diff --git a/.github/workflows/builder_docker-based_slsa3.yml b/.github/workflows/builder_docker-based_slsa3.yml
index d939d157ea..6214b5ece7 100644
--- a/.github/workflows/builder_docker-based_slsa3.yml
+++ b/.github/workflows/builder_docker-based_slsa3.yml
@@ -102,7 +102,7 @@ jobs:
 steps:
 - name: Generate random 16-byte value (32-char hex encoded)
 id: rng
- uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.5.0
 # This detects the repository and ref of the reusable workflow.
 # For pull request, this gets the head repository and head SHA.
@@ -117,7 +117,7 @@ jobs:
 steps:
 - name: Detect the builder ref
 id: detect
- uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0
 ###################################################################
 # #
@@ -154,7 +154,7 @@ jobs:
 steps:
 - name: Generate builder binary
 id: generate
- uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
@@ -187,7 +187,7 @@ jobs:
 steps:
 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 - name: Checkout builder repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
@@ -259,7 +259,7 @@ jobs:
 needs: [rng, detect-env, generate-builder]
 steps:
 - name: Checkout builder repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
@@ -367,7 +367,7 @@ jobs:
 provenance-name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
 steps:
 - name: Checkout builder repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index 00696975ad..875eec7abe 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -87,7 +87,7 @@ jobs:
 steps:
 - name: Generate random 16-byte value (32-char hex encoded)
 id: rng
- uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.5.0
 detect-env:
 outputs:
@@ -99,7 +99,7 @@ jobs:
 steps:
 - name: Detect the builder ref
 id: detect
- uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0
 ###################################################################
 # #
@@ -114,7 +114,7 @@ jobs:
 steps:
 - name: Generate builder binary
 id: generate
- uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
@@ -148,7 +148,7 @@ jobs:
 needs: [builder, rng, detect-env]
 steps:
 - name: Checkout builder repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
@@ -194,7 +194,7 @@ jobs:
 needs: [builder, build-dry, rng, detect-env]
 steps:
 - name: Checkout builder repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
@@ -274,7 +274,7 @@ jobs:
 go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
 steps:
 - name: Checkout builder repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
@@ -332,7 +332,7 @@ jobs:
 if: inputs.upload-assets == true
 steps:
 - name: Checkout builder repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
diff --git a/.github/workflows/delegator_generic_slsa3.yml b/.github/workflows/delegator_generic_slsa3.yml
index 67c40b178e..ce7c44096f 100644
--- a/.github/workflows/delegator_generic_slsa3.yml
+++ b/.github/workflows/delegator_generic_slsa3.yml
@@ -77,7 +77,7 @@ jobs:
 steps:
 - name: Generate random 16-byte value (32-char hex encoded)
 id: rng
- uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/rng@v1.5.0
 # verify-token verifies the slsa token.
 verify-token:
@@ -91,7 +91,7 @@ jobs:
 steps:
 - name: Verify token with test action
 id: verify
- uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/verify-token@v1.5.0
 with:
 slsa-workflow-recipient: "delegator_generic_slsa3.yml"
 slsa-unverified-token: ${{ inputs.slsa-token }}
@@ -99,7 +99,7 @@ jobs:
 - name: Upload predicate
 id: upload
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.5.0
 with:
 name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}"
 path: ${{ env.SLSA_PREDICATE_FILE }}
@@ -110,7 +110,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check private repos
- uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/privacy-check@v1.5.0
 with:
 error_message: "Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override."
 override: ${{ fromJson(needs.verify-token.outputs.slsa-verified-token).builder.rekor_log_public }}
@@ -138,7 +138,7 @@ jobs:
 echo "$RUNNER: $RUNNER"
 - name: Checkout the tool repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: ${{ needs.verify-token.outputs.tool-repository }}
 ref: ${{ needs.verify-token.outputs.tool-ref }}
@@ -162,7 +162,7 @@ jobs:
 tree
 - name: Checkout the project repository
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@v1.5.0
 # NOTE: This calls the Action defined in the slsa-token.
 - name: Build artifacts
@@ -188,7 +188,7 @@ jobs:
 - name: Upload artifact layout file
 id: upload
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@v1.5.0
 with:
 name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}"
 path: "${{ env.SLSA_ARTIFACTS_FILE }}"
@@ -203,14 +203,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download the artifact layout file
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.5.0
 with:
 name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_ARTIFACTS_FILE }}"
 path: "${{ env.SLSA_ARTIFACTS_FILE }}"
 sha256: ${{ needs.build-artifacts-ubuntu.outputs.artifacts-layout-sha256 }}
 - name: Download the predicate file
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@v1.5.0
 with:
 name: "${{ needs.rng.outputs.value }}-${{ env.SLSA_PREDICATE_FILE }}"
 path: ${{ env.SLSA_PREDICATE_FILE }}
@@ -223,7 +223,7 @@ jobs:
 - name: Generate attestations
 id: attestations
- uses: slsa-framework/slsa-github-generator/.github/actions/generate-attestations@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/generate-attestations@v1.5.0
 with:
 slsa-layout-file: ${{ env.SLSA_ARTIFACTS_FILE }}
 predicate-type: "https://slsa.dev/provenance/v1.0?draft"
@@ -232,7 +232,7 @@ jobs:
 - name: Sign attestations
 id: sign
- uses: slsa-framework/slsa-github-generator/.github/actions/sign-attestations@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/sign-attestations@v1.5.0
 with:
 attestations: attestations
 output-folder: "${{ needs.rng.outputs.value }}-slsa-attestations"
diff --git a/.github/workflows/e2e.create-docker_based-predicate.schedule.yml b/.github/workflows/e2e.create-docker_based-predicate.schedule.yml
index 3163128ad8..5fb9fa093e 100644
--- a/.github/workflows/e2e.create-docker_based-predicate.schedule.yml
+++ b/.github/workflows/e2e.create-docker_based-predicate.schedule.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Detect the builder ref
 id: detect
- uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0
 - name: Create predicate
 id: predicate
 uses: ./.github/actions/create-docker_based-predicate
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 45c87ef722..259004eb33 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -94,7 +94,7 @@ jobs:
 - name: Detect the generator ref
 id: detect
 continue-on-error: true
- uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0
 - name: Final outcome
 id: final
@@ -125,7 +125,7 @@ jobs:
 - name: Generate builder
 id: generate-builder
 continue-on-error: true
- uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
index 668d10bd1b..e027813972 100644
--- a/.github/workflows/generator_generic_slsa3.yml
+++ b/.github/workflows/generator_generic_slsa3.yml
@@ -110,7 +110,7 @@ jobs:
 - name: Detect the generator ref
 id: detect
 continue-on-error: true
- uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@v1.5.0
 - name: Final outcome
 id: final
@@ -143,7 +143,7 @@ jobs:
 - name: Generate builder
 id: generate-builder
 continue-on-error: true
- uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
@@ -217,7 +217,7 @@ jobs:
 - name: Checkout builder repository
 id: checkout-builder
 continue-on-error: true
- uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@v1.5.0
 with:
 repository: "${{ needs.detect-env.outputs.repository }}"
 ref: "${{ needs.detect-env.outputs.ref }}"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index da7a875fe6..4e764dab55 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
-- [Next Release](#next-release)
+- [v1.5.0](#v150)
 - [Summary of changes](#summary-of-changes)
 - [Go builder](#go-builder)
 - [New Features](#new-features)
@@ -61,7 +61,7 @@
-# Next Release
+# v1.5.0
@@ -71,27 +71,27 @@
 #### New Features
-- A new [`upload-tag-name`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#workflow-inputs) input was added to allow users to specify the tag name for the release when `upload-assets` is set to `true`.
-- The environment variables included in provenance output were changed to include only those variables that are specified by the user in the [slsa-goreleaser.yml configuration file](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/go#configuration-file) in order to improve reproducibility. See [#822](https://github.com/slsa-framework/slsa-github-generator/issues/822) for more information and background.
+- A new [`upload-tag-name`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/generic/README.md#workflow-inputs) input was added to allow users to specify the tag name for the release when `upload-assets` is set to `true`.
+- The environment variables included in provenance output were changed to include only those variables that are specified by the user in the [slsa-goreleaser.yml configuration file](https://github.com/slsa-framework/slsa-github-generator/tree/v1.5.0/internal/builders/go#configuration-file) in order to improve reproducibility. See [#822](https://github.com/slsa-framework/slsa-github-generator/issues/822) for more information and background.
 ### Generic generator
 #### New Features
-- A new boolean [`continue-on-error`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#workflow-inputs) input was added which, when set to `true`, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the [`outcome`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#workflow-outputs) output.
-- A new [`upload-tag-name`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#workflow-inputs) input was added to allow users to specify the tag name for the release when `upload-assets` is set to `true`.
+- A new boolean [`continue-on-error`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/generic/README.md#workflow-inputs) input was added which, when set to `true`, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the [`outcome`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/generic/README.md#workflow-outputs) output.
+- A new [`upload-tag-name`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/generic/README.md#workflow-inputs) input was added to allow users to specify the tag name for the release when `upload-assets` is set to `true`.
 ### Container generator
 #### New Features
-- A new boolean [`continue-on-error`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#workflow-inputs) input was added which, when set to `true`, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the [`outcome`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#workflow-outputs) output.
-- A new [`repository-username`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#workflow-inputs) secret input was added to allow users to pass their repository username that is stored in a [Github Actions encrypted secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets). This secret input should only be used for high-entropy registry username values such as AWS Access Key.
