Merge remote-tracking branch 'upstream/main' into support-alibaba-acr…

…-keychain
sigstore · Aug 20, 2022 · 3771279 · 3771279
2 parents 2327e84 + 8f29f03
commit 3771279
Show file tree

Hide file tree

Showing 613 changed files with 1,978 additions and 83,667 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -35,17 +35,15 @@ jobs:
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
 
-      - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 # v2.3.0
+      - uses: sigstore/cosign-installer@b3413d484cc23cf8778c3d2aa361568d4eb54679 # v2.3.0
 
-      - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+      - uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2.2.0
         with:
-          go-version: '1.17'
+          go-version: '1.18'
           check-latest: true
 
       # will use the latest release available for ko
-      - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
-
-      - uses: chainguard-dev/actions/goimports@84c993eaf02da1c325854fb272a4df9184bd80fc # main
+      - uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d # v0.4
 
       - name: Set up Cloud SDK
         uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0.8.0

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -42,7 +42,7 @@ jobs:
       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
 
     - name: Utilize Go Module Cache
-      uses: actions/cache@c3f1317a9e7b1ef106c153ac8c0f00fed3ddbc0d # v3.0.3
+      uses: actions/cache@a7c34adf76222e77931dedbf4a45b2e4648ced19 # v3.0.3
       with:
         path: |
           ~/go/pkg/mod
@@ -52,19 +52,19 @@ jobs:
           ${{ runner.os }}-go-
 
     - name: Set correct version of Golang to use during CodeQL run
-      uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.1.5
+      uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2.1.5
       with:
-        go-version: '1.17'
+        go-version: '1.18'
         check-latest: true
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@3f62b754e23e0dd60f91b744033e1dc1654c0ec6 # v2.1.14
+      uses: github/codeql-action/init@f5d217be74900c6ac8fbbe53f3c10376ba4e64da # v2.1.18
       with:
         languages: ${{ matrix.language }}
 
     - name: Build cosign for CodeQL
       run: make cosign
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@3f62b754e23e0dd60f91b744033e1dc1654c0ec6 # v2.1.14
+      uses: github/codeql-action/analyze@f5d217be74900c6ac8fbbe53f3c10376ba4e64da # v2.1.18
diff --git a/.github/workflows/cross.yaml b/.github/workflows/cross.yaml
@@ -29,9 +29,9 @@ jobs:
             COSIGN_PASSWORD: COSIGN_PASSWORD
     steps:
       - name: Install Go
-        uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2.2.0
         with:
-          go-version: '1.17'
+          go-version: '1.18'
           check-latest: true
       - name: Checkout code
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0

diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -25,4 +25,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b  # v3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0 # v2
+        uses: actions/dependency-review-action@23d1ffffb6fa5401173051ec21eba8c35242733f # v2
diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml
@@ -39,9 +39,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
-      - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+      - uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2.2.0
         with:
-          go-version: '1.17'
+          go-version: '1.18'
           check-latest: true
       - name: build cosign and check
         shell: bash

diff --git a/.github/workflows/e2e_tests.yml b/.github/workflows/e2e_tests.yml
@@ -16,7 +16,11 @@
 name: e2e-tests
 
 # Run on every push, and allow it to be run manually.
-on: [push, workflow_dispatch]
+on:
+  push:
+    branches:
+      - "main"
+  workflow_dispatch:
 
 permissions: read-all
 
@@ -32,9 +36,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
-      - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+      - uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2.2.0
         with:
-          go-version: '1.17'
+          go-version: '1.18'
           check-latest: true
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@877d4953d2c70a0ba7ef3290ae968eb24af233bb # v0.5.1

diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml
@@ -36,14 +36,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
-      - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+      - uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2.2.0
         with:
-          go-version: '1.17'
+          go-version: '1.18'
           check-latest: true
+          cache: true
 
       # Install tools.
-      - uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25 # v2.3.0
-      - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
+      - uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d # v0.4
+
+      - name: build cosign from the HEAD
+        run: |
+          make cosign
+          ./cosign version
 
