v0.11.0

This major release introduces complete SLSA Level 3 compliance building blocks, enabling cryptographic verification of build artifacts and supply chain security for your projects.

🎉 What's New

SLSA Level 3 Support

• Automated Provenance: SLSA v0.2 attestations with complete build metadata
• Keyless Signing: Sigstore integration with GitHub OIDC
• Cache Verification: Cryptographic verification of artifacts
• In-Flight Checksumming: TOCTU attack prevention
• Docker Export Mode: Signed container images via cache
• CI/CD Command: New leeway plumbing sign-cache for separated workflows

Auto-Activation

Set provenance.slsa: true in WORKSPACE.yaml to automatically enable all SLSA L3 features:

provenance:
  enabled: true
  slsa: true

Docker Export Configuration

New 5-layer precedence: CLI flag → Environment variable → Package config → Workspace default → Global default

packages:
  - name: backend
    type: docker
    config:
      exportToCache: true  # Export for signing

⚠️ Breaking Changes

• DockerPkgConfig.ExportToCache changed from bool to *bool (enables nil vs false distinction)
• SLSA-enabled artifacts have different version hashes (includes provenance: version=3 slsa)

🔧 Other Improvements

• Configurable SBOM parallelism (defaults to CPU cores)
• Enhanced S3 cache with better concurrency
• Comprehensive test coverage and performance benchmarks
• Improved error handling and logging

PRs

• CLC-1361: Ignore ephemeral packages during scanning by @geropl in #231
• Fix devcontainer configuration drift by @akosyakov in #232
• Make builddir reporting beautiful by @csweichel in #233
• feat: add configurable SBOM parallelism with CPU core default by @WVerlaek in #240
• Implement SLSA Level 3 Cache Verification by @leodido in #242
• feat: add in-flight checksumming to prevent TOCTU attacks on build artifacts by @leodido in #243
• feat: cache artifact signing command with Sigstore integration by @leodido in #244
• feat: add environment variable support for in-flight checksumming by @leodido in #245
• build: upgrade anchore dependencies to fix mapstructure compatibility by @leodido in #246
• feat: SLSA features (in-flight checksumming + cache artifact signing) by @leodido in #257
• test: comprehensive sign-cache and cache resilience test suite by @leodido in #247
• feat: enable Docker image export to cache instead of direct push by @leodido in #248
• test(integration): add integration tests for Docker export to cache by @leodido in #249
• ci: support relese candidates by @leodido in #251
• feat: auto-enable SLSA L3 features when provenance.slsa is true by @leodido in #250
• fix(signing): explicitly fetch GitHub OIDC token for Sigstore by @leodido in #252

New Contributors

• @akosyakov made their first contribution in #232
• @leodido made their first contribution in #242

