v0.11.0

@github-actions github-actions released this 25 Oct 11:04

This major release introduces complete SLSA Level 3 compliance building blocks, enabling cryptographic verification of build artifacts and supply chain security for your projects.

🎉 What's New

SLSA Level 3 Support

  • Automated Provenance: SLSA v0.2 attestations with complete build metadata
  • Keyless Signing: Sigstore integration with GitHub OIDC
  • Cache Verification: Cryptographic verification of artifacts
  • In-Flight Checksumming: TOCTU (time-of-check-to-time-of-use) attack prevention
  • Docker Export Mode: Signed container images via cache
  • CI/CD Command: New leeway plumbing sign-cache for separated workflows

Auto-Activation

Set provenance.slsa: true in WORKSPACE.yaml to automatically enable all SLSA L3 features:

provenance:
  enabled: true
  slsa: true

Docker Export Configuration

New 5-layer precedence: CLI flag → Environment variable → Package config → Workspace default → Global default

packages:
  - name: backend
    type: docker
    config:
      exportToCache: true  # Export for signing

⚠️ Breaking Changes

  • DockerPkgConfig.ExportToCache changed from bool to *bool (enables nil vs false distinction)
  • SLSA-enabled artifacts have different version hashes (includes provenance: version=3 slsa)
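As an added example (not leeway's own code) of why the ExportToCache change to *bool matters for the 5-layer precedence above: a resolver that walks CLI flag, environment variable, package config, workspace default and global default, and only falls through a layer when that layer is genuinely unset rather than explicitly false. ExportInputs, ResolveExportToCache and the layer labels are assumed names; DockerPkgConfig.ExportToCache is the type from the breaking change.

```go
package main

import "fmt"
import "strconv"

// DockerPkgConfig mirrors the breaking change: ExportToCache is *bool so an
// unset value (nil) is distinguishable from an explicit false.
type DockerPkgConfig struct {
	ExportToCache *bool
}

// ExportInputs collects the five precedence layers (field names are assumed,
// not leeway's). CLIFlag is nil when the flag was not passed; EnvValue is
// the raw variable string, "" when unset.
type ExportInputs struct {
	CLIFlag          *bool
	EnvValue         string
	Package          DockerPkgConfig
	WorkspaceDefault *bool
	GlobalDefault    bool
}

// ResolveExportToCache walks CLI flag > env var > package > workspace > global
// and reports which layer decided the result.
func ResolveExportToCache(in ExportInputs) (bool, string, error) {
	if in.CLIFlag != nil {
		return *in.CLIFlag, "cli", nil
	}
	if in.EnvValue != "" {
		v, err := strconv.ParseBool(in.EnvValue)
		if err != nil {
			return false, "env", fmt.Errorf("invalid boolean %q: %w", in.EnvValue, err)
		}
		return v, "env", nil
	}
	if in.Package.ExportToCache != nil {
		return *in.Package.ExportToCache, "package", nil
	}
	if in.WorkspaceDefault != nil {
		return *in.WorkspaceDefault, "workspace", nil
	}
	return in.GlobalDefault, "global", nil
}

func main() {
	// Constructed case: package opts out (false) while workspace defaults to true.
	off, on := false, true
	v, layer, err := ResolveExportToCache(ExportInputs{Package: DockerPkgConfig{ExportToCache: &off}, WorkspaceDefault: &on})
	fmt.Println(v, layer, err) // false package <nil>
}
```

With a plain bool field the package's explicit false would be indistinguishable from "unset" and the workspace default of true would win; the pointer makes the opt-out stick.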

🔧 Other Improvements

  • Configurable SBOM parallelism (defaults to CPU cores)
  • Enhanced S3 cache with better concurrency
  • Comprehensive test coverage and performance benchmarks
  • Improved error handling and logging

PRs

  • CLC-1361: Ignore ephemeral packages during scanning by @geropl in #231
  • Fix devcontainer configuration drift by @akosyakov in #232
  • Make builddir reporting beautiful by @csweichel in #233
  • feat: add configurable SBOM parallelism with CPU core default by @WVerlaek in #240
  • Implement SLSA Level 3 Cache Verification by @leodido in #242
  • feat: add in-flight checksumming to prevent TOCTU attacks on build artifacts by @leodido in #243
  • feat: cache artifact signing command with Sigstore integration by @leodido in #244
  • feat: add environment variable support for in-flight checksumming by @leodido in #245
  • build: upgrade anchore dependencies to fix mapstructure compatibility by @leodido in #246
  • feat: SLSA features (in-flight checksumming + cache artifact signing) by @leodido in #257
  • test: comprehensive sign-cache and cache resilience test suite by @leodido in #247
  • feat: enable Docker image export to cache instead of direct push by @leodido in #248
  • test(integration): add integration tests for Docker export to cache by @leodido in #249
  • ci: support release candidates by @leodido in #251
  • feat: auto-enable SLSA L3 features when provenance.slsa is true by @leodido in #250
  • fix(signing): explicitly fetch GitHub OIDC token for Sigstore by @leodido in #252

Full Changelog: v0.10.5...v0.11.0