v0.0.50

What's Changed

• Remove dependency-review pipeline by @JAORMX in #3341
• Regenerate minder protobuf gateway by @JAORMX in #3343
• Remove go generate statement from keystore by @JAORMX in #3344
• Use JSONB for encrypted redirect URL by @dmjb in #3347
• Trusty: Refactor alternative classification, add tests by @puerco in #3336
• Reduce code duplication in provider handlers by @jhrozek in #3349
• Add provider configuration to the session store by @jhrozek in #3348
• Allow KeyStore to be configured with multiple keys by @dmjb in #3335
• Auto-generated DB schema update - 2024-05-16 15:06:39 by @github-actions in #3350
• build(deps): bump github.com/bufbuild/buf from 1.31.0 to 1.32.0 in /tools by @dependabot in #3355
• build(deps): bump bufbuild/buf-setup-action from 1.31.0 to 1.32.0 by @dependabot in #3353
• build(deps): bump actions/checkout from 4.1.5 to 4.1.6 by @dependabot in #3354
• Store encrypted values in new DB column. by @dmjb in #3351
• Remove salt field from EncryptedData by @dmjb in #3357
• Github provider: Add support for checks API by @puerco in #3352
• build(deps): bump github.com/golangci/golangci-lint from 1.58.1 to 1.58.2 in /tools by @dependabot in #3366
• Do not post a pr review if no homoglyphs are found by @teodor-yanev in #3364
• Implement AES-256-GCM encryption by @dmjb in #3367
• Handle package not found in package registries by @jhrozek in #3363
• Fix table formatting for found vulnerabilities by @rdimitrov in #3369

Full Changelog: v0.0.49...v0.0.50

v0.0.49

What's Changed

• Do not construct provider when validating user ID by @dmjb in #3221
• small typo fix to CONTRIBUTING.md by @staceypotter in #3264
• Refactor engine code to use specific provider traits in more places by @dmjb in #3262
• Fix crash in 3259, add test by @evankanderson in #3275
• build(deps): bump golangci/golangci-lint-action from 6.0.0 to 6.0.1 by @dependabot in #3280
• build(deps): bump aquasecurity/trivy-action from 0.19.0 to 0.20.0 by @dependabot in #3281
• build(deps): bump github.com/openfga/cli from 0.3.1 to 0.4.0 in /tools by @dependabot in #3279
• build(deps): bump styled-components from 6.1.9 to 6.1.10 in /docs by @dependabot in #3278
• Minder's "repo register" command now checks already registered repos. by @blkt in #3236
• Added utilities to implement multi-select choices by @blkt in #3237
• Remove ProviderBuilder from engine by @dmjb in #3270
• Migrate to go-viper blessed fork of mapstructure by @evankanderson in #3149
• Remove ProviderBuilder by @dmjb in #3282
• build(deps): bump coverallsapp/github-action from 2.2.3 to 2.3.0 by @dependabot in #3290
• build(deps): bump github.com/golangci/golangci-lint from 1.58.0 to 1.58.1 in /tools by @dependabot in #3289
• build(deps): bump sigs.k8s.io/release-utils from 0.8.1 to 0.8.2 by @dependabot in #3285
• build(deps): bump github/codeql-action from 3.25.3 to 3.25.4 by @dependabot in #3291
• build(deps): bump github.com/charmbracelet/bubbletea from 0.25.0 to 0.26.2 by @dependabot in #3288
• build(deps): bump github.com/openfga/go-sdk from 0.3.6 to 0.3.7 by @dependabot in #3287
• build(deps): bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 by @dependabot in #3297
• Stored procedure responsible for Profile status transitions now covers all cases by @blkt in #3295
• Upgrade to postgres 16.2 in docker-compose file by @JAORMX in #3296
• Decouple crypto engine from encryption algorithm by @dmjb in #3293
• Add OCI providers + DockerHub and GHCR by @JAORMX in #2983
• Resolve test flake in flags_test by @evankanderson in #3305
• build(deps): bump styled-components from 6.1.10 to 6.1.11 in /docs by @dependabot in #3298
• hides CLI profile list label flag by @ChrisJBurns in #3307
• Auto-generated cli documentation update - 2024-05-11 12:35:03 by @github-actions in #3308
• build(deps): bump github.com/mikefarah/yq/v4 from 4.43.1 to 4.44.1 in /tools by @dependabot in #3313
• build(deps): bump github.com/sigstore/protobuf-specs from 0.3.1 to 0.3.2 by @dependabot in #3312
• build(deps): bump github.com/fergusstrange/embedded-postgres from 1.26.0 to 1.27.0 by @dependabot in #3311
• build(deps): bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 by @dependabot in #3310
• Multi select list is now ordered. by @blkt in #3306
• Implement EncryptedData struct by @dmjb in #3302
• verifier: Get local authenticator struct to return a usable authenticator by @JAORMX in #3318
• Support dockerhub in mindev ruletype test sub-command by @JAORMX in #3319
• verifier: Move registry to authenticator by @JAORMX in #3320
• Add dependency review by @therealnb in #3314
• Replace unpinned actions with pinned action by @stacklokbot in #3321
• build(deps): bump actions/checkout from 4.1.4 to 4.1.5 by @dependabot in #3328
• build(deps): bump github/codeql-action from 3.25.4 to 3.25.5 by @dependabot in #3327
• Make artifacts ingester work with both GitHub and OCI providers by @JAORMX in #3309
• Add new column for new encyrption format by @dmjb in #3331
• Initial KeyStore implementation by @dmjb in #3329
• build(deps): bump google.golang.org/grpc from 1.63.2 to 1.64.0 by @dependabot in #3333
• Auto-generated DB schema update - 2024-05-14 21:46:14 by @github-actions in #3332
• Improve Trusty integration by @puerco in #3277
• build(deps): bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.19.1 to 2.20.0 in /tools by @dependabot in #3337
• build(deps): bump k8s.io/client-go from 0.30.0 to 0.30.1 by @dependabot in #3338
• build(deps): bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.19.1 to 2.20.0 by @dependabot in #3340

