From 927b63cd3654f2593d6de6b5908ff3d6dc9e827b Mon Sep 17 00:00:00 2001
From: Susan Shi
Date: Tue, 9 Apr 2024 10:14:41 +1000
Subject: [PATCH 1/4] chore: Bump actions/checkout from 4.1.1 to 4.1.2 (#1368)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/e2e-cli.yml | 6 +++---
.github/workflows/pr-to-main.yml | 2 +-
README.md | 4 ++--
go.mod | 2 +-
go.sum | 4 ++--
5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
index 8405160d6..6a391bee6 100644
--- a/.github/workflows/e2e-cli.yml
+++ b/.github/workflows/e2e-cli.yml
@@ -10,12 +10,12 @@ jobs:
 - name: Checkout
 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
 - name: Check license header
- uses: apache/skywalking-eyes/header@ed436a5593c63a25f394ea29da61b0ac3731a9fe
+ uses: apache/skywalking-eyes/header@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91
 with:
 mode: check
 config: .github/licenserc.yml
 - name: Check dependencies license
- uses: apache/skywalking-eyes/dependency@ed436a5593c63a25f394ea29da61b0ac3731a9fe
+ uses: apache/skywalking-eyes/dependency@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91
 with:
 config: .github/licenserc.yml
 flags:
@@ -67,7 +67,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 with:
 submodules: recursive
 - name: Run link check
diff --git a/.github/workflows/pr-to-main.yml b/.github/workflows/pr-to-main.yml
index 6ce008c90..bbcb4ca8e 100644
--- a/.github/workflows/pr-to-main.yml
+++ b/.github/workflows/pr-to-main.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: git checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
 # https://github.com/marketplace/actions/github-pull-request-action
 - name: create pull request with reposync action
diff --git a/README.md b/README.md
index 8370ee7d9..fbb1a1978 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Please see [Ratify website](https://ratify.dev/docs/quick-start) for a quick sta
 ## Community meetings
 - Agenda:
-- We hold a weekly Ratify community meeting on Weds 4:30-5:30pm (Pacific Time)
+- We hold a weekly Ratify community meeting on Thurs 12:00 - 1:00 AM (UTC)
 Get Ratify Community Meeting Calendar [here](https://calendar.google.com/calendar/u/0?cid=OWJjdTF2M3ZiZGhubm1mNmJyMDhzc2swNTRAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
 - We meet regularly to discuss and prioritize issues. The meeting may get cancelled due to holidays, all cancellation will be posted to meeting notes prior to the meeting.
 - Reach out on Slack at [cloud-native.slack.com#ratify](https://cloud-native.slack.com/archives/C03T3PEKVA9). If you're not already a member of cloud-native slack channel, first add [yourself here](https://communityinviter.com/apps/cloud-native/cncf).
@@ -69,4 +69,4 @@ This project is released under the [Apache-2.0 License](./LICENSE).
 This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines][microsoft-trademark]. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
-[microsoft-trademark]: https://www.microsoft.com/legal/intellectualproperty/trademarks
\ No newline at end of file
+[microsoft-trademark]: https://www.microsoft.com/legal/intellectualproperty/trademarks
diff --git a/go.mod b/go.mod
index e68611ac0..a421ac098 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
 go.opentelemetry.io/otel/metric v1.22.0
 go.opentelemetry.io/otel/sdk/metric v0.39.0
 golang.org/x/sync v0.6.0
- google.golang.org/grpc v1.61.1
+ google.golang.org/grpc v1.61.2
 google.golang.org/protobuf v1.33.0
 k8s.io/api v0.28.8
 k8s.io/apimachinery v0.28.8
diff --git a/go.sum b/go.sum
index f66fe0c0c..460662d2e 100644
--- a/go.sum
+++ b/go.sum
@@ -1157,8 +1157,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY=
-google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
+google.golang.org/grpc v1.61.2 h1:TzJay21lXCf7BiNFKl7mSskt5DlkKAumAYTs52SpJeo=
+google.golang.org/grpc v1.61.2/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
From 2ddd2045ab918884ff66856ce79f588b5e348dc3 Mon Sep 17 00:00:00 2001
From: Yi Zha
Date: Tue, 9 Apr 2024 11:01:32 +0800
Subject: [PATCH 2/4] docs: add roadmap (#1344)
Signed-off-by: Yi Zha (from Dev Box)
---
ROADMAP.md | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 95 insertions(+)
create mode 100644 ROADMAP.md
diff --git a/ROADMAP.md b/ROADMAP.md
new file mode 100644
index 000000000..5ae2a0368
--- /dev/null
+++ b/ROADMAP.md
@@ -0,0 +1,95 @@
+# Roadmap
+
+## Overview
+
+At Ratify, our mission is to safeguard the container supply chain by ratifying trustworthy and compliant artifacts. We achieve this through a robust and pluggable verification engine that includes built-in verifiers. These verifiers can be customized to validate supply chain metadata associated with artifacts, covering essential aspects such as signatures and attestations (including vulnerability reports, SBOM, provenance data, and VEX documents). As the landscape of supply chain security evolves, we actively develop new verifiers, which can be seamlessly integrated into our verification engine. Additionally, if you have a specific use case, you can create your own verifier following our comprehensive guidance. Each verifier will generate detailed verfication reports, which can be consumed by various policy controllers to enforce policies.
+
+Ratify is designed to address several critical scenarios. It seamlessly integrates with OPA Gatekeeper, acting as the Kubernetes policy controller that shields your cluster from untrustworthy and non-compliant container images. As an external data provider for Gatekeeper, Ratify delivers artifact verification results that are in alignment with defined policies. Additionally, Ratify enhances security at the Kubernetes node level by extending its capabilities to container runtime through its plugin interface, which allows for detailed policy evaluations based on artifact verification outcomes. Lastly, incorporating Ratify into your CI/CD pipeline ensures the trustworthiness and compliance of container images prior to their usage.
+
+This document presents the roadmap of Ratify that translates our strategy into practical steps.
+
+## Milestones
+
+The Ratify roadmap is divided into milestones, each with a set of features (high level) and timeline. The milestones marked as `Tentative` are subject to change based on the project’s priorities and the community’s feedback.
We will prioritize releases for security or urgent fixes, so the roadmap may be adjusted and new features may be postponed to the next milestone. Any dates and features listed below in a given milestone are subject to change. See the [GitHub milestones](https://github.com/deislabs/ratify/milestones?state=open) for the most up-to-date issues and their status. We are targeting to release a new Ratify version every 3 or 4 months.
+
+### v1.0
+
+**Status**: Completed
+
+**Released date**: Sep 27, 2023
+
+**Release link**: [v1.0.0 Release Notes](https://github.com/deislabs/ratify/releases/tag/v1.0.0)
+
+**Major features**
+
+- Ratify as an external Data Provider for Gatekeeper
+- Plugin framework for extensibility
+- Policies for Notary Project signatures verification at admission control in kubernetes
+- Policies for Cosign keyless verification at admission control in kubernetes
+- High Availability support in Kubernetes (Experimental)
+
+### v1.1
+
+**Status**: Completed
+
+**Release date**: Dec 12, 2023
+
+**Release link**: [v1.1.0 Release Notes](https://github.com/deislabs/ratify/releases/tag/v1.1.0)
+
+**Major features**
+
+- Policies for assessing vulnerability reports at admission control in kubernetes
+- Policies for assessing software license at admission control in kubernetes
+- New diagnostic logs
+
+### v1.2
+
+**Status**: In progress
+
+**Target date**: Apr 30, 2024
+
+**major features**
+
+- Kubernetes multi-tenancy support (Namespace-specific policies)
+- OCI v1.1 compliance
+- Cosign signatures verification using keys in AKV
+- Error logs improvements
+
+See details in [GitHub milestone v1.2.0](https://github.com/deislabs/ratify/issues?q=is%3Aopen+is%3Aissue+milestone%3Av1.2.0).
+
+### v1.3
+
+**Status**: Not started
+
+**Target date**: Jun 30, 2024
+
+**Major features**
+
+- Kubernetes multi-tenancy support (Verifying Common images across namespaces)
+- Cosign keyless verification using OIDC settings
+- Notary Project signature verification with Time-stamping support
+- Signing Certificate/key rotation support
+
+See details in [GitHub milestone v1.3.0](https://github.com/deislabs/ratify/issues?q=is%3Aopen+is%3Aissue+milestone%3Av1.3.0).
+
+### v1.4
+
+**Status**: Tentative
+
+**Target date**: Sep 30, 2024
+
+**Major features**
+
+- Attestations support
+- Use Ratify at container runtime (Preview)
+
+### v2.0
+
+Status: Tentative
+
+Target date: TBD
+
+**Major features**
+
+- Use Ratify in CI/CD pipelines (Preview)
+- Support CEL as additional policy language
\ No newline at end of file
From 1d5e1c04763bf0f475bb1f74b88bfb565f3d7855 Mon Sep 17 00:00:00 2001
From: Susan Shi
Date: Tue, 9 Apr 2024 15:48:25 +1000
Subject: [PATCH 3/4] Revert "chore: Bump actions/checkout from 4.1.1 to 4.1.2" (#1372)
---
.github/workflows/e2e-cli.yml | 6 +++---
.github/workflows/pr-to-main.yml | 2 +-
README.md | 4 ++--
go.mod | 2 +-
go.sum | 4 ++--
5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
index 6a391bee6..8405160d6 100644
--- a/.github/workflows/e2e-cli.yml
+++ b/.github/workflows/e2e-cli.yml
@@ -10,12 +10,12 @@ jobs:
 - name: Checkout
 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
 - name: Check license header
- uses: apache/skywalking-eyes/header@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91
+ uses: apache/skywalking-eyes/header@ed436a5593c63a25f394ea29da61b0ac3731a9fe
 with:
 mode: check
 config: .github/licenserc.yml
 - name: Check dependencies license
- uses: apache/skywalking-eyes/dependency@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91
+ uses: apache/skywalking-eyes/dependency@ed436a5593c63a25f394ea29da61b0ac3731a9fe
 with:
 config: .github/licenserc.yml
 flags:
@@ -67,7 +67,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 submodules: recursive
 - name: Run link check
diff --git a/.github/workflows/pr-to-main.yml b/.github/workflows/pr-to-main.yml
index bbcb4ca8e..6ce008c90 100644
--- a/.github/workflows/pr-to-main.yml
+++ b/.github/workflows/pr-to-main.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: git checkout
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 # https://github.com/marketplace/actions/github-pull-request-action
 - name: create pull request with reposync action
diff --git a/README.md b/README.md
index fbb1a1978..8370ee7d9 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Please see [Ratify website](https://ratify.dev/docs/quick-start) for a quick sta
 ## Community meetings
 - Agenda:
-- We hold a weekly Ratify community meeting on Thurs 12:00 - 1:00 AM (UTC)
+- We hold a weekly Ratify community meeting on Weds 4:30-5:30pm (Pacific Time)
 Get Ratify Community Meeting Calendar [here](https://calendar.google.com/calendar/u/0?cid=OWJjdTF2M3ZiZGhubm1mNmJyMDhzc2swNTRAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
 - We meet regularly to discuss and prioritize issues. The meeting may get cancelled due to holidays, all cancellation will be posted to meeting notes prior to the meeting.
 - Reach out on Slack at [cloud-native.slack.com#ratify](https://cloud-native.slack.com/archives/C03T3PEKVA9). If you're not already a member of cloud-native slack channel, first add [yourself here](https://communityinviter.com/apps/cloud-native/cncf).
@@ -69,4 +69,4 @@ This project is released under the [Apache-2.0 License](./LICENSE).
 This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines][microsoft-trademark]. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
-[microsoft-trademark]: https://www.microsoft.com/legal/intellectualproperty/trademarks
+[microsoft-trademark]: https://www.microsoft.com/legal/intellectualproperty/trademarks
\ No newline at end of file
diff --git a/go.mod b/go.mod
index a421ac098..e68611ac0 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
 go.opentelemetry.io/otel/metric v1.22.0
 go.opentelemetry.io/otel/sdk/metric v0.39.0
 golang.org/x/sync v0.6.0
- google.golang.org/grpc v1.61.2
+ google.golang.org/grpc v1.61.1
 google.golang.org/protobuf v1.33.0
 k8s.io/api v0.28.8
 k8s.io/apimachinery v0.28.8
diff --git a/go.sum b/go.sum
index 460662d2e..f66fe0c0c 100644
--- a/go.sum
+++ b/go.sum
@@ -1157,8 +1157,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.61.2 h1:TzJay21lXCf7BiNFKl7mSskt5DlkKAumAYTs52SpJeo=
-google.golang.org/grpc v1.61.2/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
+google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY=
+google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
From 034f5ec523e48839003f3a232890ff9d626b63ce Mon Sep 17 00:00:00 2001
From: Binbin Li
Date: Tue, 9 Apr 2024 14:39:08 +0800
Subject: [PATCH 4/4] build: Add codecov token (#1373)
---
.github/workflows/e2e-cli.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
index 6a391bee6..30ecfc5f5 100644
--- a/.github/workflows/e2e-cli.yml
+++ b/.github/workflows/e2e-cli.yml
@@ -37,6 +37,8 @@ jobs:
 run: bin/ratify version
 - name: Upload coverage to codecov.io
 uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 - name: Run helm lint
 run: helm lint charts/ratify
 build_test_cli:
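Review bot: The `CODECOV_TOKEN` env added under the codecov step is only populated for events that can read repository secrets; on `pull_request` runs from forks `${{ secrets.CODECOV_TOKEN }}` expands to an empty string, so the upload silently degrades to a tokenless attempt or fails, and nothing in the hunk pins which outcome is wanted — the workflow's `on:` and `permissions:` blocks are outside the hunk, so confirm the triggers. Make the intent explicit by setting `fail_ci_if_error` under a `with:` block on this step (true if a missing token should fail the job, false if the upload is best-effort) and add `# CODECOV_TOKEN is empty on fork PRs; upload is best-effort there` above the `env:` line. Separately, this patch's `index 6a391bee6..30ecfc5f5` line is based on the pre-revert blob, while PATCH 3/4 leaves e2e-cli.yml at `8405160d6`, so the series as ordered may not apply cleanly — worth checking before merging.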
@@ -63,6 +65,8 @@ jobs:
 make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
 - name: Upload coverage to codecov.io
 uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 markdown-link-check:
 runs-on: ubuntu-latest
 steps:
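Review bot: The token is scoped to the upload step's `env:` only, which is the right choice given that the preceding `make test-e2e-cli` step executes code from the checked-out tree and should not see the secret in its process environment — but nothing records that this scoping is deliberate, and the same two-line block is now repeated in two jobs, which invites a future "hoist to job/workflow env" cleanup that would widen exposure. Add `# step-scoped on purpose: do not hoist to job or workflow env` above `env:` in both places. If the trigger ever includes `pull_request_target` (outside the hunk), re-evaluate whether the secret should be present in this job at all.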