This release of gittuf includes some significant changes under the hood. Most significantly, gittuf supports thresholds for protection rules as well as policy metadata via the policy-staging feature. This release also marks the start of our dogfooding of gittuf, which means this is the first release of gittuf you can verify the tag for using gittuf (`gittuf verify-ref --verbose v0.4.0`)!
Changelog
- Added support for `policy-staging` for sequential signing of metadata to meet a threshold
- Added support for minimum required signatures for rules
- Added support for profiling with pprof
- Added `--from-entry` to `verify-ref`
- Added debug statements for `--verbose` flag
- Added caching of verifiers for each verified namespace (reference or file path) to avoid repeated searches of the same policy state
- Added separated `add-rule` and `update-rule` workflows for policy
- Added dogfooding plan
- Added CI workflows for phase 1 of dogfooding
- Added OpenSSF Scorecard for the repository
- Updated policy to require each rule name to be unique across all rule files
- Updated file rules verification to use same policy as branch protection rules verification
- Updated reference authorization attestations to use the merge tree for the change being authorized
- Updated design document with definitions and a diagram
- Updated tag verification to check the tag's RSL entry points to either the tag object or the tag's target object
- Updated roadmap to indicate status for each item
- Updated minimum Go version to 1.22
- Updated pointer to gittuf community details
- Updated various dependencies and CI workflows
Contributors
This release includes work by @neilnaveen, @naveensrinivasan, @patzielinski, @spectre10, @inosmeet, @webchick, @nealmcb, @JustinCappos, @wlynch, and @adityasaky. And of course, we've had many a dependency update courtesy of @dependabot.