akashsinghal · github-actions · Aug 19, 2024 · Aug 19, 2024 · Aug 20, 2024 · Aug 20, 2024
@@ -13,8 +13,8 @@
 
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile
 
-# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
-FROM mcr.microsoft.com/vscode/devcontainers/go:1.21-bullseye@sha256:0ea3913135923a684b37f9e75a1e9adbb14551199244656b77f516c4c0c6d5bc
+# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.22-bullseye, 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
+FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:56252721cd215f21f9504e8b6b66ad63e384c63171f9936c809a8b59518ec5bd
 
 # [Choice] Node.js version: none, lts/*, 18, 16, 14
 ARG NODE_VERSION="none"
@@ -30,7 +30,7 @@ RUN curl -Lo bats.tar.gz https://github.com/bats-core/bats-core/archive/v${BATS_
   && bash ./bats-core-${BATS_VERSION}/install.sh /usr/local \
   && rm -rf bats.tar.gz ./bats-core-${BATS_VERSION}
 
-ARG NOTATION_VERSION="1.0.0-rc.1"
+ARG NOTATION_VERSION="1.2.0"
 RUN curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v${NOTATION_VERSION}/notation_${NOTATION_VERSION}_linux_amd64.tar.gz \
   && tar -zxf notation.tar.gz \
   && mv ./notation /usr/local/bin/notation \

@@ -5,10 +5,10 @@
 	"build": {
 		"dockerfile": "Dockerfile",
 		"args": {
-			// Update the VARIANT arg to pick a version of Go: 1.21, 1.20, 1.19, 1.18
+			// Update the VARIANT arg to pick a version of Go: 1.22, 1.21, 1.20, 1.19, 1.18
 			// Append -bullseye or -buster to pin to an OS version.
 			// Use -bullseye variants on local arm64/Apple Silicon.
-			"VARIANT": "1.21-bullseye",
+			"VARIANT": "1.22-bullseye",
 			// Options
 			"NODE_VERSION": "none",
 			// Ratify-specific devcontainer options

@@ -0,0 +1,20 @@
+name: "Steps to restore trivy cache"
+description: "Steps to restore Trivy cache under ~/.cache/trivy"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Get current date
+      id: date
+      run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+      shell: bash
+    - name: Restore trivy cache directory
+      uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      with:
+        path: ${{ github.workspace }}/.cache/trivy
+        key: cache-trivy-${{ steps.date.outputs.date }}
+    - name: Set up trivy cache directory
+      run: |
+        mkdir -p ~/.cache/trivy
+        cp -r ${{ github.workspace }}/.cache/trivy/db ~/.cache/trivy
+      shell: bash
@@ -1,7 +1,8 @@
 ignore:
-  - "./api"  # ignore folders and all its contents
+  - "./api" # ignore folders and all its contents
+  - "./experimental/proto/v1"
 coverage:
   status:
     patch:
       default:
-        target: 80%
+        target: 80%
@@ -0,0 +1,3 @@
+vulnerabilities:
+  - id: CVE-2024-45338
+    statement: kubectl is not vulnerable to this and is reason for being flagged
@@ -33,7 +33,7 @@ updates:
       interval: "weekly"
     ignore:
       - dependency-name: "golang"
-        versions: '> 1.21'
+        versions: '> 1.22'
     commit-message:
       prefix: "chore"
 
@@ -43,6 +43,6 @@ updates:
       interval: "weekly"
     ignore:
       - dependency-name: "vscode/devcontainers/go"
-        versions: '> 1.21'
+        versions: '> 1.22'
     commit-message:
       prefix: "chore"
@@ -29,7 +29,7 @@ header:
       limitations under the License.
 
   paths-ignore:
-    - "**/*.{md,svg,yaml,crt,json,pub,yml,pb.go,proto}"
+    - "**/*.{md,svg,yaml,crt,cer,json,pub,yml,pb.go,proto}"
     - "CODEOWNERS"
     - "PROJECT"
     - "NOTICE"
@@ -49,7 +49,7 @@ dependency:
     - go.mod
   licenses:
     - name: github.com/spdx/tools-golang
-      version: v0.5.4
+      version: v0.5.5
       license: Apache-2.0
     - name: github.com/alibabacloud-go/cr-20160607 # TODO: remove this when library is upgraded to v2.0.0
       version: v1.0.1

