[PR #584] [CLOSED] build(deps): bump slsa-framework/slsa-github-generator from 2.0.0 to 2.1.0 #585

Closed
opened 2026-03-03 14:31:51 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/konstruktoid/hardening/pull/584
Author: @dependabot[bot]
Created: 2/25/2025
Status: Closed

Base: master ← Head: dependabot/github_actions/slsa-framework/slsa-github-generator-2.1.0


📝 Commits (1)

  • 23d5d1a build(deps): bump slsa-framework/slsa-github-generator

📊 Changes

1 file changed (+1 additions, -1 deletions)

📝 .github/workflows/slsa.yml (+1 -1)

📄 Description

Bumps slsa-framework/slsa-github-generator from 2.0.0 to 2.1.0.

Release notes

Sourced from slsa-framework/slsa-github-generator's releases.

v2.1.0

This is an un-finalized release.

See the CHANGELOG for details.

What's Changed

... (truncated)

Changelog

Sourced from slsa-framework/slsa-github-generator's changelog.

v2.1.0

v2.1.0: Sigstore Bundles for Generic Generator and Go Builder

The workflows generator_generic_slsa3.yml and builder_go_slsa3.yml have been updated to produce signed Sigstore Bundles, just like all the other builders that use the BYOB framework.

The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchable on https://search.sigstore.dev/.

v2.1.0: Vars context recorded in provenance

  • Updated: GitHub vars context is now recorded in provenance for the generic and container generators. The vars context cannot affect the build in the Go builder so it is not recorded.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

kerem closed this issue 2026-03-03 14:31:51 +03:00