v0.5.4

What's Changed

• pin action by @cpanato in #942
• update permissions doc by @cpanato in #944
• hosted_zone_logging_enabled to false by @cpanato in #957
• feat: Optional EVENT_INGRESS_URI by @yagihash in #950
• set require_team to false in the gclb by @cpanato in #973
• fix prober missing variable by @cpanato in #977
• Exchange: Return InvalidArgument if scope or identity are missing by @wlynch in #1001
• revert sdk bump to v0.1.39 by @cpanato in #1006
• add new field to the bq schema by @cpanato in #1012
• add event_name to the claim_pattern struct by @cpanato in #1015
• add repository in the claim_pattern schema by @cpanato in #1017
• upgrade sdk to v0.1.40 and keep the deprecated function for now by @cpanato in #1008
• add timestamp field to event for better debugging by @k4leung4 in #1029
• Treat foo/.github scope the same as foo. by @mattmoor in #1055
• bump github.com/bradleyfalzon/ghinstallation/v2 and go-github by @cpanato in #1074
• Fix error message order in trust policy pattern matching by @tcnghia in #1099
• Add jsonschema for autocomplete. by @wlynch in #1094
• Fix link to raw GitHub content in README. by @wlynch in #1108
• [bugfix] fix loading app secret cert from env var by @jeffgran-dox in #1085
• check if err.Response is not nil by @cpanato in #1154
• update CI and add .go-version and .terraform-version by @cpanato in #1153
• bump versions by @cpanato in #1171

And several dependencies updates

New Contributors

• @yagihash made their first contribution in #950
• @tcnghia made their first contribution in #1099
• @jeffgran-dox made their first contribution in #1085

Full Changelog: v0.5.3...v0.5.4

v0.5.3

What's Changed

Fix

• Unauthenticated SSRF with HTTP Response Reflection in OIDC Flow (CVE-2025-52477): GHSA-h3qp-hwvr-9xcq

Full Changelog: v0.5.2...v0.5.3

v0.5.2

What's Changed

• Add exponential backoff retry logic to OIDC provider initialization by @mgreau in #928

New Contributors

• @mgreau made their first contribution in #928

Full Changelog: v0.5.1...v0.5.2

v0.5.1

What's Changed

• update doc permission by @cpanato in #918
• Drop noisy logging by @egibs in #919

New Contributors

• @egibs made their first contribution in #919

Full Changelog: v0.5.0...v0.5.1

v0.5.0

What's Changed

• add initial release cadence and permissions update by @cpanato in #484
• Support for custom audience by @pdeslaur in #508
• Update go to 1.23 and terraform to 1.9 by @cpanato in #535
• add new field to bq by @cpanato in #540
• add new field to bq (audience_pattern) by @cpanato in #541
• add new field to bq (audience) by @cpanato in #542
• Plumb through a deletion protection option. by @mattmoor in #544
• add github verify check mark by @cpanato in #572
• document current github permissions enabled by @cpanato in #582
• fix: wording for trust policy not found error by @luhring in #585
• Add exchange unit testing. by @wlynch in #588
• ignore sts policy validation if the file is removed by @cpanato in #589
• set require_squad to false by @cpanato in #607
• add require_squad and set to false by @cpanato in #616
• add new field to the bq schema by @cpanato in #703
• update list of active permissions by @cpanato in #717
• Leverage GRPC errors in CheckToken. by @mattmoor in #737
• bump dependencies and upgrade to go1.24 by @cpanato in #770
• Bump the all group across 1 directory with 4 updates by @cpanato in #788
• pin reviewdog/action-tflint github action to full-length commit SHA by @eslerm in #811
• update octo-sts permission list by @cpanato in #818
• remove insecure.NewCredentials by @imjasonh in #821
• Revert "remove insecure.NewCredentials (#821)" by @imjasonh in #822
• app: remove insecure transport credentials by @wlynch in #823
• Revert "app: remove insecure transport credentials (#823)" by @wlynch in #824
• Dependencies update / ci clean up by @cpanato in #843
• Add best practices to README by @wlynch in #891
• update permissions doc page by @cpanato in #898
• handle and reply when accessing / by @cpanato in #745

pluse several dependabot updates

New Contributors

• @pdeslaur made their first contribution in #508
• @luhring made their first contribution in #585
• @eslerm made their first contribution in #811

Full Changelog: v0.4.2...v0.5.0

v0.4.2

What's Changed

• Fix yaml tag parsing by @wlynch in #486
• Fix webhook filter envvar. by @wlynch in #487
• Fix panic on successful policy validation where err == nil. by @wlynch in #488
• Remove webhook filter from deployed config by @wlynch in #489

Full Changelog: v0.4.1...v0.4.2

v0.4.1

What's Changed

• Fix github webhook secret envvar name. by @wlynch in #485

Full Changelog: v0.4.0...v0.4.1

v0.4.0

What's Changed

• Ignore "Abnormal KMS Access" for GetIamPolicy by @imjasonh in #443
• Bump chainguard/tf-common-infra to 0.6.74 by @wlynch in #472
• feat: allow webhook to use env vars or cert files for github app secret by @karlhaworth in #470
• if we got a zerohash get the contents of the directory that we are interested by @cpanato in #309
• Add org filter to webhook. by @wlynch in #476

Full Changelog: v0.3.1...v0.4.0

v0.3.1

What's Changed

• Bump chainguard-dev/common/infra from 0.6.19 to 0.6.60 in /iac/bootstrap in the all group across 1 directory by @dependabot in #425
• fix: environment variable app secret by @karlhaworth in #432
• Bump google.golang.org/api from 0.189.0 to 0.190.0 by @dependabot in #431

Full Changelog: v0.3.0...v0.3.1

v0.3.0

What's Changed

• Pull the GCLB and DNS out of the app module by @mattmoor in #284
• Bump chainguard-dev/common/infra from 0.6.18 to 0.6.19 in /iac in the all group by @dependabot in #273
• Bump chainguard-dev/common/infra from 0.6.18 to 0.6.19 in /iac/bootstrap in the all group by @dependabot in #277
• Add a webhook to validate trust policies by @mattmoor in #285
• only run deploy if is the upstream repo by @cpanato in #295
• update go-github to v61 and github.com/bradleyfalzon/ghinstallation to align the versions by @cpanato in #294
• Add several fields to DTS schema by @mattmoor in #403
• Bump the all group across 1 directory with 6 updates by @dependabot in #404
• Bump chainguard-dev/common/infra from 0.6.18 to 0.6.52 in /modules/app in the all group across 1 directory by @dependabot in #402
• Bump chainguard-dev/common/infra from 0.6.18 to 0.6.52 in /iac in the all group across 1 directory by @dependabot in #401
• feat: allow flexible options for github app secret and metrics by @karlhaworth in #412
• Dependabot/go modules/all 373d5795f5 by @wlynch in #429
• Bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 in the all group by @dependabot in #427
• Bump the all group across 1 directory with 2 updates by @dependabot in #430
• Bump chainguard-dev/common/infra from 0.6.52 to 0.6.60 in /iac in the all group across 1 directory by @dependabot in #421

New Contributors

• @karlhaworth made their first contribution in #412
• @wlynch made their first contribution in #429

Full Changelog: v0.2.0...v0.3.0