Releases: chainloop-dev/chainloop
v0.87.2
What's Changed
- Bump Helm Chart Version => v0.87.1 by @github-actions in #770
- feat(release): Add missing amd64 binaries by @javirln in #771
- chore(docs): Add CSAF contract example by @javirln in #773
- fix(authz): allow viewer to download artifacts by @migmartri in #774
- refactor(cli): Consolidates API Token and Robot Account into Token on attestations by @javirln in #777
- feat(ci): Add source code tarball by @javirln in #772
Full Changelog: v0.87.1...v0.87.2
v0.87.1
Additional Attestation Authz provider, Chainloop API token
A new release of Chainloop is live, and with it comes support for API Tokens in Workflow creation and the Attestation life cycle 🎉
It's now possible to create Workflows directly using an API Token in addition to the regular Robot Accounts. Just pass the flag --skip-robot-account-create to avoid creating an unnecessary Robot Account:
$ chainloop wf create --name javirln-demo-wf --description "Showcase of API Token creating wf" --project core --token $API_TOKEN --skip-robot-account-create
INF API token provided to the command line
┌──────────────────────────────────────┬─────────────────┬─────────┬─────────────────────┬────────┬─────────────────┐
│ ID │ NAME │ PROJECT │ CREATED AT │ RUNNER │ LAST RUN STATUS │
├──────────────────────────────────────┼─────────────────┼─────────┼─────────────────────┼────────┼─────────────────┤
│ 0cfff272-2a7d-43cf-bbb0-087043fc028c │ javirln-demo-wf │ core │ 13 May 24 11:08 UTC │ │ │
└──────────────────────────────────────┴─────────────────┴─────────┴─────────────────────┴────────┴─────────────────┘
To start a new attestation with an API Token, pass the new flag --workflow-name or set the env variable CHAINLOOP_WORKFLOW_NAME:
$ chainloop attestation init --workflow-name javirln-demo-wf --token $API_TOKEN
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At │ 13 May 24 12:23 UTC │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID │ 810472ab-484f-4499-8805-f2024d2b4a47 │
│ Name │ javirln-demo-wf │
│ Team │ │
│ Project │ core │
│ Contract Revision │ 1 │
└───────────────────┴──────────────────────────────────────┘
What's Changed
- Bump Helm Chart Version => v0.86.0 by @github-actions in #759
- chore(ci): bump chainloop CLI version by @migmartri in #760
- feat(tokens): allow API tokens to create and read workflows by @jiparis in #762
- Revert "feat(policies): Add attestation as new resource type and workflow create permission (#754) by @javirln in #758
- fix(chainloop): add missing policy by @jiparis in #764
- chore(controlplane): remove robot-account relationship from workflowrun by @migmartri in #765
- feat(attestations): support API tokens for attestations by @javirln in #763
- refactor(cli): Use attestation state to pass workflow-name by @javirln in #766
- Bump Helm Chart Version => v0.87.0 by @github-actions in #767
- chore(docs): enable posthog by @migmartri in #769
- fix(attestation): Send workflow-name on attestation init API call by @javirln in #768
Full Changelog: v0.86.0...v0.87.1
v0.87.0
Changelog
- 5fbff91 refactor(cli): Use attestation state to pass workflow-name (#766)
- e0d3c80 feat(attestations): support API tokens for attestations (#763)
- 055c36c chore(controlplane): remove robot-account relationship from workflowrun (#765)
- 6a4d91a fix(chainloop): add missing policy (#764)
- 77a30fc Revert "feat(policies): Add attestation as new resource type and workflow create permission (#754) (#758)
- 391f047 feat(tokens): allow API tokens to create and read workflows (#762)
- 5cbec8c chore(ci): bump chainloop CLI version (#760)
- 4efa0c0 Bump Helm Chart Version => v0.86.0 (#759)
v0.86.0
CSAF support
CycloneDX 1.6 support
Chainloop now supports (#751) CycloneDX 1.6 Software Bill Of Materials (SBOM) as a piece of evidence in your attestations.
Note that our Dependency-Track integration will not send such versions to Dep-Track until DependencyTrack/dependency-track#3584 is fixed.
