Merge branch 'dev' into issue-1131/refresher

.github/workflows/codeql.yml

@@ -38,12 +38,12 @@ jobs:
         with:
           go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
+        uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # tag=v3.26.2
         with:
           languages: go
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
+        uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # tag=v3.26.2

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
           fetch-depth: 0
 
     - name: Install Syft
-      uses: anchore/sbom-action/download-syft@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0
+      uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1
 
     - name: Set up Go
       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2

.github/workflows/scorecards.yml

@@ -55,6 +55,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
+        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # tag=v3.26.2
         with:
           sarif_file: results.sarif

README.md

@@ -21,6 +21,7 @@ Is a verification engine as a binary executable and on Kubernetes which enables
   - [Pull Request Review Series](#pull-request-review-series)
   - [Documents](#documents)
   - [Code of Conduct](#code-of-conduct)
+  - [Project Governance](#project-governance)
   - [Release Management](#release-management)
   - [Licensing](#licensing)
   - [Trademark](#trademark)
@@ -44,14 +45,20 @@ Get Ratify Community Meeting Calendar [here](https://calendar.google.com/calenda
 
 ## Documents
 
-Please see the [Ratify website](https://ratify.dev/docs/what-is-ratify)  for more in-depth information.
+Please see the [Ratify website](https://ratify.dev/docs/what-is-ratify) for more in-depth information.
 
-Meeting notes for weekly project syncs can be found [here](https://hackmd.io/ABueHjizRz2iFQpWnQrnNA?both)
+Meeting notes for weekly project syncs can be found [here](https://hackmd.io/ABueHjizRz2iFQpWnQrnNA?both).
+
+The Ratify community documents can be found in the repository [`.github`](https://github.com/ratify-project/.github).
 
 ## Code of Conduct
 
 Ratify follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 
+## Project Governance
+
+The Ratify project governance can be found [here](https://github.com/ratify-project/.github/blob/main/GOVERNANCE.md).
+
 ## Release Management
 
 The Ratify release process is defined in [RELEASES.md](./RELEASES.md).

charts/ratify/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: ratify
 description: A Helm chart for Ratify
-version: 1.13.2
-appVersion: v1.2.1
+version: 1.13.3
+appVersion: v1.2.2
 home: https://github.com/ratify-project/ratify
 icon: https://raw.githubusercontent.com/ratify-project/ratify/main/logo.svg

helmfile.yaml

@@ -23,7 +23,7 @@ releases:
   - name: ratify
     namespace: gatekeeper-system
     chart: ratify/ratify
-    version: 1.13.2 # Make sure this matches Chart.yaml
+    version: 1.13.3 # Make sure this matches Chart.yaml
     wait: true
     needs:
       - gatekeeper

high-availability.helmfile.yaml

@@ -50,7 +50,7 @@ releases:
   - name: ratify
     namespace: gatekeeper-system
     chart: ratify/ratify
-    version: 1.13.2 # Make sure this matches Chart.yaml
+    version: 1.13.3 # Make sure this matches Chart.yaml
     wait: true
     needs:
       - dapr-system/dapr

httpserver/handlers.go

@@ -141,12 +141,12 @@ func (server *Server) verify(ctx context.Context, w http.ResponseWriter, r *http
 						logger.GetLogger(ctx, server.LogOption).Warnf("unable to insert cache entry for subject %v", resolvedSubjectReference)
 					}
 				}
-
-				if res, err := json.MarshalIndent(result, "", "  "); err == nil {
-					logger.GetLogger(ctx, server.LogOption).Infof("verify result for subject %s: %s", resolvedSubjectReference, string(res))
-				}
 			}
-			returnItem.Value = fromVerifyResult(result, server.GetExecutor(ctx).PolicyEnforcer.GetPolicyType(ctx))
+			verificationResponse := fromVerifyResult(ctx, result, server.GetExecutor(ctx).PolicyEnforcer.GetPolicyType(ctx))
+			returnItem.Value = verificationResponse
+			if res, err := json.MarshalIndent(verificationResponse, "", "  "); err == nil {
+				logger.GetLogger(ctx, server.LogOption).Infof("verification response for subject %s: \n%s", resolvedSubjectReference, string(res))
+			}
 			logger.GetLogger(ctx, server.LogOption).Debugf("verification: execution time for image %s: %dms", resolvedSubjectReference, time.Since(routineStartTime).Milliseconds())
 		}(utils.SanitizeString(key), ctx)
 	}

