Releases: sigstore/policy-controller

v0.8.0

20 Jun 13:14

What's Changed

  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.209 to 1.44.210 by @dependabot in #624
  • chore(deps): Bump sigstore/scaffolding from 0.5.4 to 0.6.3 by @dependabot in #622
  • chore(deps): Bump sigstore/cosign-installer from 4079ad3567a89f68395480299c77e40170430341 to 77560e399fb1b0d50a89024c16dd3a908f8d44b5 by @dependabot in #625
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.211 by @dependabot in #630
  • chore(deps): Bump k8s.io/api from 0.26.1 to 0.26.2 by @dependabot in #626
  • chore(deps): Bump sigstore/cosign-installer from 3.0.0 to 3.0.1 by @dependabot in #633
  • chore(deps): Bump mikefarah/yq from 4.31.1 to 4.31.2 by @dependabot in #634
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.211 to 1.44.212 by @dependabot in #635
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.212 to 1.44.213 by @dependabot in #636
  • Use default cosign-installer version by @hectorj2f in #637
  • add new required input parameter by @cpanato in #639
  • update sigstore deps by @cpanato in #641
  • chore(deps): Bump golang.org/x/crypto from 0.6.0 to 0.7.0 by @dependabot in #644
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.213 to 1.44.214 by @dependabot in #645
  • Point README to our sigstore docs website by @hectorj2f in #646
  • upgrade to use go1.20 by @cpanato in #642
  • Add an optional Message to Static actions for custom fail message. by @vaikas in #652
  • chore(deps): Bump actions/cache from 3.2.6 to 3.3.0 by @dependabot in #653
  • chore(deps): Bump sigstore/scaffolding from 0.6.3 to 0.6.4 by @dependabot in #654
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.214 to 1.44.217 by @dependabot in #655
  • chore(deps): Bump google.golang.org/protobuf from 1.28.1 to 1.29.0 by @dependabot in #650
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.217 to 1.44.218 by @dependabot in #656
  • chore(deps): Bump actions/cache from 3.3.0 to 3.3.1 by @dependabot in #658
  • chore(deps): Bump google.golang.org/protobuf from 1.29.0 to 1.29.1 by @dependabot in #661
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.218 to 1.44.220 by @dependabot in #660
  • chore(deps): Bump github/codeql-action from 2.2.5 to 2.2.7 by @dependabot in #663
  • chore(deps): Bump actions/setup-go from 3.5.0 to 4.0.0 by @dependabot in #664
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.220 to 1.44.221 by @dependabot in #665
  • chore(deps): Bump google.golang.org/protobuf from 1.29.1 to 1.30.0 by @dependabot in #667
  • chore(deps): Bump github.com/google/go-containerregistry from 0.13.1-0.20230203223142-b3c23b4c3f28 to 0.14.0 by @dependabot in #668
  • chore(deps): Bump actions/checkout from 3.3.0 to 3.4.0 by @dependabot in #666
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.221 to 1.44.223 by @dependabot in #670
  • chore(deps): Bump mikefarah/yq from 4.31.2 to 4.32.2 by @dependabot in #672
  • chore(deps): Bump anchore/sbom-action from 0.13.3 to 0.13.4 by @dependabot in #671
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.223 to 1.44.225 by @dependabot in #674
  • chore(deps): Bump k8s.io/apimachinery from 0.26.2 to 0.26.3 by @dependabot in #675
