fix(deps): update module github.com/in-toto/in-toto-golang to v0.4.0

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/go-openapi/swag v0.22.3
 	github.com/google/go-cmp v0.5.9
 	github.com/google/go-github/v44 v44.1.0
-	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
+	github.com/in-toto/in-toto-golang v0.4.0
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0
 	github.com/sigstore/cosign v1.12.1
 	github.com/sigstore/rekor v0.12.2

go.sum

@@ -944,6 +944,8 @@ github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add h1:DAh7mHiRT7wc6kKepYdCpH16ElPciMPQWJaJ7H3l/ng=
 github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add/go.mod h1:DQI8vlV6h6qSY/tCOoYKtxjWrkyiNpJ3WTV/WoBllmQ=
+github.com/in-toto/in-toto-golang v0.4.0 h1:9iUcYy6d1nk8TjMzhTmEvO8sMp+oBnbgEq72QdyZ0hQ=
+github.com/in-toto/in-toto-golang v0.4.0/go.mod h1:KqmIkX/ZhX3rqGW6TzQK9YGTMHWTFaD3y82u6mxVrfs=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=

internal/builders/generic/attest_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	slsav02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 
 	"github.com/slsa-framework/slsa-github-generator/internal/errors"
 	"github.com/slsa-framework/slsa-github-generator/internal/testutil"
@@ -33,7 +33,7 @@ func TestParseSubjects(t *testing.T) {
 			expected: []intoto.Subject{
 				{
 					Name: "hoge",
-					Digest: slsav02.DigestSet{
+					Digest: slsacommon.DigestSet{
 						"sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 					},
 				},
@@ -46,7 +46,7 @@ func TestParseSubjects(t *testing.T) {
 			expected: []intoto.Subject{
 				{
 					Name: "hoge fuga",
-					Digest: slsav02.DigestSet{
+					Digest: slsacommon.DigestSet{
 						"sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 					},
 				},
@@ -59,7 +59,7 @@ func TestParseSubjects(t *testing.T) {
 			expected: []intoto.Subject{
 				{
 					Name: "hoge fuga",
-					Digest: slsav02.DigestSet{
+					Digest: slsacommon.DigestSet{
 						"sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 					},
 				},
@@ -73,13 +73,13 @@ func TestParseSubjects(t *testing.T) {
 			expected: []intoto.Subject{
 				{
 					Name: "hoge",
-					Digest: slsav02.DigestSet{
+					Digest: slsacommon.DigestSet{
 						"sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 					},
 				},
 				{
 					Name: "fuga",
-					Digest: slsav02.DigestSet{
+					Digest: slsacommon.DigestSet{
 						"sha256": "e712aff3705ac314b9a890e0ec208faa20054eee514d86ab913d768f94e01279",
 					},
 				},
@@ -97,13 +97,13 @@ func TestParseSubjects(t *testing.T) {
 			expected: []intoto.Subject{
 				{
 					Name: "hoge",
-					Digest: slsav02.DigestSet{
+					Digest: slsacommon.DigestSet{
 						"sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 					},
 				},
 				{
 					Name: "fuga",
-					Digest: slsav02.DigestSet{
+					Digest: slsacommon.DigestSet{
 						"sha256": "e712aff3705ac314b9a890e0ec208faa20054eee514d86ab913d768f94e01279",
 					},
 				},

internal/builders/generic/generic.go

@@ -25,7 +25,7 @@ import (
 	"testing"
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	slsav02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	"github.com/slsa-framework/slsa-github-generator/internal/errors"
 	"github.com/slsa-framework/slsa-github-generator/slsa"
 )
@@ -121,7 +121,7 @@ func parseSubjects(b64str string) ([]intoto.Subject, error) {
 
 		parsed = append(parsed, intoto.Subject{
 			Name: name,
-			Digest: slsav02.DigestSet{
+			Digest: slsacommon.DigestSet{
 				"sha256": shaDigest,
 			},
 		})

internal/builders/go/pkg/provenance.go

@@ -23,7 +23,7 @@ import (
 	"github.com/slsa-framework/slsa-github-generator/signing"
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	"github.com/slsa-framework/slsa-github-generator/github"
 	"github.com/slsa-framework/slsa-github-generator/internal/utils"
 	"github.com/slsa-framework/slsa-github-generator/slsa"
@@ -93,7 +93,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 		GithubActionsBuild: slsa.NewGithubActionsBuild([]intoto.Subject{
 			{
 				Name: name,
-				Digest: slsa02.DigestSet{
+				Digest: slsacommon.DigestSet{
 					"sha256": digest,
 				},
 			},
@@ -157,7 +157,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 	invEnv["os"] = os.Getenv("ImageOS")
 
 	// Add details about the runner's OS to the materials
-	runnerMaterials := slsa02.ProvenanceMaterial{
+	runnerMaterials := slsacommon.ProvenanceMaterial{
 		// TODO: capture the digest here too
 		URI: fmt.Sprintf("https://github.com/actions/virtual-environments/releases/tag/%s/%s", os.Getenv("ImageOS"), os.Getenv("ImageVersion")),
 	}

slsa/buildtype.go

@@ -22,7 +22,9 @@ import (
 	"strings"
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 
 	"github.com/slsa-framework/slsa-github-generator/github"
 )
@@ -40,13 +42,13 @@ type BuildType interface {
 	BuildConfig(context.Context) (interface{}, error)
 
 	// Invocation returns an invocation for this build type.
-	Invocation(context.Context) (slsa.ProvenanceInvocation, error)
+	Invocation(context.Context) (slsa02.ProvenanceInvocation, error)
 
 	// Materials returns materials as defined by this build type.
-	Materials(context.Context) ([]slsa.ProvenanceMaterial, error)
+	Materials(context.Context) ([]slsacommon.ProvenanceMaterial, error)
 
 	// Metadata returns a metadata about the build.
-	Metadata(context.Context) (*slsa.ProvenanceMetadata, error)
+	Metadata(context.Context) (*slsa02.ProvenanceMetadata, error)
 }
 
 // GithubActionsBuild is a basic build type for builders running in GitHub Actions.
@@ -216,7 +218,7 @@ func (b *GithubActionsBuild) Invocation(ctx context.Context) (slsa.ProvenanceInv
 	i.ConfigSource.EntryPoint = entryPoint
 	i.ConfigSource.URI = b.Context.RepositoryURI()
 	if b.Context.SHA != "" {
-		i.ConfigSource.Digest = slsa.DigestSet{
+		i.ConfigSource.Digest = slsacommon.DigestSet{
 			"sha1": b.Context.SHA,
 		}
 	}
@@ -233,12 +235,12 @@ func (b *GithubActionsBuild) Invocation(ctx context.Context) (slsa.ProvenanceInv
 
 // Materials implements BuildType.Materials. It returns a list of materials
 // that includes the repository that triggered the GitHub Actions workflow.
-func (b *GithubActionsBuild) Materials(context.Context) ([]slsa.ProvenanceMaterial, error) {
-	var material []slsa.ProvenanceMaterial
+func (b *GithubActionsBuild) Materials(context.Context) ([]slsacommon.ProvenanceMaterial, error) {
+	var material []slsacommon.ProvenanceMaterial
 	if b.Context.RepositoryURI() != "" {
-		material = append(material, slsa.ProvenanceMaterial{
+		material = append(material, slsacommon.ProvenanceMaterial{
 			URI: b.Context.RepositoryURI(),
-			Digest: slsa.DigestSet{
+			Digest: slsacommon.DigestSet{
 				"sha1": b.Context.SHA,
 			},
 		})

slsa/provenance.go

@@ -20,7 +20,8 @@ import (
 	"regexp"
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
+	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 )
 
 const (
@@ -101,12 +102,12 @@ func (g *HostedActionsGenerator) Generate(ctx context.Context) (*intoto.Provenan
 	return &intoto.ProvenanceStatement{
 		StatementHeader: intoto.StatementHeader{
 			Type:          intoto.StatementInTotoV01,
-			PredicateType: slsa.PredicateSLSAProvenance,
+			PredicateType: slsa02.PredicateSLSAProvenance,
 			Subject:       subject,
 		},
-		Predicate: slsa.ProvenancePredicate{
+		Predicate: slsa02.ProvenancePredicate{
 			BuildType: g.buildType.URI(),
-			Builder: slsa.ProvenanceBuilder{
+			Builder: slsacommon.ProvenanceBuilder{
 				ID: builderID,
 			},
 			Invocation:  invocation,

slsa/provenance_test.go

@@ -7,7 +7,8 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
+	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 	"github.com/slsa-framework/slsa-github-generator/github"
 )
 
@@ -49,15 +50,15 @@ func TestHostedActionsProvenance(t *testing.T) {
 			expected: &intoto.ProvenanceStatement{
 				StatementHeader: intoto.StatementHeader{
 					Type:          intoto.StatementInTotoV01,
-					PredicateType: slsa.PredicateSLSAProvenance,
+					PredicateType: slsa02.PredicateSLSAProvenance,
 				},
-				Predicate: slsa.ProvenancePredicate{
-					Builder: slsa.ProvenanceBuilder{
+				Predicate: slsa02.ProvenancePredicate{
+					Builder: slsacommon.ProvenanceBuilder{
 						ID: GithubHostedActionsBuilderID,
 					},
 					BuildType:   testBuildType,
 					BuildConfig: testBuildConfig,
-					Invocation: slsa.ProvenanceInvocation{
+					Invocation: slsa02.ProvenanceInvocation{
 						Environment: map[string]interface{}{
 							"github_run_id":           "",
 							"github_run_attempt":      "",
@@ -72,7 +73,7 @@ func TestHostedActionsProvenance(t *testing.T) {
 							"github_sha1":             "",
 						},
 					},
-					Metadata: &slsa.ProvenanceMetadata{},
+					Metadata: &slsa02.ProvenanceMetadata{},
 				},
 			},
 		},
@@ -99,15 +100,15 @@ func TestHostedActionsProvenance(t *testing.T) {
 			expected: &intoto.ProvenanceStatement{
 				StatementHeader: intoto.StatementHeader{
 					Type:          intoto.StatementInTotoV01,
-					PredicateType: slsa.PredicateSLSAProvenance,
+					PredicateType: slsa02.PredicateSLSAProvenance,
 				},
-				Predicate: slsa.ProvenancePredicate{
-					Builder: slsa.ProvenanceBuilder{
+				Predicate: slsa02.ProvenancePredicate{
+					Builder: slsacommon.ProvenanceBuilder{
 						ID: GithubHostedActionsBuilderID,
 					},
 					BuildType:   testBuildType,
 					BuildConfig: testBuildConfig,
-					Invocation: slsa.ProvenanceInvocation{
+					Invocation: slsa02.ProvenanceInvocation{
 						Environment: map[string]interface{}{
 							"github_run_id":           "12345",
 							"github_run_attempt":      "1",
@@ -121,13 +122,13 @@ func TestHostedActionsProvenance(t *testing.T) {
 							"github_run_number":       "102937",
 							"github_sha1":             "abcde",
 						},
-						ConfigSource: slsa.ConfigSource{
-							Digest: slsa.DigestSet{
+						ConfigSource: slsa02.ConfigSource{
+							Digest: slsacommon.DigestSet{
 								"sha1": "abcde",
 							},
 						},
 					},
-					Metadata: &slsa.ProvenanceMetadata{
+					Metadata: &slsa02.ProvenanceMetadata{
 						BuildInvocationID: "12345-1",
 					},
 				},