v0.2.1

⚠️ Warning ⚠️

go modules have been renamed from github.com/testifysec/go-witness => github.com/in-toto/go-witness

What's Changed

• Create SECURITY.md by @jkjell in #107
• chore: bump github/codeql-action from 2.22.9 to 3.22.11 by @dependabot in #110
• chore: bump actions/download-artifact from 3.0.2 to 4.0.0 by @dependabot in #112
• chore: bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #111
• chore: bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #115
• chore: bump github.com/go-git/go-git/v5 from 5.5.2 to 5.11.0 by @dependabot in #119
• chore: bump github/codeql-action from 3.22.11 to 3.22.12 by @dependabot in #118
• chore: bump actions/download-artifact from 4.0.0 to 4.1.0 by @dependabot in #117
• chore: bump k8s.io/apimachinery from 0.26.11 to 0.26.12 by @dependabot in #116
• Update SECURITY-INSIGHTS.yml with additional information by @jkjell in #108
• chore: bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 by @dependabot in #121
• chore: bump actions/dependency-review-action from 3.1.4 to 3.1.5 by @dependabot in #123
• chore: bump github/codeql-action from 3.22.12 to 3.23.0 by @dependabot in #122
• fix: added oidc redirect url option for fulcio by @pkwiatkowski1 in #76
• chore: bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #126
• chore: bump actions/download-artifact from 4.1.0 to 4.1.1 by @dependabot in #127
• Adding function to add a single attestor by @ChaosInTheCRD in #128

New Contributors

• @pkwiatkowski1 made their first contribution in #76

Full Changelog: v0.2.0...v0.2.1

v0.2.0

Changelog

First release since moving to in-toto org.

⚠️ Warning ⚠️

go modules have been renamed from github.com/testifysec/go-witness => github.com/in-toto/go-witness

What's Changed

• Add support for controller-gen deepcopy by @jkjell in #53
• chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 by @dependabot in #44
• chore(deps): bump golang.org/x/net from 0.7.0 to 0.17.0 by @dependabot in #54
• chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.56.3 by @dependabot in #60
• Add maintainers file by @jkjell in #64
• Add dependabot config, reusable witness workflow, and update pipeline by @jkjell in #67
• Changed to pointer receiver when both were mixed by @naveensrinivasan in #58
• chore: bump actions/checkout from 2 to 4 by @dependabot in #68
• chore: bump actions/setup-go from 2 to 4 by @dependabot in #69
• chore: bump github.com/aws/aws-sdk-go from 1.44.207 to 1.44.334 by @dependabot in #70
• chore: bump github.com/spiffe/go-spiffe/v2 from 2.1.2 to 2.1.6 by @dependabot in #71
• chore: bump go.step.sm/crypto from 0.25.0 to 0.25.2 by @dependabot in #72
• chore: bump k8s.io/apimachinery from 0.26.1 to 0.26.10 by @dependabot in #73
• chore: bump github.com/sigstore/sigstore from 1.5.1 to 1.5.2 by @dependabot in #74
• chore: bump github.com/stretchr/testify from 1.8.2 to 1.8.4 by @dependabot in #80
• chore: bump k8s.io/apimachinery from 0.26.10 to 0.26.11 by @dependabot in #79
• chore: bump github.com/mattn/go-isatty from 0.0.17 to 0.0.20 by @dependabot in #77
• chore: bump github.com/open-policy-agent/opa from 0.49.1 to 0.49.2 by @dependabot in #78
• chore: bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in #81
• Update link to attestor examples by @noqcks in #84
• Refactoring error messages to use %w formatting directive and fix logging issue by @ChaosInTheCRD in #85
• [StepSecurity] Apply security best practices by @step-security-bot in #86
• Fix pre-commit violations by @jkjell in #87
• Changes to improve CLOMonitor Score by @jkjell in #88
• Don't run FOSSA Scan on PR from fork by @jkjell in #95
• chore: bump ossf/scorecard-action from 2.0.6 to 2.3.1 by @dependabot in #89
• chore: bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #93
• chore: bump actions/checkout from 3.6.0 to 4.1.1 by @dependabot in #92
• chore: bump actions/dependency-review-action from 2.5.1 to 3.1.4 by @dependabot in #91
• chore: bump github/codeql-action from 2.22.8 to 2.22.9 by @dependabot in #90
• Improving --signer-fulcio-token flag to accept both path and raw token string by @ChaosInTheCRD in #82
• Updating README by @ChaosInTheCRD in #97
• Adding go test command to Makefile by @ChaosInTheCRD in #96
• WIP: Migrating Go module to in-toto by @ChaosInTheCRD in #101
• Fixing bug introduced in logs - warning and debug logs not printing by @ChaosInTheCRD in #103
• Point to v0.2.0 of archivista by @jkjell in #105

New Contributors

• @jkjell made their first contribution in #53
• @naveensrinivasan made their first contribution in #58
• @noqcks made their first contribution in #84
• @ChaosInTheCRD made their first contribution in #85
• @step-security-bot made their first contribution in #86

Full Changelog: v0.1.17...v0.2.0

v0.1.17

What's Changed

• fix: calculate subjects on demand always by @mikhailswift in #46
• fix: use witness-run-action instead of testifysec-run-action by @mikhailswift in #47
• fix: update github actions to use new fulcio url by @mikhailswift in #48
• fix(witness): witness should not error on an empty git repo with no commits by @kriscoleman in #51
• feat: vault signer by @mikhailswift in #52

New Contributors

• @kriscoleman made their first contribution in #51

Full Changelog: v0.1.16...v0.1.17

v0.1.16

What's Changed

• chore: dogfood testify run action by @colek42 in #26
• feat: add gitbom support by @fkautz in #27
• fix: fixes 201 bug for TSP by @colek42 in #29
• feat: add github attestor by @colek42 in #22
• fix: fixes bug where files under 512 bytes would cause EOF error by @colek42 in #31
• chore(deps): bump github.com/containerd/containerd from 1.6.6 to 1.6.12 by @dependabot in #28
• chore(deps): bump github.com/containerd/containerd from 1.6.12 to 1.6.18 by @dependabot in #33
• chore: update archivst -> archivista by @mikhailswift in #34
• ci: update golanglint-ci job by @mikhailswift in #35
• feat: add manifest digest as a subject by @colek42 in #38
• chore: remove syft, sbom, and scorecard attestors by @colek42 in #37
• feat: attestor config options by @mikhailswift in #32
• Add additional git info by @colek42 in #39
• feat: add support for github id token by @colek42 in #36
• feat: attestation timestamps by @colek42 in #42
• feat: add include and exclude glob options to product attestor by @mikhailswift in #41

New Contributors

• @fkautz made their first contribution in #27

Full Changelog: v0.1.15...v0.1.16

v0.1.15

What's Changed

• feat: add timestamping options by @mikhailswift in #23

Full Changelog: v0.1.14...v0.1.15

v0.1.14

What's Changed

• feat: add image tag to oci subjects by @colek42 in #17
• refactor: uses new version of archivist without grpc endpoint by @mikhailswift in #21
• RFC 3161 Timestamping Support by @mikhailswift in #16
• Feat/spdx sbom by @colek42 in #18

Full Changelog: v0.1.13...v0.1.14

v0.1.13

What's Changed

• chore: removal of deprecated apis, fmt changes by @mikhailswift in #11
• fix: don't return error on EOF, break instead. by @colek42 in #12
• chore: remove fmt.Print functions in favor of log library by @mikhailswift in #13
• bug: gracefully handle broken symlinks by @mikhailswift in #14
• feat!: add attestation source library and re-work policy logic by @mikhailswift in #10
• chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 by @dependabot in #15

Full Changelog: v0.1.12...v0.1.13

v0.1.12

Changelog

Features

• d500165: feat: add dsse verifier threshold (@mikhailswift)

Others

• 1c32945: chore: update go modules (@mikhailswift)

v0.1.11

Changelog

Bug fixes

• a2ea846: fix: Use gitlab's CI_SERVER_URL to build jwks url (@mikhailswift)

Others

• b71e6aa: chore: refactor CI/CD config to support library (@mikhailswift)
• c59280e: chore(deps): bump github.com/open-policy-agent/opa from 0.38.0 to 0.40.0 (@dependabot[bot])