  • chore(deps): Bump k8s.io/api from 0.26.2 to 0.26.3 by @dependabot in #677
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.225 to 1.44.226 by @dependabot in #680
  • chore(deps): Bump google.golang.org/grpc from 1.53.0 to 1.54.0 by @dependabot in #679
  • chore(deps): Bump github/codeql-action from 2.2.7 to 2.2.8 by @dependabot in #682
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.226 to 1.44.227 by @dependabot in #683
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.227 to 1.44.228 by @dependabot in #685
  • chore(deps): Bump actions/checkout from 3.4.0 to 3.5.0 by @dependabot in #684
  • chore(deps): Bump mikefarah/yq from 4.32.2 to 4.33.1 by @dependabot in #687
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.228 to 1.44.229 by @dependabot in #688
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.229 to 1.44.230 by @dependabot in #690
  • chore(deps): Bump github/codeql-action from 2.2.8 to 2.2.9 by @dependabot in #686
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.230 to 1.44.231 by @dependabot in #691
  • chore(deps): Bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 by @dependabot in #692
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.231 to 1.44.232 by @dependabot in #695
  • chore(deps): Bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @dependabot in #694
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.232 to 1.44.233 by @dependabot in #697
  • chore(deps): Bump mikefarah/yq from 4.33.1 to 4.33.2 by @dependabot in #696
  • Load a TrustRoot reference when using the policy-tester by @hectorj2f in #698
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.233 to 1.44.234 by @dependabot in #699
  • chore(deps): Bump anchore/sbom-action from 0.13.4 to 0.14.1 by @dependabot in #700
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.234 to 1.44.235 by @dependabot in #701
  • chore(deps): Bump github/codeql-action from 2.2.9 to 2.2.10 by @dependabot in #702
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.235 to 1.44.236 by @dependabot in #703
  • chore(deps): Bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible by @dependabot in #705
  • chore(deps): Bump github.com/sigstore/sigstore from 1.6.0 to 1.6.1 by @dependabot in #704
  • chore(deps): Bump golang.org/x/net from 0.8.0 to 0.9.0 by @dependabot in #706
  • chore(deps): Bump actions/github-script from 6.4.0 to 6.4.1 by @dependabot in #707
  • chore(deps): Bump github/codeql-action from 2.2.10 to 2.2.11 by @dependabot in #709
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.236 to 1.44.237 by @dependabot in #708
  • chore(deps): Bump sigstore/cosign-installer from 3.0.1 to 3.0.2 by @dependabot in #711
  • chore(deps): Bump golang.org/x/crypto from 0.7.0 to 0.8.0 by @dependabot in #714
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.237 to 1.44.239 by @dependabot in #715
  • bump scorecard script to use latest versions by @hectorj2f in #716
  • chore(deps): Bump mikefarah/yq from 4.33.2 to 4.33.3 by @dependabot in #719
  • chore(deps): Bump github.com/aws/aws-sdk-go from 1.44.239 to 1.44.240 by @dependabot in #720
  • update links to use CDN-backed TUF endpoint by @bobcallaway in #718
  • chore(deps): Bump githu...

