chore: automated PR to main 2024-06-30

.devcontainer/Dockerfile

@@ -13,8 +13,8 @@
 
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile
 
-# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
-FROM mcr.microsoft.com/vscode/devcontainers/go:1.21-bullseye@sha256:0ea3913135923a684b37f9e75a1e9adbb14551199244656b77f516c4c0c6d5bc
+# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.22-bullseye, 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
+FROM mcr.microsoft.com/vscode/devcontainers/go:1.22-bullseye@sha256:a80cd1df0fed16f2a6f6854b87df49940100449aa193fb55dc30acfdc7fd7309
 
 # [Choice] Node.js version: none, lts/*, 18, 16, 14
 ARG NODE_VERSION="none"

.devcontainer/devcontainer.json

@@ -5,10 +5,10 @@
 	"build": {
 		"dockerfile": "Dockerfile",
 		"args": {
-			// Update the VARIANT arg to pick a version of Go: 1.21, 1.20, 1.19, 1.18
+			// Update the VARIANT arg to pick a version of Go: 1.22, 1.21, 1.20, 1.19, 1.18
 			// Append -bullseye or -buster to pin to an OS version.
 			// Use -bullseye variants on local arm64/Apple Silicon.
-			"VARIANT": "1.21-bullseye",
+			"VARIANT": "1.22-bullseye",
 			// Options
 			"NODE_VERSION": "none",
 			// Ratify-specific devcontainer options

.github/dependabot.yml

@@ -33,7 +33,7 @@ updates:
       interval: "weekly"
     ignore:
       - dependency-name: "golang"
-        versions: '> 1.21'
+        versions: '> 1.22'
     commit-message:
       prefix: "chore"
 
@@ -43,6 +43,6 @@ updates:
       interval: "weekly"
     ignore:
       - dependency-name: "vscode/devcontainers/go"
-        versions: '> 1.21'
+        versions: '> 1.22'
     commit-message:
       prefix: "chore"

.github/licenserc.yml

@@ -49,7 +49,7 @@ dependency:
     - go.mod
   licenses:
     - name: github.com/spdx/tools-golang
-      version: v0.5.4
+      version: v0.5.5
       license: Apache-2.0
     - name: github.com/alibabacloud-go/cr-20160607 # TODO: remove this when library is upgraded to v2.0.0
       version: v1.0.1

.github/workflows/build-pr.yml

@@ -78,10 +78,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.21
+      - name: Set up Go 1.22
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1

.github/workflows/codeql.yml

@@ -36,14 +36,14 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # tag=v3.25.10
+        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # tag=v3.25.11
         with:
           languages: go
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # tag=v3.25.10
+        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # tag=v3.25.11

.github/workflows/e2e-aks.yml

@@ -39,10 +39,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.21
+      - name: Set up Go 1.22
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version: '1.22'
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
         with:

.github/workflows/e2e-cli.yml

@@ -41,7 +41,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
@@ -70,7 +70,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI

.github/workflows/e2e-k8s.yml

@@ -32,10 +32,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.21
+      - name: Set up Go 1.22
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - name: Bootstrap e2e
         run: |

.github/workflows/golangci-lint.yml

@@ -21,9 +21,10 @@ jobs:
 
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version: '1.22'
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: golangci-lint
         uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
-          version: v1.55.2
+          version: v1.59.1
+          args: --timeout=10m

.github/workflows/high-availability.yml

@@ -36,10 +36,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.21
+      - name: Set up Go 1.22
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - name: Bootstrap e2e
         run: |

.github/workflows/publish-dev-assets.yml

@@ -18,7 +18,6 @@ jobs:
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: prepare
@@ -50,11 +49,22 @@ jobs:
       - name: docker build ratify-crds
         run: |
           docker buildx create --use
-          docker buildx build --build-arg KUBE_VERSION="1.29.2" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+          docker buildx build \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
+            --build-arg KUBE_VERSION="1.29.2" \
+            -f crd.Dockerfile \
+            --platform linux/amd64,linux/arm64,linux/arm/v7 \
+            --label org.opencontainers.image.revision=${{ github.sha }} \
+            -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} \
+            -t ${{ steps.prepare.outputs.crdref }} \
+            --push ./charts/ratify/crds
       - name: docker build ratify base
         run: |
           docker buildx create --use         
           docker buildx build -f ./httpserver/Dockerfile \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
             --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -65,6 +75,8 @@ jobs:
         run: |
           docker buildx create --use
           docker buildx build -f ./httpserver/Dockerfile \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --build-arg build_sbom=true \
             --build-arg build_licensechecker=true \

.github/workflows/publish-package.yml

@@ -19,7 +19,6 @@ jobs:
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: prepare
@@ -49,11 +48,21 @@ jobs:
       - name: docker build ratify-crds
         run: |
           docker buildx create --use
-          docker buildx build --build-arg KUBE_VERSION="1.29.2" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+          docker buildx build \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
+            --build-arg KUBE_VERSION="1.29.2" \
+            -f crd.Dockerfile \
+            --platform linux/amd64,linux/arm64,linux/arm/v7 \
+            --label org.opencontainers.image.revision=${{ github.sha }} \
+            -t ${{ steps.prepare.outputs.crdref }} \
+            --push ./charts/ratify/crds
       - name: docker build ratify base
         run: |
           docker buildx create --use         
           docker buildx build -f ./httpserver/Dockerfile \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
             --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -63,6 +72,8 @@ jobs:
         run: |
           docker buildx create --use
           docker buildx build -f ./httpserver/Dockerfile \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --build-arg build_sbom=true \
             --build-arg build_licensechecker=true \

.github/workflows/quick-start.yml

@@ -39,7 +39,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Run tidy
         run: go mod tidy
       - name: Bootstrap e2e

.github/workflows/release.yml

@@ -28,7 +28,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
-        go-version: '1.21'
+        go-version: '1.22'
 
     - name: Goreleaser
       uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0

.github/workflows/run-full-validation.yml

@@ -66,10 +66,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.21
+      - name: Set up Go 1.22
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1

.github/workflows/scorecards.yml

@@ -53,6 +53,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # tag=v3.25.10
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # tag=v3.25.11
         with:
           sarif_file: results.sarif

.golangci.yml

@@ -1,6 +1,3 @@
-run:
-  deadline: 5m
-
 linters:
   disable-all: true
   enable:

cmd/ratify/cmd/discover.go

@@ -60,7 +60,7 @@ func NewCmdDiscover(argv ...string) *cobra.Command {
 		Short:   "Discover referrers for a subject",
 		Example: eg,
 		Args:    cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			return discover(opts)
 		},
 	}

cmd/ratify/cmd/referrer.go

@@ -46,7 +46,7 @@ func NewCmdReferrer(argv ...string) *cobra.Command {
 		Use:   referrerUse,
 		Short: "Discover referrers for a subject",
 		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			return cmd.Usage()
 		},
 	}
@@ -71,7 +71,7 @@ func NewCmdShowBlob(argv ...string) *cobra.Command {
 		Short:   "show blob at a digest",
 		Example: eg,
 		Args:    cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			return showBlob(opts)
 		},
 	}
@@ -100,7 +100,7 @@ func NewCmdShowRefManifest(argv ...string) *cobra.Command {
 		Short:   "show rference manifest at a digest",
 		Example: eg,
 		Args:    cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			return showRefManifest(opts)
 		},
 	}

cmd/ratify/cmd/resolve.go

@@ -54,7 +54,7 @@ func NewCmdResolve(argv ...string) *cobra.Command {
 		Short:   "Resolve digest of a subject that is referenced by a tag",
 		Example: eg,
 		Args:    cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			return resolve(opts)
 		},
 	}

cmd/ratify/cmd/root.go

@@ -35,14 +35,14 @@ func New(use, short string) *cobra.Command {
 	root := &cobra.Command{
 		Use:   use,
 		Short: short,
-		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		PersistentPreRun: func(_ *cobra.Command, _ []string) {
 			if enableDebug {
 				common.SetLoggingLevel("debug", logrus.StandardLogger())
 			} else {
 				common.SetLoggingLevelFromEnv(logrus.StandardLogger())
 			}
 		},
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			return cmd.Usage()
 		},
 		SilenceUsage:      true,

cmd/ratify/cmd/serve.go

@@ -58,7 +58,7 @@ func NewCmdServe(_ ...string) *cobra.Command {
 		Short:   "Run ratify as a server",
 		Example: "ratify server",
 		Args:    cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			return serve(opts)
 		},
 	}

cmd/ratify/cmd/verify.go

@@ -51,7 +51,7 @@ func NewCmdVerify(_ ...string) *cobra.Command {
 		Short:   "Verify a subject",
 		Example: "sample example",
 		Args:    cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			return verify(opts)
 		},
 	}

cmd/ratify/cmd/version.go

@@ -35,7 +35,7 @@ ratify version`
 		Short:   "Show the ratify version information",
 		Example: eg,
 		Args:    cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			return runVersion()
 		},
 	}