{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":346517502,"defaultBranch":"main","name":"slsa","ownerLogin":"slsa-framework","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2021-03-10T23:11:57.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/80431187?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1723661876.0","currentOid":""},"activityList":{"items":[{"before":"bedd1a930a501c83d267b75c4254402ddab3f6c1","after":"91736b1bd7b66d2ddb3d8ebda6d3db19616dbc70","ref":"refs/heads/main","pushedAt":"2024-08-27T10:09:35.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"impl: Update dependency github-pages to v232 (#1119)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Change | Age | Adoption | Passing | Confidence |\r\n|---|---|---|---|---|---|\r\n| [github-pages](https://togithub.com/github/pages-gem) | `231` -> `232`\r\n|\r\n[![age](https://developer.mend.io/api/mc/badges/age/rubygems/github-pages/232?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/github-pages/232?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/github-pages/231/232?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/github-pages/231/232?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n\r\n---\r\n\r\n### Release Notes\r\n\r\n
\r\ngithub/pages-gem (github-pages)\r\n\r\n### [`v232`](https://togithub.com/github/pages-gem/releases/tag/v232)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/pages-gem/compare/v231...v232)\r\n\r\n#### What's Changed\r\n\r\n- Bump docker/build-push-action from 5 to 6 by\r\n[@​dependabot](https://togithub.com/dependabot) in\r\n[https://github.com/github/pages-gem/pull/916](https://togithub.com/github/pages-gem/pull/916)\r\n- Fix obscured gemfile issue by\r\n[@​mrmanc](https://togithub.com/mrmanc) in\r\n[https://github.com/github/pages-gem/pull/912](https://togithub.com/github/pages-gem/pull/912)\r\n- Add webrick as Ruby 3 doesn’t include it by\r\n[@​mrmanc](https://togithub.com/mrmanc) in\r\n[https://github.com/github/pages-gem/pull/914](https://togithub.com/github/pages-gem/pull/914)\r\n- Update nokogiri CVE-2024-25062 by\r\n[@​naxhh](https://togithub.com/naxhh) in\r\n[https://github.com/github/pages-gem/pull/911](https://togithub.com/github/pages-gem/pull/911)\r\n- Parkr jekyll3.10 by\r\n[@​yoannchaudet](https://togithub.com/yoannchaudet) in\r\n[https://github.com/github/pages-gem/pull/919](https://togithub.com/github/pages-gem/pull/919)\r\n- Fix improperly bound regex by\r\n[@​yoannchaudet](https://togithub.com/yoannchaudet) in\r\n[https://github.com/github/pages-gem/pull/921](https://togithub.com/github/pages-gem/pull/921)\r\n- Prep 232 by [@​yoannchaudet](https://togithub.com/yoannchaudet)\r\nin\r\n[https://github.com/github/pages-gem/pull/923](https://togithub.com/github/pages-gem/pull/923)\r\n\r\n#### New Contributors\r\n\r\n- [@​naxhh](https://togithub.com/naxhh) made their first\r\ncontribution in\r\n[https://github.com/github/pages-gem/pull/911](https://togithub.com/github/pages-gem/pull/911)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/github/pages-gem/compare/v231...v232\r\n\r\n
\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"every weekend\" (UTC), Automerge - At\r\nany time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR was generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). View the\r\n[repository job\r\nlog](https://developer.mend.io/github/slsa-framework/slsa).\r\n\r\n\r\n\r\n---------\r\n\r\nSigned-off-by: Mend Renovate \r\nSigned-off-by: Arnaud J Le Hors \r\nCo-authored-by: Arnaud J Le Hors ","shortMessageHtmlLink":"impl: Update dependency github-pages to v232 (#1119)"}},{"before":"f6ed4d679bbe85015b0ffc026c6a62136571e430","after":"bedd1a930a501c83d267b75c4254402ddab3f6c1","ref":"refs/heads/main","pushedAt":"2024-08-26T17:03:00.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"content: Move v1.1 to Candidate Release (CR) (#1117)\n\nThis PR proposes to change the status of v1.1 to Candidate Release in\r\npreparation for final publication.\r\n\r\nI ought to point out that there is a bunch of VSA related issues that\r\nhad been targeted for this release and that have not been addressed. See\r\nIssue #900. However, until someone works on any of these issues there is\r\nno hope of making progress and waiting for these to close will delay\r\ngetting 1.1 out indefinitely. 
Although not ideal I therefore propose to\r\ndefer these and publish what we have.\r\n\r\nSigned-off-by: Arnaud J Le Hors ","shortMessageHtmlLink":"content: Move v1.1 to Candidate Release (CR) (#1117)"}},{"before":"ac723d1a5fab1a53afe2ecceb33796b33eff8694","after":"f6ed4d679bbe85015b0ffc026c6a62136571e430","ref":"refs/heads/main","pushedAt":"2024-08-21T13:10:27.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"TomHennen","name":"Tom Hennen","path":"/TomHennen","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5216560?s=80&v=4"},"commit":{"message":"impl: Update dependency github-pages to v232 (#1116)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Change | Age | Adoption | Passing | Confidence |\r\n|---|---|---|---|---|---|\r\n| [github-pages](https://togithub.com/github/pages-gem) | `231` -> `232`\r\n|\r\n[![age](https://developer.mend.io/api/mc/badges/age/rubygems/github-pages/232?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/github-pages/232?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/github-pages/231/232?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n[![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/github-pages/231/232?slim=true)](https://docs.renovatebot.com/merge-confidence/)\r\n|\r\n\r\n---\r\n\r\n### Release Notes\r\n\r\n
\r\ngithub/pages-gem (github-pages)\r\n\r\n### [`v232`](https://togithub.com/github/pages-gem/releases/tag/v232)\r\n\r\n[Compare\r\nSource](https://togithub.com/github/pages-gem/compare/v231...v232)\r\n\r\n#### What's Changed\r\n\r\n- Bump docker/build-push-action from 5 to 6 by\r\n[@​dependabot](https://togithub.com/dependabot) in\r\n[https://github.com/github/pages-gem/pull/916](https://togithub.com/github/pages-gem/pull/916)\r\n- Fix obscured gemfile issue by\r\n[@​mrmanc](https://togithub.com/mrmanc) in\r\n[https://github.com/github/pages-gem/pull/912](https://togithub.com/github/pages-gem/pull/912)\r\n- Add webrick as Ruby 3 doesn’t include it by\r\n[@​mrmanc](https://togithub.com/mrmanc) in\r\n[https://github.com/github/pages-gem/pull/914](https://togithub.com/github/pages-gem/pull/914)\r\n- Update nokogiri CVE-2024-25062 by\r\n[@​naxhh](https://togithub.com/naxhh) in\r\n[https://github.com/github/pages-gem/pull/911](https://togithub.com/github/pages-gem/pull/911)\r\n- Parkr jekyll3.10 by\r\n[@​yoannchaudet](https://togithub.com/yoannchaudet) in\r\n[https://github.com/github/pages-gem/pull/919](https://togithub.com/github/pages-gem/pull/919)\r\n- Fix improperly bound regex by\r\n[@​yoannchaudet](https://togithub.com/yoannchaudet) in\r\n[https://github.com/github/pages-gem/pull/921](https://togithub.com/github/pages-gem/pull/921)\r\n- Prep 232 by [@​yoannchaudet](https://togithub.com/yoannchaudet)\r\nin\r\n[https://github.com/github/pages-gem/pull/923](https://togithub.com/github/pages-gem/pull/923)\r\n\r\n#### New Contributors\r\n\r\n- [@​naxhh](https://togithub.com/naxhh) made their first\r\ncontribution in\r\n[https://github.com/github/pages-gem/pull/911](https://togithub.com/github/pages-gem/pull/911)\r\n\r\n**Full Changelog**:\r\nhttps://github.com/github/pages-gem/compare/v231...v232\r\n\r\n
\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"every weekend\" (UTC), Automerge - At\r\nany time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR was generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). View the\r\n[repository job\r\nlog](https://developer.mend.io/github/slsa-framework/slsa).\r\n\r\n\r\n\r\n---------\r\n\r\nSigned-off-by: Mend Renovate \r\nSigned-off-by: Tom Hennen \r\nCo-authored-by: Tom Hennen ","shortMessageHtmlLink":"impl: Update dependency github-pages to v232 (#1116)"}},{"before":"7667d2966d6d7eed36f5de03efe8baeb5350d8a1","after":"ac723d1a5fab1a53afe2ecceb33796b33eff8694","ref":"refs/heads/main","pushedAt":"2024-08-20T12:27:54.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"TomHennen","name":"Tom Hennen","path":"/TomHennen","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5216560?s=80&v=4"},"commit":{"message":"nonspec: Add Marcela as new SLSA spec maintainer (#1114)\n\nI'd like to self-nominate for maintainer status of the SLSA spec. I\r\nbelieve I meet the\r\n[criteria](https://github.com/slsa-framework/slsa/blob/main/MAINTAINERS.md#becoming-a-maintainer)\r\nfor maintainer status. 
