Skip to content

Update slsa-framework/slsa-github-generator action to v2 #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 4, 2025
Merged

Update slsa-framework/slsa-github-generator action to v2 #2

merged 1 commit into from
Aug 4, 2025

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jul 25, 2025

This PR contains the following updates:

Package Type Update Change
slsa-framework/slsa-github-generator action major v1.4.0 -> v2.1.0

Release Notes

slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)

v2.1.0

Compare Source

v2.1.0: Sigstore Bundles for Generic Generator and Go Builder

The workflows generator_generic_slsa3.yml and builder_go_slsa3.yml
have been updated to produce signed Sigstore Bundles, just like all the other builders
that use the BYOB framework.

The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on
https://search.sigstore.dev/.

v2.1.0: Vars context recorded in provenance
  • Updated: GitHub vars context is now recorded in provenance for the generic and
    container generators. The vars context cannot affect the build in the Go
    builder so it is not recorded.

v2.0.0

Compare Source

v2.0.0: Breaking Change: upload-artifact and download-artifact
  • Our workflows now use the new @v4s of actions/upload-artifact and
    actions/download-artifact, which are incompatiblle with the prior @v3. See
    Our docs on the generic generator
    for more information and how to upgrade.
v2.0.0: Breaking Change: attestation-name Workflow Input and Output
  • attestation-name as a workflow input to
    .github/workflows/generator_generic_slsa3.yml is now removed. Use
    provenance-name instead.
v2.0.0: DSSE Rekor Type
  • When uploading signed provenance to the log, the entry created in the log is now
    a DSSE Rekor type. This fixes a bug where the current intoto type does not
    persist provenance signatures. The attestation will no longer be persisted
    in Rekor (#​3299)

v1.10.0

Compare Source

Release v1.10.0 includes bug fixes and new features.

See the full change list.

v1.10.0: TUF fix
  • The cosign TUF roots were fixed (#​3350).
    More details here.
v1.10.0: Gradle Builder
  • The Gradle Builder was fixed when the project root is the same as the
    repository root (#​2727)
v1.10.0: Go Builder
  • The go-version-file input was fixed so that it can find the go.mod file
    (#​2661)
v1.10.0: Container Generator
  • A new provenance-repository input was added to allow reading provenance from
    a different container repository than the image itself (#​2956)

v1.9.1

Compare Source

This is an un-finalized release.

See the CHANGELOG for details.

v1.9.0

Compare Source

Release [v1.9.0] includes bug fixes and new features.

See the full change list.

v1.9.0: BYOB framework (beta)
  • New: A new framework to turn GitHub Actions into SLSA compliant builders.
v1.9.0: Maven builder (beta)
  • New: A Maven builder to build Java projects and publish to Maven central.
v1.9.0: Gradle builder (beta)
  • New: A Gradle builder to build Java projects and publish to Maven central.
v1.9.0: JReleaser builder

v1.8.0

Compare Source

Release [v1.8.0] includes bug fixes and new features.

See the full change list.

v1.8.0: Generic Generator
v1.8.0: Node.js Builder (beta)
  • Fixed: Publishing for non-scoped packages was fixed (See
    #​2359)
  • Fixed: Documentation was updated to clarify that the GitHub Actions
    deployment event is not supported.
  • Changed: The file extension for the generated provenance file was changed
    from .sigstore to .build.slsa in order to make it easier to identify
    provenance files regardless of file format.
  • Fixed: The publish action was fixed to address an issue with the package
    name when using Node 16.

v1.7.0

Compare Source

This release includes the first beta release of the
Container-based builder.
The Container-based builder provides a GitHub Actions reusable workflow that can
be used to invoke a container image with a user-specified command to generate an
artifact and SLSA Build L3 compliant provenance.

v1.7.0: Go builder
  • Added: A new
    go-version-file
    input was added. This allows you to specify a go.mod file in order to track
    which version of Go is used for your project.

v1.6.0

Compare Source

This release includes the first beta release of the
Node.js builder.
The Node.js builder provides a GitHub Actions reusable workflow that can be
called to build a Node.js package, generate SLSA Build L3 compliant provenance,
and publish it to the npm registry along with the package.

Summary of changes
Go builder
New Features
  • A new
    prerelease
    input was added to allow users to create releases marked as prerelease when
    upload-assets is set to true.
  • A new input draft-release was added to allow users to create releases marked
    as draft when upload-assets is set to true.
  • A new output go-provenance-name added which can be used to retrieve the name
    of the provenance file generated by the builder.
Generic generator
New Features
  • A new input draft-release was added to allow users to create releases marked
    as draft when upload-assets is set to true.
Container generator

The Container Generator was updated to use cosign v2.0.0. No changes to the
workflow's inputs or outputs were made.

Changelog since v1.5.0

v1.5.0

Compare Source

Summary of changes
Go builder
New Features
  • A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
  • The environment variables included in provenance output were changed to include only those variables that are specified by the user in the slsa-goreleaser.yml configuration file in order to improve reproducibility. See #​822 for more information and background.
Generic generator
New Features
  • A new boolean continue-on-error input was added which, when set to true, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the outcome output.
  • A new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true.
Container generator
New Features
Changelog since v1.4.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@ahmed734105204 ahmed734105204 merged commit c3f7f2a into main Aug 4, 2025
1 check passed
@renovate renovate bot deleted the renovate/slsa-framework-slsa-github-generator-2.x branch August 4, 2025 16:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ahmed734105204