diff --git a/.github/codecov.yml b/.github/codecov.yml
index 193437e4d..cbfef6428 100644
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@@ -1,2 +1,7 @@
 ignore:
- - "./api" # ignore folders and all its contents
\ No newline at end of file
+ - "./api" # ignore folders and all its contents
+coverage:
+ status:
+ patch:
+ default:
+ target: 80%
\ No newline at end of file
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index 101293e96..de7b58652 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -21,11 +21,11 @@ jobs:
 timeout-minutes: 15
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
 with:
 egress-policy: audit
- - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
 go-version: "1.22"
 check-latest: true
@@ -37,12 +37,12 @@ jobs:
 timeout-minutes: 15
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
 with:
 egress-policy: audit
 - name: Check out code into the Go module directory
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
 - name: Download trivy
 run: |
diff --git a/charts/ratify/Chart.yaml b/charts/ratify/Chart.yaml
index 173ba0f0b..57fba1d69 100644
--- a/charts/ratify/Chart.yaml
+++ b/charts/ratify/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: ratify
 description: A Helm chart for Ratify
-version: 1.12.0
-appVersion: v1.1.0
+version: 1.13.0
+appVersion: v1.2.0
 home: https://github.com/deislabs/ratify
 icon: https://raw.githubusercontent.com/deislabs/ratify/main/logo.svg
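Review bot: The file still ends without a trailing newline — both the removed and the added last line carry `\ No newline at end of file` — so the next edit to this file will again show spurious churn on the last line; terminate the file with a newline after `target: 80%`. The new patch status sets `target: 80%` with no `threshold`, so a pull request whose changed lines land even slightly under 80% gets a failing check with no tolerance; if that strictness is intended, fine, otherwise add a `threshold:` (e.g. `threshold: 5%`, a constructed value) under `default:`. The carried-over comment reads better as `# ignore this folder and all of its contents`.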
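Review bot: The new `actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29` pin carries no release-tag comment, while every other pinned action in this file (`harden-runner … # v2.8.0`, `setup-go … # v5.0.1`) documents which version the SHA resolves to; the old checkout SHA on the removed line lacked it too, so this is carried over rather than introduced. Add `# v<release tag this SHA resolves to>` after the SHA so a reviewer can check the pin against the upstream release and version-bump tooling keeps it current. Separately, `egress-policy: audit` on the Harden Runner step only records outbound connections from the runner; it blocks nothing, which is worth remembering for a job that downloads and runs trivy.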
diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml
index 34a20ad41..7d97c5489 100644
--- a/charts/ratify/values.yaml
+++ b/charts/ratify/values.yaml
@@ -1,7 +1,7 @@
 image:
 repository: ghcr.io/deislabs/ratify
 crdRepository: ghcr.io/deislabs/ratify-crds
- tag: v1.1.0
+ tag: v1.2.0
 pullPolicy: IfNotPresent
 nameOverride: ""
diff --git a/helmfile.yaml b/helmfile.yaml
index 310facfe6..ef854c134 100644
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -3,13 +3,13 @@ repositories:
 url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: ratify
 url: https://deislabs.github.io/ratify
-
+
 releases:
 - name: gatekeeper
 namespace: gatekeeper-system
 createNamespace: true
 chart: gatekeeper/gatekeeper
- version: 3.14.0
+ version: 3.16.0
 wait: true
 set:
 - name: enableExternalData
@@ -23,7 +23,7 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify
- version: 1.12.1 # Make sure this matches Chart.yaml
+ version: 1.13.0 # Make sure this matches Chart.yaml
 wait: true
 needs:
 - gatekeeper
@@ -60,6 +60,11 @@ releases:
 - "verifiers.config.ratify.deislabs.io"
 - "certificatestores.config.ratify.deislabs.io"
 - "policies.config.ratify.deislabs.io"
+ - "keymanagementproviders.config.ratify.deislabs.io"
+ - "namespacedkeymanagementproviders.config.ratify.deislabs.io"
+ - "namespacedpolicies.config.ratify.deislabs.io"
+ - "namespacedstores.config.ratify.deislabs.io"
+ - "namespacedverifiers.config.ratify.deislabs.io"
 - events: ["postuninstall"]
 showlogs: true
 command: "kubectl"
@@ -70,7 +75,7 @@ releases:
 - "-n"
 - "gatekeeper-system"
 set:
- - name: notationCert
+ - name: notationCerts[0]
 value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
 - name: featureFlags.RATIFY_CERT_ROTATION
 value: true
diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml
index f99e1b92b..bc2a2f952 100644
--- a/high-availability.helmfile.yaml
+++ b/high-availability.helmfile.yaml
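Review bot: The renamed `notationCerts[0]` entry is still populated at render time by `exec "curl"` with `-sSL` but no `-f`/`--fail`: if the fetch returns an HTTP error, curl writes the error body to stdout and that body — not a certificate — becomes the trust anchor passed to the chart, and because the URL tracks the `main` branch rather than a tag, the certificate this deployment trusts can change without any change to this file. At minimum make the fetch fail loudly, `value: {{ exec "curl" (list "-fsSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}`; pinning the URL to a release tag or commit, or vendoring the certificate into the repository, would make the trust anchor reviewable in the diff. The same construct appears in the last hunk of high-availability.helmfile.yaml (`notationCerts[0]`) and needs the same treatment.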
@@ -1,4 +1,6 @@
 repositories:
+ - name: gatekeeper
+ url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: dapr
 url: https://dapr.github.io/helm-charts/
 - name: bitnami
@@ -11,10 +13,26 @@ releases:
 namespace: dapr-system
 createNamespace: true
 chart: dapr/dapr
- version: 1.11.1
+ version: 1.13.2
 wait: true
+ - name: gatekeeper
+ namespace: gatekeeper-system
+ createNamespace: true
+ chart: gatekeeper/gatekeeper
+ version: 3.16.0
+ wait: true
+ set:
+ - name: enableExternalData
+ value: true
+ - name: validatingWebhookTimeoutSeconds
+ value: 5
+ - name: mutatingWebhookTimeoutSeconds
+ value: 2
+ - name: externaldataProviderResponseCacheTTL
+ value: 10s
 - name: redis
 namespace: gatekeeper-system
+ createNamespace: true
 chart: bitnami/redis
 version: 17.11.6
 wait: true
@@ -32,11 +50,12 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify
- version: 1.12.1 # Make sure this matches Chart.yaml
+ version: 1.13.0 # Make sure this matches Chart.yaml
 wait: true
 needs:
 - dapr-system/dapr
 - gatekeeper-system/redis
+ - gatekeeper-system/gatekeeper
 hooks:
 - events: ["presync"]
 showlogs: true
@@ -53,6 +72,12 @@ releases:
 - "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml"
 - "-n"
 - "gatekeeper-system"
+ - events: ["presync"]
+ showlogs: true
+ command: "bash"
+ args:
+ - "-c"
+ - "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
 - events: ["postuninstall"]
 showlogs: true
 command: "kubectl"
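Review bot: The new presync hook applies the constraint template and then the constraint in a single `&&` chain from `https://deislabs.github.io/ratify/library/default/...` with nothing pinned, so the admission policy this environment enforces is whatever is published at that path at sync time and can change without a commit here. Gatekeeper also registers the constraint's CRD asynchronously after the ConstraintTemplate is applied, so on a fresh cluster the second `kubectl apply` is likely to fail with a no-matches-for-kind error; insert a `kubectl wait --for=condition=established crd/<constraint-kind-crd>` between the two applies (the CRD name is not visible in this diff). Pinning both URLs to a tagged release, or vendoring the two manifests under the repository's test data as the dapr-redis hook above does, would make the enforced policy reviewable.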
@@ -99,6 +124,10 @@ releases:
 - "verifiers.config.ratify.deislabs.io"
 - "certificatestores.config.ratify.deislabs.io"
 - "policies.config.ratify.deislabs.io"
+ - "namespacedkeymanagementproviders.config.ratify.deislabs.io"
+ - "namespacedpolicies.config.ratify.deislabs.io"
+ - "namespacedstores.config.ratify.deislabs.io"
+ - "namespacedverifiers.config.ratify.deislabs.io"
 - events: ["postuninstall"]
 showlogs: true
 command: "kubectl"
@@ -115,7 +144,7 @@ releases:
 value: true
 - name: logger.level
 value: debug
- - name: notationCert
+ - name: notationCerts[0]
 value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
 - name: replicaCount
 value: 2
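Review bot: The CRD list added here omits `keymanagementproviders.config.ratify.deislabs.io`, which the parallel hunk in helmfile.yaml adds alongside the same four `namespaced*` entries; if this list feeds a `kubectl delete crd` in the postuninstall hook (the hook's command and the start of its `args:` list are outside the hunk), uninstalling the HA deployment will leave that CRD and any of its resources behind. Add `- "keymanagementproviders.config.ratify.deislabs.io"` so both helmfiles clean up the same set of CRDs, and consider a comment on the list noting that it must be kept in sync with helmfile.yaml.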