v0.4.3

30 Mar 16:13
58fbefc

Changelog

Thanks to all contributors!

@elfotografo007

Full Changelog: v0.4.2...v0.4.3

v0.7.0

27 Feb 20:03
89ef904

Changelog

  • 89ef904 Merge pull request #619 from sigstore/dependabot/go_modules/github.com/aws/aws-sdk-go-1.44.209

Thanks to all contributors!

v0.6.3

06 Feb 22:29
e7c6cfb

Changelog

Thanks to all contributors!

@hectorj2f

v0.6.2

30 Jan 10:11
a72be97

What's Changed

  • Add TrustRoot crd. by @vaikas in #291
  • keep the matrix jobs running if one fails by @cpanato in #441
  • Plumb TrustRoot CRD through to CIP CRDs. Make TrustRoot available to webhook, clean up and refactor checkOpts logic. by @vaikas in #436
  • update scaffolding releases to v0.5.4 by @vaikas in #443
  • e2e test for bring your own keys with trustroot. by @vaikas in #444
  • expose webhook validator getters by @joshrwolf in #449
  • Generate slsa provenance by @hectorj2f in #447
  • policy-tester: use UnmarshalStrict by @hectorj2f in #453
  • Add support for policy.configMapRef in attestation / cip.spec by @vaikas in #457
  • Add support for bring your own serialized tuf repository. by @vaikas in #452
  • If TLog.url is specified, use it if trustroot does not have one + test. by @vaikas in #461
  • Fix: Fix private multi-arch fetchConfigFile by @mattmoor in #462
  • Add support for TUF remote. by @vaikas in #463
  • bring in latest cosign changes + update interfaces. by @vaikas in #467
  • fix: wrong api field ref in error msg by @hectorj2f in #470
  • chore: Relax certificate authority validation in trustRoots by @hectorj2f in #471
  • chore: add TSA cert chain validation by @hectorj2f in #472
  • fix: script field indentation by @hectorj2f in #476
  • feature: add TSA support when verifying authorities by @hectorj2f in #468
  • Fix: Use the apiVersion when matching resources. by @mattmoor in #482
  • Feature: Create an interface for downstream CIP integrations. by @mattmoor in #480
  • user sigstore cosign-installer by @hectorj2f in #485
  • cleanup: switch to using cosign v2.0.0-rc.0 by @k4leung4 in #484
  • Allow fully specified URLs in predicateTypes. by @vaikas in #491
  • cleanup: update sigstore/cosign dep by @k4leung4 in #493
  • Require issuer/subject or issuerRegExp/subjectRegExp by @vaikas in #495
  • cleanup: bump cosign to latest by @k4leung4 in #501
  • Fix keyless behavior when ctlog is absent by @hectorj2f in #508
  • test: change error message for empty keyless/key by @hectorj2f in #509
  • Add InsecureIgnoreSCT field to the keyless authorities by @hectorj2f in #511
  • Add a policy example for GCP KMS by @mathieu-benoit in #520
  • Improve kms key validations and error messages for awskms by @hectorj2f in #524
  • chore(deps): Bump github/codeql-action from 2.1.39 to 2.2.0 by @dependabot in #527
  • Bump cosign to v2.0.0.rc.1 by @hectorj2f in #530
  • Add support for Policy URLs by @hectorj2f in #518
  • only sub&rbac. by @vaikas in #534
  • Bump cosign e2e tests to rc2.0.0.rc.1 by @hectorj2f in #536
  • cleanup: update repo to use cosign v2.0.0-rc.1 by @k4leung4 in #535
  • remove COSIGN_EXPERIMENTAL env var by @hectorj2f in #537
  • bump timeout for goreleaser to 60 minutes. by @vaikas in #539
  • set yes confirmation flag and bump timeout by @cpanato in #540

Full Changelog: v0.5.2...v0.6.2

v0.5.2

11 Dec 20:40
21c7eb0

Changelog

  • 21c7eb0 Merge pull request #435 from sigstore/dependabot/go_modules/k8s.io/code-generator-0.26.0

Thanks to all contributors!

What's Changed

  • chore(deps): Bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 by @dependabot in #433
  • chore(deps): Bump github/codeql-action from 2.1.35 to 2.1.36 by @dependabot in #430
  • chore(deps): Bump k8s.io/api from 0.25.3 to 0.26.0 by @dependabot in #432
  • chore(deps): Bump k8s.io/code-generator from 0.25.3 to 0.26.0 by @dependabot in #435

Full Changelog: v0.5.1...v0.5.2

v0.5.1

09 Dec 03:25
8d7653e

Changelog

  • 8d7653e Merge pull request #426 from sigstore/dependabot/go_modules/github.com/hashicorp/go-plugin-1.4.8

Thanks to all contributors!

What's Changed

  • Feature: Add -resource to policy-tester by @mattmoor in #414

  • Cleanup: Rename objectMeta to metadata to align with K8s shape. by @mattmoor in #420 (This is a breaking change in evaluating CIP level policies using objectMeta from 0.5.0)

  • Bug Fix: Do not fail on first attestation that does not satisfy. by @vaikas in #422

  • chore(deps): Bump golang.org/x/sys from 0.2.0 to 0.3.0 by @dependabot in #412

  • chore(deps): Bump github.com/aws/aws-sdk-go-v2 from 1.17.1 to 1.17.2 by @dependabot in #409

  • chore(deps): Bump golang.org/x/time from 0.2.0 to 0.3.0 by @dependabot in #410

  • chore(deps): Bump golang.org/x/net from 0.2.0 to 0.3.0 by @dependabot in #411

  • Initial support for rego + simple tests. by @vaikas in #413

  • Update go and base image by @cpanato in #415

  • chore(deps): Bump golang.org/x/crypto from 0.3.0 to 0.4.0 by @dependabot in #416

  • chore(deps): Bump golang.org/x/net from 0.3.0 to 0.4.0 by @dependabot in #418

  • chore(deps): Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 by @dependabot in #417

