Merge branch 'main' into feat/plugin

.github/workflows/codeql-analysis.yml

@@ -44,7 +44,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
+        uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,7 +55,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
+        uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
       # Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
 
@@ -68,4 +68,4 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
+        uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4

.github/workflows/depsreview.yml

@@ -11,4 +11,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
+        uses: actions/dependency-review-action@7d90b4f05fea31dde1c4a1fb3fa787e197ea93ab # v3.0.7

.github/workflows/pr-title.yml

@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened, edited, reopened, synchronize]
 
+permissions: read-all
+
 jobs:
   validate:
     runs-on: ubuntu-latest

.github/workflows/pre-submit.actions.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Set Node.js 16
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+        uses: actions/setup-node@bea5baf987ba7aa777a8a0b4ace377a21c45c381 # v3.8.0
         with:
           node-version: 16
 

.github/workflows/pre-submit.cli.yml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: setup-go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version-file: "go.mod"
 

.github/workflows/pre-submit.e2e.yml

@@ -16,7 +16,7 @@ jobs:
           path: __THIS_REPO__
 
       - name: setup-go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version-file: "__THIS_REPO__/go.mod"
 

.github/workflows/pre-submit.lint.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version-file: "go.mod"
       - env:

.github/workflows/release.yml

@@ -49,7 +49,7 @@ jobs:
       actions: read # For the detection of GitHub Actions environment.
       id-token: write # For signing.
       contents: write # For asset uploads.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.7.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.8.0
     with:
       go-version-file: "go.mod"
       config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml

.github/workflows/scorecards.yml

@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
+        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
         with:
           sarif_file: results.sarif

cli/experimental/service/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19@sha256:83f9f840072d05ad4d90ce4ac7cb2427632d6b89d5ffc558f18f9577ec8188c0 AS base
+FROM golang:1.21@sha256:ec457a2fcd235259273428a24e09900c496d0c52207266f96a330062a01e3622 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY . ./

cli/slsa-verifier/main_regression_test.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -546,7 +545,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 				}
 
 				// TODO(#258): invalid builder ref.
-				sv := path.Base(v)
+				sv := filepath.Base(v)
 				// For each test, we run 4 sub-tests:
 				// 	1. With the the full builderID including the semver in short form.
 				//	2. With the the full builderID including the semver in long form.
@@ -773,7 +772,7 @@ func Test_runVerifyGHAArtifactImage(t *testing.T) {
 			for _, v := range checkVersions {
 				image := filepath.Clean(filepath.Join(TEST_DIR, v, tt.artifact))
 				// TODO(#258): test for tagged builder.
-				sv := path.Base(v)
+				sv := filepath.Base(v)
 				// For each test, we run 2 sub-tests:
 				//	1. With the the full builderID including the semver in short form.
 				//	2. With the the full builderID including the semver in long form.
@@ -1220,7 +1219,7 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 			}
 
 			for _, v := range checkVersions {
-				semver := path.Base(v)
+				semver := filepath.Base(v)
 				// For each test, we run 2 sub-tests:
 				// 	1. With the the full builderID including the semver.
 				//	2. With only the name of the builder.
@@ -1383,7 +1382,13 @@ func Test_runVerifyGHAContainerBased(t *testing.T) {
 
 			for _, v := range checkVersions {
 				testPath := filepath.Clean(filepath.Join(TEST_DIR, v, tt.artifacts[0]))
-				provenancePath := fmt.Sprintf("%s.intoto.sigstore", testPath)
+				sv := filepath.Base(v)
+				var provenancePath string
+				if semver.Compare(sv, "v1.8.0") >= 0 {
+					provenancePath = fmt.Sprintf("%s.intoto.build.slsa", testPath)
+				} else {
+					provenancePath = fmt.Sprintf("%s.intoto.sigstore", testPath)
+				}
 
 				artifacts := make([]string, len(tt.artifacts))
 				for i, artifact := range tt.artifacts {
@@ -1395,7 +1400,6 @@ func Test_runVerifyGHAContainerBased(t *testing.T) {
 				//	2. With the the full builderID including the semver in long form.
 				//	3. With only the name of the builder.
 				//	4. With no builder ID.
-				sv := path.Base(v)
 				builder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml"
 
 				refName := "@refs/tags/"