binbin-li · github-actions · Jun 24, 2024 · Jun 24, 2024 · Jun 24, 2024 · Jun 24, 2024
@@ -13,9 +13,8 @@
 
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile
 
-# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
-ARG VARIANT="1.21-bullseye"
-FROM mcr.microsoft.com/vscode/devcontainers/go:${VARIANT}
+# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.22-bullseye, 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
+FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:bdecb4ca0d168e7bd73b01e475d017aac0888ee22c7d4998a09858ab95157669
 
 # [Choice] Node.js version: none, lts/*, 18, 16, 14
 ARG NODE_VERSION="none"
@@ -31,7 +30,7 @@ RUN curl -Lo bats.tar.gz https://github.com/bats-core/bats-core/archive/v${BATS_
   && bash ./bats-core-${BATS_VERSION}/install.sh /usr/local \
   && rm -rf bats.tar.gz ./bats-core-${BATS_VERSION}
 
-ARG NOTATION_VERSION="1.0.0-rc.1"
+ARG NOTATION_VERSION="1.2.0"
 RUN curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v${NOTATION_VERSION}/notation_${NOTATION_VERSION}_linux_amd64.tar.gz \
   && tar -zxf notation.tar.gz \
   && mv ./notation /usr/local/bin/notation \
@@ -54,8 +53,8 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 
 # [Optional] Uncomment the next lines to use go get to install anything else you need
 USER vscode
-RUN go install google.golang.org/protobuf/cmd/[email protected] \
-  && go install google.golang.org/grpc/cmd/[email protected] \
+RUN go install google.golang.org/protobuf/cmd/[email protected].1 \
+  && go install google.golang.org/grpc/cmd/[email protected].0 \
   && chmod a+w -R /go/pkg
 
 # [Optional] Uncomment this line to install global node packages.

@@ -5,10 +5,10 @@
 	"build": {
 		"dockerfile": "Dockerfile",
 		"args": {
-			// Update the VARIANT arg to pick a version of Go: 1.21, 1.20, 1.19, 1.18
+			// Update the VARIANT arg to pick a version of Go: 1.22, 1.21, 1.20, 1.19, 1.18
 			// Append -bullseye or -buster to pin to an OS version.
 			// Use -bullseye variants on local arm64/Apple Silicon.
-			"VARIANT": "1.21-bullseye",
+			"VARIANT": "1.22-bullseye",
 			// Options
 			"NODE_VERSION": "none",
 			// Ratify-specific devcontainer options

@@ -1,2 +1,8 @@
 ignore:
-  - "./api"  # ignore folders and all its contents
+  - "./api" # ignore folders and all its contents
+  - "./experimental/proto/v1"
+coverage:
+  status:
+    patch:
+      default:
+        target: 80%
@@ -17,6 +17,32 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types:
-        - "version-update:semver-major"
-        - "version-update:semver-minor"
-
+          - "version-update:semver-major"
+          - "version-update:semver-minor"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/httpserver"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "golang"
+        versions: '> 1.22'
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "vscode/devcontainers/go"
+        versions: '> 1.22'
+    commit-message:
+      prefix: "chore"
@@ -29,7 +29,7 @@ header:
       limitations under the License.
 
   paths-ignore:
-    - "**/*.{md,svg,yaml,crt,json,pub,yml,pb.go,proto}"
+    - "**/*.{md,svg,yaml,crt,cer,json,pub,yml,pb.go,proto}"
     - "CODEOWNERS"
     - "PROJECT"
     - "NOTICE"
@@ -49,7 +49,7 @@ dependency:
     - go.mod
   licenses:
     - name: github.com/spdx/tools-golang
-      version: v0.5.3
+      version: v0.5.5
       license: Apache-2.0
     - name: github.com/alibabacloud-go/cr-20160607 # TODO: remove this when library is upgraded to v2.0.0
       version: v1.0.1

@@ -5,25 +5,28 @@ on:
     types: [labeled]
   pull_request:
     branches:
-      - staging
+      - dev
   workflow_dispatch:
 
 permissions: read-all
 
 jobs:
   call_test_cli:
     uses: ./.github/workflows/e2e-cli.yml
-
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
   call_test_e2e_basic:
     name: "run e2e on basic matrix"
+    if: ${{ ! (contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch') }}
     permissions:
       contents: read
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.27.7"]
-        GATEKEEPER_VERSION: ["3.15.0"]
-    uses: ./.github/workflows/e2e-k8s.yml 
+        KUBERNETES_VERSION: ["1.29.2"]
+        GATEKEEPER_VERSION: ["3.17.0"]
+    uses: ./.github/workflows/e2e-k8s.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
       gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
@@ -34,12 +37,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
-        GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
-    uses: ./.github/workflows/e2e-k8s.yml 
+        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
+        GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
+    uses: ./.github/workflows/e2e-k8s.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
-      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }} 
+      gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
 
   build_test_aks_e2e_conditional:
     name: "Build and run e2e Test on AKS with conditions"
@@ -50,37 +53,41 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
-        GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
+        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
+        GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
     uses: ./.github/workflows/e2e-aks.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
       gatekeeper_version: ${{ matrix.GATEKEEPER_VERSION }}
     secrets: inherit
-  
+
   aks-test-cleanup:
-    env:
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
-    needs: ['build_test_aks_e2e_conditional']
+    needs: ["build_test_aks_e2e_conditional"]
     runs-on: ubuntu-latest
     permissions:
       id-token: write
       contents: read
+    environment: azure-test
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Check out code into the Go module directory
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Set up Go 1.21
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - name: Set up Go 1.22
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.21'
+          go-version: "1.22"
 
       - name: Az CLI login
-        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
         with:
-          creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: clean up
         run: |
-          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
+          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
@@ -4,14 +4,22 @@ on:
     types:
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
-    steps:      
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Cleanup
         run: |
           gh extension install actions/gh-actions-cache
-          
+
           echo "Fetching list of cache key"
           cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
 
@@ -26,4 +34,4 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO: ${{ github.repository }}
-          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
+          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
@@ -0,0 +1,33 @@
+name: clean-dev-package
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  cleanup-packages:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: Clean up ratify-crds-dev
+        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
+        with:
+          package-name: "ratify-crds-dev"
+          package-type: "container"
+          min-versions-to-keep: 7
+          delete-only-pre-release-versions: "true"
+      - name: Clean up ratify-dev
+        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
+        with:
+          package-name: "ratify-dev"
+          package-type: "container"
+          min-versions-to-keep: 7
+          delete-only-pre-release-versions: "true"
@@ -1,17 +1,18 @@
-
 name: "CodeQL Scan"
 
 on:
   push:
-    branches: 
+    branches:
       - main
+      - dev
       - 1.0.0*
   pull_request:
-    branches: 
+    branches:
       - main
+      - dev
       - 1.0.0*
   schedule:
-    - cron: '30 1 * * 0'
+    - cron: "30 1 * * 0"
   workflow_dispatch:
 
 permissions: read-all
@@ -24,19 +25,24 @@ jobs:
       security-events: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=3.0.2
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=3.0.2
       - name: setup go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # tag=v2.13.4
+        uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # tag=v3.26.12
         with:
           languages: go
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # tag=v2.13.4
+        uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # tag=v3.26.12