CSAF 2.1, 2.2 profiles support
In addition to the existing Common Security Advisory Framework (CSAF) VEX profile, Chainloop now supports three additional ones: Security Advisory, Informational Advisory, and Security Incident Response.
schemaVersion: v1
materials:
  - type: CSAF_INFORMATIONAL_ADVISORY
    name: informational-advisory
  - type: CSAF_SECURITY_ADVISORY
    name: security-advisory
  - type: CSAF_SECURITY_INCIDENT_RESPONSE
    name: security-incident-response
What's Changed
- Bump Helm Chart Version => v0.85.1 by @github-actions in #746
- feat(attestation): add tag to container image attestation by @migmartri in #747
- feat(materials): Add support for schema validators and CycloneDX 1.6 by @javirln in #751
- feat(policies): Add attestation as new resource type and workflow create permission by @javirln in #754
- feat(workflows): describe workflow by name by @jiparis in #756
- feat(materials): Add support for CSAF 2.0 and 2.1 schemas and remaining CSAF_* materials by @javirln in #749
Full Changelog: v0.85.1...v0.86.0
v0.85.1
What's Changed
- Bump Helm Chart Version => v0.84.0 by @github-actions in #700
- feat(ci): Adds chainloop to scorecards pipeline by @javirln in #710
- feat(docs-deploy): Bump version of chainloop action to perform checkout before init by @javirln in #708
- fix(scorecards): Move env variable to individual steps by @javirln in #713
- fix(ci): Bump version of chainloop action by @javirln in #714
- fix(ci): Use chainloop action on scorecard pipeline by @javirln in #715
- feat(package): attest container images in helm package gh action by @jiparis in #701
- feat(chainloop): add EVIDENCE material type by @jiparis in #702
- feat(referrer): store backlinks unconditionally by @migmartri in #712
- feat(ci): Adds chainloop to codeql pipeline by @javirln in #711
- fix(ci): do not add materials on pull_request by @migmartri in #722
- fix(cli): Send pagination message to stderr by @jiparis in #721
- feat(cli): Workflow run can receive a status flag by @javirln in #723
- feat(apitoken): Adds workflow run list policy to default apitoken policies by @javirln in #724
- fix(cli): sanitize remote url by @migmartri in #729
- feat(cli): Allow to pass --output flag to artifact download by @javirln in #726
- feat(cli): add json output to attestation push by @migmartri in #730
- feat(backend): ATTESTATION material type by @jiparis in #727
- feat(ci): Declarative Chainloop contracts by @javirln in #731
- feat(controlplane): verify that dependent attestations exist by @migmartri in #732
- Bump Helm Chart Version => v0.85.0 by @github-actions in #734
- feat(ci): Add README.md to contracts and fix helm package contract by @javirln in #733
- feat(ci): Use reusable workflow for sync contracts by @javirln in #737
- fix(ci): Only run contract sync on changes in contracts path by @javirln in #738
- fix(ci): Fixes level of indentation by @javirln in #739
- feat(ci): Update bedrock releases contract to add missing binaries by @javirln in #741
- feat(ci): Update release pipeline to include all architecture binaries by @javirln in #742
- feat(ci): Updates contracts' README file by @javirln in #743
- feat(ci): Update contract names by @javirln in #744
- chore: validate dependent attestation in referrer endpoint by @migmartri in #745
Full Changelog: v0.84.0...v0.85.1
v0.85.0
The new core contributors @javirln and @jiparis have been busy preparing this new release 🚀
Highlights
New Material types
You can now attest two new kinds of material types, EVIDENCE and ATTESTATION.
- To differentiate between software artifacts and pieces of evidence, we have introduced an Evidence type. It allows you to provide arbitrary information that can be attached to your attestations.
- The ATTESTATION type can be used to connect different attestations generated by Chainloop and in practice is a mechanism to represent dependencies.
What's Changed
- Bump Helm Chart Version => v0.84.0 by @github-actions in #700
- feat(ci): Adds chainloop to scorecards pipeline by @javirln in #710
- feat(docs-deploy): Bump version of chainloop action to perform checkout before init by @javirln in #708
- fix(scorecards): Move env variable to individual steps by @javirln in #713
- fix(ci): Bump version of chainloop action by @javirln in #714
- fix(ci): Use chainloop action on scorecard pipeline by @javirln in #715
- feat(package): attest container images in helm package gh action by @jiparis in #701
- feat(chainloop): add EVIDENCE material type by @jiparis in #702
- feat(referrer): store backlinks unconditionally by @migmartri in #712
- feat(ci): Adds chainloop to codeql pipeline by @javirln in #711
- fix(ci): do not add materials on pull_request by @migmartri in #722
- fix(cli): Send pagination message to stderr by @jiparis in #721
- feat(cli): Workflow run can receive a status flag by @javirln in #723
- feat(apitoken): Adds workflow run list policy to default apitoken policies by @javirln in #724
- fix(cli): sanitize remote url by @migmartri in #729
- feat(cli): Allow to pass --output flag to artifact download by @javirln in #726
- feat(cli): add json output to attestation push by @migmartri in #730
- feat(backend): ATTESTATION material type by @jiparis in #727
- feat(ci): Declarative Chainloop contracts by @javirln in #731
- feat(controlplane): verify that dependent attestations exist by @migmartri in #732
Full Changelog: v0.84.0...v0.85.0
v0.84.0
v0.83.0
And with this release we welcome two new Chainloop core maintainers, @javirln and @jiparis 🚀
Highlights
Helm Chart Support
You can now provide Helm Charts as a piece of evidence in your attestations, where they will get validated and uploaded to the content addressable storage.