Full Changelog: v0.10.5...v0.11.0

v0.11.0-rc2

Changelog

• 8978c5e fix(signing): explicitly fetch GitHub OIDC token for Sigstore

v0.11.0-rc1

Changelog

• df9b1c0 Add --in-flight-checksums CLI flag for TOCTU attack prevention
• 6e4fd22 Add SLSA environment variable constants and help documentation
• e84e764 Add SLSA verifier interface and mock implementation
• bb3f821 Add checksum storage to build context for in-flight checksumming
• de2c2fe Add comprehensive SLSA verification test suite
• 120f2f8 Add comprehensive tests for in-flight checksumming security
• 3f40064 Add end-of-build verification to complete TOCTU attack protection
• dfaa291 Add golang.org/x/time dependency for rate limiting
• d8a6af3 Add slsa-verifier dependency for cache verification
• 5e46b45 CLC-1361: Ignore ephemeral packages during scanning
• 682cb2f Clean up go.sum tidiness
• 7a04144 Extend RemoteConfig with SLSA verification settings
• 3e46a85 Fix devcontainer configuration drift
• 1db2eb5 Fix errcheck linting errors in SLSA cache implementation
• 14152de Fix test initialization to prevent SIGSEGV crashes
• 12f1210 Hook checksum recording after cache artifact creation
• 0d104b5 Ignore ephemeral packages during SBOM export
• 2979648 Implement SLSA CLI flags and configuration integration
• 3a706eb Implement SLSA verifier for cache artifact verification
• ae51001 Implement checksum helper functions for in-flight checksumming
• a09d419 Implement production-ready S3 cache with concurrency safety
• 3107908 Implement structured result approach for reliable error attribution
• 9a048c4 Improve S3Cache implementation with code deduplication and better architecture
• f95417f Make builddir reporting beautiful
• bfe3f21 Merge pull request #240 from gitpod-io/feature/sbom-parallelism
• 0680384 Refactor SLSA configuration architecture for better maintainability
• 234fa22 Update tests to use new SLSA configuration architecture
• 0a13265 build: add Sigstore dependencies for integrated signing
• 31a0be1 build: upgrade anchore dependencies to fix mapstructure compatibility
• 55bbfe5 ci: support pre-releases
• 97e5eb9 docs(readme): document exportToCache field and SLSA L3 usage
• 0a6e8b8 feat(build): implement Docker image export to cache
• 7cc4f73 feat(cli): add --docker-export-to-cache flag with proper precedence
• b892734 feat(config): add exportToCache field to DockerPkgConfig
• 3facf99 feat(slsa): implement SLSA L3 auto-enablement with precedence hierarchy
• 5f09a0d feat: add configurable SBOM parallelism with CPU core default
• 629078c feat: add environment variable support for in-flight checksumming
• aa92849 feat: add sign-cache plumbing command for CI/CD integration
• 7e31b0f feat: implement complete parallel downloads and throughput benchmarks
• a02950f feat: implement integrated SLSA signing architecture
• 0eb3851 fix: ensure benchmarks use realistic mocks for accurate performance measurement
• 322bb54 fix: replace placeholder Sigstore implementation with production API
• 12acac3 perf: implement realistic mock for meaningful performance benchmarks
• e23cbad refactor: remove build log and default to CPU cores when parallelism is 0
• 3265c9b refactor: simplify sign-cache command interface
• 87d9fb5 test(build): add comprehensive tests for export functionality
• a9124b3 test(integration): Add integration tests for Docker export to cache

v0.10.5

Changelog

• 4deef39 Change fixed-build-dir flag default to true
• dc1aee4 Merge pull request #230 from gitpod-io/qf/change-fixed-build-dir-default-to-true

v0.10.4

Changelog

• a926587 Add SBOM generation and vulnerability scanning

v0.10.3

Changelog

• 8f36db0 Add image to devcontainer.json
• cfe3e38 Fix build failure reported as success
• 1dab993 Fix gsutil cache download issue
• 122f52d Fix jq and curl in devcontainer
• d3d7dc6 Fix leeway installations script
• cbe3e0f Merge pull request #218 from gitpod-io/clu/devcontainer
• 2b9dca9 Merge pull request #223 from gitpod-io/wv/fix-build-failure-report
• a2f98b6 Merge pull request #228 from gitpod-io/pd/CLC-1324
• 59a982e Move Leeway installation to devcontainer.json
• 8c4812f Move dependency installation from Dockefile to devcontainer.json
• f0b51ae Remove Gitpod setup in favor of DevContainer setup
• 8b88ea4 Tidy up devcontainer

v0.10.2

Changelog

• 365a667 Add option to build in the same directory, to better use caches
• b68957b Merge pull request #222 from gitpod-io/wv/fixed-build-dir

v0.10.1

Changelog

• 86ff92d Log build phase durations
• c5d5037 Merge pull request #221 from gitpod-io/wv/log-build-phase-durations

v0.10.0

What's Changed

• Refactor docker builds by @aledbf in #215

Breaking change:

The local Docker tasks now contain the files from the container image rather than the manifests and metadata.

Full Changelog: v0.9.6...v0.10.0

v0.9.6

What's Changed

• Disable S3 checksum warning by @aledbf in #213
• Do not return an error uploading to remote cache by @aledbf in #212
• Improve error handling in build process by @aledbf in #211

Full Changelog: v0.9.5...v0.9.6