@@ -13,7 +13,9 @@ permissions: read-all
 jobs:
   call_test_cli:
     uses: ./.github/workflows/e2e-cli.yml
-
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
   call_test_e2e_basic:
     name: "run e2e on basic matrix"
     if: ${{ ! (contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch') }}
@@ -22,9 +24,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.29.2"]
-        GATEKEEPER_VERSION: ["3.16.0"]
-    uses: ./.github/workflows/e2e-k8s.yml 
+        KUBERNETES_VERSION: ["1.31.2"]
+        GATEKEEPER_VERSION: ["3.18.0"]
+    uses: ./.github/workflows/e2e-k8s.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
       gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
@@ -35,12 +37,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.7", "1.29.2"]
-        GATEKEEPER_VERSION: ["3.14.0", "3.15.0", "3.16.0"]
-    uses: ./.github/workflows/e2e-k8s.yml 
+        KUBERNETES_VERSION: ["1.30.6", "1.31.2"]
+        GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
+    uses: ./.github/workflows/e2e-k8s.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
-      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }} 
+      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
 
   build_test_aks_e2e_conditional:
     name: "Build and run e2e Test on AKS with conditions"
@@ -51,45 +53,41 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.27.9", "1.29.2"]
-        GATEKEEPER_VERSION: ["3.14.0", "3.15.0", "3.16.0"]
+        KUBERNETES_VERSION: ["1.30.6", "1.31.2"] 
+        GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
     uses: ./.github/workflows/e2e-aks.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
       gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
     secrets: inherit
-  
+
   aks-test-cleanup:
-    env:
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
-    needs: ['build_test_aks_e2e_conditional']
+    needs: ["build_test_aks_e2e_conditional"]
     runs-on: ubuntu-latest
     permissions:
       id-token: write
       contents: read
     environment: azure-test
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.21
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Go 1.22
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
-          go-version: '1.21'
+          go-version: "1.22"
 
       - name: Az CLI login
-        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
         with:
-          client-id: ${{ env.AZURE_CLIENT_ID }}
-          tenant-id: ${{ env.AZURE_TENANT_ID }}
-          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: clean up
         run: |
-          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
+          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
@@ -10,16 +10,16 @@ permissions:
 jobs:
   cleanup:
     runs-on: ubuntu-latest
-    steps:      
+    steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
 
       - name: Cleanup
         run: |
           gh extension install actions/gh-actions-cache
-          
+
           echo "Fetching list of cache key"
           cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
 
@@ -34,4 +34,4 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO: ${{ github.repository }}
-          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
+          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
@@ -10,24 +10,24 @@ jobs:
   cleanup-packages:
     runs-on: ubuntu-latest
     permissions:
-        packages: write
+      packages: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
 
       - name: Clean up ratify-crds-dev
         uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
-        with: 
-          package-name: 'ratify-crds-dev'
-          package-type: 'container'
+        with:
+          package-name: "ratify-crds-dev"
+          package-type: "container"
           min-versions-to-keep: 7
           delete-only-pre-release-versions: "true"
       - name: Clean up ratify-dev
         uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
-        with: 
-          package-name: 'ratify-dev'
-          package-type: 'container'
+        with:
+          package-name: "ratify-dev"
+          package-type: "container"
           min-versions-to-keep: 7
-          delete-only-pre-release-versions: "true"
+          delete-only-pre-release-versions: "true"
@@ -1,19 +1,18 @@
-
 name: "CodeQL Scan"
 
 on:
   push:
-    branches: 
+    branches:
       - main
       - dev
       - 1.0.0*
   pull_request:
-    branches: 
+    branches:
       - main
       - dev
       - 1.0.0*
   schedule:
-    - cron: '30 1 * * 0'
+    - cron: "30 1 * * 0"
   workflow_dispatch:
 
 permissions: read-all
@@ -27,23 +26,23 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=3.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
       - name: setup go environment
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # tag=v3.25.10
+        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # tag=v3.28.8
         with:
           languages: go
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # tag=v3.25.10
+        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # tag=v3.28.8