What's Changed
- Bump Helm Chart Version => v0.82.0 by @github-actions in #676
- docs: document API tokens by @migmartri in #675
- chore(deps): Bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #679
- fix(makefile): fixes atlas installation by using its own install script by @jiparis in #688
- feat(materials): Helm Chart material support by @javirln in #689
- feat(docs): Update documentation to reflect the HELM_CHART material type by @javirln in #691
- fix(controlplane): return Notfound error if robot account doesn't exist by @jiparis in #690
Full Changelog: v0.82.0...v0.83.0
v0.82.0
What's Changed
- Bump Helm Chart Version => v0.81.2 by @github-actions in #656
- fix(ci): fix dagger module linter by @migmartri in #661
- fix(controlplane): allow generating downloadURL by @migmartri in #659
- feat: add unique name to cas-backends by @migmartri in #662
- feat: add unique name to API token entity by @migmartri in #664
- chore: migrate configs to protovalidate by @migmartri in #667
- chore(CAS): migrate proto validations by @migmartri in #668
- chore(deps): Bump github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4 by @dependabot in #671
- chore: migrate crafter/attestations to protovalidate by @migmartri in #670
- fix: auto-create contract by @migmartri in #669
- chore: fix generated code by @migmartri in #672
- chore: migrate controlplane to protovalidate by @migmartri in #673
- feat(contracts): updates by name by @migmartri in #674
Full Changelog: v0.81.2...v0.82.0
v0.81.2
What's Changed
- Bump Helm Chart Version => v0.80.1 by @github-actions in #614
- Improving documentation deployment + adding Chainloop by @danlishka in #610
- Updating references after documentation migration by @danlishka in #611
- chore(deps): Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @dependabot in #615
- docs: add dagger demo by @migmartri in #616
- fix(authz): add read permissions in workflow.View by @migmartri in #617
- chore(deps): Bump github.com/jackc/pgx/v5 from 5.4.3 to 5.5.4 by @dependabot in #619
- fix(docs-release) Fixed docs release and chainloop integration by @danlishka in #621
- chore(deps): Bump follow-redirects from 1.15.4 to 1.15.6 in /docs by @dependabot in #620
- fix(docs-release) Fixed docs release and chainloop integration by @danlishka in #623
- chore(api): handle context.Canceled error by @migmartri in #628
- chore(deps): Bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /docs by @dependabot in #631
- chore(deps): Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible by @dependabot in #626
- chore: upgrade dependencies by @migmartri in #630
- chore(ci): bump actions by @migmartri in #632
- fix(cli): allow updating only the contract description by @migmartri in #633
- docs: dependency track parentID field by @sedan07 in #637
- fix(controlplane): handle not-found contract on update by @migmartri in #638
- feat(controlplane): always store the digest of the attestation by @migmartri in #639
- chore(deps): Bump express from 4.18.2 to 4.19.2 in /docs by @dependabot in #634
- fix(cli): send digest to stderr by @migmartri in #642
- feat(controlplane): add extra info to discovery endpoint by @migmartri in #641
- feat(api): support set workflow visibility on creation by @migmartri in #640
- feat(controlplane): add unique name to registered integrations by @migmartri in #643
- chore(ci): bump cosign version on release process by @migmartri in #644
- feat: add contract selection on workflow update by @migmartri in #646
- Bump Helm Chart Version => v0.81.0 by @github-actions in #647
- chore: upgrade aws-sdk by @migmartri in #648
- Bump Helm Chart Version => v0.81.1 by @github-actions in #650
- dagger: upgrade module to v0.81.1 by @migmartri in #651
- ci: update module by @migmartri in #652
- chore: remove unused generated typescript files by @migmartri in #649
- fix(api): validate material type by @migmartri in #653
- chore: upgrade golang 1.22.2 by @migmartri in #654
- fix(api): validate runner type by @migmartri in #655
Full Changelog: v0.80.1...v0.81.2