Bump slsa-framework/slsa-github-generator from 1.2.2 to 1.7.0

[dependabot]

Bumps slsa-framework/slsa-github-generator from 1.2.2 to 1.7.0.

Release notes

Sourced from slsa-framework/slsa-github-generator's releases.

v1.7.0

See the CHANGELOG for details.

v1.7.0-rc.1

See the CHANGELOG for details.

v1.7.0-rc.0

See the CHANGELOG for details.

This is UNFINALIZED.

v1.6.0

See the CHANGELOG for details.

v1.6.0-rc.3

See the CHANGELOG for details.

v1.6.0-rc.2

See the CHANGELOG for details.

v1.6.0-rc.1

This is an un-finalized pre-release.

See the CHANGELOG for details.

v1.6.0-rc.0

See the CHANGELOG for details.

v1.5.0

See the CHANGELOG for details.

v1.5.0-rc.0

See the CHANGELOG for details.

v1.4.0

What's Changed

🥳 This release is the first Generally Available version of the Container Generator workflow. The Container Generator workflow is now considered stable and can be included in your production GitHub Actions workflows 🥳

🎉 This is also the first release (technically the second) with support for the generally available version of sigstore!! 🎉 We hope to have fewer issues with sigstore infrastructure moving forward.

Generic Generator

Bug fixes

1. Allow users of the Generic Generator to generate provenance for artifacts created in a project subdirectory (#1225)

Go Builder

... (truncated)

Changelog

Sourced from slsa-framework/slsa-github-generator's changelog.

v1.7.0

This release includes the first beta release of the Container-based builder. The Container-based builder provides a GitHub Actions reusable workflow that can be used to invoke a container image with a user-specified command to generate an artifact and SLSA Build L3 compliant provenance.

v1.7.0: Go builder

• Added: A new go-version-file input was added. This allows you to specify a go.mod file in order to track which version of Go is used for your project.

v1.6.0

This release includes the first beta release of the Node.js builder. The Node.js builder provides a GitHub Actions reusable workflow that can be called to build a Node.js package, generate SLSA Build L3 compliant provenance, and publish it to the npm registry along with the package.

Summary of changes

Go builder

New Features

• A new prerelease input was added to allow users to create releases marked as prerelease when upload-assets is set to true.
• A new input draft-release was added to allow users to create releases marked as draft when upload-assets is set to true.
• A new output go-provenance-name added which can be used to retrieve the name of the provenance file generated by the builder.

Generic generator

New Features

• A new input draft-release was added to allow users to create releases marked as draft when upload-assets is set to true.

Container generator

The Container Generator was updated to use cosign v2.0.0. No changes to the workflow's inputs or outputs were made.

... (truncated)

Commits

• e55b76c chore: update documentation and references to v1.7.0 (#2239)
• 2c15ebe chore: update version references to v1.7.0-rc.1 (#2232)
• 1afe15e fix: remove verify-token schedule presubmit (#2231)
• 796d1f6 docs: Update CHANGELOG for v1.7.0 (#2196)
• e9db5e5 chore: remove RC version references for v1.7.0-rc.0 (#2228)
• 921bfa1 chore: release candidate v1.7.0-rc.0 (#2219)
• 87a3074 fix: version comments for GHA references (#2205)
• 0f7720d fix: verify-token daily runs (#2213)
• 0a4b841 chore(deps): update dependency eslint to v8.42.0 (#2214)
• 2bec132 fix: fix jq script syntax (#2211)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)