Merge branch 'main' into dependabot/go_modules/sigs.k8s.io/release-ut…

…ils-0.8.5

Signed-off-by: Bob Callaway <[email protected]>

.github/workflows/add-remove-new-fulcio.yaml

@@ -35,7 +35,7 @@ jobs:
           - fulcio-key-rotation
 
         go-version:
-          - 1.22.x
+          - 1.23.x
 
     env:
       GOPATH: ${{ github.workspace }}

.github/workflows/codeql-analysis.yml

@@ -46,7 +46,7 @@ jobs:
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         if: steps.changes.outputs.gocode == 'true'
-        uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           languages: '${{ matrix.language }}'
 
@@ -57,4 +57,4 @@ jobs:
 
       - name: Perform CodeQL Analysis
         if: steps.changes.outputs.gocode == 'true'
-        uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8

.github/workflows/fulcio-rekor-kind.yaml

@@ -35,7 +35,7 @@ jobs:
           - fulcio rekor ctlog e2e
 
         go-version:
-          - 1.22.x
+          - 1.23.x
 
     env:
       GOPATH: ${{ github.workspace }}

.github/workflows/prober-test.yml

@@ -25,7 +25,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.22'
+          go-version-file: 'go.mod'
           check-latest: true
 
       - name: Prober test

.github/workflows/release.yaml

@@ -22,7 +22,7 @@ jobs:
     steps:
     - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
-        go-version: '1.22'
+        go-version-file: 'go.mod'
         check-latest: true
 
     - name: Install ko

.github/workflows/terraform.yml

@@ -26,7 +26,7 @@ jobs:
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v2.0.0
         with:
           # TODO: extract terraform from the tf file when we have pinned
-          terraform_version: 1.9.5
+          terraform_version: 1.9.6
 
       - name: Terraform fmt
         id: fmt
@@ -46,7 +46,7 @@ jobs:
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v2.0.0
         with:
           # TODO: extract terraform from the tf file when we have pinned
-          terraform_version: 1.9.5
+          terraform_version: 1.9.6
 
       - name: Terraform init
         id: init
@@ -80,7 +80,7 @@ jobs:
           tfsec_args: --force-all-dirs --verbose
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: tfsec.sarif

.github/workflows/test-action-tuf.yaml

@@ -30,7 +30,7 @@ jobs:
         release-version:
           - "main" # Test explicitly with latest
         go-version:
-          - 1.22.x
+          - 1.23.x
         leg:
           - test github action with TUF
     env:

.github/workflows/test-release.yaml

@@ -30,7 +30,7 @@ jobs:
         leg:
           - fulcio rekor ctlog e2e
         go-version:
-          - 1.22.x
+          - 1.23.x
 
     env:
       RELEASE_VERSION: "v0.7.1"

.github/workflows/verify.yml

@@ -17,7 +17,7 @@ jobs:
 
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.22'
+          go-version-file: 'go.mod'
           check-latest: true
           cache: true
 
@@ -46,11 +46,11 @@ jobs:
 
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.22'
+          go-version-file: 'go.mod'
           check-latest: true
 
       - name: golangci-lint
         uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.58
+          version: v1.61

.golangci.yml

@@ -43,6 +43,10 @@ issues:
       text: SA1019
   max-issues-per-linter: 0
   max-same-issues: 0
+linters-settings:
+  gosec:
+    excludes:
+      - G115  # integer overflow conversion uint64 -> int64
 run:
   issues-exit-code: 1
   timeout: 15m

.ko.yaml

@@ -1,7 +1,7 @@
 ---
 defaultBaseImage: gcr.io/distroless/static-debian12:nonroot
 baseImageOverrides:
-  github.com/sigstore/scaffolding/cmd/cloudsqlproxy: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.12.0-alpine
+  github.com/sigstore/scaffolding/cmd/cloudsqlproxy: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine
 
 builds:
   - id: ctlog-createctconfig

Dockerfile.deps

@@ -1,9 +1,5 @@
 # This Dockerfile simply serves as a trigger for dependabot to notify when a new upstream release of a component is available
 #
-# !!!!!!!!!!!!!!
-# ! READ BELOW !
-# !!!!!!!!!!!!!!
-#
-# If dependabot proposes an update to the container listed below, you should also update the value listed in '.ko.yaml' and cut a new release of scaffolding
+# !!! READ AND ACT ON THIS !!! If dependabot proposes an update to the container listed below, you should also update the value listed in '.ko.yaml' and cut a new release of scaffolding
 FROM gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.13.0-alpine as cloud-sql-proxy
 ENV FOO=BAR

