slsa-verifier
Verify provenance from SLSA compliant builders
Renovatebot is inundating us with hash updates. Until https://github.com/renovatebot/renovate/issues/4404 is landed, I would like to propose that for unprivileged workflows (no write permissions AND no secrets), we use floating tags instead....
c/f https://github.com/slsa-framework/slsa-verifier/pull/132 Version 1.0.0 required a fix after a Rekor change, and this backported fix needs to be added to older releases. In order to support backports, we need to:...
It would be nice to use a logging library or a more standard way to log errors, especially with good formatting.
We can use https://github.com/sigstore/sigstore-maven-plugin as an example.
This is something @asraa proposed in the past but I'm not able to find the issue, so creating this one. We currently hardcode builders. It's fine to have a pre-defined...
To make the verifier accessible to everyone easily, we could have a REST/gRPC API to verify as a service. Possible use cases: - OSSF or another org runs a verifier...
Hi! This PR relates to the discussion from #806 regarding the Node16 deprecation notice. During this we talked about adding support for multiple OSes, as well as addressing the caching...
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/sigstore/sigstore-go](https://redirect.github.com/sigstore/sigstore-go) | `v0.5.1` -> `v0.6.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/)...
I noticed that the installer Action is still using Node16 and throws a warning at users since it has been deprecated. Would it be possible to bump this to Node20?...
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang.org/x/exp | require | digest | `7f521ea` -> `701f63a` | --- ### Configuration...