Merge pull request #1424 from deislabs/dev

chore: merging dev into main 04-30-2024
ratify-project · May 1, 2024 · 6a26a56 · 6a26a56
2 parents 6a5f10c + a884308
commit 6a26a56
Show file tree

Hide file tree

Showing 144 changed files with 7,586 additions and 640 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -14,8 +14,7 @@
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile
 
 # [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
-ARG VARIANT="1.21-bullseye"
-FROM mcr.microsoft.com/vscode/devcontainers/go:${VARIANT}
+FROM mcr.microsoft.com/vscode/devcontainers/go:1.21-bullseye@sha256:c23be6befc7fbe2685f2fdd8161b314bc28bf34a0d37f6777461ccb21c17972d
 
 # [Choice] Node.js version: none, lts/*, 18, 16, 14
 ARG NODE_VERSION="none"

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -17,6 +17,32 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types:
-        - "version-update:semver-major"
-        - "version-update:semver-minor"
-
+          - "version-update:semver-major"
+          - "version-update:semver-minor"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/httpserver"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "golang"
+        versions: '> 1.21'
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "vscode/devcontainers/go"
+        versions: '> 1.21'
+    commit-message:
+      prefix: "chore"
diff --git a/.github/licenserc.yml b/.github/licenserc.yml
@@ -49,7 +49,7 @@ dependency:
     - go.mod
   licenses:
     - name: github.com/spdx/tools-golang
-      version: v0.5.3
+      version: v0.5.4
       license: Apache-2.0
     - name: github.com/alibabacloud-go/cr-20160607 # TODO: remove this when library is upgraded to v2.0.0
       version: v1.0.1

diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -5,7 +5,7 @@ on:
     types: [labeled]
   pull_request:
     branches:
-      - staging
+      - dev
   workflow_dispatch:
 
 permissions: read-all
@@ -16,12 +16,13 @@ jobs:
 
   call_test_e2e_basic:
     name: "run e2e on basic matrix"
+    if: ${{ ! (contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch') }}
     permissions:
       contents: read
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.27.7"]
+        KUBERNETES_VERSION: ["1.29.2"]
         GATEKEEPER_VERSION: ["3.15.0"]
     uses: ./.github/workflows/e2e-k8s.yml 
     with:
@@ -34,7 +35,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
+        KUBERNETES_VERSION: ["1.28.7", "1.29.2"]
         GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
     uses: ./.github/workflows/e2e-k8s.yml 
     with:
@@ -50,7 +51,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
+        KUBERNETES_VERSION: ["1.27.9", "1.29.2"]
         GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
     uses: ./.github/workflows/e2e-aks.yml
     with:
@@ -70,14 +71,14 @@ jobs:
       contents: read
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: '1.21'
 
       - name: Az CLI login
-        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
+        uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
         with:
           creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
 

diff --git a/.github/workflows/cache-cleanup.yml b/.github/workflows/cache-cleanup.yml
@@ -4,6 +4,9 @@ on:
     types:
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -5,12 +5,12 @@ on:
   push:
     branches: 
       - main
-      - staging
+      - dev
       - 1.0.0*
   pull_request:
     branches: 
       - main
-      - staging
+      - dev
       - 1.0.0*
   schedule:
     - cron: '30 1 * * 0'
@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=3.0.2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=3.0.2
       - name: setup go environment
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:

diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
@@ -1,12 +1,15 @@
 name: e2e-aks
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
       k8s_version:
         description: 'Kubernetes version'
         required: true
-        default: '1.27.7'
+        default: '1.29.2'
         type: string
       gatekeeper_version:
         description: 'Gatekeeper version'
@@ -25,14 +28,14 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: '1.21'
 
       - name: Az CLI login
-        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
+        uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
         with:
           creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
 
@@ -48,7 +51,7 @@ jobs:
           make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }}
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: ${{ always() }}
         with:
           name: e2e-logs-aks-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}

diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
@@ -3,12 +3,15 @@ name: e2e-cli
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   check-license:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: Check license header
         uses: apache/skywalking-eyes/header@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91
         with:
@@ -24,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: setup go environment
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
@@ -48,7 +51,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: setup go environment
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
@@ -71,7 +74,7 @@ jobs:
       runs-on: ubuntu-latest
       steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           submodules: recursive
       - name: Run link check

diff --git a/.github/workflows/e2e-k8s.yml b/.github/workflows/e2e-k8s.yml
@@ -1,12 +1,15 @@
 name: e2e-k8s
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
       k8s_version:
         description: 'Kubernetes version'
         required: true
-        default: '1.27.7'
+        default: '1.29.2'
         type: string
       gatekeeper_version:
         description: 'Gatekeeper version'
@@ -23,7 +26,7 @@ jobs:
       contents: read
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
@@ -57,7 +60,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
           kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
       - name: Upload artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: ${{ always() }}
         with:
           name: e2e-logs-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -3,7 +3,7 @@ on:
   push:
     branches:
       - main
-      - staging
+      - dev
       - 1.0.0*
   pull_request:
   workflow_dispatch:
@@ -17,8 +17,8 @@ jobs:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: '1.21'
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
+        uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc # v5.1.0
         with:
           version: v1.55.2
diff --git a/.github/workflows/high-availability.yml b/.github/workflows/high-availability.yml
@@ -6,13 +6,13 @@ on:
   pull_request:
     branches:
       - main
-      - staging
+      - dev
       - 1.0.0*
   push:
     branches:
       - 1.0.0*
       - main
-      - staging
+      - dev
   workflow_dispatch:
 
 permissions: read-all
@@ -27,10 +27,10 @@ jobs:
       contents: read
     strategy:
       matrix:
-        DAPR_VERSION: ["1.11.1"]
+        DAPR_VERSION: ["1.13.2"]
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
@@ -55,7 +55,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.DAPR_VERSION }}.json
           kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.DAPR_VERSION }}.json
       - name: Upload artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: ${{ always() }}
         with:
           name: e2e-logs-${{ matrix.DAPR_VERSION }}

diff --git a/.github/workflows/pr-to-main.yml b/.github/workflows/pr-to-main.yml
@@ -3,7 +3,7 @@ name: pr_to_main
 on:
   push:
     branches:
-      - 'staging'
+      - 'dev'
 
 permissions:
   pull-requests: write
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: git checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
 
       # https://github.com/marketplace/actions/github-pull-request-action
       - name: create pull request with reposync action

diff --git a/.github/workflows/publish-charts.yml b/.github/workflows/publish-charts.yml
@@ -12,7 +12,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: Publish Helm charts
         uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
         with:

diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
@@ -15,7 +15,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: prepare
         id: prepare
         run: |
@@ -45,7 +45,7 @@ jobs:
       - name: docker build ratify-crds
         run: |
           docker buildx create --use
-          docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+          docker buildx build --build-arg KUBE_VERSION="1.29.2" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
       - name: docker build ratify base
         run: |
           docker buildx create --use         

diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -16,7 +16,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: prepare
         id: prepare
         run: |
@@ -44,7 +44,7 @@ jobs:
       - name: docker build ratify-crds
         run: |
           docker buildx create --use
-          docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+          docker buildx build --build-arg KUBE_VERSION="1.29.2" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
       - name: docker build ratify base
         run: |
           docker buildx create --use