-- Support was added for authenticating with [Google Artifact Registry](https://cloud.google.com/artifact-registry) and [Google Container Registry](https://cloud.google.com/container-registry) using [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation). Users can use this new feature by using the [`gcp-workload-identity-provider` and `gcp-service-account` inputs](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#workflow-inputs)
+- A new boolean [`continue-on-error`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added which, when set to `true`, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the [`outcome`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-outputs) output.
+- A new [`repository-username`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) secret input was added to allow users to pass their repository username that is stored in a [Github Actions encrypted secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets). This secret input should only be used for high-entropy registry username values such as AWS Access Key.
+- Support was added for authenticating with [Google Artifact Registry](https://cloud.google.com/artifact-registry) and [Google Container Registry](https://cloud.google.com/container-registry) using [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation). Users can use this new feature by using the [`gcp-workload-identity-provider` and `gcp-service-account` inputs](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs)
 ## Changelog since v1.4.0
-https://github.com/slsa-framework/slsa-github-generator/compare/v1.4.0...main
+https://github.com/slsa-framework/slsa-github-generator/compare/v1.4.0...v1.5.0
 # v1.4.0
diff --git a/SECURITY.md b/SECURITY.md
index 25320a3842..850658cc3e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -29,6 +29,7 @@ The following versions are currently supported and receive security updates.
 | Version | Supported |
 | ------- | ------------------ |
+| 1.5.x | :white_check_mark: |
 | 1.4.x | :white_check_mark: |
 | <=1.2.x | :x: |
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 2dbc86be6f..0da75eb199 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -72,7 +72,7 @@ provenance:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ${{ needs.build.outputs.image }}
 digest: ${{ needs.build.outputs.digest }}
@@ -143,7 +143,7 @@ jobs:
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
 if: startsWith(github.ref, 'refs/tags/')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ${{ needs.build.outputs.image }}
 digest: ${{ needs.build.outputs.digest }}
@@ -367,7 +367,7 @@ provenance:
 # contents: read
 packages: write
 if: startsWith(github.ref, 'refs/tags/')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ${{ needs.build.outputs.image }}
 digest: ${{ needs.build.outputs.digest }}
@@ -432,7 +432,7 @@ jobs:
 # contents: read
 packages: write
 if: startsWith(github.ref, 'refs/tags/')
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
 with:
 image: ${{ needs.build.outputs.image }}
 digest: ${{ needs.build.outputs.digest }}
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index aff97d9690..81c858a774 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -86,7 +86,7 @@ provenance:
 actions: read # Needed for detection of GitHub Actions environment.
 id-token: write # Needed for provenance signing and ID
 contents: write # Needed for release uploads
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 ```
@@ -143,7 +143,7 @@ jobs:
 actions: read
 id-token: write
 contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 # Upload provenance to a new release
@@ -382,7 +382,7 @@ provenance:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
 upload-assets: true # upload to a new release
@@ -424,7 +424,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
 upload-assets: true # upload to a new release
@@ -481,7 +481,7 @@ provenance:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -523,7 +523,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -582,7 +582,7 @@ provenance:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -629,7 +629,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -676,7 +676,7 @@ provenance:
 actions: read
 id-token: write
 contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -719,7 +719,7 @@ jobs:
 actions: read
 id-token: write
 contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -771,7 +771,7 @@ provenance:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -810,7 +810,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -867,7 +867,7 @@ provenance:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -912,7 +912,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -974,7 +974,7 @@ provenance:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -1021,7 +1021,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -1112,7 +1112,7 @@ except that it relies on `combine_hashes` instead of the `build` job.
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -1165,7 +1165,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
@@ -1204,7 +1204,7 @@ function.
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs[format('hash-{0}-{1}', matrix.color, matrix.flavor)] }}"
 upload-assets: true # Optional: Upload to a new release
@@ -1245,7 +1245,7 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.build.outputs[format('hash-{0}-{1}', matrix.color, matrix.flavor)] }}"
 upload-assets: true # Optional: Upload to a new release
@@ -1277,5 +1277,5 @@ downloading the latest release. Make sure you continue to reference the workflow using a release tag in order to allow verification by `slsa-verifier`.
 ```yaml
-uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0-rc.0
+uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 ```
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
index 5280be4c5c..9ec72217ae 100644
--- a/internal/builders/go/README.md
+++ b/internal/builders/go/README.md
@@ -165,7 +165,7 @@ It's easy to generate binaries for multiple platforms. To accomplish this, we ca
 arch:
 - amd64
 - arm64
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0
 with:
 go-version: 1.19
 config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml
@@ -230,7 +230,7 @@ jobs:
 contents: write # To upload assets to release.
 actions: read # To read the workflow path.
 needs: args
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0-rc.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0
 with:
 go-version: 1.17
 # Optional: only needed if using ldflags.
@@ -399,5 +399,5 @@ the latest release. Make sure you continue to reference the workflow using a release tag in order to allow verification by `slsa-verifier`.
 ```yaml
-uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0-rc.0
+uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0
 ```