From 6b30acef8570ee7548847dc6c437d7739bda0d60 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 31 May 2024 09:54:27 -0700 Subject: [PATCH 1/5] chore: Bump actions/checkout from 4.1.2 to 4.1.6 (#1530) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scan-vulns.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index 101293e96..16ff7f087 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -42,7 +42,7 @@ jobs: egress-policy: audit - name: Check out code into the Go module directory - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 - name: Download trivy run: | From fe662a43b59f4c882caf2bbf3704e37ff6fa6fbb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 31 May 2024 17:21:38 +0000 Subject: [PATCH 2/5] chore: Bump step-security/harden-runner from 2.7.0 to 2.8.0 (#1529) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scan-vulns.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index 16ff7f087..86689e85c 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -21,7 +21,7 @@ jobs: timeout-minutes: 15 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit 
@@ -37,7 +37,7 @@ jobs: timeout-minutes: 15 steps: - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit From 7a2d7c611164e5015d8ec1e882c42896d8f60d09 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 31 May 2024 17:49:46 +0000 Subject: [PATCH 3/5] chore: Bump actions/setup-go from 5.0.0 to 5.0.1 (#1528) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scan-vulns.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index 86689e85c..de7b58652 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -25,7 +25,7 @@ jobs: with: egress-policy: audit - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: "1.22" check-latest: true From 1bac149edb9f1ae79d19519a2585fab235b287e3 Mon Sep 17 00:00:00 2001 From: Binbin Li Date: Sat, 1 Jun 2024 03:16:18 +0800 Subject: [PATCH 4/5] ci: set patch coverage target to 80% (#1527) --- .github/codecov.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/codecov.yml b/.github/codecov.yml index 193437e4d..cbfef6428 100644 --- a/.github/codecov.yml +++ b/.github/codecov.yml @@ -1,2 +1,7 @@ ignore: - - "./api" # ignore folders and all its contents \ No newline at end of file + - "./api" # ignore folders and all its contents +coverage: + status: + patch: + default: + target: 80% \ No newline at end of file From b9446ef8e6d241f28510663eb3af3044ac938a03 Mon Sep 17 00:00:00 2001 
From: Susan Shi Date: Sat, 1 Jun 2024 07:56:36 +1000 Subject: [PATCH 5/5] chore: update ratify charts to 1.2 (#1526) --- charts/ratify/Chart.yaml | 4 ++-- charts/ratify/values.yaml | 2 +- helmfile.yaml | 13 ++++++++---- high-availability.helmfile.yaml | 35 ++++++++++++++++++++++++++++++--- 4 files changed, 44 insertions(+), 10 deletions(-) diff --git a/charts/ratify/Chart.yaml b/charts/ratify/Chart.yaml index 173ba0f0b..57fba1d69 100644 --- a/charts/ratify/Chart.yaml +++ b/charts/ratify/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: ratify description: A Helm chart for Ratify -version: 1.12.0 -appVersion: v1.1.0 +version: 1.13.0 +appVersion: v1.2.0 home: https://github.com/deislabs/ratify icon: https://raw.githubusercontent.com/deislabs/ratify/main/logo.svg diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index 34a20ad41..7d97c5489 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml @@ -1,7 +1,7 @@ image: repository: ghcr.io/deislabs/ratify crdRepository: ghcr.io/deislabs/ratify-crds - tag: v1.1.0 + tag: v1.2.0 pullPolicy: IfNotPresent nameOverride: "" diff --git a/helmfile.yaml b/helmfile.yaml index 310facfe6..ef854c134 100644 --- a/helmfile.yaml +++ b/helmfile.yaml @@ -3,13 +3,13 @@ repositories: url: https://open-policy-agent.github.io/gatekeeper/charts - name: ratify url: https://deislabs.github.io/ratify - + releases: - name: gatekeeper namespace: gatekeeper-system createNamespace: true chart: gatekeeper/gatekeeper - version: 3.14.0 + version: 3.16.0 wait: true set: - name: enableExternalData @@ -23,7 +23,7 @@ releases: - name: ratify namespace: gatekeeper-system chart: ratify/ratify - version: 1.12.1 # Make sure this matches Chart.yaml + version: 1.13.0 # Make sure this matches Chart.yaml wait: true needs: - gatekeeper 
@@ -60,6 +60,11 @@ releases: - "verifiers.config.ratify.deislabs.io" - "certificatestores.config.ratify.deislabs.io" - "policies.config.ratify.deislabs.io" + - "keymanagementproviders.config.ratify.deislabs.io" + - "namespacedkeymanagementproviders.config.ratify.deislabs.io" + - "namespacedpolicies.config.ratify.deislabs.io" + - "namespacedstores.config.ratify.deislabs.io" + - "namespacedverifiers.config.ratify.deislabs.io" - events: ["postuninstall"] showlogs: true command: "kubectl" @@ -70,7 +75,7 @@ releases: - "-n" - "gatekeeper-system" set: - - name: notationCert + - name: notationCerts[0] value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }} - name: featureFlags.RATIFY_CERT_ROTATION value: true diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml index f99e1b92b..bc2a2f952 100644 --- a/high-availability.helmfile.yaml +++ b/high-availability.helmfile.yaml @@ -1,4 +1,6 @@ repositories: + - name: gatekeeper + url: https://open-policy-agent.github.io/gatekeeper/charts - name: dapr url: https://dapr.github.io/helm-charts/ - name: bitnami @@ -11,10 +13,26 @@ releases: namespace: dapr-system createNamespace: true chart: dapr/dapr - version: 1.11.1 + version: 1.13.2 wait: true + - name: gatekeeper + namespace: gatekeeper-system + createNamespace: true + chart: gatekeeper/gatekeeper + version: 3.16.0 + wait: true + set: + - name: enableExternalData + value: true + - name: validatingWebhookTimeoutSeconds + value: 5 + - name: mutatingWebhookTimeoutSeconds + value: 2 + - name: externaldataProviderResponseCacheTTL + value: 10s - name: redis namespace: gatekeeper-system + createNamespace: true chart: bitnami/redis version: 17.11.6 wait: true 
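Review bot: The renamed `notationCerts[0]` key is still populated by `curl -sSL` against the `main` branch of the repo, so the trust anchor installed next to a chart now pinned to `1.13.0`/`v1.2.0` is whatever `main` serves at render time, and without `-f` an HTTP error body would be `quote`d into the value and installed as the certificate rather than aborting the sync. Since this commit is the one pinning the release, pin the fetched ref as well and fail on HTTP errors, e.g. `value: {{ exec "curl" (list "-fsSL" "https://raw.githubusercontent.com/deislabs/ratify/v1.2.0/test/testdata/notation.crt") | quote }}`, assuming that file exists at the tag. The same `exec "curl"` pattern is repeated in high-availability.helmfile.yaml and would need the same treatment.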
@@ -32,11 +50,12 @@ releases: - name: ratify namespace: gatekeeper-system chart: ratify/ratify - version: 1.12.1 # Make sure this matches Chart.yaml + version: 1.13.0 # Make sure this matches Chart.yaml wait: true needs: - dapr-system/dapr - gatekeeper-system/redis + - gatekeeper-system/gatekeeper hooks: - events: ["presync"] showlogs: true @@ -53,6 +72,12 @@ releases: - "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml" - "-n" - "gatekeeper-system" + - events: ["presync"] + showlogs: true + command: "bash" + args: + - "-c" + - "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml" - events: ["postuninstall"] showlogs: true command: "kubectl" @@ -99,6 +124,10 @@ releases: - "verifiers.config.ratify.deislabs.io" - "certificatestores.config.ratify.deislabs.io" - "policies.config.ratify.deislabs.io" + - "namespacedkeymanagementproviders.config.ratify.deislabs.io" + - "namespacedpolicies.config.ratify.deislabs.io" + - "namespacedstores.config.ratify.deislabs.io" + - "namespacedverifiers.config.ratify.deislabs.io" - events: ["postuninstall"] showlogs: true command: "kubectl" @@ -115,7 +144,7 @@ releases: value: true - name: logger.level value: debug - - name: notationCert + - name: notationCerts[0] value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }} - name: replicaCount value: 2
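Review bot: The new presync hook installs the Gatekeeper ConstraintTemplate and Constraint from `https://deislabs.github.io/ratify/library/default/...` with no version pin and no integrity check, so the admission policy enforced on the cluster is whatever that URL serves at sync time, while every chart in this file is pinned to an exact version (`1.13.0`, `3.16.0`, `1.13.2`). Because this runs as `bash -c` with `kubectl apply`, a changed or tampered manifest is applied silently and `helmfile` has no record of what was installed. Fetch the two manifests from a tagged ref (or vendor them into the repo, as the dapr-redis.yaml hook could also do) and fail on HTTP errors, e.g. `curl -fsSL <pinned-url> | kubectl apply -f -`; where the published copy is actually versioned needs confirming against the site's build. The constraint is applied before the ratify release itself exists, so whether admission requests in scope fail closed during that window depends on the sample constraint's enforcement action, which is not visible here.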
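Review bot: The postuninstall CRD list in this file omits `keymanagementproviders.config.ratify.deislabs.io`, which the same commit adds to the equivalent hook in helmfile.yaml; unless it already appears elsewhere in this list outside the hunk, uninstalling the HA setup will leave that CRD and any KeyManagementProvider objects (which carry verification certificates and keys) behind in the cluster. Add `- "keymanagementproviders.config.ratify.deislabs.io"` next to the namespaced variant so both helmfiles clean up the same set of CRDs.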