commit: f6f0669646fc6b7959721616a8e692dac11b530d
[log]
author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Mon Jun 30 11:25:19 2025 +0000
committer: GitHub <noreply@github.com>
Mon Jun 30 11:25:19 2025 +0000
tree: 81a46611e5043ee18ba14efb0a8df70f3afe5273
parent: c9e55fa64381bf9445fdb7fd02c8446d7ff82337 [diff]

Bump github.com/slsa-framework/slsa-verifier/v2 from 2.7.0 to 2.7.1 in /tooling (#4799)

Bumps [github.com/slsa-framework/slsa-verifier/v2](https://github.com/slsa-framework/slsa-verifier) from 2.7.0 to 2.7.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/slsa-framework/slsa-verifier/releases">github.com/slsa-framework/slsa-verifier/v2's releases</a>.</em></p>
<blockquote>
<h2>v2.7.1</h2>
<h2>What's Changed</h2>
<ul>
<li>chore: Update docs for v2.7.0 by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/829">slsa-framework/slsa-verifier#829</a></li>
<li>docs(npm): &quot;exmaple&quot; spelling fix by <a href="https://github.com/scop"><code>@scop</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/832">slsa-framework/slsa-verifier#832</a></li>
<li>chore: update test files for v2.1.0 by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/836">slsa-framework/slsa-verifier#836</a></li>
<li>feat: verify provenance for bcr modules produced by trusted reusable workflows by <a href="https://github.com/loosebazooka"><code>@loosebazooka</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/840">slsa-framework/slsa-verifier#840</a></li>
<li>chore(deps): update golang:1.23 docker digest to cc458d7 by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/838">slsa-framework/slsa-verifier#838</a></li>
<li>fix: less parallelism in tests by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/851">slsa-framework/slsa-verifier#851</a></li>
<li>chore(deps): bump <code>@octokit/request-error</code> from 5.0.1 to 5.1.1 in /actions/installer in the npm_and_yarn group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/833">slsa-framework/slsa-verifier#833</a></li>
<li>chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in the go_modules group by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/835">slsa-framework/slsa-verifier#835</a></li>
<li>chore(deps): bump the go_modules group across 1 directory with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/853">slsa-framework/slsa-verifier#853</a></li>
<li>fix(deps): update npm by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/843">slsa-framework/slsa-verifier#843</a></li>
<li>fix(deps): update golang.org/x/exp digest to dcc06ee by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/839">slsa-framework/slsa-verifier#839</a></li>
<li>fix: no parallel regression tests by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/855">slsa-framework/slsa-verifier#855</a></li>
<li>chore(deps): update golang:1.23 docker digest to dd5cc4b by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/847">slsa-framework/slsa-verifier#847</a></li>
<li>chore(deps): update gcr.io/distroless/base:nonroot docker digest to 0a0dc20 by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/844">slsa-framework/slsa-verifier#844</a></li>
<li>chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/854">slsa-framework/slsa-verifier#854</a></li>
<li>feat: Bazel not experimental by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/850">slsa-framework/slsa-verifier#850</a></li>
<li>docs: add section for verify-github-attestation by <a href="https://github.com/loosebazooka"><code>@loosebazooka</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/858">slsa-framework/slsa-verifier#858</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/scop"><code>@scop</code></a> made their first contribution in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/832">slsa-framework/slsa-verifier#832</a></li>
<li><a href="https://github.com/loosebazooka"><code>@loosebazooka</code></a> made their first contribution in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/840">slsa-framework/slsa-verifier#840</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/slsa-framework/slsa-verifier/compare/v2.7.0...v2.7.1">https://github.com/slsa-framework/slsa-verifier/compare/v2.7.0...v2.7.1</a></p>
<h2>v2.7.1-rc.2</h2>
<h2>What's Changed</h2>
<ul>
<li>chore(deps): update golang:1.23 docker digest to cc458d7 by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/838">slsa-framework/slsa-verifier#838</a></li>
<li>fix: less parallelism in tests by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/851">slsa-framework/slsa-verifier#851</a></li>
<li>chore(deps): bump <code>@octokit/request-error</code> from 5.0.1 to 5.1.1 in /actions/installer in the npm_and_yarn group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/833">slsa-framework/slsa-verifier#833</a></li>
<li>chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in the go_modules group by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/835">slsa-framework/slsa-verifier#835</a></li>
<li>chore(deps): bump the go_modules group across 1 directory with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/853">slsa-framework/slsa-verifier#853</a></li>
<li>fix(deps): update npm by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/843">slsa-framework/slsa-verifier#843</a></li>
<li>fix(deps): update golang.org/x/exp digest to dcc06ee by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/839">slsa-framework/slsa-verifier#839</a></li>
<li>fix: no parallel regression tests by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/855">slsa-framework/slsa-verifier#855</a></li>
<li>chore(deps): update golang:1.23 docker digest to dd5cc4b by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/847">slsa-framework/slsa-verifier#847</a></li>
<li>chore(deps): update gcr.io/distroless/base:nonroot docker digest to 0a0dc20 by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/844">slsa-framework/slsa-verifier#844</a></li>
<li>chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/854">slsa-framework/slsa-verifier#854</a></li>
<li>feat: Bazel not experimental by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/850">slsa-framework/slsa-verifier#850</a></li>
<li>docs: add section for verify-github-attestation by <a href="https://github.com/loosebazooka"><code>@loosebazooka</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/858">slsa-framework/slsa-verifier#858</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/slsa-framework/slsa-verifier/compare/v2.7.1-rc.1...v2.7.1-rc.2">https://github.com/slsa-framework/slsa-verifier/compare/v2.7.1-rc.1...v2.7.1-rc.2</a></p>
<h2>v2.7.1-rc.1</h2>
<h2>What's Changed</h2>
<ul>
<li>chore: Update docs for v2.7.0 by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/829">slsa-framework/slsa-verifier#829</a></li>
<li>docs(npm): &quot;exmaple&quot; spelling fix by <a href="https://github.com/scop"><code>@scop</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/832">slsa-framework/slsa-verifier#832</a></li>
<li>chore: update test files for v2.1.0 by <a href="https://github.com/ramonpetgrave64"><code>@ramonpetgrave64</code></a> in <a href="https://redirect.github.com/slsa-framework/slsa-verifier/pull/836">slsa-framework/slsa-verifier#836</a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/ea584f4502babc6f60d9bc799dbbb13c1caa9ee6"><code>ea584f4</code></a> docs: add section for verify-github-attestation (<a href="https://redirect.github.com/slsa-framework/slsa-verifier/issues/858">#858</a>)</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/295020463fbf202133b4cc66c0271955ea941102"><code>2950204</code></a> feat: Bazel not experimental (<a href="https://redirect.github.com/slsa-framework/slsa-verifier/issues/850">#850</a>)</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/08d54ab1de7093828bf27f41cd0dd62064119e1d"><code>08d54ab</code></a> chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates ...</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/09889f2e46a735f631547686b1a39144f6117a9b"><code>09889f2</code></a> chore(deps): update gcr.io/distroless/base:nonroot docker digest to 0a0dc20 (...</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/713575576b8614ebd1bc001a24b2ed5e652d87c2"><code>7135755</code></a> chore(deps): update golang:1.23 docker digest to dd5cc4b (<a href="https://redirect.github.com/slsa-framework/slsa-verifier/issues/847">#847</a>)</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/4f28a9512a5297eda8adf97f312fa814a70eb7d0"><code>4f28a95</code></a> fix: no parallel regression tests (<a href="https://redirect.github.com/slsa-framework/slsa-verifier/issues/855">#855</a>)</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/1595a06d9256113c6d1d325923abd6f61bd76e3b"><code>1595a06</code></a> fix(deps): update golang.org/x/exp digest to dcc06ee (<a href="https://redirect.github.com/slsa-framework/slsa-verifier/issues/839">#839</a>)</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/e0b3ab793c3a65f943df669a0b279a9cea94cbd4"><code>e0b3ab7</code></a> fix(deps): update npm (<a href="https://redirect.github.com/slsa-framework/slsa-verifier/issues/843">#843</a>)</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/b02ea5056cc7325930aa45ef4b3747f80c4de8d1"><code>b02ea50</code></a> chore(deps): bump the go_modules group across 1 directory with 2 updates (<a href="https://redirect.github.com/slsa-framework/slsa-verifier/issues/853">#853</a>)</li>
<li><a href="https://github.com/slsa-framework/slsa-verifier/commit/f6be75a9c88cfd83e0cc8ceeb9d683599b1568c9"><code>f6be75a</code></a> chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in the go...</li>
<li>Additional commits viewable in <a href="https://github.com/slsa-framework/slsa-verifier/compare/v2.7.0...v2.7.1">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/slsa-framework/slsa-verifier/v2&package-manager=go_modules&previous-version=2.7.0&new-version=2.7.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>

2 files changed

tree: 81a46611e5043ee18ba14efb0a8df70f3afe5273

README.md

Cocoon is a Dart App Engine custom runtime (backend) with a frontend of Flutter apps (build and repository dashboard). Cocoon coordinates and aggregates the results of flutter/flutter builds.

It is not designed to help developers build Flutter apps.

Cocoon is not a Google product.

Using Cocoon

Forcing a refresh from GitHub

The server is driven by commits made to https://github.com/flutter/flutter repo. It periodically syncs new commits. If you need to manually force a refresh, query https://flutter-dashboard.appspot.com/api/refresh-github-commits.

You will need to be authenticated with Cocoon to do this.

Developing Cocoon

Cocoon has several components:

A server, which coordinates everything. This is a Dart App Engine application. If you have never used that before, you may want to peruse the samples for Dart App Engine. The server is found in app_dart.
A Flutter app (generally used as a Web app) for the build dashboards. The dashboard is found in dashboard.

Cocoon creates a checklist for each Flutter commit. A checklist is made of multiple tasks. Tasks are performed by LUCI bots.

Getting started

First, set up a Flutter development environment. This will, as a side-effect, provide you with a Dart SDK. Your life will be easier if you add that (.../flutter/bin/cache/dart-sdk/bin/) to your path.

To update the production server, you will need the Google Cloud SDK. Since there is no Dart SDK, we just use the command line tools.

Developing the server

All the commands in this section assume that you are in the app_dart/ directory.

Running a local dev server

dart bin/local_server.dart

This will output Serving requests at 0.0.0.0:8080 indicating the server is working.

New requests will be logged to the console.

Deploying a test version on Google Cloud

To run live tests, build the app, and provide instructions for deploying to Google App Engine, run this command:

dart dev/deploy.dart --project {PROJECT} --version {VERSION}

You can test the new version by accessing {VERSION}-dot-flutter-dashboard.appspot.com in your browser. If the result is satisfactory, the new version can be activated by using the Cloud Console UI: https://console.cloud.google.com/appengine/versions?project=flutter-dashboard&serviceId=default

Optional flags

--profile: Deploy a profile mode of dashboard application for debugging purposes.

--ignore-version-check: Ignore the version of Flutter on path (expects to be relatively recent)

Developing the dashboard

The dashboard application will use dummy data when it is not connected to the server, so it can be developed locally without a dev server.

To run the dashboard locally, go into the dashboard directory and run flutter run -d chrome. The dashboard will be served from localhost (the exact address will be given on the console); copy the URL into your browser to view the application. (The dashboard should also be able to run on non-Web platforms, but since the Web is our main target that is the one that should generally be used for development.)

You can run flutter packages upgrade to update the dependencies. This may be necessary if you see a failure in the dependencies.