-
Notifications
You must be signed in to change notification settings - Fork 127
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: produce sigstore Bundles for generic generator and go builder workflows #3777
base: main
Are you sure you want to change the base?
feat: produce sigstore Bundles for generic generator and go builder workflows #3777
Conversation
20e2376
to
f9a7e3e
Compare
@@ -39,6 +39,9 @@ const ( | |||
|
|||
// OIDCToken represents the contents of a GitHub OIDC JWT token. | |||
type OIDCToken struct { | |||
// Expiry is the expiration date of the token. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lint: reordering fields by type.
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | actions/checkout | action | digest | `692973e` -> `9a9194f` | | [actions/download-artifact](https://togithub.com/actions/download-artifact) | action | patch | `v4.1.7` -> `v4.1.8` | | [actions/setup-go](https://togithub.com/actions/setup-go) | action | patch | `v5.0.1` -> `v5.0.2` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v4.0.2` -> `v4.0.3` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | digest | `60edb5d` -> `1e60f62` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v4.3.3` -> `v4.3.5` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.25.11` -> `v3.25.15` | | [gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action) | action | minor | `v3.4.2` -> `v3.5.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` | | [softprops/action-gh-release](https://togithub.com/softprops/action-gh-release) | action | patch | `v2.0.6` -> `v2.0.8` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.8`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.8) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.7...v4.1.8) #### What's Changed - Update [@​actions/artifact](https://togithub.com/actions/artifact) version, bump dependencies by [@​robherley](https://togithub.com/robherley) in [actions/download-artifact#341 **Full Changelog**: actions/download-artifact@v4...v4.1.8 </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.0.2`](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2) [Compare Source](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2) </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v4.0.3`](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3) [Compare Source](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.5`](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) ### [`v4.3.4`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.4) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.3...v4.3.4) ##### What's Changed - Update [@​actions/artifact](https://togithub.com/actions/artifact) version, bump dependencies by [@​robherley](https://togithub.com/robherley) in [actions/upload-artifact#584 **Full Changelog**: actions/upload-artifact@v4.3.3...v4.3.4 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.25.15`](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15) ### [`v3.25.14`](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14) ### [`v3.25.13`](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13) ### [`v3.25.12`](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12) </details> <details> <summary>gradle/gradle-build-action (gradle/gradle-build-action)</summary> ### [`v3.5.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v3.5.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v3.4.2...v3.5.0) > \[!IMPORTANT] > As of `v3` this action has been superceded by `gradle/actions/setup-gradle`. > Any workflow that uses `gradle/gradle-build-action@v3` will transparently delegate to `gradle/actions/setup-gradle@v3`. > > Users are encouraged to update their workflows, replacing: > > uses: gradle/gradle-build-action@v3 > > with > > uses: gradle/actions/setup-gradle@v3 > > See the [setup-gradle documentation](https://togithub.com/gradle/actions/tree/main/setup-gradle) for up-to-date documentation for `gradle/actions/setup-gradle`. For release details, see https://github.com/gradle/actions/releases/tag/v3.5.0 </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.4.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) #### What's Changed This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation. - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1410 - 🐛 lower license sarif alert threshold to 9 by [@​spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1411 ##### Documentation - docs: dogfooding badge by [@​jkowalleck](https://togithub.com/jkowalleck) in [ossf/scorecard-action#1399 #### New Contributors - [@​jkowalleck](https://togithub.com/jkowalleck) made their first contribution in [ossf/scorecard-action#1399 **Full Changelog**: ossf/scorecard-action@v2.3.3...v2.4.0 </details> <details> <summary>softprops/action-gh-release (softprops/action-gh-release)</summary> ### [`v2.0.8`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.8) [Compare Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.7...v2.0.8) <!-- Release notes generated using configuration in .github/release.yml at master --> #### What's Changed ##### Other Changes 🔄 - chore(deps): bump prettier from 2.8.0 to 3.3.3 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#480 - chore(deps): bump [@​types/node](https://togithub.com/types/node) from 20.14.9 to 20.14.11 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#483 - chore(deps): bump [@​octokit/plugin-throttling](https://togithub.com/octokit/plugin-throttling) from 9.3.0 to 9.3.1 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#484 - chore(deps): bump glob from 10.4.2 to 11.0.0 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#477 - refactor: write jest config in ts by [@​chenrui333](https://togithub.com/chenrui333) in [softprops/action-gh-release#485 - chore(deps): bump [@​actions/github](https://togithub.com/actions/github) from 5.1.1 to 6.0.0 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#470 **Full Changelog**: softprops/action-gh-release@v2...v2.0.8 ### [`v2.0.7`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.7) [Compare Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.6...v2.0.7) <!-- Release notes generated using configuration in .github/release.yml at master --> #### What's Changed ##### Bug fixes 🐛 - Fix missing update release body by [@​FirelightFlagboy](https://togithub.com/FirelightFlagboy) in [softprops/action-gh-release#365 ##### Other Changes 🔄 - Bump [@​octokit/plugin-retry](https://togithub.com/octokit/plugin-retry) from 4.0.3 to 7.1.1 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#443 - Bump typescript from 4.9.5 to 5.5.2 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#467 - Bump [@​types/node](https://togithub.com/types/node) from 20.14.6 to 20.14.8 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#469 - Bump [@​types/node](https://togithub.com/types/node) from 20.14.8 to 20.14.9 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#473 - Bump typescript from 5.5.2 to 5.5.3 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#472 - Bump ts-jest from 29.1.5 to 29.2.2 by [@​dependabot](https://togithub.com/dependabot) in [softprops/action-gh-release#479 - docs: document that existing releases are updated by [@​jvanbruegge](https://togithub.com/jvanbruegge) in [softprops/action-gh-release#474 #### New Contributors - [@​jvanbruegge](https://togithub.com/jvanbruegge) made their first contribution in [softprops/action-gh-release#474 - [@​FirelightFlagboy](https://togithub.com/FirelightFlagboy) made their first contribution in [softprops/action-gh-release#365 **Full Changelog**: softprops/action-gh-release@v2.0.6...v2.0.7 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-github-generator). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
…o 25.0.6+incompatible in the go_modules group (#3760) Bumps the go_modules group with 1 update: [github.com/docker/docker](https://github.com/docker/docker). Updates `github.com/docker/docker` from 24.0.9+incompatible to 25.0.6+incompatible <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/docker/releases">github.com/docker/docker's releases</a>.</em></p> <blockquote> <h2>v25.0.6</h2> <h2>25.0.6</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.6">docker/cli, 25.0.6 milestone</a></li> <li><a href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.6">moby/moby, 25.0.6 milestone</a></li> <li>Deprecated and removed features, see <a href="https://github.com/docker/cli/blob/v25.0.6/docs/deprecated.md">Deprecated Features</a>.</li> <li>Changes to the Engine API, see <a href="https://github.com/moby/moby/blob/v25.0.6/docs/api/version-history.md">API version history</a>.</li> </ul> <h3>Security</h3> <p>This release contains a fix for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110">CVE-2024-41110</a> / <a href="https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq">GHSA-v23v-6jw2-98fq</a> that impacted setups using <a href="https://docs.docker.com/engine/extend/plugins_authorization/">authorization plugins (AuthZ)</a> for access control.</p> <h3>Bug fixes and enhancements</h3> <ul> <li>[25.0] remove erroneous <code>platform</code> from image <code>config</code> OCI descriptor in <code>docker save</code> output. <a href="https://redirect.github.com/moby/moby/pull/47695">moby/moby#47695</a></li> <li>[25.0 backport] Fix a nil dereference when getting image history for images having layers without the <code>Created</code> value set. <a href="https://redirect.github.com/moby/moby/pull/47759">moby/moby#47759</a></li> <li>[25.0 backport] apparmor: Allow confined runc to kill containers. <a href="https://redirect.github.com/moby/moby/pull/47830">moby/moby#47830</a></li> <li>[25.0 backport] Fix an issue where rapidly promoting a Swarm node after another node was demoted could cause the promoted node to fail its promotion. <a href="https://redirect.github.com/moby/moby/pull/47869">moby/moby#47869</a></li> <li>[25.0 backport] don't depend on containerd platform.Parse to return a typed error. <a href="https://redirect.github.com/moby/moby/pull/47890">moby/moby#47890</a></li> <li>[25.0 backport] builder/mobyexporter: Add missing nil check <a href="https://redirect.github.com/moby/moby/pull/47987">moby/moby#47987</a></li> </ul> <h3>Packaging updates</h3> <ul> <li>Update AWS SDK Go v2 to v1.24.1 for AWS CloudWatch logging driver. <a href="https://redirect.github.com/moby/moby/pull/47724">moby/moby#47724</a></li> <li>Update Go runtime to 1.21.12, which contains security fixes for <a href="https://github.com/advisories/GHSA-hw49-2p59-3mhj">CVE-2024-24791</a> <a href="https://redirect.github.com/moby/moby/pull/48146">moby/moby#48146</a></li> <li>Update Containerd (static binaries only) to <a href="https://github.com/containerd/containerd/releases/tag/v1.7.20">v1.7.20</a>. <a href="https://redirect.github.com/moby/moby/pull/48199">moby/moby#48199</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/moby/moby/compare/v25.0.5...v25.0.6">https://github.com/moby/moby/compare/v25.0.5...v25.0.6</a></p> <h2>v25.0.5</h2> <h2>25.0.5</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.5">docker/cli, 25.0.5 milestone</a></li> <li><a href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.5">moby/moby, 25.0.5 milestone</a></li> <li>Deprecated and removed features, see <a href="https://github.com/docker/cli/blob/v25.0.5/docs/deprecated.md">Deprecated Features</a>.</li> <li>Changes to the Engine API, see <a href="https://github.com/moby/moby/blob/v25.0.5/docs/api/version-history.md">API version history</a>.</li> </ul> <h3>Security</h3> <p>This release contains a security fix for <a href="https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx">CVE-2024-29018</a>, a potential data exfiltration from 'internal' networks via authoritative DNS servers.</p> <h3>Bug fixes and enhancements</h3> <ul> <li> <p><a href="https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx">CVE-2024-29018</a>: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a loopback address, like systemd's 127.0.0.53. <a href="https://redirect.github.com/moby/moby/pull/47589">moby/moby#47589</a></p> </li> <li> <p>plugin: fix mounting /etc/hosts when running in UserNS. <a href="https://redirect.github.com/moby/moby/pull/47588">moby/moby#47588</a></p> </li> <li> <p>rootless: fix <code>open /etc/docker/plugins: permission denied</code>. <a href="https://redirect.github.com/moby/moby/pull/47587">moby/moby#47587</a></p> </li> <li> <p>Fix multiple parallel <code>docker build</code> runs leaking disk space. <a href="https://redirect.github.com/moby/moby/pull/47527">moby/moby#47527</a></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/moby/moby/commit/b08a51fe16eed67de3861c03b363ba403643b12e"><code>b08a51f</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48231">#48231</a> from austinvazquez/backport-vendor-otel-v0.46.1-to-...</li> <li><a href="https://github.com/moby/moby/commit/d151b0f87f9673f206b477c90db25956e1704ba5"><code>d151b0f</code></a> vendor: OTEL v0.46.1 / v1.21.0</li> <li><a href="https://github.com/moby/moby/commit/c6ba9a5124603357bfc4a64971cbb9708180f06e"><code>c6ba9a5</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48225">#48225</a> from austinvazquez/backport-workflow-artifact-reten...</li> <li><a href="https://github.com/moby/moby/commit/4673a3ca2c37ae30270a29c281ccd9477107dcee"><code>4673a3c</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48227">#48227</a> from austinvazquez/backport-backport-branch-check-t...