Merged
@@ -0,0 +1,11 @@
syntax = "proto3";

package in_toto_attestation.predicates.release.v02;

option go_package = "github.com/in-toto/attestation/go/predicates/release/v02";
option java_package = "io.github.intoto.attestation.predicates.release.v02";

message Release {
string purl = 1;
optional string package_id = 2;
}
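Review bot: `message Release` and both of its fields are undocumented, so the generated Go and Java types will carry none of the field semantics that spec/predicates/release.md spells out; add leading `//` comments on `purl` and `package_id` that mirror the spec text (e.g. `// purl uniquely identifying a specific release name and version from a package registry.`). Note also that proto3 has no way to mark `purl` as required, so decoders must reject an empty `purl` themselves, and that `optional string package_id` relies on proto3 explicit field presence, which older protoc releases do not accept.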
18 changes: 12 additions & 6 deletions spec/predicates/release.md
Expand Up @@ -2,7 +2,7 @@

Type URI: https://in-toto.io/attestation/release

Version 0.1
Version 0.2

## Purpose

@@ -74,7 +74,7 @@ B.
"predicateType": "https://in-toto.io/attestation/release/v0.1",
"predicate": {
"purl": <ResourceURI>,
"releaseId": "..."
"packageId": "..."
}
}
```
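Review bot: the example still shows `"predicateType": "https://in-toto.io/attestation/release/v0.1"` while this same file bumps the version line to 0.2 and renames the field to `packageId`, so the sample pairs a v0.2 field with a v0.1 type URI; update the example (and the other examples in the file) to `.../release/v0.2` so that consumers dispatching on `predicateType` know which field name to expect.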
@@ -90,14 +90,14 @@ The filename of the artifact as it would appear on disk.
A purl uniquely identifying a specific release name and version from a package
registry.

**`predicate.releaseId`** string
**`predicate.packageId`** string

Stable identifier for a release; this should remain unchanged between release
Stable identifier for a package; this should remain unchanged between release
versions (e.g. it's associated with urllib3, not urllib3 v2.1.0). This will
allow users to confirm that a release has moved to a new name, and prevent
confusion if the old name is re-used. This could be an automatically
incrementing database key, or a UUID that is initially randomly generated and
then durably associated with the release name.
then durably associated with a named package.

### Parsing Rules

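Review bot: the follow-on sentence still reads "allow users to confirm that a release has moved to a new name", which contradicts the rewritten first sentence saying the identifier belongs to a package rather than a release; change it to "confirm that a package has moved to a new name". Since `releaseId` is dropped without an alias, the `### Parsing Rules` section that follows should also state whether a v0.2 consumer must reject or may tolerate a v0.1 predicate that carries `releaseId`; otherwise verifiers may silently accept attestations that lack the very identifier this paragraph says protects against name re-use.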
@@ -122,7 +122,7 @@ a release (as a counter-example `type:oci` would include `qualifiers`).
"predicateType": "https://in-toto.io/attestation/release/v0.1",
"predicate": {
"purl": "pkg:npm/@angular/http@7.2.16",
"releaseId": 1234567890
"packageId": "1234567890"
}
}
```
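Review bot: the value changes from the bare number `1234567890` to the string `"1234567890"`, which is a correctness fix in its own right (the field is declared `string` in both the spec and the proto) but is not recorded in the changelog; mention the type correction there, since a consumer that previously accepted a numeric `releaseId` will need to adjust. The unchanged `"predicateType": ".../release/v0.1"` line in this example has the same version mismatch as the earlier example.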
@@ -176,6 +176,12 @@ Here's what a release with a container image looks like:

## Changelog and Migrations

### v0.2

- Renamed the `releaseId` predicate field to `packageId` to clarify intended use.

### v0.1

As this is the initial version, no changes or migrations to previous versions.
The required fields in this specification are a subset of the information
in the existing npm [publish attestation], so npm could easily migrate to this
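Review bot: the v0.2 entry only records the rename, but a field rename is a breaking change and this section is titled "Changelog and Migrations", so it should also give the migration guidance: which `predicateType` URI v0.2 attestations use, whether producers may emit both `releaseId` and `packageId` during a transition, and how verifiers should treat existing v0.1 attestations. Suggested wording for the bullet: "- Renamed the `releaseId` predicate field to `packageId` to clarify intended use; v0.2 consumers must not fall back to `releaseId`."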