v1.2.1

🚨⚠️ DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #1163. Please upgrade to v1.2.2 or later. ⚠️🚨

What's Changed

This release fixes an error that occurs on the "Generate Builder" step for various workflows.

FAILED: SLSA verification failed: could not find a matching valid signature entry

See #942

Generic generator

buildType

This release changes the buildType used in provenance created by the generic generator.

The previous value was:

"buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",

The new value is:

"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",

See #627

Provenance file names

Previously the default file name for provenance was attestation.intoto.jsonl. This has been updated to be in line with intoto attestation file naming conventions. The file name now defaults to <artifact filename>.intoto.jsonl if there is a single artifact, or multiple.intoto.jsonl if there are multiple artifacts.

See #654

Explicit opt-in for private repos

Private repository support was enhanced to required the private-repository input field as the repository name will be made public in the public Rekor transparency log.

Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.

with:
  private-repository: true

See #823

Go builder

Support private repos

Support for private repositories was fixed. If using a private repository you must specify the private-repository input field as the repository name will be made public in the public Rekor transparency log.

Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.

with:
  private-repository: true

See #823

New Contributors

• @sethmlarson made their first contribution in #758
• @yunginnanet made their first contribution in #776
• @diogoteles08 made their first contribution in #957

Full Changelog

v1.2.0...v1.2.1

• doc: release doc typos by @laurentsimon in #589
• Haskell provenance by @mihaimaruseac in #595
• fix: Remove build:id in generic examples by @laurentsimon in #596
• Add provenance for Haskell by @mihaimaruseac in #608
• feat: Share util functions by @laurentsimon in #598
• Add digest input to container docs by @ianlewis in #591
• Fix linter pre-submit by @ianlewis in #333
• Add doc for attestation-name by @ianlewis in #618
• Update golang.org/x/oauth2 digest to 128564f by @renovate-bot in #620
• Add links to milestones as a roadmap by @ianlewis in #612
• Update typos and formatting in RELEASE.md by @ianlewis in #518
• Remove legacy env vars by @ianlewis in #616
• Update github-actions by @renovate-bot in #621
• Move computesha256 to typescript by @naveensrinivasan in #546
• Update tags for renovatebot by @laurentsimon in #622
• Update module github.com/sigstore/cosign to v1.10.0 by @renovate-bot in #623
• Fix support for --signature="" by @ianlewis in #615
• Update buildType of generic generator by @ianlewis in #628
• Use a temp dir for cwd in tests by @ianlewis in #633
• Update availability information of builders by @laurentsimon in #635
• Update generic README.md for availability by @laurentsimon in #636
• Update module github.com/slsa-framework/slsa-github-generator to v1.2.0 by @renovate-bot in #624
• Update module github.com/coreos/go-oidc to v3 by @renovate-bot in #485
• Update golang digest to 9349ed8 by @renovate-bot in #557
• Request for membership by @naveensrinivasan in #428
• Fix builder dir in container workflow by @ianlewis in #640
• Included typescript-eslint by @naveensrinivasan in #639
• feat: Group NodeJs update by @laurentsimon in #653
• Update github-actions by @renovate-bot in #648
• Update module github.com/sigstore/rekor to v0.10.0 by @renovate-bot in #650
• Update module github.com/coreos/go-oidc to v2.2.1 by @renovate-bot in #649
• Update dependency prettier to v2.7.1 by @renovate-bot in #647
• Update module github.com/sigstore/sigstore to v1.3.1 by @renovate-bot in #643
• Update github-actions by @renovate-bot in #689
• chore: update verifier to v1.3.0 by @asraa in #718
• Update github-actions by @renovate-bot in #711
• Update github-actions by @renovate-bot in #723
• Update dependency @types/node to v16.11.53 by @renovate-bot in #645
• Update module github.com/sigstore/rekor to v0.11.0 by @renovate-bot in #724
• contents: write is required for the generic builder by @sethmlarson in #758
• docs: fix valid path to dir by @asraa in #717
• bug: fix address for fulcio by @asraa in #760
• Fix permissions in generic workflow doc by @ianlewis in #761
• fix: type in OIDC word by @developer-guy in #774
• Update github-actions by @renovate-bot in #765
• Update README.md by @yunginnanet in #776
• Temporarily disable Run test. by @ianlewis in #772
• Fix log message for tlog upload by @ianlewis in #773
• Rename attestation-name by @ianlewis in #777
• Update dependency @actions/core to v1.9.1 by @renovate-bot in #644
• Update github-actions by @renovate-bot in #785
• Update dependency @vercel/ncc to v0.34.0 by @renovate-bot in #646
• feat: harden checkout by @laurentsimon in #795
• Updated scorecard v2 by @naveensrinivasan in #791
• feat: pin verify action by hash by @laurentsimon in #796
• Refactor Makefiles by @ianlewis in #792
• Add pre-submit to verify base images by @ianlewis in #592
• Runner API by @ianlewis in #632
• Update pwd code in unit-test by @ianlewis in #826
• Remove PWD from provenance env by @ianlewis in #825
• Update module github.com/sigstore/sigstore to v1.4.0 by @renovate-bot in https://github.com/slsa-framework/slsa-github-generator/pu...

v1.2.0

🚨⚠️ DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #942. Please upgrade to v1.2.2 or later. ⚠️🚨

What's Changed

Generic generator

The highlight of this release is a new re-usable workflow called the "Generic generator". It lets users build artifacts on their own and generate a provenance that satisfies SLSA provenance 3 requirement. It's perfect to get started with SLSA with minimal changes to an existing build workflow. To use it, check the README.md!

Go builder

No changes.

New Contributors

• @naveensrinivasan made their first contribution in #352
• @renovate-bot made their first contribution in #401
• @rarkins made their first contribution in #489
• @developer-guy made their first contribution in #497
• @loosebazooka made their first contribution in #573

Full Changelog: v1.1.1...v1.2.0

v1.1.1

What's Changed

• Improve documentation
• Fix filename issue when resolving it with variables
• Add support for environment variables in artifact filename

New Contributors

• @joshuagl made their first contribution in #199
• @mihaimaruseac made their first contribution in #202
• @MarkLodato made their first contribution in #312
• @chipzoller made their first contribution in #354

Full Changelog: v1.0.0...v1.1.1

v1.1.0

WARNING

This release is intended to release the verifier with the certificate present in the provenance. It is not intended for public use. This release will remain in pre-release.

What's Changed

• Improve documentation
• Fix filename issue when resolving it with variables
• Add support for environment variables in artifact filename

New Contributors

• @joshuagl made their first contribution in #199
• @mihaimaruseac made their first contribution in #202
• @MarkLodato made their first contribution in #312
• @chipzoller made their first contribution in #354

Full Changelog: v1.0.0...v1.1.0

v1.0.0

What's Changed

This is the first official release of the generator. The first builder we are releasing is for Golang projects.
To learn how to use it, see ./README.md#golang-projects

Contributors

@asraa @ianlewis @MarkLodato @joshuagl @laurentsimon

v0.0.2

e2e release test with the hash of v0.0.1's slsa-verifier hardcoded (see b18a9ec)

v0.0.1

This is a pre-release test. We will validate e2e flow and #74