Merge pull request #1683 from ratify-project/dev

ratify-project · Aug 5, 2024 · 98c8513 · 98c8513
2 parents 99d5629 + e222c72
commit 98c8513
Show file tree

Hide file tree

Showing 43 changed files with 1,065 additions and 83 deletions.
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -13,6 +13,8 @@ permissions: read-all
 jobs:
   call_test_cli:
     uses: ./.github/workflows/e2e-cli.yml
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   call_test_e2e_basic:
     name: "run e2e on basic matrix"
@@ -60,10 +62,6 @@ jobs:
     secrets: inherit
 
   aks-test-cleanup:
-    env:
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
     needs: ['build_test_aks_e2e_conditional']
     runs-on: ubuntu-latest
     permissions:
@@ -86,10 +84,10 @@ jobs:
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
         with:
-          client-id: ${{ env.AZURE_CLIENT_ID }}
-          tenant-id: ${{ env.AZURE_TENANT_ID }}
-          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: clean up
         run: |
-          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
+          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -38,12 +38,12 @@ jobs:
         with:
           go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # tag=v3.25.14
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # tag=v3.25.15
         with:
           languages: go
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # tag=v3.25.14
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # tag=v3.25.15
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
@@ -20,11 +20,6 @@ on:
 jobs:
   build_test_aks_e2e:
     name: "Build and run e2e Test on AKS"
-    env:
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-      AZURE_SP_OBJECT_ID: fd917b28-cdc0-4828-92c9-1ca8203842a3
     runs-on: ubuntu-latest
     timeout-minutes: 30
     environment: azure-test
@@ -46,9 +41,9 @@ jobs:
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
         with:
-          client-id: ${{ env.AZURE_CLIENT_ID }}
-          tenant-id: ${{ env.AZURE_TENANT_ID }}
-          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       - name: Cache AAD tokens
         run: |
           az version
@@ -66,10 +61,10 @@ jobs:
 
       - name: Run e2e on Azure
         run: |
-          make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ env.AZURE_SP_OBJECT_ID }}
+          make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ secrets.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ secrets.AZURE_SP_OBJECT_ID }}
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         if: ${{ always() }}
         with:
           name: e2e-logs-aks-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}

diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
@@ -2,6 +2,9 @@ name: e2e-cli
 
 on:
   workflow_call:
+    secrets:
+      CODECOV_TOKEN:
+        required: true
 
 permissions:
   contents: read
@@ -50,8 +53,8 @@ jobs:
         run: bin/ratify version
       - name: Upload coverage to codecov.io
         uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
       - name: Run helm lint
         run: helm lint charts/ratify
   build_test_cli:
@@ -83,8 +86,8 @@ jobs:
           make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
       - name: Upload coverage to codecov.io
         uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
   markdown-link-check:
       runs-on: ubuntu-latest
       steps:

diff --git a/.github/workflows/e2e-k8s.yml b/.github/workflows/e2e-k8s.yml
@@ -65,7 +65,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
           kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
       - name: Upload artifacts
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         if: ${{ always() }}
         with:
           name: e2e-logs-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -24,7 +24,7 @@ jobs:
           go-version: '1.22'
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
         with:
           version: v1.59.1
           args: --timeout=10m
diff --git a/.github/workflows/high-availability.yml b/.github/workflows/high-availability.yml
@@ -60,7 +60,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.DAPR_VERSION }}.json
           kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.DAPR_VERSION }}.json
       - name: Upload artifacts
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         if: ${{ always() }}
         with:
           name: e2e-logs-${{ matrix.DAPR_VERSION }}

diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
@@ -13,13 +13,30 @@ jobs:
     permissions:
       packages: write
       contents: read
+      id-token: write
+    environment: azure-publish
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - name: Install Notation
+        uses: notaryproject/notation-action/setup@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0
+      - name: Install cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - name: Az CLI login
+        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Cache AAD tokens
+        run: |
+          az version
+          # Key Vault: 
+          az account get-access-token --scope https://vault.azure.net/.default --output none
       - name: prepare
         id: prepare
         run: |
@@ -100,6 +117,27 @@ jobs:
         run: |
           helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
           helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+      - name: Sign with Notation
+        uses: notaryproject/notation-action/sign@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0
+        with:
+          plugin_name: azure-kv
+          plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
+          plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
+          key_id: ${{ secrets.AZURE_KV_KEY_ID }}
+          target_artifact_reference: |-
+            ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
+          signature_format: cose
+      - name: Sign with Cosign
+        run: |
+          cosign sign --yes ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+          cosign sign --yes ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+          cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+          cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+          cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
       - name: clear
         if: always()
         run: |

diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml
@@ -59,7 +59,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-config-policy.json
           kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-config-policy.json
       - name: Upload artifacts
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         if: ${{ always() }}
         with:
           name: e2e-logs-${{ matrix.KUBERNETES_VERSION }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,17 +24,21 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=3.0.2
       with:
           fetch-depth: 0
+
+    - name: Install Syft
+      uses: anchore/sbom-action/download-syft@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0
 
     - name: Set up Go
       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: '1.22'
 
     - name: Goreleaser
+      id: goreleaser
       uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
       with:
-        version: '1.18.0'
-        args: release --rm-dist
+        version: '2.0.1'
+        args: release --clean
       env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -45,7 +49,7 @@ jobs:
         $RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ratify -pv $GITHUB_REF_NAME -ps Microsoft -nsb https://microsoft.com -V Verbose
 
     - name: Upload a Build Artifact
-      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag=v4.3.4
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # tag=v4.3.5
       with:
         name: SBOM SPDX files
         path: _manifest/spdx_2.2/**
diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml
@@ -16,6 +16,8 @@ permissions: read-all
 jobs:
   call-e2e-cli:
     uses: ./.github/workflows/e2e-cli.yml
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   call_test_e2e_full:
     name: "Build and run e2e on full test matrix"
@@ -48,10 +50,6 @@ jobs:
     secrets: inherit
 
   aks-test-cleanup:
-    env:
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
     needs: ['build_test_aks_e2e']
     runs-on: ubuntu-latest
     permissions:
@@ -74,10 +72,10 @@ jobs:
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
         with:
-          client-id: ${{ env.AZURE_CLIENT_ID }}
-          tenant-id: ${{ env.AZURE_TENANT_ID }}
-          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: clean up
         run: |
-          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
+          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -38,21 +38,21 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # tag=v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
           repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag=v4.3.4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # tag=v4.3.5
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # tag=v3.25.14
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # tag=v3.25.15
         with:
           sarif_file: results.sarif
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -1,4 +1,5 @@
 # Check the documentation at https://goreleaser.com for more options
+version: 2
 before:
   hooks:
     - go mod tidy
@@ -57,15 +58,15 @@ release:
   prerelease: auto
   draft: true
 archives:
-  - replacements:
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-    format_overrides:
+  - format_overrides:
       - goos: windows
         format: zip
 checksum:
   name_template: 'checksums.txt'
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
 snapshot:
   name_template: '{{ incpatch .Version }}-next'
 changelog:

diff --git a/.well-known/pki-validation/ratify-verification.crt b/.well-known/pki-validation/ratify-verification.crt
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFsDCCA5igAwIBAgIQbZCNsoQpQC+/hsEf/FdjDjANBgkqhkiG9w0BAQsFADBa
+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxFzAV
+BgNVBAoTDnJhdGlmeS1wcm9qZWN0MRMwEQYDVQQDEwpyYXRpZnkuZGV2MB4XDTI0
+MDYxMDIyNDQ1OVoXDTI1MDYxMDIyNTQ1OVowWjELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRcwFQYDVQQKEw5yYXRpZnktcHJvamVj
+dDETMBEGA1UEAxMKcmF0aWZ5LmRldjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAM6wAPQhVoIA7qbckyk8qYYiTnKjlUXaThXn8RYe6+dYQjBypxciAyyJ
+NLbM675gXTc26rZDm29ldsych6G6VSP0wkziqZHIYKTSZ/kSzw0mm/KLRgHQPKsj
+PdhVYnLbg4keyKvSRBDmKl6I04VMNXERezJWpcK0F+6wtt6BKZOJRSPCbTPhHIVY
+U5iwqwMt9lOzNgWKsFUfTW+eZ2sPOJzpu78h/0JaOGgsms80Btm5UBjeJCWAOQDS
+VzurUk8Q5EX5X4faNbUiKLREY4210ELVZq8xU1yixkzO2reh9Sw6maG2YLW3W0rc
+bn1PTxz5ddvTF1r/J+A9JSQUhVCM7sEfh9oXW6az4OeZVCD1beG1mX5mtE/kzZqN
+9KfzvBSwdFx4D4t0KBG4/f2/k2pwZuTy3qqA+R9cd434jJpdY4/dQi0JTAG7XmuG
+HMpEM/1TQmXV3Nccwbyy5W2D07/y4fDVSxh2czumK8C7hWs0EX3CQ0C4mi0o3GjD
+1meir2GYKDqQUyVQx0gcDgOVDQRsyA2zQ3gUy7/7RGDbtaGN0XVT0kBMU66aS6Mj
+z69YEu+Yj3QNqVQL/Ms4A2G+mPXoqVTikQxbDI5Bi3d5U0Xu6zQ7/Wx+li1pO2TV
+3tNSyy5Tj/IT5Mou5e5oDt81yIfrXtb6Mye5zJ6uiqq5RwK9+b2BAgMBAAGjcjBw
+MA4GA1UdDwEB/wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMD
+MB8GA1UdIwQYMBaAFO4kXbjSuXzopPxrB1tKZ5g4oZQ/MB0GA1UdDgQWBBTuJF24
+0rl86KT8awdbSmeYOKGUPzANBgkqhkiG9w0BAQsFAAOCAgEASs8iFwuuh1lB1eM7
+cDM2rZfExb0RFXkcHWdF6+dEwuchn9rjKKXFLXU4k5sARKj+rTzxKGKNbymCLUto
+DzaJwwWygZu7HoG5DHGcj5StlBXNELMCoRwFW/MjRTv4Sfkiakw03PUBeiZeg8Xb
+SB3WuZreD0c/DPiONuXGSdx5cPgf0NkMTY8hiOoENP9eBCqcMhCUGMYRf1sIXr4m
+YWuS5KTB93DsWLjdw+X9FDi0irFa1uP01IM+iSsPtoGoT1tV8fnYl5anvBCLsh8U
+Y9vAXwJvZM6XlfA5XX4fzq82KuLASMBktyhXrYWeGBUOYOpQa4M3c/KiJyYjtm08
+pFRBdbzUwK1GF2mDfO/8oyyqPMhdkD3dO6/iToOklSLcNS4AVoTBE+S62QHHluBD
+zlmeVabCB/TGLRm5wlKKm7YRI7DJXF0HVQ5KS8vXjbT1MzN7WB+Iey2lelH3U+CR
+V50lbGJhvs8WiSojzcl1xJAvhRaWXZ/h8TCBI8srQzBlZ+/8o2zhs4nlEFrgurzq
+Vd+m0s1lM1iGHrE//AxlU7NVh2yCjrhPumQ53Sv53LG3Kl5RD86Pvhd01ORvKKNR
+zS27F63BGy6basxXtHR8ibCPNs1gbT24YLfaPiXmhy0j8dwPhEFGwQEIL8peSG56
+6OcrwcZ4J28hTXOl4EIJ2Prp9mQ=
+-----END CERTIFICATE-----