steampipe-plugin-github icon indicating copy to clipboard operation
steampipe-plugin-github copied to clipboard

Published 20 hours ago verified publisher icon turbot

Bump github.com/buildkite/go-pipeline from 0.3.1 to 0.10.0

Open dependabot[bot] opened this issue 7 months ago • 0 comments

Bumps github.com/buildkite/go-pipeline from 0.3.1 to 0.10.0.

Release notes

Sourced from github.com/buildkite/go-pipeline's releases.

v0.10.0

v0.10.0 (2024-06-25)

Full Changelog

⚠️ This release has some breaking changes to the signature subpackage.

All the following functions now take as their first param a context.Context, as well as the following changes.

The signature of signature.Sign function has changed to no longer take env map[string]string but instead use signature.WithEnv(env) as an option.

-func Sign(key jwk.Key, env map[string]string, sf SignedFielder) (*pipeline.Signature, error)
+func Sign(_ context.Context, key jwk.Key, sf SignedFielder, opts ...Option) (*pipeline.Signature, error)

The signature of signature.Verify function has also changed to take signature.WithEnv(env) as an option instead of env map[string]string.

-func Verify(s *pipeline.Signature, keySet jwk.Set, env map[string]string, sf SignedFielder)
+func Verify(ctx context.Context, s *pipeline.Signature, keySet jwk.Set, sf SignedFielder, opts ...Option) error

The signature of signature.SignSteps function has also changed to take signature.WithEnv(env) as an option instead of env map[string]string.

-func SignSteps(s pipeline.Steps, key jwk.Key, env map[string]string, repoURL string)
+func SignSteps(ctx context.Context, s pipeline.Steps, key jwk.Key, repoURL string, opts ...Option) error

Added

The following were added to the signature subpackage.

func WithEnv(env map[string]string) Option
func WithLogger(logger Logger) Option
func WithDebugSigning(debugSigning bool) Option
  • WithLogger enables logging public key thumbprints when signing and verifying steps
  • WithDebugSigning will enable debugging for signing steps. When this is enabled, along with WithLogger, will log step payloads before they are signed to assist in debugging verification failures
    • This is intended for development purposes
    • During step upload using signing this will log step payloads to the jobs log which could leak secrets to those with access to your Buildkite build page ⚠️
    • During step verification at the start of all signed jobs this will log the step payloads to the agent log

Removed

-func SignPipeline(p *pipeline.Pipeline, key jwk.Key, repo string) error

Call SignSteps instead.

Changed

  • (Described above) Log public key fingerprint in debug, log step payload in signing-debug #39 (@​patrobinson)

... (truncated)

Commits
  • 5e62e6c Merge pull request #42 from buildkite/josh-cleanups
  • 81faeec Delete SignPipeline
  • 3b5a1f4 Merge pull request #41 from buildkite/josh-cleanups
  • 2e6f3cb Replace mock logger with fake logger
  • 438c05f Fix inconsistent test error messages
  • 0f70318 Flatten debug log implementation
  • 5cb116b Pass ctx idiomatically
  • 14f1de0 Merge pull request #40 from buildkite/dependabot/go_modules/github.com/lestrr...
  • d66b4ec Merge pull request #39 from buildkite/debug-signature
  • 16b9498 Revert "Dont return error for failed key thumbprint, log message instead"
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Jul 01 '24 02:07 dependabot[bot]