New Contributors

• @staceypotter made their first contribution in #3264
• @ChrisJBurns made their first contribution in #3307

Full Changelog: v0.0.48...v0.0.49

v0.0.48

What's Changed

• Update index.md by @eryn-muetzel in #3117
• Update README.md by @eryn-muetzel in #3118
• Allow setting log level for mindev ruletype test by @jhrozek in #3119
• build(deps): bump github.com/openfga/openfga from 1.5.1 to 1.5.3 by @dependabot in #3122
• build(deps): bump k8s.io/client-go from 0.29.3 to 0.29.4 by @dependabot in #3121
• Return 500 if Github AppName is empty when enrolling provider by @dmjb in #3124
• build(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 by @dependabot in #3127
• build(deps): bump github/codeql-action from 3.25.0 to 3.25.1 by @dependabot in #3128
• build(deps): bump k8s.io/apimachinery from 0.29.4 to 0.30.0 by @dependabot in #3126
• Remove GitHub discussions from README by @eleftherias in #3129
• build(deps): bump k8s.io/client-go from 0.29.4 to 0.30.0 by @dependabot in #3125
• Implement CanImplement method for providers by @dmjb in #3115
• Don't use SELECT * when joining profile tables by @jhrozek in #3130
• Make provider class mandatory in DB by @dmjb in #3132
• build(deps): bump github.com/docker/docker from 26.0.0+incompatible to 26.0.2+incompatible in /tools by @dependabot in #3133
• build(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible by @dependabot in #3134
• build(deps): bump github.com/golang-migrate/migrate/v4 from 4.17.0 to 4.17.1 by @dependabot in #3136
• Skip or error when trying to register an archived repository by @rdimitrov in #3135
• Address review comments for labels filtering by @jhrozek in #3137
• Implement ProviderFactory and ProviderClassFactory by @dmjb in #3131
• Use provider ID instead of name when sending events by @dmjb in #3093
• Fix repo deletion by @jhrozek in #3140
• build(deps): bump actions/checkout from 4.1.2 to 4.1.3 by @dependabot in #3141
• Remove provider name from event wrapper by @dmjb in #3139
• Allow full profile updates through the PATCH handler by @jhrozek in #2990
• build(deps): bump github/codeql-action from 3.25.1 to 3.25.2 by @dependabot in #3147
• build(deps): bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 by @dependabot in #3146
• build(deps): bump clsx from 2.1.0 to 2.1.1 in /docs by @dependabot in #3144
• Add reminder service with empty sendReminders logic by @Vyom-Yadav in #2638
• build(deps): bump bufbuild/buf-setup-action from 1.30.1 to 1.31.0 by @dependabot in #3156
• build(deps): bump github.com/styrainc/regal from 0.20.1 to 0.21.0 by @dependabot in #3157
• build(deps): bump github.com/bufbuild/buf from 1.30.1 to 1.31.0 in /tools by @dependabot in #3158
• Use go generate directives for mock generation by @dmjb in #3159
• Bump sigstore-go to v0.3.0 and add local registry for tests by @puerco in #3154
• Bump go base images to go 1.22.2 by @dmjb in #3161
• build(deps): bump go.opentelemetry.io/otel/trace from 1.25.0 to 1.26.0 by @dependabot in #3170
• build(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 by @dependabot in #3172
• build(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1 by @dependabot in #3166
• build(deps): bump actions/checkout from 4.1.3 to 4.1.4 by @dependabot in #3171
• build(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.50.0 to 0.51.0 by @dependabot in #3169
• Add ProviderManager, make provider deletion generic by @dmjb in #3162
• Read the webhook secret from a file by @jhrozek in #3175
• More descriptive error message when validating secrets with any of the fallback webhooks fails by @jhrozek in #3176
• build(deps): bump react from 18.2.0 to 18.3.0 in /docs by @dependabot in #3179
• build(deps): bump github/codeql-action from 3.25.2 to 3.25.3 by @dependabot in #3185
• build(deps): bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 by @dependabot in #3186
• build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.50.0 to 0.51.0 by @dependabot in #3184
• build(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.25.0 to 1.26.0 by @dependabot in #3182
• build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace from 1.25.0 to 1.26.0 by @dependabot in #3183
• build(deps): bump go.opentelemetry.io/otel/exporters/prometheus from 0.47.0 to 0.48.0 by @dependabot in #3181
• Initial implementation of IDP interface and Keycloak implementation by @evankanderson in #3155
• Add Helm configuration for feature flags by @evankanderson in #3188
• build(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11 by @dependabot in #3197
• build(deps): bump react from 18.3.0 to 18.3.1 in /docs by @dependabot in #3195
• build(deps): bump github.com/open-feature/go-sdk-contrib/providers/go-feature-flag from 0.1.35 to 0.1.36 by @dependabot in #3192
• build(deps): bump github.com/styrainc/regal from 0.21.0 to 0.21.3 by @dependabot in #3193
• build(deps): bump github.com/signalfx/splunk-otel-go/instrumentation/github.com/lib/pq/splunkpq from 1.15.0 to 1.16.0 by @dependabot in #3190
• build(deps): bump react-dom from 18.2.0 to 18.3.1 in /docs by @dependabot in #3198
• build(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.1 by @dependabot in #3191
• Add docs for using feature flags when developing Minder by @evankanderson in #3189
• Use webhook secrets from files by @jhrozek in #3177
• Fix webhook secret file names by @jhrozek in #3201
• Delete docs/docs/how-to/using-minder-with-ghas.md by @meganbruce in #3204
• build(deps): bump github.com/go-playground/validator/v10 from 10.19.0 to 10.20.0 by @dependabot in #3205
• build(deps): bump github.com/openfga/cli from 0.3.0 to 0.3.1 in /tools by @dependabot in #3207
• build(deps): bump golangci/golangci-lint-action from 5.0.0 to 5.1.0 by @dependabot in #3206
• Refactor repo deletion to move db/provider logic behind interface by @dmjb in #3200
• Warn about empty secret and skip the update in the webhook updater tool by @jhrozek in #3208
• Use ProviderManager in webhook handler by @dmjb in #3202
• Implement GitHubClientFactory by @dmjb in #3203
• build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 in /tools by @dependabot in #3216
• build(deps): bump styled-components from 6.1.8 to 6.1.9 in /docs by @dependabot in #3215
• build(deps): bump github.com/openfga/go-sdk from 0.3.5 to 0.3.6 by @dependabot in #3218
• build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 by @dependabot in #3217
• Return verified attestation in verification results by @puerco in #3212
• Fix bug handling images with slashes in ref by @puerco in #3211
• Bug: Remove impossible condition by @puerco in #3213
• Don't trim path from builder URI by @puerco in #3214
• Pass RestClientCache as constructor param by @dmjb in #3222
• Remove use of ProviderBuilder by repo handler by @dmjb in #3224
• Make Project Create/Delete a service...

