Releases: gittuf/gittuf
v0.10.0
This is the first beta release of gittuf! While some sharp edges remain, a lot of work has gone into enabling policy schema changes in a backwards compatible way.
Changelog
Added
- Added a sync workflow that updates gittuf metadata as needed before making policy changes
- Added functionality to list and update global rules
- Added support to the API for loading repositories in a specified directory
- Added features and workflows to support deploying gittuf over multiple repositories
- Added gittuf hooks, which enable support for user-defined checks in gittuf metadata that are run in a sandboxed Lua environment
Updated
- Set v02 of gittuf's metadata as the default
- Fulcio support is no longer restricted to developer mode
- Updated the policy staging and apply workflows to now use the sync workflow
- Updated gitinterface to now support systems with different locales than en_US
- Updated gittuf's roadmap
- Updated various dependencies and CI workflows
Contributors
This release includes work by @Yasho-Bapat, @yongjae354, @fr0m-scratch, @Horiodino, @wlynch, @patzielinski, and @adityasaky. Dependency updates are courtesy of @dependabot.
v0.9.0
This release includes multiple quality-of-life improvements as well as changes to support gittuf policies that work across multiple repositories. This is possibly our last alpha minor version!
Changelog
Added
- Added a terminal UI (TUI) to enable managing gittuf policy interactively
- Added global rules to set thresholds and prohibit force pushes to help set security baselines in repositories with gittuf
- Added workflows to support synchronizing/propagating policy and RSL changes across multiple repositories
- Added local persistent cache functionality to reduce the time taken for verification of a repository after successful initial verification
- Added functionality to set a repository's canonical location in gittuf metadata
- Added a control for RSL recording to skip checking for duplicates
- Added the gittuf Augmentation Process (GAP) for formalizing changes to gittuf
- Added color output for various gittuf logging flows
- Added functionality to discard currently staged changes to policy
- Added functionality to remove principals and keys no longer used by rules in the metadata
Updated
- Updated RSL printing to now use buffered output, improving performance
- Improved testing coverage of gitinterface
- Updated the design document for clarity and to reflect recent changes to gittuf
- Updated various dependencies and CI workflows
Contributors
This release includes work by @haotran-california, @fr0m-scratch, @yongjae354, @Raghava-Gatadi, @Horiodino, @patzielinski, @JustinCappos, and @adityasaky, with dependency updates courtesy of @dependabot.
v0.8.1
This is a quick patch release fixing how legacy ECDSA keys are loaded.
Changelog
- Fixed loading of legacy ECDSA key format
- Replaced show with rev-parse in some gitinterface APIs
- Added gittuf/demo run to CI
- Updated various dependencies and CI workflows
Contributors
This release includes work by @vladkanatov, @patzielinski, @wlynch, and @adityasaky. As always, we've had dependency updates thanks to @dependabot.
v0.8.0
This release exposes a Go API for gittuf. It also includes various quality-of-life improvements such as support for "persons" in experimental v0.2 policy metadata and transport fixes.
Changelog
- Added an experimental gittuf Go API
- Added an experimental version (v0.2) of policy metadata, which adds support for "principals" in gittuf
- Added an experimental flow to determine a feature ref's mergeability
- Optimized some preprocessing flows in the policy package
- Improved gittuf's design documentation
- Improved testing coverage of gittuf and rsl
- Fixed an internal issue with git-remote-gittuf and Go's builtin max
- Fixed issue with git-remote-gittuf with server responses on push
- Fixed issue with git-remote-gittuf when pushing to a remote repository without gittuf enabled
- Fixed issue with git-remote-gittuf freezing upon failure to authenticate with the remote repository when using HTTP
- Updated various dependencies and CI workflows
Contributors
This release includes work by @yongjae354, @rishabhBudhouliya, @patzielinski, and @adityasaky. As always, we've had many dependency updates, courtesy of @dependabot.
v0.7.0
This release includes experimental support for signing gittuf metadata with Sigstore! To try it out, set GITTUF_DEV=1.
Changelog
- Added support for metadata signing using Sigstore (currently GITTUF_DEV only)
- Removed use of legacy custom securesystemslib key formats in gittuf's tests
- Removed vendored signerverifier library
- Unified SSH signature verification for Git commits and tags
- Refactored policy and tuf packages to support versioning policy metadata
- Updated various dependencies and CI workflows
Contributors
This release includes work by @wlynch, @patzielinski, and @adityasaky. Dependency updates courtesy of @dependabot.
v0.6.2
This release adds git-remote-gittuf to the repository's release artifacts. Functionally, it is identical to v0.6.1.
v0.6.1
This release includes various fixes, especially to the git-remote-gittuf transport.
Changelog
- Added a counter to RSL entries to support persistent caching
- Added experimental support for signature extensions to vendored DSSE library
- Refactored GetLatestReferenceEntry RSL API
- Fixed Makefile build on Windows
- Moved update-root-threshold and update-policy-threshold out of developer mode
- Fixed issue with git-remote-gittuf using the wrong transport when fetching the RSL
- Fixed issue with git-remote-gittuf when explicitly pushing the RSL
- Fixed issue with git-remote-gittuf and curl fetches and pushes on Windows
- Increased testing coverage of policy and gitinterface
- Improved documentation for getting started with gittuf, especially on Windows platforms
- Added copyright notices to code files
- Updated various dependencies and CI workflows
Contributors
This release includes work by @Yasho-Bapat, @patzielinski, and @adityasaky, with dependency updates courtesy of @dependabot.
v0.6.0
This release adds various improvements such as compatibility with older Git versions, a command to reorder policy rules, and an attestation predicate type for integrations with code review systems like GitHub pull requests.
Changelog
- Added command to reorder policy rules
- Added support for older Git versions
- Added support for GitHub pull request approval attestations
- Added support for using enterprise GitHub instances
- Added caching for the RSL APIs GetEntry and GetParentForEntry
- Added parallelization for some unit tests
- Removed some deprecated flows such as FindPublicKeysForPath and refactored verification APIs
- Added CodeQL scanning for the repository
- Updated various dependencies and CI workflows
Contributors
This release includes work by @zsun6, @fr0m-scratch, @wlynch, @patzielinski, and @adityasaky. As always, we've had many dependency updates, courtesy of @dependabot.
v0.5.2
This release fixes bugs in the git-remote-gittuf transport and updates certain dependencies.
Changelog
- Fixed issue with git-remote-gittuf when force pushing
- Fixed issue with git-remote-gittuf not fetching RSL before adding new entries
- Updated various dependencies
v0.5.1
This release includes a fix for GoReleaser. Functionally, it is identical to v0.5.0.