Releases: gitpod-io/leeway

v0.13.1

13 Nov 19:49

What's Changed

  • fix(build): improve logging and status reporting for cache operations by @leodido in #273
  • fix(build): correct total count in build summary by @leodido in #274

Full Changelog: v0.13.0...v0.13.1

v0.13.0

11 Nov 18:01

What's Changed

  • fix: make gzip compression deterministic by @leodido in #262
  • fix: avoid re-uploading downloaded artifacts in sign-cache by @leodido in #263
  • test: remove flaky TestS3Cache_VerificationOverhead by @leodido in #265
  • fix: extract builder ID from OIDC by @leodido in #264
  • Bump github.com/hashicorp/go-getter from 1.7.8 to 1.7.9 by @dependabot[bot] in #238

Full Changelog: v0.12.0...v0.13.0

v0.13.0-rc4

11 Nov 17:34

Pre-release

Changelog

  • 3ecf8b3 Add comprehensive tests for artifact upload behavior
  • 2d1fb81 Avoid re-uploading downloaded artifacts in sign-cache
  • 16ee59d Bump github.com/hashicorp/go-getter from 1.7.8 to 1.7.9
  • 5447815 Fix non-deterministic gzip compression
  • 2debc63 build(deps): Bump github.com/containerd/containerd from 1.7.26 to 1.7.29
  • 819464d build(deps): Bump github.com/opencontainers/runc from 1.1.10 to 1.2.8
  • 95ff8c8 build(deps): Bump github.com/opencontainers/selinux
  • 8932b3a build(deps): revert to v0.12.0 dependencies for v0.13.0 release
  • bd51715 docs(signing): clarify Fulcio's role in builder ID extraction
  • 7c393af feat(signing): enforce strict OIDC extraction, remove fallback
  • cfc3325 feat(signing): support top-level job_workflow_ref claim as fallback
  • a1d91f4 fix(lint): check error return value in test mock server
  • b467877 fix(lint): check error return values in signing package
  • 8b49f6a fix(pkg/leeway/signing): extract builder ID from OIDC
  • ffb6270 fix(signing): validate whitespace-only sub claims
  • 74d751f refactor(test): consolidate extractJobWorkflowRef test functions
  • 666b52e refactor(test): encapsulate expected values in want struct
  • c180092 refactor(test): replace os.Setenv with t.Setenv for automatic cleanup
  • 130268b refactor(test): use cmp.Diff for struct comparisons
  • ddea58c test(pkg/leeway/signing): test the extraction of job_workflow_ref/builder ID from OIDC sub claims

v0.12.0

29 Oct 15:26

What's Changed

  • feat(slsa): add RequireAttestation configuration for strict SLSA verification by @leodido in #259

Full Changelog: v0.11.0...v0.12.0

v0.11.0

25 Oct 11:04

This major release introduces complete SLSA Level 3 compliance building blocks, enabling cryptographic verification of build artifacts and supply chain security for your projects.

🎉 What's New

SLSA Level 3 Support

  • Automated Provenance: SLSA v0.2 attestations with complete build metadata
  • Keyless Signing: Sigstore integration with GitHub OIDC
  • Cache Verification: Cryptographic verification of artifacts
  • In-Flight Checksumming: TOCTU attack prevention
  • Docker Export Mode: Signed container images via cache
  • CI/CD Command: New leeway plumbing sign-cache for separated workflows

Auto-Activation

Set provenance.slsa: true in WORKSPACE.yaml to automatically enable all SLSA L3 features:

provenance:
  enabled: true
  slsa: true

Docker Export Configuration

New 5-layer precedence: CLI flag → Environment variable → Package config → Workspace default → Global default

packages:
  - name: backend
    type: docker
    config:
      exportToCache: true  # Export for signing
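The five-layer precedence above, and why the move to *bool matters, as an added Go illustration that is not leeway's own code: the struct, function and layer names are assumptions, and the environment variable is passed in as an already-read string because its name is not given on this page.

```go
package main

import (
	"fmt"
	"strconv"
)

// Inputs for one package, most specific layer first. Added illustration only,
// not leeway's own code; field names are assumptions.
type ExportToCacheInputs struct {
	CLIFlag          *bool  // --docker-export-to-cache; nil when the flag was not given
	EnvVar           string // raw environment value, "" when unset (variable name not given here)
	PackageConfig    *bool  // DockerPkgConfig.ExportToCache: nil = unset, &false = explicit opt-out
	WorkspaceDefault *bool  // workspace-level default, nil when the workspace sets none
	GlobalDefault    bool   // built-in fallback when nothing above decided
}

// ResolveExportToCache walks the layers in order and reports the effective value
// plus the layer that decided it; a malformed environment value is an error.
func ResolveExportToCache(in ExportToCacheInputs) (bool, string, error) {
	if in.CLIFlag != nil {
		return *in.CLIFlag, "cli", nil
	}
	if in.EnvVar != "" {
		v, err := strconv.ParseBool(in.EnvVar)
		if err != nil {
			return false, "", fmt.Errorf("invalid boolean %q in environment: %w", in.EnvVar, err)
		}
		return v, "env", nil
	}
	if in.PackageConfig != nil {
		return *in.PackageConfig, "package", nil
	}
	if in.WorkspaceDefault != nil {
		return *in.WorkspaceDefault, "workspace", nil
	}
	return in.GlobalDefault, "global", nil
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Package sets exportToCache: false under a workspace default of true. With *bool the
	// explicit false wins; with a plain bool, false equals "unset" and the default would apply.
	v, src, _ := ResolveExportToCache(ExportToCacheInputs{
		PackageConfig:    boolPtr(false),
		WorkspaceDefault: boolPtr(true),
	})
	fmt.Printf("exportToCache=%v (decided by %s layer)\n", v, src)
}
```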

⚠️ Breaking Changes

  • DockerPkgConfig.ExportToCache changed from bool to *bool (an unset value, nil, is now distinguishable from an explicit false)
  • SLSA-enabled artifacts have different version hashes (includes provenance: version=3 slsa)

🔧 Other Improvements

  • Configurable SBOM parallelism (defaults to CPU cores)
  • Enhanced S3 cache with better concurrency
  • Comprehensive test coverage and performance benchmarks
  • Improved error handling and logging

PRs

  • CLC-1361: Ignore ephemeral packages during scanning by @geropl in #231
  • Fix devcontainer configuration drift by @akosyakov in #232
  • Make builddir reporting beautiful by @csweichel in #233
  • feat: add configurable SBOM parallelism with CPU core default by @WVerlaek in #240
  • Implement SLSA Level 3 Cache Verification by @leodido in #242
  • feat: add in-flight checksumming to prevent TOCTU attacks on build artifacts by @leodido in #243
  • feat: cache artifact signing command with Sigstore integration by @leodido in #244
  • feat: add environment variable support for in-flight checksumming by @leodido in #245
  • build: upgrade anchore dependencies to fix mapstructure compatibility by @leodido in #246
  • feat: SLSA features (in-flight checksumming + cache artifact signing) by @leodido in #257
  • test: comprehensive sign-cache and cache resilience test suite by @leodido in #247
  • feat: enable Docker image export to cache instead of direct push by @leodido in #248
  • test(integration): add integration tests for Docker export to cache by @leodido in #249
  • ci: support release candidates by @leodido in #251
  • feat: auto-enable SLSA L3 features when provenance.slsa is true by @leodido in #250
  • fix(signing): explicitly fetch GitHub OIDC token for Sigstore by @leodido in #252

New Contributors

Full Changelog: v0.10.5...v0.11.0

v0.11.0-rc2

10 Oct 19:52

Pre-release

Changelog

  • 8978c5e fix(signing): explicitly fetch GitHub OIDC token for Sigstore

v0.11.0-rc1

08 Oct 14:07

Pre-release

Changelog

  • df9b1c0 Add --in-flight-checksums CLI flag for TOCTU attack prevention
  • 6e4fd22 Add SLSA environment variable constants and help documentation
  • e84e764 Add SLSA verifier interface and mock implementation
  • bb3f821 Add checksum storage to build context for in-flight checksumming
  • de2c2fe Add comprehensive SLSA verification test suite
  • 120f2f8 Add comprehensive tests for in-flight checksumming security
  • 3f40064 Add end-of-build verification to complete TOCTU attack protection
  • dfaa291 Add golang.org/x/time dependency for rate limiting
  • d8a6af3 Add slsa-verifier dependency for cache verification
  • 5e46b45 CLC-1361: Ignore ephemeral packages during scanning
  • 682cb2f Clean up go.sum tidiness
  • 7a04144 Extend RemoteConfig with SLSA verification settings
  • 3e46a85 Fix devcontainer configuration drift
  • 1db2eb5 Fix errcheck linting errors in SLSA cache implementation
  • 14152de Fix test initialization to prevent SIGSEGV crashes
  • 12f1210 Hook checksum recording after cache artifact creation
  • 0d104b5 Ignore ephemeral packages during SBOM export
  • 2979648 Implement SLSA CLI flags and configuration integration
  • 3a706eb Implement SLSA verifier for cache artifact verification
  • ae51001 Implement checksum helper functions for in-flight checksumming
  • a09d419 Implement production-ready S3 cache with concurrency safety
  • 3107908 Implement structured result approach for reliable error attribution
  • 9a048c4 Improve S3Cache implementation with code deduplication and better architecture
  • f95417f Make builddir reporting beautiful
  • bfe3f21 Merge pull request #240 from gitpod-io/feature/sbom-parallelism
  • 0680384 Refactor SLSA configuration architecture for better maintainability
  • 234fa22 Update tests to use new SLSA configuration architecture
  • 0a13265 build: add Sigstore dependencies for integrated signing
  • 31a0be1 build: upgrade anchore dependencies to fix mapstructure compatibility
  • 55bbfe5 ci: support pre-releases
  • 97e5eb9 docs(readme): document exportToCache field and SLSA L3 usage
  • 0a6e8b8 feat(build): implement Docker image export to cache
  • 7cc4f73 feat(cli): add --docker-export-to-cache flag with proper precedence
  • b892734 feat(config): add exportToCache field to DockerPkgConfig
  • 3facf99 feat(slsa): implement SLSA L3 auto-enablement with precedence hierarchy
  • 5f09a0d feat: add configurable SBOM parallelism with CPU core default
  • 629078c feat: add environment variable support for in-flight checksumming
  • aa92849 feat: add sign-cache plumbing command for CI/CD integration
  • 7e31b0f feat: implement complete parallel downloads and throughput benchmarks
  • a02950f feat: implement integrated SLSA signing architecture
  • 0eb3851 fix: ensure benchmarks use realistic mocks for accurate performance measurement
  • 322bb54 fix: replace placeholder Sigstore implementation with production API
  • 12acac3 perf: implement realistic mock for meaningful performance benchmarks
  • e23cbad refactor: remove build log and default to CPU cores when parallelism is 0
  • 3265c9b refactor: simplify sign-cache command interface
  • 87d9fb5 test(build): add comprehensive tests for export functionality
  • a9124b3 test(integration): Add integration tests for Docker export to cache

v0.10.5

09 May 12:25

Changelog

  • 4deef39 Change fixed-build-dir flag default to true
  • dc1aee4 Merge pull request #230 from gitpod-io/qf/change-fixed-build-dir-default-to-true

v0.10.4

07 May 12:19

Changelog

  • a926587 Add SBOM generation and vulnerability scanning

v0.10.3

30 Apr 06:19

Changelog

  • 8f36db0 Add image to devcontainer.json
  • cfe3e38 Fix build failure reported as success
  • 1dab993 Fix gsutil cache download issue
  • 122f52d Fix jq and curl in devcontainer
  • d3d7dc6 Fix leeway installations script
  • cbe3e0f Merge pull request #218 from gitpod-io/clu/devcontainer
  • 2b9dca9 Merge pull request #223 from gitpod-io/wv/fix-build-failure-report
  • a2f98b6 Merge pull request #228 from gitpod-io/pd/CLC-1324
  • 59a982e Move Leeway installation to devcontainer.json
  • 8c4812f Move dependency installation from Dockefile to devcontainer.json
  • f0b51ae Remove Gitpod setup in favor of DevContainer setup
  • 8b88ea4 Tidy up devcontainer