide resolved
@ianlewis
Copy link
Member

@ianlewis do you know what's happening with https://github.com/slsa-framework/slsa-verifier/actions/runs/5019866408/jobs/9000799655?pr=604?

You need to add go: 1.18 to the golangci-lint config since you're using generics.
golangci/golangci-lint#2664 (comment)

@laurentsimon
Copy link
Contributor Author

laurentsimon commented May 22, 2023

Ok, so I assume that for BYOB that we'll expect the user to always provide the provenance as a sigstore bundle

For now yes. When we create new BYOB builders and / or migrate our existing ones, I'll update the code.
I have not thought thru the implications of trusting our byob by default...

Signed-off-by: laurentsimon <[email protected]>
@laurentsimon laurentsimon enabled auto-merge (squash) May 22, 2023 15:43
Signed-off-by: laurentsimon <[email protected]>
@laurentsimon
Copy link
Contributor Author

@ianlewis I made the change to use 1.18 go, but still encountering the same problem. Any ideas?

@ianlewis
Copy link
Member

ianlewis commented May 23, 2023

@ianlewis I made the change to use 1.18 go, but still encountering the same problem. Any ideas?

I think they disable checks that don't support generics yet when you set that, but they missed gocritic since I think it's not enabled by default. Let's just update golangci-lint since I think this issue is already fixed.

Signed-off-by: Ian Lewis <[email protected]>
@laurentsimon
Copy link
Contributor Author

@ianlewis I made the change to use 1.18 go, but still encountering the same problem. Any ideas?

I think they disable checks that don't support generics yet when you set that, but they missed gocritic since I think it's not enabled by default. Let's just update golangci-lint since I think this issue is already fixed.

Thanks!

@laurentsimon
Copy link
Contributor Author

@ianlewis I made the change to use 1.18 go, but still encountering the same problem. Any ideas?

I think they disable checks that don't support generics yet when you set that, but they missed gocritic since I think it's not enabled by default. Let's just update golangci-lint since I think this issue is already fixed.

Thanks!

It's now failing with non-wrapping format verb for fmt.Errorf. Use %w to format errors (errorlint). Shall I add a //nolint:errorlint? I don't see what's wrong with the code, ie it's already using %w

@ianlewis
Copy link
Member

ianlewis commented May 23, 2023

It's now failing with non-wrapping format verb for fmt.Errorf. Use %w to format errors (errorlint). Shall I add a //nolint:errorlint? I don't see what's wrong with the code, ie it's already using %w

Yeah, It's complaining because Go 1.20 allows you to wrap multiple errors (aside: which obviates the need to have the wrappableError in the generators). I guess the linter doesn't know we're still using Go 1.18. I added a config to ignore it for now.

@laurentsimon
Copy link
Contributor Author

It's now failing with non-wrapping format verb for fmt.Errorf. Use %w to format errors (errorlint). Shall I add a //nolint:errorlint? I don't see what's wrong with the code, ie it's already using %w

Yeah, It's complaining because Go 1.20 allows you to wrap multiple errors (aside: which obviates the need to have the wrappableError in the generators). I guess the linter doesn't know we're still using Go 1.18. I added a config to ignore it for now.

Thanks. can't wait to use 1.20!

@laurentsimon laurentsimon merged commit bda35e0 into slsa-framework:main May 23, 2023
laurentsimon referenced this pull request Dec 1, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
minor | `v3.5.3` -> `v3.6.0` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | minor | `v3.0.7` -> `v3.1.0` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| patch | `v3.8.0` -> `v3.8.1` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | patch | `v3.1.2` -> `v3.1.3` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | minor | `v2.21.4` -> `v2.22.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | minor | `v2.2.0` -> `v2.3.0` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator)
| action | minor | `v1.8.0` -> `v1.9.0` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier)
| action | minor | `v2.3.0` -> `v2.4.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0)

- [Fix: Mark test scripts with Bash'isms to be run via
Bash](https://togithub.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth >
0](https://togithub.com/actions/checkout/pull/579)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0):
3.1.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by
[@&#8203;oerd](https://togithub.com/oerd) in
[https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)

#### New Contributors

- [@&#8203;oerd](https://togithub.com/oerd) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.0

###
[`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8):
3.0.8

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by
[@&#8203;sgmurphy](https://togithub.com/sgmurphy) in
[https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)

Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@&#8203;sgmurphy](https://togithub.com/sgmurphy) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.8

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1)

#### What's Changed

In scope of this release, the filter was removed within the cache-save
step by [@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov)
in
[https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831).
It is filtered and checked in the toolkit/cache library.

**Full Changelog**:
actions/setup-node@v3...v3.8.1

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)

#### What's Changed

- chore(github): remove trailing whitespaces by
[@&#8203;ljmf00](https://togithub.com/ljmf00) in
[https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313)
- Bump [@&#8203;actions/artifact](https://togithub.com/actions/artifact)
version to v1.1.2 by
[@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436)

**Full Changelog**:
actions/upload-artifact@v3...v3.1.3

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)

###
[`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)

###
[`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)

###
[`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)

###
[`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)

###
[`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)

###
[`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270)
- For a full changelist of what this includes, see the
[v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and
[v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0)
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225)

##### Documentation

- 📖 Update access rights needed to see the results in code scanning
by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by
[@&#8203;david-a-wheeler](https://togithub.com/david-a-wheeler) in
[https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by
[@&#8203;aabouzaid](https://togithub.com/aabouzaid) in
[https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)

#### New Contributors

- [@&#8203;david-a-wheeler](https://togithub.com/david-a-wheeler) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
- [@&#8203;aabouzaid](https://togithub.com/aabouzaid) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)

**Full Changelog**:
ossf/scorecard-action@v2.2.0...v2.3.0

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>

###
[`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190)

[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0)

Release \[v1.9.0] includes bug fixes and new features.

See the [full change
list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0).

##### v1.9.0: BYOB framework (beta)

- **New**: A [new
framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md)
to turn GitHub Actions into SLSA compliant builders.

##### v1.9.0: Maven builder (beta)

- **New**: A [Maven
builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven)
to build Java projects and publish to Maven central.

##### v1.9.0: Gradle builder (beta)

- **New**: A [Gradle
builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle)
to build Java projects and publish to Maven central.

##### v1.9.0: JReleaser builder

- **New**: A [JReleaser
builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java)
that wraps the official [JReleaser
Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java).

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)

[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0)

#### Summary

Support for BYOB-based builders released in
https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0

#### What's Changed

- chore: Update SHA256SUM.md for v2.3.0 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592)
- docs: Make npm package version and name non-optional by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591)
- docs: npm provenance verification from GitHub runner by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595)
- chore(deps): update dependency
[@&#8203;types/node](https://togithub.com/types/node) to v18.16.9 by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597)
- chore(deps): update dependency jasmine to v5 by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598)
- feat: BYOB verification support by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604)
- feat: Support for v1.0 verification in BYOB by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609)
- feat: Use env variable to retrieve trigger workflow by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615)
- test: Add test data for v1.6.0 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612)
- fix: Verify the TRW tag is a semver tag by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619)
- chore: Don't be verbose with tests locally by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620)
- fix: use ExternalParameters\["source"] for the Source URI for SLSA
v1.0 provenance by [@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621)
- test: re-generate container-based tests by
[@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627)
- fix: revert to using resolvedDepdendencies for source verification by
[@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629)
- refactor: Provenance tests by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628)
- fix(deps): update module github.com/sigstore/rekor to v1.2.0
\[security] by [@&#8203;renovate-bot](https://togithub.com/renovate-bot)
in
[https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622)
- fix: only allow hashes of 256 bits or more by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633)
- fix: builder ID verification for testing by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635)
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance
format by [@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634)
- chore: update toc in README.md by
[@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636)
- fix: allow workflow_dispatch to trigger release.yml by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637)
- test: add tests for v1.7.0 builders by
[@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859)
by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567)
- fix(deps): update github.com/sigstore/protobuf-specs digest to
[`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406)
by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606)
- chore(deps): update npm dev by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608)
- chore(deps): update golang:1.19 docker digest to
[`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84)
by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583)
- feat: Verify provenance by build type by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632)
- refactor: Use Go 1.20 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643)
- test: Add more ProvenanceFromEnvelope tests by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640)
- fix: pre-submit: e2e-cli.sh artifact download by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646)
- refactor: Add more git utils by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645)
- refactor: Use full builder id by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648)
- feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651)
- feat: move maven-plugin from slsa-github-generator by
[@&#8203;AdamKorcz](https://togithub.com/AdamKorcz) in
[https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664)
- docs: Fix maven-plugin README by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671)
- feat: Verification for when sha1 is specified in BYOB TRW by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641)
- docs: Add example for maven verification plugin by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676)
- chore: Add Kris to codeowners by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678)
- feat: Print byob builder by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677)
- test: Add test data for v1.8.0 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666)
- feat: Non-compulsory BuilderID for BYOB Builders by
[@&#8203;enteraga6](https://togithub.com/enteraga6) in
[https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674)
- chore(deps): update golang docker tag to v1.21 by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686)
- feat: GCB refactor for v1.0 support by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682)
- feat: Allow byob builders ref at main for e2e tests by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689)
- feat: Update doc and code for Maven plugin by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680)
- feat: gcb v1.0 support by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691)
- feat: v1.9.0 regression tests by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696)
- fix: release failure by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697)

