chore(deps): update slsa-framework/slsa-github-generator action to v1.9.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
slsa-framework/slsa-github-generator	action	minor	v1.4.0 -> v1.9.0

---

Release Notes

slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)

v1.9.0

Compare Source

Release [v1.9.0] includes bug fixes and new features.

See the full change list.

v1.9.0: BYOB framework (beta)

• New: A new framework to turn GitHub Actions into SLSA compliant builders.

v1.9.0: Maven builder (beta)

• New: A Maven builder to build Java projects and publish to Maven central.

v1.9.0: Gradle builder (beta)

• New: A Gradle builder to build Java projects and publish to Maven central.

v1.9.0: JReleaser builder

• New: A JReleaser builder that wraps the official JReleaser Action.

v1.8.0

Compare Source

Release [v1.8.0] includes bug fixes and new features.

See the full change list.

v1.8.0: Generic Generator

• Added: A new
  base64-subjects-as-file
  was added to allow for specifying a large subject list.

v1.8.0: Node.js Builder (beta)

• Fixed: Publishing for non-scoped packages was fixed (See
  #​2359)
• Fixed: Documentation was updated to clarify that the GitHub Actions
  deployment event is not supported.
• Changed: The file extension for the generated provenance file was changed
  from .sigstore to .build.slsa in order to make it easier to identify
  provenance files regardless of file format.
• Fixed: The publish action was fixed to address an issue with the package
  name when using Node 16.

v1.7.0

Compare Source

This release includes the first beta release of the
Container-based builder.
The Container-based builder provides a GitHub Actions reusable workflow that can
be used to invoke a container image with a user-specified command to generate an
artifact and SLSA Build L3 compliant provenance.

v1.7.0: Go builder

• Added: A new
  go-version-file
  input was added. This allows you to specify a go.mod file in order to track
  which version of Go is used for your project.

v1.6.0

Compare Source

This release includes the first beta release of the
Node.js builder.
The Node.js builder provides a GitHub Actions reusable workflow that can be
called to build a Node.js package, generate SLSA Build L3 compliant provenance,
and publish it to the npm registry along with the package.

Summary of changes

Go builder

New Features

• A new
  prerelease
  input was added to allow users to create releases marked as prerelease when
  upload-assets is set to true.
• A new input draft-release was added to allow users to create releases marked
  as draft when upload-assets is set to true.
• A new output go-provenance-name added which can be used to retrieve the name
  of the provenance file generated by the builder.

Generic generator

New Features

• A new input draft-release was added to allow users to create releases marked
  as draft when upload-assets is set to true.

Container generator

The Container Generator was updated to use cosign v2.0.0. No changes to the
workflow's inputs or outputs were made.

Changelog since v1.5.0

v1.5.0

Compare Source

Summary of changes

Go builder

New Features

• A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
• The environment variables included in provenance output were changed to include only those variables that are specified by the user in the slsa-goreleaser.yml configuration file in order to improve reproducibility. See #​822 for more information and background.

Generic generator

New Features

• A new boolean continue-on-error input was added which, when set to true, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the outcome output.
• A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.

Container generator

New Features

• A new boolean continue-on-error input was added which, when set to true, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the outcome output.
• A new repository-username secret input was added to allow users to pass their repository username that is stored in a Github Actions encrypted secret. This secret input should only be used for high-entropy registry username values such as AWS Access Key.
• Support was added for authenticating with Google Artifact Registry and Google Container Registry using Workload Identity Federation. Users can use this new feature by using the gcp-workload-identity-provider and gcp-service-account inputs

Changelog since v1.4.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.