httpserver/types.go

@@ -16,6 +16,10 @@ limitations under the License.
 package httpserver
 
 import (
+	"context"
+	"time"
+
+	"github.com/ratify-project/ratify/internal/logger"
 	"github.com/ratify-project/ratify/pkg/executor/types"
 	pt "github.com/ratify-project/ratify/pkg/policyprovider/types"
 )
@@ -32,17 +36,21 @@ const (
 type VerificationResponse struct {
 	Version         string        `json:"version"`
 	IsSuccess       bool          `json:"isSuccess"`
+	TraceID         string        `json:"traceID,omitempty"`
+	Timestamp       string        `json:"timestamp,omitempty"`
 	VerifierReports []interface{} `json:"verifierReports,omitempty"`
 }
 
-func fromVerifyResult(res types.VerifyResult, policyType string) VerificationResponse {
+func fromVerifyResult(ctx context.Context, res types.VerifyResult, policyType string) VerificationResponse {
 	version := ResultVersion0_2_0
 	if policyType == pt.RegoPolicy {
 		version = ResultVersion1_1_0
 	}
 	return VerificationResponse{
 		Version:         version,
 		IsSuccess:       res.IsSuccess,
+		Timestamp:       time.Now().Format(time.RFC3339Nano),
+		TraceID:         logger.GetTraceID(ctx),
 		VerifierReports: res.VerifierReports,
 	}
 }

httpserver/types_test.go

@@ -16,6 +16,7 @@ limitations under the License.
 package httpserver
 
 import (
+	"context"
 	"testing"
 
 	"github.com/ratify-project/ratify/pkg/executor/types"
@@ -43,7 +44,7 @@ func TestFromVerifyResult(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			if res := fromVerifyResult(result, tc.policyType); res.Version != tc.expectedVersion {
+			if res := fromVerifyResult(context.Background(), result, tc.policyType); res.Version != tc.expectedVersion {
 				t.Fatalf("Expected version to be %s, got %s", tc.expectedVersion, res.Version)
 			}
 		})

internal/logger/logger.go

@@ -101,6 +101,15 @@ func GetLogger(ctx context.Context, opt Option) dcontext.Logger {
 	return dcontext.GetLogger(ctx, ContextKeyComponentType)
 }
 
+// GetTraceID returns the trace ID from the context.
+func GetTraceID(ctx context.Context) string {
+	traceID := ctx.Value(ContextKeyTraceID)
+	if traceID == nil {
+		return ""
+	}
+	return traceID.(string)
+}
+
 // setTraceID sets the trace ID in the context. If the trace ID is not present in the request headers, a new one is generated.
 func setTraceID(ctx context.Context, r *http.Request) context.Context {
 	traceID := ""

internal/logger/logger_test.go

@@ -23,7 +23,6 @@ import (
 	"testing"
 
 	logstash "github.com/bshuster-repo/logrus-logstash-hook"
-	dcontext "github.com/docker/distribution/context"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 )
@@ -75,7 +74,7 @@ func TestInitContext(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			traceIDHeaderNames = tc.headerNames
 			ctx := InitContext(context.Background(), tc.r)
-			traceID := dcontext.GetStringValue(ctx, ContextKeyTraceID)
+			traceID := GetTraceID(ctx)
 			if traceID == "" {
 				t.Fatalf("expected non-empty traceID, but got empty one")
 			}

library/default/template.yaml

@@ -44,5 +44,5 @@ spec:
         general_violation[{"result": result}] {
           subject_validation := remote_data.responses[_]
           subject_validation[1].isSuccess == false
-          result := sprintf("Failed to verify the artifact: %s", [subject_validation[0]])
+          result := sprintf("Time=%s, failed to verify the artifact: %s, trace-id: %s", [subject_validation[1].timestamp, subject_validation[0], subject_validation[1].traceID])
         }