#### New Contributors

- [@&#8203;AdamKorcz](https://togithub.com/AdamKorcz) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664)
- [@&#8203;enteraga6](https://togithub.com/enteraga6) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674)

**Full Changelog**:
v2.3.0...v2.4.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
ramonpetgrave64 referenced this pull request in ramonpetgrave64/slsa-verifier Apr 10, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
minor | `v3.5.3` -> `v3.6.0` |
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | minor | `v3.0.7` -> `v3.1.0` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| patch | `v3.8.0` -> `v3.8.1` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | patch | `v3.1.2` -> `v3.1.3` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | minor | `v2.21.4` -> `v2.22.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | minor | `v2.2.0` -> `v2.3.0` |
|
[slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator)
| action | minor | `v1.8.0` -> `v1.9.0` |
|
[slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier)
| action | minor | `v2.3.0` -> `v2.4.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0)

- [Fix: Mark test scripts with Bash'isms to be run via
Bash](https://togithub.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth >
0](https://togithub.com/actions/checkout/pull/579)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0):
3.1.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by
[@&#8203;oerd](https://togithub.com/oerd) in
[https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)

#### New Contributors

- [@&#8203;oerd](https://togithub.com/oerd) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551)

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.0

###
[`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8):
3.0.8

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by
[@&#8203;sgmurphy](https://togithub.com/sgmurphy) in
[https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)

Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@&#8203;sgmurphy](https://togithub.com/sgmurphy) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540)

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.8

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1)

#### What's Changed

In scope of this release, the filter was removed within the cache-save
step by [@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov)
in
[https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831).
It is filtered and checked in the toolkit/cache library.

**Full Changelog**:
actions/setup-node@v3...v3.8.1

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)

#### What's Changed

- chore(github): remove trailing whitespaces by
[@&#8203;ljmf00](https://togithub.com/ljmf00) in
[https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313)
- Bump [@&#8203;actions/artifact](https://togithub.com/actions/artifact)
version to v1.1.2 by
[@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436)

**Full Changelog**:
actions/upload-artifact@v3...v3.1.3

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)

###
[`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)

###
[`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)

###
[`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)

###
[`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)

###
[`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)

###
[`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270)
- For a full changelist of what this includes, see the
[v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and
[v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0)
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225)

##### Documentation

- 📖 Update access rights needed to see the results in code scanning
by [@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by
[@&#8203;david-a-wheeler](https://togithub.com/david-a-wheeler) in
[https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by
[@&#8203;aabouzaid](https://togithub.com/aabouzaid) in
[https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)

#### New Contributors

- [@&#8203;david-a-wheeler](https://togithub.com/david-a-wheeler) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250)
- [@&#8203;aabouzaid](https://togithub.com/aabouzaid) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258)

**Full Changelog**:
ossf/scorecard-action@v2.2.0...v2.3.0

</details>

<details>
<summary>slsa-framework/slsa-github-generator
(slsa-framework/slsa-github-generator)</summary>

###
[`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190)

[Compare
Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0)

Release \[v1.9.0] includes bug fixes and new features.