cmd/tuf/server/main.go

@@ -68,11 +68,11 @@ func getNamespaceAndClientset(noK8s bool) (string, *kubernetes.Clientset, error)
 
 	config, err := rest.InClusterConfig()
 	if err != nil {
-		return "", nil, fmt.Errorf("Failed to get InClusterConfig: %v", err)
+		return "", nil, fmt.Errorf("failed to get InClusterConfig: %w", err)
 	}
 	clientset, err := kubernetes.NewForConfig(config)
 	if err != nil {
-		return "", nil, fmt.Errorf("Failed to get clientset: %v", err)
+		return "", nil, fmt.Errorf("failed to get clientset: %w", err)
 	}
 
 	return ns, clientset, nil
@@ -84,13 +84,13 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 
 	ns, clientset, err := getNamespaceAndClientset(*noK8s)
 	if err != nil {
-		return fmt.Errorf("failed to get namespace and clientset: %v", err)
+		return fmt.Errorf("failed to get namespace and clientset: %w", err)
 	}
 
 	trimDir := strings.TrimSuffix(certsDir, "/")
 	tufFiles, err := os.ReadDir(trimDir)
 	if err != nil {
-		return fmt.Errorf("failed to read dir %s: %v", trimDir, err)
+		return fmt.Errorf("failed to read dir %s: %w", trimDir, err)
 	}
 	files := map[string][]byte{}
 	for _, file := range tufFiles {
@@ -105,7 +105,7 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 			fileName := fmt.Sprintf("%s/%s", trimDir, file.Name())
 			fileBytes, err := os.ReadFile(fileName)
 			if err != nil {
-				return fmt.Errorf("failed to read file %s: %v", fileName, err)
+				return fmt.Errorf("failed to read file %s: %w", fileName, err)
 			}
 			// If it's a TSA file, we need to split it into multiple TUF
 			// targets.
@@ -114,7 +114,7 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 
 				certFiles, err := certs.SplitCertChain(fileBytes, "tsa")
 				if err != nil {
-					return fmt.Errorf("failed to parse %s: %v", fileName, err)
+					return fmt.Errorf("failed to parse %s: %w", fileName, err)
 				}
 				for k, v := range certFiles {
 					logging.FromContext(ctx).Infof("Got tsa cert file %s", k)
@@ -130,16 +130,16 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 	// Create a new TUF root with the listed artifacts.
 	local, dir, err := repo.CreateRepoWithOptions(ctx, files, repo.CreateRepoOptions{AddMetadataTargets: *metadataTargets, AddTrustedRoot: *trustedRoot})
 	if err != nil {
-		return fmt.Errorf("failed to create repo: %v", err)
+		return fmt.Errorf("failed to create repo: %w", err)
 	}
 
 	meta, err := local.GetMeta()
 	if err != nil {
-		return fmt.Errorf("getting meta: %v", err)
+		return fmt.Errorf("getting meta: %w", err)
 	}
 	rootJSON, ok := meta["root.json"]
 	if !ok {
-		return fmt.Errorf("getting root: %v", err)
+		return fmt.Errorf("getting root: %w", err)
 	}
 
 	// Add the initial 1.root.json to secrets.
@@ -151,36 +151,36 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 	// worries here.
 	var compressed bytes.Buffer
 	if err := repo.CompressFS(os.DirFS(dir), &compressed, map[string]bool{"keys": true, "staged": true}); err != nil {
-		return fmt.Errorf("failed to compress the repo: %v", err)
+		return fmt.Errorf("failed to compress the repo: %w", err)
 	}
 	data["repository"] = compressed.Bytes()
 
 	if !*noK8s {
 		nsSecret := clientset.CoreV1().Secrets(ns)
 		if err := secret.ReconcileSecret(ctx, repoSecretName, ns, data, nsSecret); err != nil {
-			return fmt.Errorf("failed to reconcile secret %s/%s: %v", ns, repoSecretName, err)
+			return fmt.Errorf("failed to reconcile secret %s/%s: %w", ns, repoSecretName, err)
 		}
 
 		// If we should also store created keys in a secret, read all their files and save them in the secret
 		if keysSecretName != "" {
 			keyFiles, err := os.ReadDir(filepath.Join(dir, "keys"))
 			if err != nil {
-				return fmt.Errorf("failed to list keys directory %v", err)
+				return fmt.Errorf("failed to list keys directory %w", err)
 			}
 			dataKeys := map[string][]byte{}
 			for _, keyFile := range keyFiles {
 				if !strings.HasSuffix(keyFile.Name(), ".json") {
 					continue
 				}
-				keyFilePath := filepath.Join(filepath.Join(dir, "keys", keyFile.Name()))
+				keyFilePath := filepath.Join(dir, "keys", keyFile.Name())
 				content, err := os.ReadFile(keyFilePath)
 				if err != nil {
-					return fmt.Errorf("failed reading file %s: %v", keyFilePath, err)
+					return fmt.Errorf("failed reading file %s: %w", keyFilePath, err)
 				}
 				dataKeys[keyFile.Name()] = content
 			}
 			if err := secret.ReconcileSecret(ctx, keysSecretName, ns, dataKeys, nsSecret); err != nil {
-				return fmt.Errorf("failed to reconcile keys secret %s/%s: %v", ns, keysSecretName, err)
+				return fmt.Errorf("failed to reconcile keys secret %s/%s: %w", ns, keysSecretName, err)
 			}
 		}
 	}
@@ -189,8 +189,7 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 
 	// Copy repository to the targetDir - until Go 1.23 which has os.CopyFS, we use
 	// a quick hack where we uncompress the compressed repository to the targetDir
-	repo.Uncompress(bytes.NewReader(data["repository"]), targetDir)
-	return nil
+	return repo.Uncompress(bytes.NewReader(data["repository"]), targetDir)
 }
 
 func main() {

config/trillian/mysql/300-mysql-trillian.yaml

@@ -20,7 +20,7 @@ metadata:
     app: mysql-trillian
 spec:
   containers:
-    - image: gcr.io/trillian-opensource-ci/db_server@sha256:c5195ff7b05084478f1125167f6ae314e46cade50d761665e2063e27c0a20314
+    - image: gcr.io/trillian-opensource-ci/db_server@sha256:6f9942d392c43e0a87e3c16666dc73e714666fda506bca9ac145296582dcccff
       name: mysql
       env:
         - name: MYSQL_ROOT_PASSWORD

go.mod

@@ -1,12 +1,12 @@
 module github.com/sigstore/scaffolding
 
-go 1.22.6
-toolchain go1.23.1
+go 1.23.1
 
 require (
 	chainguard.dev/exitdir v0.0.1
+	filippo.io/edwards25519 v1.1.0
 	github.com/cenkalti/backoff/v3 v3.2.2
-	github.com/go-jose/go-jose/v3 v3.0.3
+	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.23.0
 	github.com/go-sql-driver/mysql v1.8.1
@@ -28,7 +28,7 @@ require (
 	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/prometheus/client_golang v1.20.3
+	github.com/prometheus/client_golang v1.20.4
 	github.com/ryanuber/go-glob v1.0.0
 	github.com/sigstore/cosign/v2 v2.4.0
 	github.com/sigstore/fulcio v1.6.4
@@ -44,9 +44,8 @@ require (
 	golang.org/x/net v0.29.0
 	golang.org/x/time v0.6.0
 	google.golang.org/genproto v0.0.0-20240823204242-4ba0660f739c
-	google.golang.org/grpc v1.66.2
+	google.golang.org/grpc v1.67.0
 	google.golang.org/protobuf v1.34.2
-	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.31.1
 	k8s.io/apimachinery v0.31.1
@@ -59,7 +58,7 @@ require (
 
 require (
 	bitbucket.org/creachadair/shell v0.0.8 // indirect
-	cel.dev/expr v0.15.0 // indirect
+	cel.dev/expr v0.16.0 // indirect
 	cloud.google.com/go v0.115.1 // indirect
 	cloud.google.com/go/auth v0.9.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
@@ -71,7 +70,6 @@ require (
 	cloud.google.com/go/spanner v1.67.0 // indirect
 	cloud.google.com/go/trace v1.10.12 // indirect
 	contrib.go.opencensus.io/exporter/stackdriver v0.13.14 // indirect
-	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 // indirect
@@ -134,7 +132,7 @@ require (
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect
+	github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect
 	github.com/cockroachdb/cockroach-go/v2 v2.3.8 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
@@ -151,13 +149,13 @@ require (
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
+	github.com/envoyproxy/go-control-plane v0.13.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect