CHANGELOG
February 19, 2025 ยท View on GitHub
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- v2.1.0
- v2.0.0
- v1.10.0
- v1.9.0
- v1.8.0
- v1.7.0
- v1.6.0
- v1.5.0
- v1.4.0
- v1.4.0-rc.2
- v1.4.0-rc.1
- v1.4.0-rc.0
- v1.2.2
- v1.2.1
- v1.2.0
- v1.1.1
- v1.0.0
v2.1.0
v2.1.0: Sigstore Bundles for Generic Generator and Go Builder
The workflows generator_generic_slsa3.yml and builder_go_slsa3.yml
have been updated to produce signed Sigstore Bundles, just like all the other builders
that use the BYOB framework.
The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on https://search.sigstore.dev/.
v2.1.0: Vars context recorded in provenance
- Updated: GitHub
varscontext is now recorded in provenance for the generic and container generators. Thevarscontext cannot affect the build in the Go builder so it is not recorded.
v2.0.0
v2.0.0: Breaking Change: upload-artifact and download-artifact
- Our workflows now use the new
@v4s ofactions/upload-artifactandactions/download-artifact, which are incompatiblle with the prior@v3. See Our docs on the generic generator for more information and how to upgrade.
v2.0.0: Breaking Change: attestation-name Workflow Input and Output
attestation-nameas a workflow input to.github/workflows/generator_generic_slsa3.ymlis now removed. Useprovenance-nameinstead.
v2.0.0: DSSE Rekor Type
- When uploading signed provenance to the log, the entry created in the log is now a DSSE Rekor type. This fixes a bug where the current intoto type does not persist provenance signatures. The attestation will no longer be persisted in Rekor (#3299)
v1.10.0
Release v1.10.0 includes bug fixes and new features.
See the full change list.
v1.10.0: TUF fix
v1.10.0: Gradle Builder
- The Gradle Builder was fixed when the project root is the same as the repository root (#2727)
v1.10.0: Go Builder
- The
go-version-fileinput was fixed so that it can find thego.modfile (#2661)
v1.10.0: Container Generator
- A new
provenance-repositoryinput was added to allow reading provenance from a different container repository than the image itself (#2956)
v1.9.0
Release v1.9.0 includes bug fixes and new features.
See the full change list.
v1.9.0: BYOB framework (beta)
- New: A new framework to turn GitHub Actions into SLSA compliant builders.
v1.9.0: Maven builder (beta)
- New: A Maven builder to build Java projects and publish to Maven central.
v1.9.0: Gradle builder (beta)
- New: A Gradle builder to build Java projects and publish to Maven central.
v1.9.0: JReleaser builder
- New: A JReleaser builder that wraps the official JReleaser Action.
v1.8.0
Release v1.8.0 includes bug fixes and new features.
See the full change list.
v1.8.0: Generic Generator
- Added: A new
base64-subjects-as-filewas added to allow for specifying a large subject list.
v1.8.0: Node.js Builder (beta)
- Fixed: Publishing for non-scoped packages was fixed (See #2359)
- Fixed: Documentation was updated to clarify that the GitHub Actions
deploymentevent is not supported. - Changed: The file extension for the generated provenance file was changed
from
.sigstoreto.build.slsain order to make it easier to identify provenance files regardless of file format. - Fixed: The publish action was fixed to address an issue with the package name when using Node 16.
v1.7.0
This release includes the first beta release of the Container-based builder. The Container-based builder provides a GitHub Actions reusable workflow that can be used to invoke a container image with a user-specified command to generate an artifact and SLSA Build L3 compliant provenance.
v1.7.0: Go builder
- Added: A new go-version-file input was added. This allows you to specify a go.mod file in order to track which version of Go is used for your project.
v1.6.0
This release includes the first beta release of the Node.js builder. The Node.js builder provides a GitHub Actions reusable workflow that can be called to build a Node.js package, generate SLSA Build L3 compliant provenance, and publish it to the npm registry along with the package.
Summary of changes
Go builder
New Features
- A new
prereleaseinput was added to allow users to create releases marked as prerelease whenupload-assetsis set totrue. - A new input
draft-releasewas added to allow users to create releases marked as draft whenupload-assetsis set totrue. - A new output
go-provenance-nameadded which can be used to retrieve the name of the provenance file generated by the builder.
Generic generator
New Features
- A new input
draft-releasewas added to allow users to create releases marked as draft whenupload-assetsis set totrue.
Container generator
The Container Generator was updated to use cosign v2.0.0. No changes to the
workflow's inputs or outputs were made.
Changelog since v1.5.0
https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0
v1.5.0
Summary of changes
Go builder
New Features
- A new
upload-tag-nameinput was added to allow users to specify the tag name for the release whenupload-assetsis set totrue. - The environment variables included in provenance output were changed to include only those variables that are specified by the user in the slsa-goreleaser.yml configuration file in order to improve reproducibility. See #822 for more information and background.
Generic generator
New Features
- A new boolean
continue-on-errorinput was added which, when set totrue, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in theoutcomeoutput. - A new
upload-tag-nameinput was added to allow users to specify the tag name for the release whenupload-assetsis set totrue.