Thanks!\r\n\r\nSigned-off-by: Marcela Melara ","shortMessageHtmlLink":"nonspec: Add Marcela as new SLSA spec maintainer (#1114)"}},{"before":"9a9b31132612d421af3b46a9bfa5947bc3f404cc","after":"7667d2966d6d7eed36f5de03efe8baeb5350d8a1","ref":"refs/heads/main","pushedAt":"2024-08-15T15:01:11.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"TomHennen","name":"Tom Hennen","path":"/TomHennen","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5216560?s=80&v=4"},"commit":{"message":"content: source track draft: simplify and clarify level goals (#1097)\n\n### Context\r\n\r\nThis was mostly ported from\r\n[gdoc](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#bookmark=id.gg47kpxaq1to),\r\n(requires\r\n[slsa-discussion@googlegroups.com](mailto:slsa-discussion@googlegroups.com)\r\nmembership.)\r\n\r\nThe content is intentionally incomplete. \r\nThe final draft document will need wholistic review before progressing\r\nto the full proposal phase.\r\n\r\n### Goals\r\n\r\nThe source track is about communicating trustworthy claims. \r\nThese proposals for levels try to describe the absolute bare minimum\r\npolicies and controls required to make sense of the code in a repo.\r\n\r\nThis proposal moves most of the other \"good idea\" policies into a\r\ndifferent, non-leveled, section.\r\nOne of the goals of slsa is to help teams make improvements to their\r\nprocess in a prioritized way.\r\n\r\nMany of these good ideas should be called out and documented\r\n_somewhere_, but they are not directly required for the repo to produce\r\ntrustworthy attestations, so we're proposing to document and discuss\r\nthem separately.\r\n\r\nUpdate! 
As discussed [in\r\nslack](https://openssf.slack.com/archives/C03NUSAPKC6/p1723156008871629?thread_ts=1723152271.940339&cid=C03NUSAPKC6),\r\nproducts like the [ossf\r\nscorecard](https://github.com/ossf/scorecard?tab=readme-ov-file#scorecard-checks)\r\nmight be better fits for describing policy details. The scorecard is\r\nmuch more opinionated about things like branch protections already!\r\n\r\nThis pr addresses the topics raised in the following issues. \r\nWe should re-evaluate the status of these issues when this PR merges:\r\n* https://github.com/slsa-framework/slsa/issues/1076\r\n* https://github.com/slsa-framework/slsa/issues/1075 \r\n* https://github.com/slsa-framework/slsa/issues/1077\r\n* https://github.com/slsa-framework/slsa/issues/1095\r\n* https://github.com/slsa-framework/slsa/issues/1080\r\n\r\n---------\r\n\r\nSigned-off-by: Zachariah Cox \r\nSigned-off-by: Tom Hennen \r\nCo-authored-by: Tom Hennen \r\nCo-authored-by: Aditya Sirish <8928778+adityasaky@users.noreply.github.com>","shortMessageHtmlLink":"content: source track draft: simplify and clarify level goals (#1097)"}},{"before":"cee173986e26d9ca07dd318bcfcb39935a343702","after":null,"ref":"refs/heads/dependabot/bundler/docs/rexml-3.3.3","pushedAt":"2024-08-14T18:57:56.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"TomHennen","name":"Tom Hennen","path":"/TomHennen","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5216560?s=80&v=4"}},{"before":"b69f2373fc2391ad20bb4b4e90b48aa648cde7cf","after":"9a9b31132612d421af3b46a9bfa5947bc3f404cc","ref":"refs/heads/main","pushedAt":"2024-08-14T18:57:54.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"TomHennen","name":"Tom Hennen","path":"/TomHennen","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/5216560?s=80&v=4"},"commit":{"message":"impl: build(deps-dev): bump rexml from 3.2.8 to 3.3.3 in /docs (#1106)\n\nBumps [rexml](https://github.com/ruby/rexml) from 3.2.8 to 3.3.3.\r\n
\r\nRelease notes\r\n

Sourced from rexml's releases.

REXML 3.3.3 - 2024-08-01

Improvements

  • Added support for detecting invalid XML that has unsupported content before root element
    • GH-184
    • Patch by NAITOH Jun.
  • Added support for REXML::Security.entity_expansion_limit= and REXML::Security.entity_expansion_text_limit= in SAX2 and pull parsers
    • GH-187
    • Patch by NAITOH Jun.
  • Added more tests for invalid XMLs.
    • GH-183
    • Patch by Watson.
  • Added more performance tests.
    • Patch by Watson.
  • Improved parse performance.
    • GH-186
    • Patch by tomoya ishida.

Thanks

  • NAITOH Jun
  • Watson
  • tomoya ishida

REXML 3.3.2 - 2024-07-16

Improvements

  • Improved parse performance.
    • GH-160
    • Patch by NAITOH Jun.
  • Improved parse performance.
    • GH-169
    • GH-170
    • GH-171
    • GH-172
    • GH-173
    • GH-174
    • GH-175
    • GH-176

... (truncated)

\r\nChangelog\r\n

Sourced from rexml's changelog.

3.3.3 - 2024-08-01 {#version-3-3-3}

Improvements

  • Added support for detecting invalid XML that has unsupported content before root element
    • GH-184
    • Patch by NAITOH Jun.
  • Added support for REXML::Security.entity_expansion_limit= and REXML::Security.entity_expansion_text_limit= in SAX2 and pull parsers
    • GH-187
    • Patch by NAITOH Jun.
  • Added more tests for invalid XMLs.
    • GH-183
    • Patch by Watson.
  • Added more performance tests.
    • Patch by Watson.
  • Improved parse performance.
    • GH-186
    • Patch by tomoya ishida.

Thanks

  • NAITOH Jun
  • Watson
  • tomoya ishida

3.3.2 - 2024-07-16 {#version-3-3-2}

Improvements

  • Improved parse performance.
    • GH-160
    • Patch by NAITOH Jun.
  • Improved parse performance.
    • GH-169
    • GH-170
    • GH-171
    • GH-172
    • GH-173
    • GH-174
    • GH-175

... (truncated)

\r\nCommits\r\n
  • e4a067e Add 3.3.3 entry
  • 17ff3e7 test: add a performance test for attribute list declaration
  • be86b3d test: fix wrong test name
  • b93d790 test: use double quote for string literal
  • 0fbe7d5 test: don't use abbreviated name
  • 1599e87 test: add a performance test for PI with many tabs
  • e2546e6 parse pi: improve invalid case detection
  • 73661ef test: fix a typo
  • 850488a test: use double quote for string literal
  • 46c6397 test: add performance tests for entity declaration
  • Additional commits viewable in compare view

\r\n\r\n\r\n[![Dependabot compatibility\r\nscore](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=rexml&package-manager=bundler&previous-version=3.2.8&new-version=3.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\r\n\r\nDependabot will resolve any conflicts with this PR as long as you don't\r\nalter it yourself. You can also trigger a rebase manually by commenting\r\n`@dependabot rebase`.\r\n\r\n[//]: # (dependabot-automerge-start)\r\n[//]: # (dependabot-automerge-end)\r\n\r\n---\r\n\r\n
\r\nDependabot commands and options\r\n
\r\n\r\nYou can trigger Dependabot actions by commenting on this PR:\r\n- `@dependabot rebase` will rebase this PR\r\n- `@dependabot recreate` will recreate this PR, overwriting any edits\r\nthat have been made to it\r\n- `@dependabot merge` will merge this PR after your CI passes on it\r\n- `@dependabot squash and merge` will squash and merge this PR after\r\nyour CI passes on it\r\n- `@dependabot cancel merge` will cancel a previously requested merge\r\nand block automerging\r\n- `@dependabot reopen` will reopen this PR if it is closed\r\n- `@dependabot close` will close this PR and stop Dependabot recreating\r\nit. You can achieve the same result by closing it manually\r\n- `@dependabot show ignore conditions` will show all\r\nof the ignore conditions of the specified dependency\r\n- `@dependabot ignore this major version` will close this PR and stop\r\nDependabot creating any more for this major version (unless you reopen\r\nthe PR or upgrade to it yourself)\r\n- `@dependabot ignore this minor version` will close this PR and stop\r\nDependabot creating any more for this minor version (unless you reopen\r\nthe PR or upgrade to it yourself)\r\n- `@dependabot ignore this dependency` will close this PR and stop\r\nDependabot creating any more for this dependency (unless you reopen the\r\nPR or upgrade to it yourself)\r\nYou can disable automated security fix PRs for this repo from the\r\n[Security Alerts\r\npage](https://github.com/slsa-framework/slsa/network/alerts).\r\n\r\n
\r\n\r\nSigned-off-by: dependabot[bot] \r\nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>","shortMessageHtmlLink":"impl: build(deps-dev): bump rexml from 3.2.8 to 3.3.3 in /docs (#1106)"}},{"before":"a7a5084c65b829d333a311f8df50dcd0c4bd08bf","after":"b69f2373fc2391ad20bb4b4e90b48aa648cde7cf","ref":"refs/heads/main","pushedAt":"2024-08-12T15:49:14.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"arewm","name":"Andrew McNamara","path":"/arewm","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/16674323?s=80&v=4"},"commit":{"message":"nonspec: Document the spec versions management (#1093)\n\nExpand CONTRIBUTING.md with information on how we manage the various\r\nversions of the specification in the repository.\r\n\r\n---------\r\n\r\nSigned-off-by: Arnaud J Le Hors ","shortMessageHtmlLink":"nonspec: Document the spec versions management (#1093)"}},{"before":"f3c54b12de2666628039f8478ac5b6f286dbe3ae","after":null,"ref":"refs/heads/dependabot/bundler/docs/rexml-3.3.2","pushedAt":"2024-08-02T16:37:37.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"}},{"before":null,"after":"cee173986e26d9ca07dd318bcfcb39935a343702","ref":"refs/heads/dependabot/bundler/docs/rexml-3.3.3","pushedAt":"2024-08-02T16:37:33.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"build(deps-dev): bump rexml from 3.2.8 to 3.3.3 in /docs\n\nBumps [rexml](https://github.com/ruby/rexml) from 3.2.8 to 3.3.3.\n- [Release notes](https://github.com/ruby/rexml/releases)\n- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)\n- 
[Commits](https://github.com/ruby/rexml/compare/v3.2.8...v3.3.3)\n\n---\nupdated-dependencies:\n- dependency-name: rexml\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"build(deps-dev): bump rexml from 3.2.8 to 3.3.3 in /docs"}},{"before":null,"after":"f3c54b12de2666628039f8478ac5b6f286dbe3ae","ref":"refs/heads/dependabot/bundler/docs/rexml-3.3.2","pushedAt":"2024-07-23T21:15:02.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"build(deps-dev): bump rexml from 3.2.8 to 3.3.2 in /docs\n\nBumps [rexml](https://github.com/ruby/rexml) from 3.2.8 to 3.3.2.\n- [Release notes](https://github.com/ruby/rexml/releases)\n- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)\n- [Commits](https://github.com/ruby/rexml/compare/v3.2.8...v3.3.2)\n\n---\nupdated-dependencies:\n- dependency-name: rexml\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"build(deps-dev): bump rexml from 3.2.8 to 3.3.2 in /docs"}},{"before":"ac0c409577020382f8ba5941576a741eb6961ee4","after":"a7a5084c65b829d333a311f8df50dcd0c4bd08bf","ref":"refs/heads/main","pushedAt":"2024-07-15T09:19:29.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"nonspec: add instructions for checking markdown formatting (#1096)\n\nAdd instructions for checking markdown formatting using\r\nmarkdownlint-cli2.\r\n\r\nI got tired of getting errors after sending and updating PRs but didn't\r\nknow how to run the style checker locally. 
Once I figured it out I\r\nsuspected other folks might have a similar problem.\r\n\r\nSigned-off-by: Tom Hennen ","shortMessageHtmlLink":"nonspec: add instructions for checking markdown formatting (#1096)"}},{"before":"7c6ba2398027a00e69a9e2497a61d2e45b1355bf","after":"ac0c409577020382f8ba5941576a741eb6961ee4","ref":"refs/heads/main","pushedAt":"2024-07-15T09:18:17.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"content: Add v1.1 without source track (#1092)\n\nThis is meant to include all the updates we have accumulated so far\r\nagainst 1.0, without any of the new levels or tracks. The goal is to\r\npublish this ASAP as a minor update to 1.0.\r\n\r\nSigned-off-by: Arnaud J Le Hors ","shortMessageHtmlLink":"content: Add v1.1 without source track (#1092)"}},{"before":"772967cdccd5db07563d8a96be1aad4fcc9a59fa","after":"7c6ba2398027a00e69a9e2497a61d2e45b1355bf","ref":"refs/heads/main","pushedAt":"2024-07-15T09:17:37.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"content: draft: define source-track objective in terms of revisions and provenance. (#1083)\n\nfixes https://github.com/slsa-framework/slsa/issues/1072\r\n\r\nThis PR modifies _draft_ content of the slsa spec. 
\r\n\r\n## Context\r\nBased on discussion from\r\nhttps://github.com/slsa-framework/slsa/pull/1037\r\n\r\nSee [discussion\r\nhere](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#heading=h.svjr333bawb).\r\n\r\nCopied from [draft proposal\r\nhere](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#bookmark=id.4qr65cfy6ufj).\r\n\r\nGoogle document requires slsa-discussion@googlegroups.com membership.\r\n\r\n## Source revision provenance\r\nRepos contain many revisions, most of which are not \"official\" or\r\notherwise approved for release.\r\nThe goal of the source track is to attest to why a specific revision\r\n_was_ approved for release.\r\n\r\nWe can think of the SCP / code review tool as “building” the next\r\nofficial revision of a repository using a codified process that involves\r\ncollecting commits, acquiring reviews, running CI, etc.\r\nIf the change review process is successful, the code review tooling will\r\nmerge the code changes and attest to the process used to produce the new\r\nrevision.\r\n\r\nThe source provenance attestations associate a specific revision of a\r\nrepository to security claims and documents (basically build logs) of\r\nthe process that produced it.\r\n\r\nIn GitHub terms, a merged pull request and its associated rules\r\nevaluation justify why and how a specific git SHA is reachable from a\r\nprotected branch.\r\n\r\n## Example Scenario\r\n1. A CI system is trying to build some artifact and will download all\r\nnecessary resources, including repos and packages.\r\n2. After download, the system will proceed to verify all fetched\r\nresources.\r\n1. For package artifacts, it takes the hash and looks for build\r\nprovenance attestations from sigstore or github.\r\n1. 
For source artifacts that are not packaged (EG, cloned via git), it\r\ntakes the revision id and looks for the source provenance from sigstore\r\nor github.\r\n5. Based on the claims in the provenance attestations, the CI system can\r\ndetermine if all resources comply with required policy and choose to\r\nproceed.\r\n\r\n---------\r\n\r\nSigned-off-by: Zachariah Cox \r\nCo-authored-by: Joshua Lock \r\nCo-authored-by: Tom Hennen ","shortMessageHtmlLink":"content: draft: define source-track objective in terms of revisions a…"}},{"before":"fd2670bc2b6c52583b26af35f781ca6e67efbae9","after":"772967cdccd5db07563d8a96be1aad4fcc9a59fa","ref":"refs/heads/main","pushedAt":"2024-07-13T07:23:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"impl: Update actions/setup-node action to v4.0.3 (#1098)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Type | Update | Change |\r\n|---|---|---|---|\r\n| [actions/setup-node](https://togithub.com/actions/setup-node) | action\r\n| patch | `v4.0.2` -> `v4.0.3` |\r\n\r\n---\r\n\r\n### Release Notes\r\n\r\n
\r\nactions/setup-node (actions/setup-node)\r\n\r\n###\r\n[`v4.0.3`](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3)\r\n\r\n
\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"every weekend\" (UTC), Automerge - At\r\nany time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa).\r\n\r\n\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"impl: Update actions/setup-node action to v4.0.3 (#1098)"}},{"before":"9a04d1ee393b5be2773b1ce204f61fe0fd02366a","after":"fd2670bc2b6c52583b26af35f781ca6e67efbae9","ref":"refs/heads/main","pushedAt":"2024-07-13T07:17:33.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"nonspec: Add TomHennen as a maintainer (#1091)\n\nI'd like to propose making myself a maintainer.\r\n\r\nI believe I meet the requirements [listed\r\nhere](https://github.com/slsa-framework/slsa/blob/main/MAINTAINERS.md#becoming-a-maintainer).\r\n\r\nSigned-off-by: Tom Hennen ","shortMessageHtmlLink":"nonspec: Add TomHennen as a maintainer (#1091)"}},{"before":"4b969addc129ef585d141278ed838656a386ef50","after":"9a04d1ee393b5be2773b1ce204f61fe0fd02366a","ref":"refs/heads/main","pushedAt":"2024-07-09T18:23:03.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"impl: Rename latest draft (v1.1) to 
draft (#1090)\n\nAdd clear disclaimer about the status of this document, and unhide it.\r\n\r\nThis closes issue #1086\r\n\r\n---------\r\n\r\nSigned-off-by: Arnaud J Le Hors ","shortMessageHtmlLink":"impl: Rename latest draft (v1.1) to draft (#1090)"}},{"before":"dae80acb36e2c8c9a8d404397270d5bb9a3d1933","after":"4b969addc129ef585d141278ed838656a386ef50","ref":"refs/heads/main","pushedAt":"2024-07-08T19:06:55.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"content: source track v.next draft, address remainder of pre-merge issues (#1088)\n\ncloses out the remainder of the pre-merge\r\n[issues](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#heading=h.au8zjzii8lgw).\r\n\r\n## changes\r\n\r\n1. adds high-level document status section. \r\n2. add outstanding TODOs from ☝️ gdoc\r\n3. add link to `label:source-track` issues in slsa repo\r\n4. removes reference to \"time\" in the definition of \"revision.\"\r\n5. 
adds source track links to what's new file.\r\n\r\n---------\r\n\r\nSigned-off-by: Zachariah Cox \r\nCo-authored-by: Joshua Lock ","shortMessageHtmlLink":"content: source track v.next draft, address remainder of pre-merge is…"}},{"before":"694afabcc0d0b6f8246ca497d67cad9ebc95755c","after":"dae80acb36e2c8c9a8d404397270d5bb9a3d1933","ref":"refs/heads/main","pushedAt":"2024-07-08T19:04:07.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"editorial: Expand SLSA acronym in docs (#1087)\n\nWhen visiting slsa.dev/spec/$version/about, I didn't see any mention of\r\nwhat the SLSA acronym actually stands for.\r\nThis change simply expands the acronym in the docs.","shortMessageHtmlLink":"editorial: Expand SLSA acronym in docs (#1087)"}},{"before":"0a6dbca72bcfc1fb2fdc2181059be43639399d98","after":"694afabcc0d0b6f8246ca497d67cad9ebc95755c","ref":"refs/heads/main","pushedAt":"2024-07-01T16:23:31.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"impl: Update amannn/action-semantic-pull-request action to v5.5.3 (#1084)\n\namannn/action-semantic-pull-request v5.5.2 -> v5.5.3\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"impl: Update amannn/action-semantic-pull-request action to v5.5.3 (#1084"}},{"before":"306642f21dbdaca2eaafe2df8e98432b4d4f2f02","after":"0a6dbca72bcfc1fb2fdc2181059be43639399d98","ref":"refs/heads/main","pushedAt":"2024-06-28T16:17:20.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"content: Add draft of the Source track. 
(#1037)\n\nThis change adds the working draft of SLSA's Source track. It includes\nbasic terminology and level requirements.\n\n---------\n\nSigned-off-by: kpk47 \nSigned-off-by: Mark Lodato \nSigned-off-by: Joshua Lock \nCo-authored-by: Mark Lodato \nCo-authored-by: Zachariah Cox \nCo-authored-by: Joshua Lock ","shortMessageHtmlLink":"content: Add draft of the Source track. (#1037)"}},{"before":"bee177a10283a62b26c9c9afe3b951c9a7cdbda0","after":"306642f21dbdaca2eaafe2df8e98432b4d4f2f02","ref":"refs/heads/main","pushedAt":"2024-06-17T09:03:59.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"impl: Update actions/checkout action to v4.1.7 (#1068)\n\nactions/checkout `v4.1.6` -> `v4.1.7`\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"impl: Update actions/checkout action to v4.1.7 (#1068)"}},{"before":"96cdd135351885e380bd34c4c03be152cf395d20","after":"bee177a10283a62b26c9c9afe3b951c9a7cdbda0","ref":"refs/heads/main","pushedAt":"2024-06-11T11:03:36.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"blog: Add blog post on Tekton Chains and IBM DevSecOps (#1048)\n\nAs discussed on a recent call, Tekton Chains supports SLSA Provenance v1\r\nbut the configuration isn't the most straightforward. This post\r\nhighlights support for SLSA and gives people the right configuration to\r\nuse to get the v1 format. 
It also informs people that IBM has an\r\noffering based on this technology and gives them a few pointers to the\r\nrelevant documentation.\r\n\r\n---------\r\n\r\nSigned-off-by: Arnaud J Le Hors ","shortMessageHtmlLink":"blog: Add blog post on Tekton Chains and IBM DevSecOps (#1048)"}},{"before":"d28bc77c445662e7b43b3f4b3f6e64b3b08ecfb7","after":"96cdd135351885e380bd34c4c03be152cf395d20","ref":"refs/heads/main","pushedAt":"2024-06-05T15:54:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"content: refactor threat diagram and add overview (#1057)\n\nRefactor the threat diagram to address clarity concerns and to expand it\r\nbeyond tampering. The intent is that this threat model can be useful for\r\nany software supply chain security effort. Many of the threats\r\npreviously called \"out of scope\" should be listed here, even if the SLSA\r\nladder does not (yet!) cover them.\r\n\r\nNOTE: this is a partial solution, but more work is needed. I want to\r\nat least merge what we have so far so that others can iterate on it.\r\n\r\nThis design is the result of much discussion on Slack. Thank you to\r\n@adityasaky, @arewm, @david-a-wheeler, @jkjell, @mlieberman85,\r\n@marcelamelara, and @trishankatdatadog for your contributions and\r\nsuggestions.\r\n\r\nSummary of major changes:\r\n\r\n* Add threat indicators for Producer and Consumer, remove for\r\n Dependencies.\r\n* Rename \"Package\" to \"Distribution\".\r\n* Rewrite titles to describe the position rather than the tampering\r\n threat.\r\n\r\nDetailed diagram changes:\r\n\r\n* Update the threat markers:\r\n - Add a threat for Producer to cover malicious intent. For example, if you\r\n install malware, it's not tampering---the producer really did intend to\r\n write malware, and no amount of code review will \"fix\" that! 
