Skip to content

Commit

Permalink
Merge branch 'dev' into issue-1751/enabled-status
Browse files Browse the repository at this point in the history
  • Loading branch information
susanshi authored Nov 6, 2024
2 parents 07abd20 + b82b60d commit 3dbcebf
Show file tree
Hide file tree
Showing 32 changed files with 955 additions and 202 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/build-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -75,9 +75,9 @@ jobs:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"

Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,18 +31,18 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=3.0.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
- name: setup go environment
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"
- name: Initialize CodeQL
uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0
with:
languages: go
- name: Run tidy
run: go mod tidy
- name: Build CLI
run: make build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0
4 changes: 2 additions & 2 deletions .github/workflows/e2e-aks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,9 @@ jobs:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"
- name: Az CLI login
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/e2e-cli.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
egress-policy: audit

- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Check license header
uses: apache/skywalking-eyes/header@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91
with:
Expand All @@ -39,9 +39,9 @@ jobs:
egress-policy: audit

- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: setup go environment
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"
- name: Run tidy
Expand All @@ -68,9 +68,9 @@ jobs:
egress-policy: audit

- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: setup go environment
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"
- name: Run tidy
Expand All @@ -96,7 +96,7 @@ jobs:
egress-policy: audit

- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: recursive
- name: Run link check
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/e2e-k8s.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,9 @@ jobs:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/golangci-lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,10 @@ jobs:
with:
egress-policy: audit

- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: golangci-lint
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/high-availability.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,9 +35,9 @@ jobs:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/pr-to-main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
egress-policy: audit

- name: git checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/publish-charts.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
with:
egress-policy: audit

- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Publish Helm charts
uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/publish-dev-assets.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install Notation
uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
- name: Install cosign
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/publish-package.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: prepare
id: prepare
run: |
Expand Down Expand Up @@ -64,7 +64,7 @@ jobs:
--attest type=sbom \
--attest type=provenance,mode=max \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
--build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$TAG" \
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.baseref }} \
--push .
Expand All @@ -79,7 +79,7 @@ jobs:
--build-arg build_licensechecker=true \
--build-arg build_schemavalidator=true \
--build-arg build_vulnerabilityreport=true \
--build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
--build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$TAG" \
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.ref }} \
--push .
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/quick-start.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,9 +35,9 @@ jobs:
egress-policy: audit

- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: setup go environment
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"
- name: Run tidy
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,15 +21,15 @@ jobs:
egress-policy: audit

- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=3.0.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
with:
fetch-depth: 0

- name: Install Syft
uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
uses: anchore/sbom-action/download-syft@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6

- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/run-full-validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,9 +63,9 @@ jobs:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"

Expand Down
80 changes: 30 additions & 50 deletions .github/workflows/scan-vulns.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
with:
egress-policy: audit

- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: "1.22"
check-latest: true
Expand All @@ -38,68 +38,48 @@ jobs:
runs-on: ubuntu-22.04
timeout-minutes: 15
env:
TRIVY_VERSION: v0.49.1
TRIVY_VERSION: 0.49.1
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

- name: Manual Trivy Setup
uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1
- name: Download trivy
run: |
pushd $(mktemp -d)
wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
- name: Download vulnerability database
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
with:
cache: true
version: ${{ env.TRIVY_VERSION }}
max_attempts: 3
retry_on: error
timeout_seconds: 30
retry_wait_seconds: 5
command: |
trivy image --download-db-only
- name: Run trivy on git repository
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
ignore-unfixed: true
scanners: 'vuln'
version: ${{ env.TRIVY_VERSION }}
run: |
trivy fs --skip-db-update --format table --ignore-unfixed --scanners vuln .
- name: Build docker images
run: |
make e2e-build-local-ratify-image
make e2e-build-crd-image
- name: Run Trivy vulnerability scanner on localbuild:test
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuildcrd:test
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
severity: 'HIGH,CRITICAL'
exit-code: '1'
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
severity: 'HIGH,CRITICAL'
exit-code: '1'
version: ${{ env.TRIVY_VERSION }}
- name: Run trivy on images for all severity
run: |
for img in "localbuild:test" "localbuildcrd:test"; do
trivy image --skip-db-update --ignore-unfixed --vuln-type="os,library" "${img}"
done
- name: Run trivy on images and exit on HIGH/CRITICAL severity
run: |
for img in "localbuild:test" "localbuildcrd:test"; do
trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "${img}"
done
4 changes: 2 additions & 2 deletions .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=3.0.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
with:
persist-credentials: false

Expand All @@ -55,6 +55,6 @@ jobs:
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0
with:
sarif_file: results.sarif
2 changes: 1 addition & 1 deletion .github/workflows/sync-gh-pages.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
with:
egress-policy: audit

- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973
with:
github_token: ${{ github.token }}
Expand Down
4 changes: 2 additions & 2 deletions charts/ratify/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v2
name: ratify
description: A Helm chart for Ratify
version: 1.14.0
appVersion: v1.3.0
version: 1.14.1
appVersion: v1.3.1
home: https://github.com/ratify-project/ratify
icon: https://raw.githubusercontent.com/ratify-project/ratify/main/logo.svg
1 change: 1 addition & 0 deletions charts/ratify/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| resources.requests.memory | Memory request of Ratify Deployment | `512Mi` |
| serviceAccount.create | Create new dedicated Ratify service account | `true` |
| serviceAccount.name | Name of Ratify service account to create | `ratify-admin` |
| serviceAccount.annotations | Annotations to add to the service account | `{}` |
| gatekeeper.version | Determines the Gatekeeper CRD versioning | `3.17.0` |
| gatekeeper.namespace | Namespace Gatekeeper is installed | `gatekeeper-system` |
| instrumentation.metricsEnabled | Initializes the configured metrics provider | `true` |
Expand Down
6 changes: 5 additions & 1 deletion charts/ratify/templates/serviceaccount.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,9 @@ metadata:
{{- if .Values.azureWorkloadIdentity.clientId }}
azure.workload.identity/use: "true"
{{- end }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ratify.serviceAccountName" . }}
{{- end }}
{{- end }}
Loading

0 comments on commit 3dbcebf

Please sign in to comment.