Container generator
New Features
- A new boolean
continue-on-errorinput was added which, when set totrue, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in theoutcomeoutput. - A new
repository-usernamesecret input was added to allow users to pass their repository username that is stored in a Github Actions encrypted secret. This secret input should only be used for high-entropy registry username values such as AWS Access Key. - Support was added for authenticating with Google Artifact Registry and Google Container Registry using Workload Identity Federation. Users can use this new feature by using the
gcp-workload-identity-providerandgcp-service-accountinputs
Changelog since v1.4.0
https://github.com/slsa-framework/slsa-github-generator/compare/v1.4.0...v1.5.0
v1.4.0
What's Changed
This release is the first Generally Available version of the Container Generator workflow. The Container Generator workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release (technically the second) with support for the generally available version of sigstore!! We hope to have fewer issues with sigstore infrastructure moving forward.
Generic Generator
Bug fixes
- Allow users of the Generic Generator to generate provenance for artifacts created in a project subdirectory (#1225)
Go Builder
Bug fixes
- Allow environment variables to contain '=' characters in the Go builder (#1231)
New Contributors
- @cfergeau made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1232
- @DanAlbert made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1239
- @gal-legit made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1252
Full Changelog
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0
v1.4.0-rc.2
*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.
What's Changed
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
New Contributors
- @cfergeau made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1232
- @DanAlbert made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1239
- @gal-legit made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1252
Full Changelog
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.2
v1.4.0-rc.1
*This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.
What's Changed
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
New Contributors
- @cfergeau made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1232
- @DanAlbert made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1239
- @gal-legit made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1252
Full Changelog
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.1
v1.4.0-rc.0
This is a pre-release. It is not meant for general consumption. The following is the proposed release notes for the official release.
What's Changed
This release is the first Generally Available version of the generic container workflow. The generic container workflow is now considered stable and can be included in your production GitHub Actions workflows
This is also the first release with support for the generally available version of sigstore!
This release also includes a couple of bug fixes:
- Allow users of the generic generator workflow to generate provenance using for artifacts created in a project subdirectory (#1225)
- Allow environment variables to contain '=' characters in the Go workflow (#1231)
New Contributors
- @cfergeau made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1232
- @DanAlbert made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1239
- @gal-legit made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1252
Full Changelog
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.2...v1.4.0-rc.0
v1.2.2
What's Changed
This release fixes issues with signing provenance due to a change in Sigstore TUF root certificates (#1163). This release also includes better handling of transient errors from the Rekor transparency logs.
New Contributors
- @suzuki-shunsuke made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1061
- @datosh made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1074
- @pnacht made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1187
- @dongheelee92 made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/1209
Full Changelog
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.1...v1.2.2
v1.2.1
DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #1163. Please upgrade to v1.2.2 or later.
What's Changed
This release fixes an error that occurs on the "Generate Builder" step for various workflows.
FAILED: SLSA verification failed: could not find a matching valid signature entry
See #942
Generic generator
buildType
This release changes the buildType used in provenance created by the generic generator.
The previous value was:
"buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
The new value is:
"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
See #627
Provenance file names
Previously the default file name for provenance was attestation.intoto.jsonl. This has been updated to be in line with intoto attestation file naming conventions. The file name now defaults to <artifact filename>.intoto.jsonl if there is a single artifact, or multiple.intoto.jsonl if there are multiple artifacts.
See #654
Explicit opt-in for private repos
Private repository support was enhanced to required the private-repository input field as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
private-repository: true
See #823
Go builder
Support private repos
Support for private repositories was fixed. If using a private repository you must specify the private-repository input field as the repository name will be made public in the public Rekor transparency log.
Please add the following to your workflows if you opt into allowing repository names to be recorded in the public Rekor transparency log.
with:
private-repository: true
See #823
New Contributors
- @sethmlarson made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/758
- @yunginnanet made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/776
- @diogoteles08 made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/957
Full Changelog
https://github.com/slsa-framework/slsa-github-generator/compare/v1.2.0...v1.2.1
v1.2.0
DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in #942. Please upgrade to v1.2.2 or later.
What's Changed
Generic generator
The highlight of this release is a new re-usable workflow called the "Generic generator". It lets users build artifacts on their own and generate a provenance that satisfies SLSA provenance 3 requirement. It's perfect to get started with SLSA with minimal changes to an existing build workflow. To use it, check the README.md!
Go builder
No changes.
New Contributors
- @naveensrinivasan made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/352
- @renovate-bot made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/401
- @rarkins made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/489
- @developer-guy made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/497
- @loosebazooka made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/573
Full Changelog
https://github.com/slsa-framework/slsa-github-generator/compare/v1.1.1...v1.2.0
v1.1.1
What's Changed
- Improve documentation
- Fix filename issue when resolving it with variables
- Add support for environment variables in artifact filename
New Contributors
- @joshuagl made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/199
- @mihaimaruseac made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/202
- @MarkLodato made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/312
- @chipzoller made their first contribution in https://github.com/slsa-framework/slsa-github-generator/pull/354
Full Changelog
https://github.com/slsa-framework/slsa-github-generator/compare/v1.0.0...v1.1.1
v1.0.0
What's Changed
This is the first official release of the generator. The first builder we are releasing is for Golang projects. To learn how to use it, see ./README.md#golang-projects
Contributors
@asraa @ianlewis @MarkLodato @joshuagl @laurentsimon