Merge branch 'dev' into make-notation-verifier-installation-optional

.devcontainer/Dockerfile

@@ -14,7 +14,7 @@
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile
 
 # [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.22-bullseye, 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
-FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:8cb4ef68d402b85b52c955ff16410e499cf7604527634d99a2a1922a93751795
+FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:fdc107cfc1c9423d56a0c633239576ac3f7ca503453e07976efa2a0ae9e0cb65
 
 # [Choice] Node.js version: none, lts/*, 18, 16, 14
 ARG NODE_VERSION="none"

.github/workflows/codeql.yml

@@ -38,12 +38,12 @@ jobs:
         with:
           go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
+        uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # tag=v3.26.5
         with:
           languages: go
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
+        uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # tag=v3.26.5

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
           fetch-depth: 0
 
     - name: Install Syft
-      uses: anchore/sbom-action/download-syft@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0
+      uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
 
     - name: Set up Go
       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2

.github/workflows/scorecards.yml

@@ -55,6 +55,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
+        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # tag=v3.26.5
         with:
           sarif_file: results.sarif

CONTRIBUTING.md

@@ -10,15 +10,33 @@ Welcome! We are very happy to accept community contributions to Ratify, whether
 * Checkout the repo locally with `git clone [email protected]:{your_username}/ratify.git`.
 * Build the Ratify CLI with `go build -o ./bin/ratify ./cmd/ratify` or if on Mac/Linux/WSL `make build-cli`.
 
+## Feature Enhancements
+For non-trivial enhancements or bug fixes, please start by raising a document PR. You can refer to the example [here](https://github.com/ratify-project/ratify/blame/dev/docs/proposals/Release-Supply-Chain-Metadata.md).
+
+Major user experience updates should be documented in [/doc/proposals](https://github.com/ratify-project/ratify/tree/dev/docs/proposals). Changes to technical implementation should be added to [/doc/design](https://github.com/ratify-project/ratify/tree/dev/docs/design).  
+
+Consider adding the following section where applicable:
+- Proposed changes
+- Proposed feature flag
+- Impacted code paths
+- Required test coverage
+- Backward compatibility
+- Performance impact
+- Security consideration
+- Open questions
+
+This approach ensures that the changes are well-documented and reviewed before implementation.
+
 ## Pull Requests
 
 If you'd like to start contributing to Ratify, you can search for issues tagged as "good first issue" [here](https://github.com/ratify-project/ratify/labels/good%20first%20issue).
 
 We use the `dev` branch as the our default branch. PRs passing the basic set of validation can be merged to the `dev` branch, we then run the full suite of validation including cloud specific tests on `dev` before changes can be merged into `main`. All ratify release are cut from the `main` branch. A sample PR process is outlined below:
 1. Fork this repo and create your dev branch from default `dev` branch.
-2. Create a PR against default branch
-3. Maintainer approval and e2e test validation is required for completing the PR.
-4. On PR complete, the `push` event will trigger an automated PR targeting the `main` branch where we run a full suite validation including cloud specific tests.
+2. Create a PR against default branch.
+3. Add new unit test and [e2e test](https://github.com/ratify-project/ratify/tree/dev/test/bats) where approriate.
+4. Maintainer approval and e2e test validation is required for completing the PR.
+5. On PR complete, the `push` event will trigger an automated PR targeting the `main` branch where we run a full suite validation including cloud specific tests.
 6. Manual merge is required to complete the PR. (**Please keep individual commits to maintain commit history**)
 
 If the PR contains a regression that could not pass the full validation, please revert the change to unblock others:
@@ -54,7 +72,9 @@ The Ratify project is composed of the following main components:
 
 Ratify can run through cli command or run as a http server. Create a [launch.json](https://code.visualstudio.com/docs/editor/debugging#_launch-configurations) file in the .vscode directory, then hit F5 to debug. Note the first debug session may take a few minutes to load, subsequent session will be much faster.
 
-Sample json for cli:
+Here is a sample json for cli. Note that for the following sample json to successfully work, you need to make sure that `verificationCerts` attribute of the verifier in your config file points to the notation verifier's certificate file. In order to do that, you can download the cert file with the following command:
+`curl -sSLO https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt`, 
+and then modify the config file by setting the `verificationCerts` attribute in the notation verifier to the downloaded cert file path.
 
 ```json
 {
@@ -65,7 +85,11 @@ Sample json for cli:
       "request": "launch",
       "mode": "debug",
       "program": "${workspaceFolder}/cmd/ratify",
-      "args": ["verify", "-s", "ratify.azurecr.io/testimage@sha256:9515b691095051d68b4409a30c4819c98bd6f4355d5993a7487687cdc6d47cc3"]
+      "args": [
+                "verify", 
+                "-s", "ghcr.io/deislabs/ratify/notary-image:signed", 
+                "-c", "${workspaceFolder}/test/bats/tests/config/config_cli.json"
+      ]
     }]
 }
 ```

README.md

@@ -21,6 +21,7 @@ Is a verification engine as a binary executable and on Kubernetes which enables
   - [Pull Request Review Series](#pull-request-review-series)
   - [Documents](#documents)
   - [Code of Conduct](#code-of-conduct)
+  - [Project Governance](#project-governance)
   - [Release Management](#release-management)
   - [Licensing](#licensing)
   - [Trademark](#trademark)
@@ -44,14 +45,20 @@ Get Ratify Community Meeting Calendar [here](https://calendar.google.com/calenda
 
 ## Documents
 
-Please see the [Ratify website](https://ratify.dev/docs/what-is-ratify)  for more in-depth information.
+Please see the [Ratify website](https://ratify.dev/docs/what-is-ratify) for more in-depth information.
 
