Releases: gitpod-io/leeway

v0.15.0-rc5

23 Nov 11:58

Pre-release

Changelog

  • 72c405f fix: add backward compatibility for missing provenance bundles
  • c103fb2 fix: add git initialization to TestDockerPackage_ExportToCache_Integration
  • 61f08fe fix: extract digest from OCI layout for SLSA provenance
  • f98b2e8 fix: support SBOM generation with OCI layout export
  • d0c01ae fix: support container extraction with OCI layout export
  • 3bf7c45 fix: upload and download provenance bundles in S3 cache
  • 3a42cb4 refactor: add dedicated helpers for provenance bundle operations

v0.15.0-rc3

20 Nov 23:27

Pre-release

Changelog

  • b12cf22 fix: support container extraction with OCI layout export

v0.15.0-rc2

20 Nov 19:22

Pre-release

Changelog

  • c4e9408 fix: extract digest from OCI layout for SLSA provenance

v0.15.0-rc1

20 Nov 17:11

Pre-release

Changelog

  • c856dab build(deps): Bump golang.org/x/crypto from 0.42.0 to 0.45.0
  • c9c3898 feat!: bump provenance version and remove tar.gz fallback
  • 4dbea33 feat(ci): add integration tests workflow
  • d153ac3 feat(docker): pass SOURCE_DATE_EPOCH as build arg for deterministic images
  • 942eb06 feat(docker): use OCI layout for deterministic image caching
  • 5d71f0e feat: export SOURCE_DATE_EPOCH for build commands
  • a2e0218 fix(ci): add -v flag to show determinism verification output
  • 2667fac fix(docker): use deterministic timestamp in docker-export-metadata.json
  • 6bc7552 fix(test): update dummyDocker mock to handle OCI layout export
  • d68c06b fix: bump DockerPackage buildProcessVersion for OCI layout format change
  • a45d5b0 fix: correct git timestamp retrieval and integration test issues
  • cdb2518 fix: move provenance handling after packaging phase
  • 809bc88 fix: update integration tests for OCI layout compatibility
  • 162be1f refactor: remove provenance from tar.gz packaging
  • 474d783 refactor: use ProvenanceBundleFilename constant

v0.14.0

18 Nov 19:05

What's Changed

  • fix(signing): skip attestation upload when artifact exists by @leodido in #280
  • feat(sbom): normalize SBOMs for deterministic builds by @leodido in #281
  • feat(tar): add deterministic mtime for tar archives by @leodido in #282

Full Changelog: v0.13.2...v0.14.0

v0.13.2

17 Nov 09:33

What's Changed

  • feat(sign-cache): increase default concurrency and add configurability by @leodido in #277
  • fix(signing): use protojson.Marshal for standard Sigstore Bundle format by @leodido in #275
  • fix(cache): use sigstore-go for attestation bundle support by @leodido in #276

Full Changelog: v0.13.1...v0.13.2

v0.13.1

13 Nov 19:49

What's Changed

  • fix(build): improve logging and status reporting for cache operations by @leodido in #273
  • fix(build): correct total count in build summary by @leodido in #274

Full Changelog: v0.13.0...v0.13.1

v0.13.0

11 Nov 18:01

What's Changed

  • fix: make gzip compression deterministic by @leodido in #262
  • fix: avoid re-uploading downloaded artifacts in sign-cache by @leodido in #263
  • test: remove flaky TestS3Cache_VerificationOverhead by @leodido in #265
  • fix: extract builder ID from OIDC by @leodido in #264
  • Bump github.com/hashicorp/go-getter from 1.7.8 to 1.7.9 by @dependabot[bot] in #238

Full Changelog: v0.12.0...v0.13.0

v0.13.0-rc4

11 Nov 17:34

Pre-release

Changelog

  • 3ecf8b3 Add comprehensive tests for artifact upload behavior
  • 2d1fb81 Avoid re-uploading downloaded artifacts in sign-cache
  • 16ee59d Bump github.com/hashicorp/go-getter from 1.7.8 to 1.7.9
  • 5447815 Fix non-deterministic gzip compression
  • 2debc63 build(deps): Bump github.com/containerd/containerd from 1.7.26 to 1.7.29
  • 819464d build(deps): Bump github.com/opencontainers/runc from 1.1.10 to 1.2.8
  • 95ff8c8 build(deps): Bump github.com/opencontainers/selinux
  • 8932b3a build(deps): revert to v0.12.0 dependencies for v0.13.0 release
  • bd51715 docs(signing): clarify Fulcio's role in builder ID extraction
  • 7c393af feat(signing): enforce strict OIDC extraction, remove fallback
  • cfc3325 feat(signing): support top-level job_workflow_ref claim as fallback
  • a1d91f4 fix(lint): check error return value in test mock server
  • b467877 fix(lint): check error return values in signing package
  • 8b49f6a fix(pkg/leeway/signing): extract builder ID from OIDC
  • ffb6270 fix(signing): validate whitespace-only sub claims
  • 74d751f refactor(test): consolidate extractJobWorkflowRef test functions
  • 666b52e refactor(test): encapsulate expected values in want struct
  • c180092 refactor(test): replace os.Setenv with t.Setenv for automatic cleanup
  • 130268b refactor(test): use cmp.Diff for struct comparisons
  • ddea58c test(pkg/leeway/signing): test the extraction of job_workflow_ref/builder ID from OIDC sub claims

v0.12.0

29 Oct 15:26

What's Changed

  • feat(slsa): add RequireAttestation configuration for strict SLSA verification by @leodido in #259

Full Changelog: v0.11.0...v0.12.0