v0.0.47

What's Changed

• Provide a default configuration for the Trusty evaluator by @jhrozek in #3078
• Auto-generated cli documentation update - 2024-04-12 17:35:16 by @github-actions in #3077
• Log requests using Debug() by @puerco in #3081
• build(deps): bump github.com/signalfx/splunk-otel-go/instrumentation/github.com/lib/pq/splunkpq from 1.14.0 to 1.15.0 by @dependabot in #3061
• build(deps): bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 by @dependabot in #3084
• Frizbee: Cache GitHub action entries by @JAORMX in #3083
• Upgrade to frizbee v0.0.15 by @JAORMX in #3086
• Restructure docs pages by @eleftherias in #3085
• Reorder documentation headers by @eleftherias in #3089
• Restructure docs for how Minder works by @eleftherias in #3090
• Add ProviderID field to EntityInfoWrapper by @dmjb in #3072
• Ignore description and defaults when validing ruletype updates by @jhrozek in #3092
• Handle bad_verification_code error when doing OAuth2 flow by @JAORMX in #3094
• Using capital case for how-to docs by @eleftherias in #3095
• Do not delete user from OpenFGA in a DB transaction to avoid issues with minder auth delete by @jhrozek in #3082
• Delete (only) root projects if they have no admins (rather than any users) by @evankanderson in #3098
• Docs updates by @ethomson in #3091
• Update docs "understand" section by @ethomson in #3101
• build(deps): bump azure/setup-helm from 4.1.0 to 4.2.0 by @dependabot in #3105
• build(deps): bump github/codeql-action from 3.24.10 to 3.25.0 by @dependabot in #3106
• Add docs for user roles by @eleftherias in #3099
• Add tutorial about writing rule types using rego by @JAORMX in #3103
• Add tutorial on using mindev by @JAORMX in #3104
• Remove a link that is overlayed in downstream docs by @jhrozek in #3108
• Use relative link to CLI docs, not localhost by @jhrozek in #3109
• Update Minder roadmap by @ethomson in #3110
• Fix make gen by @dmjb in #3111
• Add minder auth token command by @JAORMX in #3107
• Auto-generated cli documentation update - 2024-04-16 12:56:05 by @github-actions in #3112
• Remove managed profiles for OSS docs by @eleftherias in #3114
• Fix endless remediation loop caused by PR create conflict by @rdimitrov in #3113

Full Changelog: v0.0.46...v0.0.47

v0.0.46

What's Changed

• Fix deleting project with artifacts by @jhrozek in #3073
• Add cascade deletion to project ID FK in EEA by @JAORMX in #3075
• Rename ProviderService to GitHubProviderService by @dmjb in #3074
• Fix invalid condition in repo register by @JAORMX in #3076

Full Changelog: v0.0.45...v0.0.46

v0.0.45

What's Changed

• Hide deprecated flag from help by @dmjb in #3046
• Add docs for setting up GitHub App by @eleftherias in #3047
• Auto-generated cli documentation update - 2024-04-11 15:49:20 by @github-actions in #3048
• zerolog: Don't reuse event in Eval call by @JAORMX in #3049
• Fix CLI doc generation bug by @dmjb in #3050
• Support Logging GitHub requests by @puerco in #3054
• Add sensible defaults to the OSV evaluator to allow running without any configuration by @jhrozek in #3053
• New documentation by @JAORMX in #3058
• Add no-op handler for GitHub Marketplace events by @eleftherias in #3064
• Fix documentation sidebar titles by @eleftherias in #3065
• skip remote repo listing if name(s) are given by @JAORMX in #3059
• Update docs label for CLI commands by @eleftherias in #3067
• Don't advertise the owner flag for enroll and upate screenshots by @jhrozek in #3051
• Log webhook token type by @rdimitrov in #3068
• Auto-generated cli documentation update - 2024-04-12 11:41:32 by @github-actions in #3066
• Revert "Log webhook token type" by @rdimitrov in #3069
• Log the token type while creating the installation token and during the ping received event by @rdimitrov in #3070

Full Changelog: v0.0.44...v0.0.45

v0.0.44

What's Changed

• Auto-generated cli documentation update - 2024-04-11 09:40:13 by @github-actions in #3042
• Fix enrollment issue by @dmjb in #3044

Full Changelog: v0.0.43...v0.0.44

v0.0.43

What's Changed

• CLI: Get rule type by name by @JAORMX in #3009
• Add remediation URL to all evaluation responses by @puerco in #2972
• CLI: Print applicable entity when getting rule type info by @JAORMX in #3013
• Issue a bespoke profile update message on patching a profile by @jhrozek in #3012
• Handle entity delete events, i.e. when a repo is deleted by @rdimitrov in #2940
• build(deps): bump github.com/stacklok/frizbee from 0.0.13 to 0.0.14 by @dependabot in #3020
• build(deps): bump github.com/styrainc/regal from 0.20.0 to 0.20.1 by @dependabot in #3018
• build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.49.0 to 0.50.0 by @dependabot in #3019
• Remove hardcoded dependency between artifacts and projects by @JAORMX in #2991
• Artifact index for repos was not meant to be unique by @JAORMX in #3022
• Auto-generated DB schema update - 2024-04-10 11:50:40 by @github-actions in #3023
• Proceed with provider delete if repo delete fails by @eleftherias in #3025
• Use ProviderID in telemetry data by @dmjb in #3026
• Uninstall GitHub Apps when a user account is deleted by @eleftherias in #3024
• Disable linter rules for pre-Go 1.22 loop var issue by @dmjb in #3029
• Avoid deleting GH App installation if already deleted by @eleftherias in #3031
• git ingester: Handle empty repository by skipping it by @JAORMX in #3033
• Skip branch protection remediations for repos with no branches by @jhrozek in #3035
• build(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 by @dependabot in #3037
• Only run deletion reconciler on repo deleted events by @JAORMX in #3036
• Don't crash if there's no package list client by @jhrozek in #3034
• Default to github-app in provider enroll by @dmjb in #3032
• Allow reading secrets from file for GH App config by @eleftherias in #3040
• A nicer error message when listing remote repos without an enrolled provider by @jhrozek in #2976
• Use output.formats.format in golangci.yaml by @jhrozek in #3041

Full Changelog: v0.0.42...v0.0.43

v0.0.42

What's Changed

• Use fallback token for listing artifacts with GH App by @eleftherias in #2992
• build(deps): bump google.golang.org/grpc from 1.63.0 to 1.63.2 by @dependabot in #2999
• build(deps): bump go.opentelemetry.io/otel/exporters/prometheus from 0.46.0 to 0.47.0 by @dependabot in #2998
• build(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.49.0 to 0.50.0 by @dependabot in #2996
• build(deps): bump github.com/styrainc/regal from 0.19.0 to 0.20.0 by @dependabot in #2997
• build(deps): bump docker/setup-buildx-action from 3.2.0 to 3.3.0 by @dependabot in #3000
• build(deps): bump peaceiris/actions-gh-pages from 3.9.3 to 4.0.0 by @dependabot in #3001
• Handle when the user declines T&C in minder auth login by @jhrozek in #2995
• Use TEXT as type of license instead of VARCHAR(255) by @dmjb in #2994
• Remove duplicate clause in profile status query by @dmjb in #2993
• Upgrade go-github to go-github/v61 by @JAORMX in #3003
• Validate query parameters in GitHub App callback by @eleftherias in #3007
• Return a nicer error message when a ruletype can't be found by @jhrozek in #3005

Full Changelog: v0.0.41...v0.0.42

v0.0.41

What's Changed

• Track whether GitHub App is installed on org by @eleftherias in #2947
• Auto-generated DB schema update - 2024-04-05 11:33:16 by @github-actions in #2960
• Bump google.golang.org/grpc to v1.63.0 by @jhrozek in #2961
• Add label flag to profile list command by @dmjb in #2964
• Modify GRPCClientWrapRunE to pass positional arguments by @dmjb in #2967
• Allow profile/ruletype URLs to accept slashes by @dmjb in #2970
• Actions: Complete version tags in workflow comments by @puerco in #2974
• Add a unit test for switch of a profile state to pending by @jhrozek in #2977
• build(deps): bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #2989
• build(deps): bump github.com/go-critic/go-critic from 0.11.2 to 0.11.3 in /tools by @dependabot in #2984
• build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace from 1.24.0 to 1.25.0 by @dependabot in #2987
• build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 by @dependabot in #2988
• build(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.24.0 to 1.25.0 by @dependabot in #2985

Full Changelog: v0.0.40...v0.0.41