Merge pull request #310 from securesign/update-to-upstream

Update to upstream - v0.7.17
securesign · Jan 6, 2025 · 9e917fe · 9e917fe
2 parents 96ad338 + 33281db
commit 9e917fe
Show file tree

Hide file tree

Showing 276 changed files with 12,664 additions and 11,677 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,65 +1,26 @@
 version: 2
 updates:
 - package-ecosystem: docker
-  directory: "/"
-  schedule:
-    interval: daily
-- package-ecosystem: docker
-  directory: "/config/fulcio/fulcio"
-  schedule:
-    interval: daily
-- package-ecosystem: docker
-  directory: "/config/rekor/rekor"
-  schedule:
-    interval: daily
-- package-ecosystem: docker
-  directory: "/config/trillian/trillian-log-server"
-  schedule:
-    interval: daily
-- package-ecosystem: docker
-  directory: "/config/trillian/trillian-log-signer"
+  directories:
+    - "/"
+    - "/config/**/*"
   schedule:
-    interval: daily
-- package-ecosystem: docker
-  directory: "/config/tsa/tsa"
-  schedule:
-    interval: daily
+    interval: weekly
+
 - package-ecosystem: gomod
   directory: "/"
   schedule:
     interval: weekly
   open-pull-requests-limit: 10
+
 - package-ecosystem: "github-actions"
   directory: "/"
   schedule:
     interval: weekly
 
 - package-ecosystem: "terraform"
-  directory: "/terraform/gcp/modules/argocd"
-  schedule:
-    interval: monthly
-  groups:
-    terraform:
-      patterns:
-        - "*"
-- package-ecosystem: "terraform"
-  directory: "/terraform/gcp/modules/external_secrets"
-  schedule:
-    interval: monthly
-  groups:
-    terraform:
-      patterns:
-        - "*"
-- package-ecosystem: "terraform"
-  directory: "/terraform/gcp/modules/monitoring/slo"
-  schedule:
-    interval: monthly
-  groups:
-    terraform:
-      patterns:
-        - "*"
-- package-ecosystem: "terraform"
-  directory: "/terraform/gcp/modules/sigstore"
+  directories:
+    - "/terraform/gcp/modules/**/*"
   schedule:
     interval: monthly
   groups:

diff --git a/.github/workflows/add-remove-new-fulcio.yaml b/.github/workflows/add-remove-new-fulcio.yaml
@@ -29,12 +29,13 @@ jobs:
           - v1.27.x
           - v1.28.x
           - v1.29.x
+          - v1.30.x
 
         leg:
           - fulcio-key-rotation
 
         go-version:
-          - 1.22.x
+          - 1.23.x
 
     env:
       GOPATH: ${{ github.workspace }}
@@ -48,13 +49,13 @@ jobs:
     # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
 
     - name: Set up Go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
         go-version: ${{ matrix.go-version }}
         check-latest: true
 
     - name: Check out our repo
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ./src/github.com/sigstore/scaffolding
 
@@ -71,9 +72,9 @@ jobs:
         restore-keys: |
           ${{ runner.os }}-go-${{ matrix.go-version }}-
 
-    - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+    - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 
-    - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+    - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
     - name: Setup Cluster
       uses: chainguard-dev/actions/setup-kind@main

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Filter paths
         uses: dorny/paths-filter@v3
@@ -39,14 +39,14 @@ jobs:
               - 'pkg/**'
               - 'cmd/**'
 
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version-file: 'go.mod'
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         if: steps.changes.outputs.gocode == 'true'
-        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
         with:
           languages: '${{ matrix.language }}'
 
@@ -57,4 +57,4 @@ jobs:
 
       - name: Perform CodeQL Analysis
         if: steps.changes.outputs.gocode == 'true'
-        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
diff --git a/.github/workflows/fulcio-rekor-kind.yaml b/.github/workflows/fulcio-rekor-kind.yaml
@@ -29,12 +29,13 @@ jobs:
           - v1.27.x
           - v1.28.x
           - v1.29.x
+          - v1.30.x
 
         leg:
           - fulcio rekor ctlog e2e
 
         go-version:
-          - 1.22.x
+          - 1.23.x
 
     env:
       GOPATH: ${{ github.workspace }}
@@ -45,15 +46,15 @@ jobs:
 
     steps:
     - name: Check out our repo
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ./src/github.com/sigstore/scaffolding
 
     - uses: chainguard-dev/actions/setup-mirror@main
     # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
 
     - name: Set up Go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
         go-version: ${{ matrix.go-version }}
         check-latest: true
@@ -71,9 +72,9 @@ jobs:
         restore-keys: |
           ${{ runner.os }}-go-${{ matrix.go-version }}-
 
-    - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+    - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 
-    - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+    - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
     - name: Setup Cluster
       uses: chainguard-dev/actions/setup-kind@main
@@ -177,7 +178,7 @@ jobs:
     # Test with cosign in 'airgapped mode'
     # Uncomment these once modified cosign goes in.
     #- name: Checkout modified cosign for testing.
-    #  uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+    #  uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     #  with:
     #    repository: vaikas/cosign
     #    ref: air-gap
@@ -199,7 +200,7 @@ jobs:
     #    ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
 
     - name: Checkout TSA for testing.
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: sigstore/timestamp-authority
         path: ./src/github.com/sigstore/timestamp-authority

diff --git a/.github/workflows/prober-test.yml b/.github/workflows/prober-test.yml
@@ -20,12 +20,12 @@ jobs:
       contents: read
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: '1.22'
+          go-version-file: 'go.mod'
           check-latest: true
 
       - name: Prober test

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -20,35 +20,35 @@ jobs:
       COSIGN_EXPERIMENTAL: "true"
 
     steps:
-    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+    - name: Check out code onto GOPATH
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        fetch-depth: 1
+        path: ./src/github.com/${{ github.repository }}
+
+    - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
-        go-version: '1.22'
+        go-version-file: ./src/github.com/${{ github.repository }}/go.mod
         check-latest: true
 
     - name: Install ko
-      uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+      uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
     - name: Install GoReleaser
-      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v3.1.0
+      uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v3.1.0
       with:
         install-only: true
 
     - name: Log into ghcr.io
-      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Check out code onto GOPATH
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
-      with:
-        fetch-depth: 1
-        path: ./src/github.com/${{ github.repository }}
-
     - name: Get TAG
       id: get_tag
       run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -21,12 +21,12 @@ jobs:
 
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v2.0.0
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v2.0.0
         with:
           # TODO: extract terraform from the tf file when we have pinned
-          terraform_version: 1.8.0
+          terraform_version: 1.9.8
 
       - name: Terraform fmt
         id: fmt
@@ -41,12 +41,12 @@ jobs:
 
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v2.0.0
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v2.0.0
         with:
           # TODO: extract terraform from the tf file when we have pinned
-          terraform_version: 1.8.0
+          terraform_version: 1.9.8
 
       - name: Terraform init
         id: init
@@ -70,7 +70,7 @@ jobs:
 
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: tfsec
         uses: tfsec/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 # v0.1.0
@@ -80,7 +80,7 @@ jobs:
           tfsec_args: --force-all-dirs --verbose
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: tfsec.sarif
diff --git a/.github/workflows/test-action-tuf.yaml b/.github/workflows/test-action-tuf.yaml
@@ -26,18 +26,19 @@ jobs:
           - v1.27.x
           - v1.28.x
           - v1.29.x
+          - v1.30.x
         release-version:
           - "main" # Test explicitly with latest
         go-version:
-          - 1.22.x
+          - 1.23.x
         leg:
           - test github action with TUF
     env:
       KO_DOCKER_REPO: registry.local:5000/knative
 
     steps:
     - name: Checkout the current action
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Test running the action
       uses: ./actions/setup
       with:
@@ -46,15 +47,15 @@ jobs:
 
     # Install cosign
     - name: Install cosign
-      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
     - name: Set up Go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
         go-version: ${{ matrix.go-version }}
         check-latest: true
 
-    - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+    - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 
     - name: Create sample image
       run: |
@@ -87,7 +88,7 @@ jobs:
         --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 
     - name: Checkout TSA for testing.
-      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: sigstore/timestamp-authority
         path: ./src/github.com/sigstore/timestamp-authority