
v0.4.0

@github-actions github-actions released this 07 May 22:07
v0.4.0
232289e

This release of gittuf includes significant changes under the hood. Most notably, gittuf now supports thresholds (a minimum number of required signatures) for protection rules, and for policy metadata as well via the new policy-staging feature, which lets signers add their signatures one at a time until the threshold is met. This release also marks the start of our dogfooding of gittuf: it is the first release whose tag you can verify using gittuf itself (gittuf verify-ref --verbose v0.4.0)!

Changelog

  • Added support for policy-staging for sequential signing of metadata to meet a threshold
  • Added support for minimum required signatures for rules
  • Added support for profiling with pprof
  • Added --from-entry to verify-ref
  • Added debug statements for --verbose flag
  • Added caching of verifiers for each verified namespace (reference or file path) to avoid repeated searches of the same policy state
  • Added separated add-rule and update-rule workflows for policy
  • Added dogfooding plan
  • Added CI workflows for phase 1 of dogfooding
  • Added OpenSSF Scorecard for the repository
  • Updated policy to require each rule name to be unique across all rule files
  • Updated file rules verification to use same policy as branch protection rules verification
  • Updated reference authorization attestations to use the merge tree for the change being authorized
  • Updated design document with definitions and a diagram
  • Updated tag verification to check that the tag's RSL entry points to either the tag object or the tag's target object
  • Updated roadmap to indicate status for each item
  • Updated minimum Go version to 1.22
  • Updated pointer to gittuf community details
  • Updated various dependencies and CI workflows
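To make the threshold and policy-staging changes above concrete, here is an added illustration in Go. It is not gittuf's code and does not use gittuf's metadata format: the Rule, Envelope and Signature types, the SHA-256 key IDs and the sample payload are all assumptions made for this example. It models an envelope that accumulates Ed25519 signatures one signer at a time (as staging does), counts only distinct, authorized, valid signers toward the rule's threshold, and also shows the "rule names must be unique across all rule files" check from the changelog.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Rule is an assumed model of a protection rule: which key IDs may sign for
// it and how many distinct signatures are required. Not gittuf's schema.
type Rule struct {
	Name      string
	KeyIDs    []string
	Threshold int
}

// Signature is one signer's Ed25519 signature over the envelope payload.
type Signature struct {
	KeyID string
	Sig   []byte
}

// Envelope is a metadata payload plus the signatures staged so far.
type Envelope struct {
	Payload    []byte
	Signatures []Signature
}

// keyID derives a hex SHA-256 fingerprint of the public key (assumed scheme).
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign stages one more signature. A key that has already signed is ignored,
// so re-signing never inflates the count.
func (e *Envelope) Sign(priv ed25519.PrivateKey) {
	id := keyID(priv.Public().(ed25519.PublicKey))
	for _, s := range e.Signatures {
		if s.KeyID == id {
			return
		}
	}
	e.Signatures = append(e.Signatures, Signature{KeyID: id, Sig: ed25519.Sign(priv, e.Payload)})
}

// CountValid returns how many distinct keys authorized by the rule have a
// signature that verifies over the current payload. Unauthorized keys,
// unknown keys, duplicate signers and bad signatures do not count.
func CountValid(e *Envelope, rule Rule, keys map[string]ed25519.PublicKey) int {
	authorized := make(map[string]bool, len(rule.KeyIDs))
	for _, id := range rule.KeyIDs {
		authorized[id] = true
	}
	seen := make(map[string]bool)
	for _, s := range e.Signatures {
		if !authorized[s.KeyID] || seen[s.KeyID] {
			continue
		}
		pub, ok := keys[s.KeyID]
		if !ok || !ed25519.Verify(pub, e.Payload, s.Sig) {
			continue
		}
		seen[s.KeyID] = true
	}
	return len(seen)
}

// MeetsThreshold reports whether the staged signatures satisfy the rule.
func MeetsThreshold(e *Envelope, rule Rule, keys map[string]ed25519.PublicKey) bool {
	return CountValid(e, rule, keys) >= rule.Threshold
}

// CheckUniqueRuleNames rejects a policy in which two rule files (or one file
// twice) define the same rule name.
func CheckUniqueRuleNames(ruleFiles map[string][]Rule) error {
	seen := map[string]string{}
	for file, rules := range ruleFiles {
		for _, r := range rules {
			if prev, dup := seen[r.Name]; dup {
				return fmt.Errorf("rule %q defined in both %s and %s", r.Name, prev, file)
			}
			seen[r.Name] = file
		}
	}
	return nil
}

func main() {
	// Constructed demo: three maintainers, a rule satisfied by any two of them.
	keys := map[string]ed25519.PublicKey{}
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		keys[keyID(pub)] = pub
		privs = append(privs, priv)
	}
	rule := Rule{Name: "protect-main", Threshold: 2}
	for id := range keys {
		rule.KeyIDs = append(rule.KeyIDs, id)
	}
	env := &Envelope{Payload: []byte("policy metadata (constructed sample)")}
	env.Sign(privs[0])
	fmt.Println("after first signer, threshold met:", MeetsThreshold(env, rule, keys))
	env.Sign(privs[0]) // same signer again: still one distinct signature
	env.Sign(privs[1])
	fmt.Println("after second signer, threshold met:", MeetsThreshold(env, rule, keys))
}
```

The two properties worth carrying over to any real threshold check are visible in CountValid: signers are de-duplicated by key ID before counting, and a signature only counts if it is from a key the rule names and it verifies over the exact payload being accepted, so a signature staged over an earlier revision of the metadata stops counting once the payload changes.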

Contributors

This release includes work by @neilnaveen, @naveensrinivasan, @patzielinski, @spectre10, @inosmeet, @webchick, @nealmcb, @JustinCappos, @wlynch, and @adityasaky. And of course, we've had many a dependency update courtesy of @dependabot.