Skip to content

Releases: ossf/allstar

v4.4

20 May 21:45
@github-actions github-actions
v4.4
5b357d5
Compare
Choose a tag to compare
v4.4 Latest
Latest

Images:

  • ghcr.io/ossf/allstar:v4.4
  • ghcr.io/ossf/allstar:v4.4-busybox

What's Changed

  • build(deps): bump the go_modules group with 2 updates by @dependabot in #624
  • build(deps): bump github.com/bradleyfalzon/ghinstallation/v2 from 2.12.0 to 2.13.0 by @dependabot in #621
  • build(deps): bump github.com/rhysd/actionlint from 1.7.4 to 1.7.7 by @dependabot in #630
  • build(deps): bump github/codeql-action from 3.27.9 to 3.28.5 by @dependabot in #635
  • build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @dependabot in #631
  • build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 by @dependabot in #629
  • build(deps): bump ko-build/setup-ko from 0.7 to 0.8 by @dependabot in #628
  • build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0 by @dependabot in #625
  • build(deps): bump github.com/evanphx/json-patch/v5 from 5.9.0 to 5.9.11 by @dependabot in #638
  • build(deps): bump github/codeql-action from 3.28.5 to 3.28.8 by @dependabot in #639
  • build(deps): bump golang.org/x/sync from 0.10.0 to 0.11.0 by @dependabot in #640
  • build(deps): bump sigstore/cosign-installer from 3.7.0 to 3.8.0 by @dependabot in #642
  • build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.0 by @dependabot in #641
  • build(deps): bump golangci/golangci-lint-action from 6.3.0 to 6.5.0 by @dependabot in #650
  • build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @dependabot in #643
  • build(deps): bump github.com/ossf/scorecard/v5 from 5.0.0 to 5.1.1 by @dependabot in #651
  • Update workflow policy to scan all branches for dangerous workflows #569 by @serb-google in #622
  • Add auth workflow to clone private repos by @serb-google in #660
  • build(deps): bump sigstore/cosign-installer from 3.8.0 to 3.8.1 by @dependabot in #652
  • build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in #653
  • build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @dependabot in #654
  • build(deps): bump github/codeql-action from 3.28.9 to 3.28.11 by @dependabot in #661
  • build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @dependabot in #663
  • build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot in #670
  • Looping container image signing by @blockmar in #618
  • dependabot: Enable grouped updates and set update interval to weekly by @justaugustus in #671
  • build(deps): bump the github-owned group with 2 updates by @dependabot in #672
  • build(deps): bump the gomod group with 3 updates by @dependabot in #673
  • build(deps): bump golang.org/x/net from 0.34.0 to 0.36.0 in the go_modules group by @dependabot in #662
  • build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 in the go_modules group by @dependabot in #675
  • build(deps): bump golang.org/x/sync from 0.11.0 to 0.12.0 by @dependabot in #658
  • build(deps): bump github.com/go-git/go-git/v5 from 5.13.2 to 5.14.0 in the gomod group by @dependabot in #674
  • build(deps): bump the github-owned group with 2 updates by @dependabot in #678
  • build(deps): bump github/codeql-action from 3.28.14 to 3.28.15 in the github-owned group by @dependabot in #681
  • build(deps): bump golang.org/x/sync from 0.12.0 to 0.13.0 in the golang-x group by @dependabot in #679
  • build(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 in the go_modules group by @dependabot in #683
  • build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 in the github-owned group by @dependabot in #686
  • Add config option to specify branches for dangerous workflow by @serb-google in #677
  • build(deps): bump the gomod group across 1 directory with 3 updates by @dependabot in #685
  • Update Go to 1.24 by @jeffmendoza in #688
  • build(deps): bump the github-owned group across 1 directory with 3 updates by @dependabot in #691
  • build(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the golang-x group by @dependabot in #689
  • build(deps): bump the github-actions group across 1 directory with 3 updates by @dependabot in #687
  • Bump workflow runner on release workflow by @jeffmendoza in #693

New Contributors

Full Changelog: v4.3...v4.4

Contributors

justaugustus, jeffmendoza, and 3 other contributors
Assets 2
Loading

v4.2

23 Jul 18:07
@github-actions github-actions
v4.2
38d990d
Compare
Choose a tag to compare
v4.2

Highlights

  • Updated Scorecard to v5
  • Renamed Scorecard policy name to "OpenSSF Scorecard" (previously "Security Scorecards")
  • Updated other dependencies

Images

  • ghcr.io/ossf/allstar:v4.2
  • ghcr.io/ossf/allstar:v4.2-busybox

Notes on policy name change

  • If running Allstar with the -policy cli option, you must specify the new "OpenSSF Scorecard" name to run that policy.
  • If interpreting structured logging, the area: value now uses the "OpenSSF Scorecard" name for logs in that policy.
  • If interpreting the "EnforceAll complete." structured summary log, the results: value will use the new "OpenSSF Scorecard" name for that policy.

Detailed changelog

New Contributors

Full Changelog: v4.1...v4.2

Contributors

justaugustus, dependabot, and step-security-bot
Loading

v4.1

03 May 21:24
@github-actions github-actions
v4.1
cc8cc68
Compare
Choose a tag to compare
v4.1

Highlights:

  • Parameterize number of concurrent workers
  • Ignore Inconclusive results in dangerous workflow check
  • Clear cache between installation runs
  • Update dependencies including Scorecard

Images:

  • ghcr.io/ossf/allstar:v4.1
  • ghcr.io/ossf/allstar:v4.1-busybox

Full Changelog: v4.0...v4.1

Loading

v4.0

31 Jul 22:08
@github-actions github-actions
v4.0
7abad14
Compare
Choose a tag to compare
v4.0

Highlights:

  • Many updates to Admin policy
  • Add Org/Repo allow list to operator parameters
  • CODEOWNERS policy
  • Avoid caching tarball downloads for Scorecard policy

Images:

  • ghcr.io/ossf/allstar:v4.0
  • ghcr.io/ossf/allstar:v4.0-busybox

Full Changelog: v3.0...v4.0

Loading

v3.0

10 Feb 21:11
@github-actions github-actions
v3.0
65d6096
Compare
Choose a tag to compare
v3.0

ghcr.io/ossf/allstar:v3.0

  • Branch Protection policy is more complete with support for requireSignedCommits, enforceOnAdmins, requireCodeOwnerReviews. Link

  • You may now opt-out repos that are forks with the optOutForkedRepos option.

  • GitHub Actions policy added to allow/require/deny configured actions in workflows. Docs

  • Generic Scorecard policy added to run any Scorecard check with a score threshold. Docs

  • Issue creation and pinging can be enabled / disabled based on a weekly schedule. Link

  • The Outside Collaborators policy now allows exemptions. Link

  • When the Allstar action is changed from issue to fix. Existing issues will be closed.

  • Issue ping duration is configurable at the operator level with NOTICE_PING_DURATION_HOURS. Link

  • Org config may now point to a secondary repository for config and merge overrides. Docs

  • Individual repo config files are now allowed to be placed in the central org config repository. Example: in the .allstar repo, you can have a /branch_protection.yaml file with specific settings for that repo. Docs

  • Binary Artifacts policy configuration updated to have an ignore list. Link

  • Dangerous Workflow policy added. This policy checks the GitHub Actions workflow configuration files (.github/workflows), for any patterns that match known dangerous behavior. Docs

Loading

v2.0

25 Mar 17:12
@github-actions github-actions
v2.0
221073f
Compare
Choose a tag to compare
v2.0

ghcr.io/ossf/allstar:v2.0

Loading