</li> <li><a href="https://github.com/moby/moby/commit/30f89081028ce6fb1b49a71c02c156dacbe9aa62"><code>30f8908</code></a> github/ci: Check if backport is opened against the expected branch</li> <li><a href="https://github.com/moby/moby/commit/7454d6a2e672b0b977aaa14463c9aeb53acd06af"><code>7454d6a</code></a> ci: update workflow artifacts retention</li> <li><a href="https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919"><code>65cc597</code></a> Merge commit from fork</li> <li><a href="https://github.com/moby/moby/commit/b722836927669b414569c42f096869cd800b59a6"><code>b722836</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/48199">#48199</a> from austinvazquez/update-containerd-binary-to-1.7.20</li> <li><a href="https://github.com/moby/moby/commit/e8ecb9c76d97579ebbf3f9d3ef770d08ac303809"><code>e8ecb9c</code></a> update containerd binary to v1.7.20</li> <li><a href="https://github.com/moby/moby/commit/e6cae1f2373d4ff37499570e67f23b2cebb7a043"><code>e6cae1f</code></a> update containerd binary to v1.7.19</li> <li>Additional commits viewable in <a href="https://github.com/docker/docker/compare/v24.0.9...v25.0.6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=24.0.9+incompatible&new-version=25.0.6+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/slsa-framework/slsa-github-generator/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) The Renovate config in this repository needs migrating. Typically this is because one or more configuration options you are using have been renamed. You don't need to merge this PR right away, because Renovate will continue to migrate these fields internally each time it runs. But later some of these fields may be fully deprecated and the migrations removed. So it's a good idea to merge this migration PR soon. 🔕 **Ignore**: Close this PR and you won't be reminded about config migration again, but one day your current config may no longer be valid. ❓ Got questions? Does something look wrong to you? Please don't hesitate to [request help here](https://togithub.com/renovatebot/renovate/discussions). --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-github-generator). Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This reverts commit 8cde63a. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
verification Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
7d5dcde
to
91fc61e
Compare
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
@@ -53,7 +53,7 @@ func Test_CreateBuildDefinition(t *testing.T) { | |||
} | |||
|
|||
if diff := cmp.Diff(got, want); diff != "" { | |||
t.Errorf(diff) | |||
t.Error(diff) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lint: change t.Errorf
to t.Error
when not actually using any string formatting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really great!
if err != nil { | ||
return nil, err | ||
} | ||
TokenStruct, err := oidcClient.Token(ctx, []string{"sigstore"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: tokenStruct
// Bundle will have already verified that the TLog entries are signed. | ||
logIndex := innerBundle.GetVerificationMaterial().GetTlogEntries()[0].GetLogIndex() | ||
fmt.Printf("Signed attestation is in rekor with UUID %d.\n", logIndex) | ||
fmt.Printf("You could use rekor-cli to view the log entry details:\n\n"+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor thing, but I would avoid printing the info about how to look up the entry given these look ups aren't verifying inclusion. In Cosign we've always struggled with what is useful output, and I don't have a good answer there - maybe a list of steps that the client took (requested token, fetched cert, uploaded entry to log, etc)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's more of a UX thing, since I'm deleting another print statement that showed the log UUID.
I now see I need to update that text to say Log Index, not UUID.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add any tests for this? Possibly e2e tests with a similar setup like Colleen added in Cosign? https://github.com/sigstore/cosign/blob/main/test/README.md
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are e2e tests in slsa-framework/example-package that will produce and verify. We can't have the e2e tests in PRs because PRs don't have the needed token permissions to sign.
Summary
fixes #3750
pending slsa-framework/slsa-verifier#799
Changes the internal go code to produce Sigstore Bundles, instead of only signed DSSE envelopes. This means that the generic generator and go builder workflows now produce Sigstore Bundles, just like the other BYOB-type workflows.
Testing Process
Testing done on a previous commit with a test workflow. It's using a slightly modified slsa-verifier that respects sls-aw workflows from non-main branches.
Followup
[ ] Produce the provenance in v1 format, rather than the current v0.2 format.
[ ] fix initialism of
[build]invocationID
to[build]invocationId
#3876Checklist