| AArch64 | |
| ppc64le | |
| s390x | |
| x86-64 |
- Update to version 0.3.0: * Bump github.com/sigstore/sigstore from 1.8.8 to 1.8.9 in the all group * Bump actions/upload-artifact from 4.3.6 to 4.4.0 in the all group * Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 in the all group * Bump github.com/sigstore/cosign/v2 from 2.3.0 to 2.4.0 * Bump the all group with 2 updates * Bump actions/upload-artifact from 4.3.5 to 4.3.6 in the all group * Bump actions/upload-artifact from 4.3.4 to 4.3.5 in the all group * test: add a leading slash to repository_url * Update pkg/ctl/implementation.go * Fix OCI repository URL resolution * Bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 in the all group * Bump github.com/docker/docker in the go_modules group * Bump sigs.k8s.io/release-utils from 0.8.3 to 0.8.4 in the all group * Bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0 * Bump softprops/action-gh-release from 2.0.7 to 2.0.8 in the all group * update go.mod to 1.22.5 * update golanci-lint * Bump github.com/google/go-containerregistry in the all group * Bump softprops/action-gh-release from 2.0.6 to 2.0.7 in the all group * Bump github.com/sigstore/sigstore from 1.8.6 to 1.8.7 in the all group * Improve the generated template README * Add support to vulnerability aliases * Fix Copyright in Boilerplates * Bump actions/setup-go from 5.0.1 to 5.0.2 in the all group * Bump google.golang.org/grpc in the go_modules group * Bump github.com/google/go-containerregistry from 0.19.2 to 0.20.0 * Bump sigs.k8s.io/release-utils from 0.8.2 to 0.8.3 in the all group * Prevent from specifying subcomponents when multiple products are defined * fix(create): support multiple --product flags * Bump go to 1.22.4 * Bump github.com/sigstore/sigstore in the all group across 1 directory * Bump actions/upload-artifact from 4.3.3 to 4.3.4 in the all group * Bump github.com/hashicorp/go-retryablehttp in the go_modules group * Bump softprops/action-gh-release from 2.0.5 to 2.0.6 in the all group * Bump ko-build/setup-ko from 0.6 to 0.7 in the all group * Bump the all group with 2 updates * Bump actions/checkout from 4.1.6 to 4.1.7 in the all group * Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 * update installation methods with homebrew * Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 in the all group * Bump github.com/package-url/packageurl-go in the all group * Bump actions/checkout from 4.1.5 to 4.1.6 in the all group * Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 in the all group * Bump golangci/golangci-lint-action from 6.0.0 to 6.0.1 in the all group * Bump sigs.k8s.io/release-utils from 0.8.1 to 0.8.2 in the all group * Bump golangci/golangci-lint-action from 5.3.0 to 6.0.0 * Bump softprops/action-gh-release from 2.0.4 to 2.0.5 in the all group * Bump the all group with 2 updates * Bump actions/setup-go from 5.0.0 to 5.0.1 in the all group * Bump kubernetes-sigs/release-actions in the all group * Bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 in the all group * Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 * Bump actions/checkout from 4.1.3 to 4.1.4 in the all group * Bump actions/upload-artifact from 4.3.2 to 4.3.3 in the all group * Bump actions/checkout from 4.1.2 to 4.1.3 in the all group * Bump golang.org/x/net from 0.22.0 to 0.23.0 in the go_modules group * Bump actions/upload-artifact from 4.3.1 to 4.3.2 in the all group * Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 in the all group * Bump github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4 * Bump sigs.k8s.io/release-utils from 0.8.0 to 0.8.1 in the all group * Add support for Golang GO-* vulnerability identifier * Bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.0 * Bump the all group with 1 update * run attest in prs to test the entire release flow * Bump the all group with 1 update * Bump the all group with 1 update * fix lints * group dependabot updates * upgrade to go1.22 * Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 * Bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 * Bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 * Bump github.com/docker/docker * Bump kubernetes-sigs/release-actions from 0.1.3 to 0.1.4 * Bump github.com/google/go-containerregistry from 0.19.0 to 0.19.1 * Update release.yaml * Bump softprops/action-gh-release from 2.0.3 to 2.0.4 * Bump actions/checkout from 4.1.1 to 4.1.2 * Bump softprops/action-gh-release from 1 to 2 * Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 * Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 * Bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 * Bump github.com/sigstore/rekor from 1.3.4 to 1.3.5 * Bump github.com/sigstore/cosign/v2 from 2.2.2 to 2.2.3 * Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 * Bump github.com/google/go-containerregistry from 0.18.0 to 0.19.0 * Bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 * Bump github.com/google/go-containerregistry from 0.17.0 to 0.18.0 * Bump kubernetes-sigs/release-actions from 0.1.2 to 0.1.3 * Bump github.com/sigstore/sigstore from 1.7.6 to 1.8.0 * Fix linter errors
- Update to version 0.2.6: * Add generate test fixtures * Add generate subcommand * Add generate --init test * Add generate --init flag * Only read openvex files as templates * vexctl generate * Add Generate method * Add ReadTemplateData() function * Bump sigstore/cosign-installer from 3.2.0 to 3.3.0 * Bump actions/setup-go from 4.1.0 to 5.0.0 * go mod tidy * Attach: Add OCI annotations for keyless verification * Sign: Upload to tlog and capture sig data * Bump github.com/sigstore/cosign/v2 from 2.2.1 to 2.2.2 * Update examples to v0.2.0 * add: Split out of cmd validation logic * addOptions validation test * vexctl add: Fix bug when writing docs in-place * Bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 * Move release actions to kubernetes-sigs * Bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0 * add boilerplate headers * add snapshot job * cleanup * add sboms and revamp the provanance with k8s-release actions tools * bump golangci-lint to v1.55.x
- Update to version 0.2.5: * Bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7 * Bump github.com/sigstore/cosign/v2 from 2.2.0 to 2.2.1 * Bump sigstore/cosign-installer from 3.1.2 to 3.2.0 * Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 * Bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6 * Bump github.com/sigstore/sigstore from 1.7.4 to 1.7.5 * update version comments * Bump actions/checkout from 4.1.0 to 4.1.1 * Bump github.com/sigstore/sigstore from 1.7.3 to 1.7.4 * Attest: Add refs flag, improve help and command * Split intoto subj normlzatn into image and other * Reuse hashes from existing VEX products * Reuse purl hashes in product * Bump sigs.k8s.io/release-utils from 0.7.4 to 0.7.5 * Update README examples to v0.2.0 * Bump github.com/package-url/packageurl-go from 0.1.1 to 0.1.2 * Bump actions/checkout from 4.0.0 to 4.1.0 * Factor out document write logic * Add add subcommand * Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 * fix lints * upgrade to go1.21 * Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 * Add options validation tests * Make out file option reusable * Create vex statements from st options * Refactor commands and options * Bump actions/checkout from 3.6.0 to 4.0.0 * Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 * Bump github.com/sigstore/sigstore from 1.7.2 to 1.7.3 * Bump github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.0 * Update show to list * show subcommand creation for review * go.mod: Pull go-vex@v0.2.5 * Revamp tests for v0.2.2 add more fixtures * Update vexctl implementation to v0.2.0 * Update vexctl create to v0.2.0 * Rename test fixtures to versioned filenames * Drop depguard from golangci lint * Bump actions/checkout from 3.5.3 to 3.6.0 * Bump slsa-framework/slsa-github-generator from 1.8.0 to 1.9.0 * Update SARIF filtering examples * Update verify.yaml * Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 * Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 * Bump github.com/sigstore/sigstore from 1.7.1 to 1.7.2 * Bump actions/setup-go from 4.0.1 to 4.1.0 * Bump slsa-framework/slsa-github-generator from 1.7.0 to 1.8.0 * Bump github.com/google/go-containerregistry from 0.15.2 to 0.16.1
- Update to version 0.2.3: * Rename artifacts to vexctl * refactor release job * fix deprecated flag * Add ko installer to release workflow * Add missing ldflags script * go.mod: Pull go-vex v0.2.1 * Drop deprecated vex.StatementFromID * Bump github.com/secure-systems-lab/go-securesystemslib * Fix --subcomponents flag * Add support for PRISMA- identifiers * Bump github.com/sigstore/cosign/v2 from 2.1.0 to 2.1.1 * Bump sigstore/cosign-installer from 3.1.0 to 3.1.1 * Bump sigstore/cosign-installer from 3.0.5 to 3.1.0 * Bump github.com/sigstore/cosign/v2 * Bump github.com/sigstore/sigstore from 1.7.0 to 1.7.1 * Pull go-vex @ HEAD * Use vex.Open instead of vex.Load to support multi format vex * Add initial CSAF example files * Add OpenVEX examples * vexctl create: add --impaact-statement * filter: Drop debug messages, improve output * Add RUSTSEC, GHSA, RHSA to known identifiers * Bump github.com/package-url/packageurl-go from 0.1.0 to 0.1.1 * Bump github.com/sigstore/sigstore from 1.6.5 to 1.7.0 * Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 * Bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 * Bump actions/checkout from 3.5.2 to 3.5.3 * Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 * Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 * Bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 * Bump github.com/sigstore/sigstore from 1.6.4 to 1.6.5 * Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 * Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 * Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 * Bump github.com/google/go-containerregistry from 0.15.1 to 0.15.2 * Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 * Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 * Bump sigs.k8s.io/release-utils from 0.7.3 to 0.7.4 * Bump actions/setup-go from 4.0.0 to 4.0.1 * fix lints * bump to go 1.20 and update some dependencies * Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 * Bump github.com/sigstore/sigstore from 1.6.3 to 1.6.4 * Bump github.com/in-toto/in-toto-golang from 0.8.0 to 0.9.0 * Bump github.com/sigstore/cosign/v2 from 2.0.1 to 2.0.2 * Bump github.com/in-toto/in-toto-golang from 0.7.1 to 0.8.0 * Bump github.com/sigstore/sigstore from 1.6.2 to 1.6.3 * Bump sigstore/cosign-installer from 3.0.2 to 3.0.3 * Bump actions/checkout from 3.5.1 to 3.5.2 * Bump actions/checkout from 3.5.0 to 3.5.1 * Bump github.com/sigstore/sigstore from 1.6.1 to 1.6.2 * Bump sigstore/cosign-installer from 3.0.1 to 3.0.2 * Bump github.com/sigstore/cosign/v2 * Bump github.com/sigstore/sigstore from 1.6.0 to 1.6.1 * Bump github.com/in-toto/in-toto-golang from 0.7.0 to 0.7.1 * Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 * Bump actions/checkout from 3.4.0 to 3.5.0 * Bump actions/setup-go from 3.5.0 to 4.0.0 * Bump github.com/google/go-containerregistry * Bump actions/checkout from 3.3.0 to 3.4.0 * set cosign yes env var * Bump sigstore/cosign-installer from 2.8.1 to 3.0.1 * update dependencies and cosign to v2 * Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 * Bump slsa-framework/slsa-github-generator from 1.4.0 to 1.5.0 * Bump github.com/sigstore/sigstore from 1.5.1 to 1.5.2 * Bump github.com/in-toto/in-toto-golang * Bump github.com/openvex/go-vex * Fix broken parameters * Fix examples based on actual command output * Update maintainers to match community * Add boilerplate to newfile * Add unit test to references verifier * Ensure attested refs are in doc * --attach implies --sign * Update attest subcm help * Drop attestation targets from CLI * Add test for ListDocumentProducts * Rework attestation code * go mod: pull purl module * Add images test document * Add test for NormalizeImageRefs * Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 * Fix exmple and testdata * Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 * Bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 * fix: missing metadata on document merge * small fixes * add provenance and refactor release job * build vexctl image using ko * Add initial MAINTAINERS.md * update license headers * More improvements to README * Update README * Bump github.com/sigstore/sigstore from 1.5.0 to 1.5.1