2024-02-17 19:14:10 -08:00
# @actions/attest Releases
2026-02-25 15:32:51 -08:00
## 3.2.0
- Add custom user-agent for more API calls [#2321 ](https://github.com/actions/toolkit/pull/2321 )
2026-02-25 11:10:52 -08:00
## 3.1.0
- Add support for `ACTIONS_ORCHESTRATION_ID` in user-agent [#2320 ](https://github.com/actions/toolkit/pull/2320 )
2026-01-29 15:19:39 -05:00
## 3.0.0
- **Breaking change**: Package is now ESM-only
- CommonJS consumers must use dynamic `import()` instead of `require()`
- Bump `@actions/core` to `^3.0.0`
- Bump `@actions/http-client` to `^4.0.0`
## 2.2.1
2026-01-27 11:59:21 -05:00
- Bump `@actions/http-client` to `3.0.2`
- Bump `undici` to `6.23.0`
2026-01-29 15:19:39 -05:00
## 2.2.0
2026-01-08 14:34:05 +00:00
- Bump @actions/core from 1.11.1 to 2.0.2
- Bump @actions/github from 6.0.0 to 7.0.0
- Bump @actions/http -client from 2.2.3 to 3.0.1
2026-01-29 15:19:39 -05:00
## 2.0.0
2025-10-20 12:07:20 +01:00
- Add support for Node 24 [#2110 ](https://github.com/actions/toolkit/pull/2110 )
- Bump @sigstore/bundle from 3.0.0 to 3.1.0
- Bump @sigstore/sign from 3.0.0 to 3.1.0
- Bump jose from 5.2.3 to 5.10.0
2026-01-29 15:19:39 -05:00
## 1.6.0
2025-02-26 08:44:32 -08:00
- Update `buildSLSAProvenancePredicate` to populate `workflow.ref` field from the `ref` claim in the OIDC token [#1969 ](https://github.com/actions/toolkit/pull/1969 )
2026-01-29 15:19:39 -05:00
## 1.5.0
2024-10-14 12:33:10 -07:00
- Bump @actions/core from 1.10.1 to 1.11.1 [#1847 ](https://github.com/actions/toolkit/pull/1847 )
- Bump @sigstore/bundle from 2.3.2 to 3.0.0 [#1846 ](https://github.com/actions/toolkit/pull/1846 )
- Bump @sigstore/sign from 2.3.2 to 3.0.0 [#1846 ](https://github.com/actions/toolkit/pull/1846 )
2024-11-01 09:45:11 -07:00
- Support for generating multi-subject attestations [#1864 ](https://github.com/actions/toolkit/pull/1865 )
- Fix bug in `buildSLSAProvenancePredicate` related to `workflow_ref` OIDC token claims containing the "@" symbol in the tag name [#1863 ](https://github.com/actions/toolkit/pull/1863 )
2024-10-14 12:33:10 -07:00
2026-01-29 15:19:39 -05:00
## 1.4.2
2024-09-04 09:52:08 -07:00
- Fix bug in `buildSLSAProvenancePredicate` /`attestProvenance` when generating provenance statement for enterprise account using customized OIDC issuer value [#1823 ](https://github.com/actions/toolkit/pull/1823 )
2024-10-14 12:33:10 -07:00
2026-01-29 15:19:39 -05:00
## 1.4.1
2024-08-22 07:50:49 -07:00
- Bump @actions/http -client from 2.2.1 to 2.2.3 [#1805 ](https://github.com/actions/toolkit/pull/1805 )
2026-01-29 15:19:39 -05:00
## 1.4.0
2024-08-14 11:21:15 -07:00
2024-08-16 12:38:04 -07:00
- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790 ](https://github.com/actions/toolkit/pull/1790 )
- Update `buildSLSAProvenancePredicate` /`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796 ](https://github.com/actions/toolkit/pull/1796 )
2026-01-29 15:19:39 -05:00
## 1.3.1
2024-07-26 15:00:43 -07:00
2024-08-16 12:38:04 -07:00
- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776 ](https://github.com/actions/toolkit/pull/1776 )
2024-07-26 15:00:43 -07:00
2026-01-29 15:19:39 -05:00
## 1.3.0
2024-05-21 13:11:37 -07:00
2024-08-16 12:38:04 -07:00
- Dynamic construction of Sigstore API URLs [#1735 ](https://github.com/actions/toolkit/pull/1735 )
- Switch to new GH provenance build type [#1745 ](https://github.com/actions/toolkit/pull/1745 )
- Fetch existing Rekor entry on 409 conflict error [#1759 ](https://github.com/actions/toolkit/pull/1759 )
- Bump @sigstore/bundle from 2.3.0 to 2.3.2 [#1738 ](https://github.com/actions/toolkit/pull/1738 )
- Bump @sigstore/sign from 2.3.0 to 2.3.2 [#1738 ](https://github.com/actions/toolkit/pull/1738 )
2024-05-21 13:11:37 -07:00
2026-01-29 15:19:39 -05:00
## 1.2.1
2024-04-24 11:31:11 -07:00
2024-08-16 12:38:04 -07:00
- Retry request on attestation persistence failure [#1725 ](https://github.com/actions/toolkit/pull/1725 )
2024-04-24 11:31:11 -07:00
2026-01-29 15:19:39 -05:00
## 1.2.0
2024-04-03 12:12:26 -07:00
2024-08-16 12:38:04 -07:00
- Generate attestations using the v0.3 Sigstore bundle format [#1701 ](https://github.com/actions/toolkit/pull/1701 )
- Bump @sigstore/bundle from 2.2.0 to 2.3.0 [#1701 ](https://github.com/actions/toolkit/pull/1701 )
- Bump @sigstore/sign from 2.2.3 to 2.3.0 [#1701 ](https://github.com/actions/toolkit/pull/1701 )
- Remove dependency on make-fetch-happen [#1714 ](https://github.com/actions/toolkit/pull/1714 )
2024-04-03 12:12:26 -07:00
2026-01-29 15:19:39 -05:00
## 1.1.0
2024-03-21 19:25:36 -07:00
2024-08-16 12:38:04 -07:00
- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement [#1693 ](https://github.com/actions/toolkit/pull/1693 )
2024-03-21 19:25:36 -07:00
2026-01-29 15:19:39 -05:00
## 1.0.0
2024-02-17 19:14:10 -08:00
- Initial release