See the [full change
list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0).

##### v1.9.0: BYOB framework (beta)

- **New**: A [new
framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md)
to turn GitHub Actions into SLSA compliant builders.

##### v1.9.0: Maven builder (beta)

- **New**: A [Maven
builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven)
to build Java projects and publish to Maven central.

##### v1.9.0: Gradle builder (beta)

- **New**: A [Gradle
builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle)
to build Java projects and publish to Maven central.

##### v1.9.0: JReleaser builder

- **New**: A [JReleaser
builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java)
that wraps the official [JReleaser
Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java).

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)

[Compare
Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0)

#### Summary

Support for BYOB-based builders released in
https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0

#### What's Changed

- chore: Update SHA256SUM.md for v2.3.0 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592)
- docs: Make npm package version and name non-optional by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591)
- docs: npm provenance verification from GitHub runner by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595)
- chore(deps): update dependency
[@&#8203;types/node](https://togithub.com/types/node) to v18.16.9 by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597)
- chore(deps): update dependency jasmine to v5 by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598)
- feat: BYOB verification support by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604)
- feat: Support for v1.0 verification in BYOB by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609)
- feat: Use env variable to retrieve trigger workflow by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615)
- test: Add test data for v1.6.0 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612)
- fix: Verify the TRW tag is a semver tag by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619)
- chore: Don't be verbose with tests locally by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620)
- fix: use ExternalParameters\["source"] for the Source URI for SLSA
v1.0 provenance by [@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621)
- test: re-generate container-based tests by
[@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627)
- fix: revert to using resolvedDepdendencies for source verification by
[@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629)
- refactor: Provenance tests by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628)
- fix(deps): update module github.com/sigstore/rekor to v1.2.0
\[security] by [@&#8203;renovate-bot](https://togithub.com/renovate-bot)
in
[https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622)
- fix: only allow hashes of 256 bits or more by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633)
- fix: builder ID verification for testing by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635)
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance
format by [@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634)
- chore: update toc in README.md by
[@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636)
- fix: allow workflow_dispatch to trigger release.yml by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637)
- test: add tests for v1.7.0 builders by
[@&#8203;asraa](https://togithub.com/asraa) in
[https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859)
by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567)
- fix(deps): update github.com/sigstore/protobuf-specs digest to
[`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406)
by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606)
- chore(deps): update npm dev by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608)
- chore(deps): update golang:1.19 docker digest to
[`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84)
by [@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583)
- feat: Verify provenance by build type by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632)
- refactor: Use Go 1.20 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643)
- test: Add more ProvenanceFromEnvelope tests by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640)
- fix: pre-submit: e2e-cli.sh artifact download by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646)
- refactor: Add more git utils by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645)
- refactor: Use full builder id by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648)
- feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651)
- feat: move maven-plugin from slsa-github-generator by
[@&#8203;AdamKorcz](https://togithub.com/AdamKorcz) in
[https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664)
- docs: Fix maven-plugin README by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671)
- feat: Verification for when sha1 is specified in BYOB TRW by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641)
- docs: Add example for maven verification plugin by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676)
- chore: Add Kris to codeowners by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678)
- feat: Print byob builder by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677)
- test: Add test data for v1.8.0 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666)
- feat: Non-compulsory BuilderID for BYOB Builders by
[@&#8203;enteraga6](https://togithub.com/enteraga6) in
[https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674)
- chore(deps): update golang docker tag to v1.21 by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://togithub.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686)
- feat: GCB refactor for v1.0 support by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682)
- feat: Allow byob builders ref at main for e2e tests by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689)
- feat: Update doc and code for Maven plugin by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680)
- feat: gcb v1.0 support by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691)
- feat: v1.9.0 regression tests by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696)
- fix: release failure by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697)

#### New Contributors

- [@&#8203;AdamKorcz](https://togithub.com/AdamKorcz) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664)
- [@&#8203;enteraga6](https://togithub.com/enteraga6) made their first
contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674)

**Full Changelog**:
slsa-framework/slsa-verifier@v2.3.0...v2.4.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[feature][byob] Verification support v0.2
2 participants