
v5.0.3-e353aa8


@github-actions github-actions released this 06 Apr 14:29

⚠️ This release is affected by GHSA-w253-42qp-5f2x. Update to v5.0.5-caaf673 or later.

Caution

This release is affected by GHSA-92f3-38m7-579h — dual-path Endpoint Security (ES) events (rename, link, copyfile, exchangedata, clone) checked only the source path, not the destination path, against policies. Update to v5.0.4 or later.

v5.0.3

Features

  • Wildcard signing ID in global allowlist — allowlist entries now accept wildcard signing identifiers, making it easier to cover families of related processes.
  • Chrome preset: GoogleUpdater ancestor — the Chrome browser preset now recognises GoogleUpdater as a valid ancestor signature.

Bug fixes

  • Touch ID authentication — switched to deviceOwnerAuthentication policy and surfaced authentication errors in the UI instead of silently failing (#127).

Platform

  • Minimum macOS target lowered to 15.6.

Supply-chain security

  • SLSA Build L3 provenance — releases now ship a .sigstore bundle (GitHub-native attestation) and a .intoto.jsonl (SLSA L3 provenance from an isolated builder). Verify with either gh attestation verify or slsa-verifier verify-artifact (#116).
  • Script injection hardened — `${{ github.ref_name }}` is no longer interpolated directly into shell in release workflows; it is passed via env vars instead (#113).
  • All GitHub Actions pinned by commit SHA across every workflow, with Dependabot configured to keep them current (#118, #120).
  • Top-level least-privilege permissions declared on all workflows (#117).
  • OpenSSF Scorecard integrated as a weekly CI check.
  • CodeQL SAST enabled for Swift and GitHub Actions on every push and PR (#119).
  • Security policy updated with private vulnerability reporting link (#121).
  • Immutable releases — release creation deferred to a single atomic job so all assets (DMG, .sigstore, .intoto.jsonl) land together, compatible with GitHub's immutable-release setting.
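As an added example (not the project's own code), a minimal scanner for the pattern the script-injection fix above removes: a workflow expression expanded directly inside a `run:` script. It is run over a constructed vulnerable step and its hardened counterpart, both assumed, not taken from the project's real workflow.

```python
import re
# Added example, not the project's own code: a scanner for the pattern this release
# hardened, an expression such as ${{ github.ref_name }} expanded directly inside a
# `run:` script. Works on raw workflow text, so no YAML library is needed.
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def run_script_lines(workflow_text):
    """Yield (line_number, text) for each line of shell inside a `run:` step."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        body = m.group(3).strip()
        if body not in ("|", "|-", ">", ">-"):  # inline form: run: <command>
            yield i, body
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")  # block scalar follows
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            yield i + 1, lines[i]
            i += 1

def find_injection_risks(workflow_text):
    """Return [(line, expression)] for every ${{ }} expression inside a run: script.
    Every expression is reported: the fix on the page moves them all into `env:`,
    so the shell sees a variable rather than attacker-influenced source text."""
    return [(n, e) for n, t in run_script_lines(workflow_text) for e in EXPR_RE.findall(t)]

# Constructed sample steps, not the project's real release workflow.
VULNERABLE = """\
    steps:
      - name: Publish
        run: |
          echo "Release ${{ github.ref_name }}" > notes.md
          gh release create "${{ github.ref_name }}" --notes-file notes.md
"""
HARDENED = """\
    steps:
      - name: Publish
        env:
          REF_NAME: ${{ github.ref_name }}  # expression lives in env, not in shell text
        run: |
          echo "Release $REF_NAME" > notes.md
          gh release create "$REF_NAME" --notes-file notes.md
"""
```

`find_injection_risks(VULNERABLE)` reports the two interpolated lines, while the hardened step yields no findings because the tag name only reaches the shell as `$REF_NAME`.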

Documentation

  • Comprehensive documentation site with GitHub Pages deployment.
  • Rewritten ancestry docs focused on real-world use cases.
  • Docs corrections for XProtect allowlist behaviour, preset update badges, and empty-field semantics.
  • Recommendation to allowlist security products.
  • Mobile-responsive header showing Docs link (#111).