-Meeting notes for weekly project syncs can be found [here](https://hackmd.io/ABueHjizRz2iFQpWnQrnNA?both)
+Meeting notes for weekly project syncs can be found [here](https://hackmd.io/ABueHjizRz2iFQpWnQrnNA?both).
+
+The Ratify community documents can be found in the repository [`.github`](https://github.com/ratify-project/.github).
 
 ## Code of Conduct
 
 Ratify follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 
+## Project Governance
+
+The Ratify project governance can be found [here](https://github.com/ratify-project/.github/blob/main/GOVERNANCE.md).
+
 ## Release Management
 
 The Ratify release process is defined in [RELEASES.md](./RELEASES.md).

api/v1beta1/keymanagementproviders_types.go

@@ -31,6 +31,10 @@ type KeyManagementProviderSpec struct {
 	// Name of the key management provider
 	Type string `json:"type,omitempty"`
 
+	// Refresh interval for fetching the certificate/key files from the provider. Only for providers that are refreshable. The value is in the format of "1h30m" where "h" means hour and "m" means minute. Valid time units are units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+	// +kubebuilder:default=""
+	RefreshInterval string `json:"refreshInterval,omitempty"`
+
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// Parameters of the key management provider
 	Parameters runtime.RawExtension `json:"parameters,omitempty"`

api/v1beta1/namespacedkeymanagementprovider_types.go

@@ -32,6 +32,10 @@ type NamespacedKeyManagementProviderSpec struct {
 	// Name of the key management provider
 	Type string `json:"type,omitempty"`
 
+	// Refresh interval for the key management provider. Only used if the key management provider is refreshable. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+	// +kubebuilder:default=""
+	RefreshInterval string `json:"refreshInterval,omitempty"`
+
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// Parameters of the key management provider
 	Parameters runtime.RawExtension `json:"parameters,omitempty"`

charts/ratify/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: ratify
 description: A Helm chart for Ratify
-version: 1.13.2
-appVersion: v1.2.1
+version: 1.13.3
+appVersion: v1.2.2
 home: https://github.com/ratify-project/ratify
 icon: https://raw.githubusercontent.com/ratify-project/ratify/main/logo.svg

charts/ratify/crds/keymanagementprovider-customresourcedefinition.yaml

@@ -14,73 +14,87 @@ spec:
     singular: keymanagementprovider
   scope: Cluster
   versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.issuccess
-      name: IsSuccess
-      type: boolean
-    - jsonPath: .status.brieferror
-      name: Error
-      type: string
-    - jsonPath: .status.lastfetchedtime
-      name: LastFetchedTime
-      type: date
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: KeyManagementProvider is the Schema for the keymanagementproviders
-          API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: KeyManagementProviderSpec defines the desired state of KeyManagementProvider
-            properties:
-              parameters:
-                description: Parameters of the key management provider
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              type:
-                description: Name of the key management provider
-                type: string
-            type: object
-          status:
-            description: KeyManagementProviderStatus defines the observed state of
-              KeyManagementProvider
-            properties:
-              brieferror:
-                description: Truncated error message if the message is too long
-                type: string
-              error:
-                description: Error message if operation was unsuccessful
-                type: string
-              issuccess:
-                description: Is successful in loading certificate/key files
-                type: boolean
-              lastfetchedtime:
-                description: The time stamp of last successful certificate/key fetch
-                  operation. If operation failed, last fetched time shows the time
-                  of error
-                format: date-time
-                type: string
+    - additionalPrinterColumns:
+        - jsonPath: .status.issuccess
+          name: IsSuccess
+          type: boolean
+        - jsonPath: .status.brieferror
+          name: Error
+          type: string
+        - jsonPath: .status.lastfetchedtime
+          name: LastFetchedTime
+          type: date
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description:
+            KeyManagementProvider is the Schema for the keymanagementproviders
+            API
+          properties:
+            apiVersion:
+              description:
+                "APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description:
+                "Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: KeyManagementProviderSpec defines the desired state of KeyManagementProvider
               properties:
-                description: provider specific properties of the each individual certificate/key
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-            required:
-            - issuccess
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
+                refreshInterval:
+                  default: ""
+                  description:
+                    Refresh interval for fetching the certificate/key files
+                    from the provider. Only for providers that are refreshable. The
+                    value is in the format of "1h30m" where "h" means hour and "m" means
+                    minute. Valid time units are units are "ns", "us" (or "µs"), "ms",
+                    "s", "m", "h".
+                  type: string
+                parameters:
+                  description: Parameters of the key management provider
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                type:
+                  description: Name of the key management provider
+                  type: string
+              type: object
+            status:
+              description:
+                KeyManagementProviderStatus defines the observed state of
+                KeyManagementProvider
+              properties:
+                brieferror:
+                  description: Truncated error message if the message is too long
+                  type: string
+                error:
+                  description: Error message if operation was unsuccessful
+                  type: string
+                issuccess:
+                  description: Is successful in loading certificate/key files
+                  type: boolean
+                lastfetchedtime:
+                  description:
+                    The time stamp of last successful certificate/key fetch
+                    operation. If operation failed, last fetched time shows the time
+                    of error
+                  format: date-time
+                  type: string
+                properties:
+                  description: provider specific properties of the each individual certificate/key
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+              required:
+                - issuccess
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}