  • Add includeTypeMeta that includes TypeMeta (just like includeObjectMeta) by @vaikas in #421

  • Fix some lint issues surfaced by #424 by @vaikas in #425

  • bump golangci-lint to 1.50.1 by @cpanato in #424

  • fix ioutil deprecation by @cpanato in #428

  • release-script: bump golang to 1.19 (rebased version of #427) by @vaikas in #429

  • chore(deps): Bump github.com/hashicorp/go-plugin from 1.4.6 to 1.4.8 by @dependabot in #426

Full Changelog: v0.5.0...v0.5.1

v0.5.0

05 Dec 23:57
ee7c481

Changelog

  • ee7c481 Merge pull request #399 from hectorj2f/source_secrets

Thanks to all contributors!

What's Changed

  • chore(deps): Bump anchore/sbom-action from 0.13.0 to 0.13.1 by @dependabot in #365
  • chore(deps): Bump github/codeql-action from 2.1.30 to 2.1.31 by @dependabot in #366
  • chore(deps): Bump golang.org/x/sys from 0.1.0 to 0.2.0 by @dependabot in #367
  • chore(deps): Bump golang.org/x/time from 0.1.0 to 0.2.0 by @dependabot in #368
  • chore(deps): Bump golang.org/x/crypto from 0.1.0 to 0.2.0 by @dependabot in #373
  • chore(deps): Bump google-github-actions/auth from 0.8.3 to 1.0.0 by @dependabot in #371
  • chore(deps): Bump google-github-actions/setup-gcloud from 0.6.2 to 1.0.0 by @dependabot in #370
  • CI: bump scaffolding version by @hectorj2f in #377
  • chore(deps): Bump google-github-actions/setup-gcloud from 1.0.0 to 1.0.1 by @dependabot in #376
  • chore(deps): Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 by @dependabot in #374
  • chore(deps): Bump mikefarah/yq from 4.28.2 to 4.30.1 by @dependabot in #378
  • chore(deps): Bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 by @dependabot in #379
  • chore(deps): Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 by @dependabot in #381
  • chore(deps): Bump github.com/sigstore/rekor from 1.0.0 to 1.0.1 by @dependabot in #380
  • chore(deps): Bump github/codeql-action from 2.1.31 to 2.1.32 by @dependabot in #384
  • chore(deps): Bump mikefarah/yq from 4.30.1 to 4.30.2 by @dependabot in #383
  • chore(deps): Bump golang.org/x/crypto from 0.2.0 to 0.3.0 by @dependabot in #390
  • chore(deps): Bump google.golang.org/grpc from 1.50.1 to 1.51.0 by @dependabot in #392
  • fix: v1beta1 version converter that ignored the field spec.policy by @hectorj2f in #393
  • Drop service account lookups when signaturePullSecrets are specified by @hectorj2f in #388
  • Add FetchConfigFile to Policy that allows you to fetch and evaluate policy against container image configfile. by @vaikas in #389
  • add gh actions to verify docs by @hectorj2f in #395
  • chore(deps): Bump github.com/hashicorp/golang-lru from 0.5.4 to 1.0.1 by @dependabot in #387
  • chore(deps): Bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 by @dependabot in #397
  • chore(deps): Bump github/codeql-action from 2.1.32 to 2.1.35 by @dependabot in #402
  • chore(deps): Bump actions/setup-go from 3.3.1 to 3.4.0 by @dependabot in #403
  • chore(deps): Bump go.uber.org/zap from 1.23.0 to 1.24.0 by @dependabot in #404
  • Attach highest level resource spec to PolicyResult if so desired. by @vaikas in #406
  • chore(deps): Bump mikefarah/yq from 4.30.2 to 4.30.5 by @dependabot in #405
  • Add includeObjectMetadata for including objectMeta in CIP policy eval. by @vaikas in #407
  • feat: configurable ClusterImagePolicy resync period by @DennyHoang in #398
  • feat: accept source without setting any oci repository by @hectorj2f in #399

Full Changelog: v0.4.2...v0.5.0

v0.4.2

09 Nov 11:41
c20735d

Full Changelog: v0.4.1...v0.4.2

v0.4.1

28 Oct 20:05
0839e62

Full Changelog: v0.4.0...v0.4.1