(Previously\r\n this was called \"out of scope\".)\r\n - Add a threat for Consumer to cover...? It makes the diagram nicer and I\r\n assume we want something here, but I don't know what that is yet!\r\n - Remove the threat for Dependency, since it generated a lot of confusion. The\r\n intent was that it is recursive, so the hope is that the diagram and text\r\n make this clear enough.\r\n - Re-letter the threat markers accordingly.\r\n - Update the threat titles to describe the position rather than the tampering\r\n threat. The old titles generated a lot of disagreement, and they relied on\r\n understanding the non-obvious interpretation of the model. Now, the new\r\n titles just describe that model, which is hopefully more clear to everyone.\r\n* Rename \"Package\" to \"Distribution\" to better reflect what that box means.\r\n* Move the arrow from Distribution to Dependency to make it clear that (H) is\r\n also recursive.\r\n - Also make the arrow solid instead of dashed, but keep the dashed box around\r\n Dependency. 
The idea is that the use of the dependency is a real input to\r\n the build, while Dependency itself is really just another package.\r\n* Move \"build params\" to \"Build threats\" instead of \"Source threats\",\r\n and add new \"Usage threats\" category.\r\n* (minor) Use the same green color throughout, rather than having a\r\n slightly different green color for arrows.\r\n\r\nText changes:\r\n\r\n* Add an overview section that explains a bit more about the threat model.\r\n* Add Dependency Confusion.\r\n* Update text to match the new diagram (only partially done).\r\n\r\nSigned-off-by: Mark Lodato ","shortMessageHtmlLink":"content: refactor threat diagram and add overview (#1057)"}},{"before":"0a125980dcb82e3793ee86f3d486ce7b5948ea44","after":"d28bc77c445662e7b43b3f4b3f6e64b3b08ecfb7","ref":"refs/heads/main","pushedAt":"2024-05-30T20:28:44.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: Update actions/checkout action to v4.1.6 (#1059)\n\nactions/checkout `v4.1.5` -> `v4.1.6`\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"impl: Update actions/checkout action to v4.1.6 (#1059)"}},{"before":"1121710a76fdc92c82f1dbb06bc2e028134ac5d8","after":"0a125980dcb82e3793ee86f3d486ce7b5948ea44","ref":"refs/heads/main","pushedAt":"2024-05-27T20:43:12.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: Update dependency markdownlint-cli to v0.41.0 (#1060)\n\nmarkdownlint-cli `0.40.0` -> `0.41.0`\r\n\r\nSigned-off-by: Mend Renovate ","shortMessageHtmlLink":"impl: Update dependency markdownlint-cli to v0.41.0 
(#1060)"}},{"before":"9ff9f8d2209eee46c53b11684fcbee0b3d47c88d","after":null,"ref":"refs/heads/dependabot/bundler/docs/rexml-3.2.8","pushedAt":"2024-05-17T18:19:44.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"}},{"before":"2197af8d848acd068c76a81897cb0dd0578103a5","after":"1121710a76fdc92c82f1dbb06bc2e028134ac5d8","ref":"refs/heads/main","pushedAt":"2024-05-17T18:19:43.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: bump rexml from 3.2.6 to 3.2.8 (#1058)\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"impl: bump rexml from 3.2.6 to 3.2.8 (#1058)"}},{"before":null,"after":"9ff9f8d2209eee46c53b11684fcbee0b3d47c88d","ref":"refs/heads/dependabot/bundler/docs/rexml-3.2.8","pushedAt":"2024-05-16T21:28:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"build(deps-dev): bump rexml from 3.2.6 to 3.2.8 in /docs\n\nBumps [rexml](https://github.com/ruby/rexml) from 3.2.6 to 3.2.8.\n- [Release notes](https://github.com/ruby/rexml/releases)\n- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)\n- [Commits](https://github.com/ruby/rexml/compare/v3.2.6...v3.2.8)\n\n---\nupdated-dependencies:\n- dependency-name: rexml\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"build(deps-dev): bump rexml from 3.2.6 to 3.2.8 in 
/docs"}},{"before":"9c4e9d3cae882095232c693a5a54610629c0f7a3","after":"2197af8d848acd068c76a81897cb0dd0578103a5","ref":"refs/heads/main","pushedAt":"2024-05-14T09:38:15.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"content: re-add threats (A) and (B) from v0.1 (#1056)\n\nRe-add the threat descriptions for (A) and (B) from v0.1 to v1.1. They\r\nare copied verbatim, except for removing the `(SLSA 4)`\r\nand `...` labels, which no longer apply to the current\r\nversion.\r\n\r\nFuture PRs will tweak the content of these threat descriptions. But for\r\nthis PR, I want to just add them as-is so that we can track cleanly in\r\nversion control.\r\n\r\nSigned-off-by: Mark Lodato ","shortMessageHtmlLink":"content: re-add threats (A) and (B) from v0.1 (#1056)"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEpTR9fwA","startCursor":null,"endCursor":null}},"title":"Activity · slsa-framework/slsa"}