       - name: Build and sign a container image
         run: |
@@ -54,5 +59,4 @@ jobs:
       - name: Build and sign a blob
         run: |
           set -e
-          make cosign
           make sign-blob-experimental
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
@@ -32,43 +32,40 @@ jobs:
     strategy:
       matrix:
         k8s-version:
-        - v1.21.x
-        - v1.22.x
-        # Try without this one now, might have problems with job restartings
-        # may require upstream changes.
-        #- v1.23.x
+        - v1.24.x
 
     env:
-      KNATIVE_VERSION: "1.1.0"
       KO_DOCKER_REPO: "registry.local:5000/policy-controller"
-      SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
+      SCAFFOLDING_RELEASE_VERSION: "v0.4.5"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KOCACHE: ~/ko
-      # Trust the custom Rekor API endpoint for fetching the Public Key from it.
-      SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY: "true"
       # We are only testing keyless here, so set it.
       COSIGN_EXPERIMENTAL: "true"
 
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
-    - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v2.2.0
+    - uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2.2.0
       with:
-        go-version: '1.17'
+        go-version: '1.18'
         check-latest: true
 
     # will use the latest release available for ko
-    - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
+    - uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d # v0.4
 
     - name: Install yq
-      uses: mikefarah/yq@b669844ef72b8e0ebc1844a611bf56a5331aeb31 # v4.25.1
+      uses: mikefarah/yq@1c7dc0e88aad311c89889bc5ce5d8f96931a1bd0 # v4.25.1
 
     - name: build cosign
       run: |
         make cosign
 
-    - name: Install cluster + cosign
+    - name: Install cluster + sigstore
       uses: sigstore/scaffolding/actions/setup@main
+      with:
+        legacy-variables: "false"
+        k8s-version: ${{ matrix.k8s-version }}
+        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}
 
     - name: Create sample image - demoimage
       run: |
@@ -86,6 +83,11 @@ jobs:
         echo Created image $demoimage
         popd
 
+    - name: Initialize with our custom TUF root
+      run: |
+        TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
+        ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
+
     - name: Sign demoimage with cosign
       run: |
         ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}

diff --git a/.github/workflows/milestone.yaml b/.github/workflows/milestone.yaml
@@ -23,7 +23,7 @@ jobs:
       statuses: none
 
     steps:
-      - uses: actions/github-script@7a5c598405937d486b0331594b5da2b14db670da # v6.1.0
+      - uses: actions/github-script@d50f485531ba88479582bc2da03ff424389af5c1 # v6.1.0
         with:
           script: |
             if (!context.payload.pull_request.merged) {

diff --git a/.github/workflows/scorecard_action.yml b/.github/workflows/scorecard_action.yml
@@ -20,15 +20,15 @@ jobs:
       security-events: write
       actions: read
       contents: read
-
+      id-token: write
     steps:
       - name: "Checkout code"
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564
+        uses: ossf/scorecard-action@08dd0cebb088ac0fd6364339b1b3b68b75041ea8 # v2.0.0-alpha.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -52,6 +52,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@3f62b754e23e0dd60f91b744033e1dc1654c0ec6 # v2.1.14
+        uses: github/codeql-action/upload-sarif@f5d217be74900c6ac8fbbe53f3c10376ba4e64da # v2.1.18
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -0,0 +1,29 @@
+name: "Close stale issues/pull requests"
+on:
+  schedule:
+  - cron: "30 1 * * *"
+
+jobs:
+  stale:
+    permissions:
+      issues: write
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/stale@9c1b1c6e115ca2af09755448e0dbba24e5061cc8 # v5.1.1
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
+        stale-pr-message: 'This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
+        close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
+        close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
+        stale-issue-label: 'no-issue-activity'
+        exempt-issue-labels: 'bug,core feature,enhancement,good first issue,help wanted,needs discussion'
+        stale-pr-label: 'no-pr-activity'
+        exempt-pr-labels: 'awaiting-approval,work-in-progress'
+        days-before-pr-stale: '30'
+        days-before-pr-close: '10'
+        days-before-issue-stale: '60'
+        days-before-close: '5'
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml