github · dependabot · May 21, 2024 · May 22, 2024 · May 29, 2024 · Jun 3, 2024
@@ -19,7 +19,7 @@ on:
   push:
     branches:
       - main
-      - release-*
+      - release
 
 permissions: {}
 

@@ -17,7 +17,7 @@ name: CodeQL
 
 on:
   push:
-    branches: [ main ]
+    branches: [ release ]
   schedule:
     - cron: '45 10 * * 1'
 

@@ -2,7 +2,7 @@ name: Do Not Submit
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -16,7 +16,7 @@ name: Test policy-controller with ClusterImagePolicy TUF disabled
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Test policy-controller with TrustRoot - Bring your own keys
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Test policy-controller with TSA
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Test policy-controller with ClusterImagePolicy
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Policy Controller KinD E2E
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -16,7 +16,7 @@ name: TrustRoot CRD KinD E2E
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -18,7 +18,7 @@ name: Verify examples using policy-tester
 on:
   workflow_dispatch:
   push:
-    branches: ['main', 'release-*']
+    branches: ['main', 'release']
   pull_request:
 
 jobs:

@@ -1,110 +1,55 @@
-name: Cut Release
+name: Release
 
 on:
   push:
     tags:
       - "v*"
 
-concurrency: cut-release
-
-permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for pushing the images to ghcr.io
-
 jobs:
   release:
-    outputs:
-      hashes: ${{ steps.hash.outputs.hashes }}
-      tag_name: ${{ steps.tag.outputs.tag_name }}
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
+    env:
+      KO_DOCKER_REPO: ghcr.io/github/policy-controller-webhook
+      KOCACHE: /tmp/ko
     steps:
-      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          docker-images: true
-          swap-storage: true
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+          ref: "release"
+          fetch-tags: true
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version-file: './go.mod'
+          go-version-file: "./go.mod"
           check-latest: true
-
-      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
-
-      - uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
-
-      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
-
-      - name: Set up Cloud SDK
-        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
+      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
         with:
-          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller'
-          service_account: 'gha-policy-controller@projectsigstore.iam.gserviceaccount.com'
-
-      - name: 'Set up Cloud SDK'
-        uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: creds
-        run: gcloud auth configure-docker --quiet
-
-      - name: Set LDFLAGS
-        id: ldflags
+      - name: Build and publish webhook to GHCR
+        id: build
         run: |
-           source ./release/ldflags.sh
-           goflags=$(ldflags)
-           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
-
-      - name: Set tag output
-        id: tag
-        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
-
-      - name: Run GoReleaser
-        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+          export GIT_HASH=`git rev-parse HEAD`
+          export GIT_VERSION=`git describe --tags --always --dirty`
+          export BUILD_DATE=`date +%Y-%m-%dT%H:%M:%SZ`
+          export LDFLAGS="-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$GIT_VERSION -X sigs.k8s.io/release-utils/version.gitCommit=$GIT_HASH -X sigs.k8s.io/release-utils/version.buildDate=$BUILD_DATE"
+
+          mkdir -p ${{ env.KOCACHE }}
+          # ko build should print ghcr.io/github/policy-controller-webhook@sha256:<digest>
+          # to standard out. Capture the image digest for the build provenance step
+          IMAGE_DIGEST=$(ko build --bare --tags $GIT_VERSION --tags $GIT_HASH --platform=linux/amd64 --sbom=none github.com/sigstore/policy-controller/cmd/webhook | cut -d'@' -f2)
+          echo "image_digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT
+      - name: Attest
+        uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+        id: attest
         with:
-          version: latest
-          args: release --clean --timeout 120m --parallelism 1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          LDFLAGS: ${{ env.GO_FLAGS }}
-
-      - name: Generate subject
-        id: hash
-        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
-          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
-
-      - name: build images
-        run: |
-          make build-sign-release-images
-        env:
-          LDFLAGS: ${{ env.GO_FLAGS }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: copy-signed-release-to-ghcr
-        run: make copy-signed-release-to-ghcr || true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  provenance:
-    needs: [release]
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: true # upload to a new release
-      upload-tag-name: "${{ needs.release.outputs.tag_name }}"
+          subject-name: ${{ env.KO_DOCKER_REPO }}
+          subject-digest: ${{ steps.build.outputs.image_digest }}
+          push-to-registry: true
@@ -2,7 +2,7 @@ name: Code Style
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -17,7 +17,7 @@ name: CI-Tests
 on:
   workflow_dispatch:
   push:
-    branches: ['main', 'release-*']
+    branches: ['main', 'release']
   pull_request:
 
 permissions: read-all

@@ -18,7 +18,7 @@ name: Codegen
 on:
   workflow_dispatch:
   push:
-    branches: ['main', 'release-*']
+    branches: ['main', 'release']
   pull_request:
 
 permissions: read-all

@@ -18,7 +18,7 @@ name: API Docs Generator
 on:
   workflow_dispatch:
   push:
-    branches: ['main', 'release-*']
+    branches: ['main', 'release']
   pull_request:
 
 permissions: read-all

@@ -2,7 +2,7 @@ name: Whitespace
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -30,4 +30,3 @@ builds:
     ldflags:
       - -extldflags "-static"
       - "{{ .Env.LDFLAGS }}"
-
@@ -1,3 +1 @@
-# The CODEOWNERS are managed via a GitHub team, but the current list is (in alphabetical order):
-#
-# lukehinds
+* @github/package-security-eng @steiza
@@ -1,4 +1,4 @@
-# Code of Conduct
+# Contributor Covenant Code of Conduct
 
 ## Our Pledge
 
@@ -23,7 +23,7 @@ include:
 Examples of unacceptable behavior by participants include:
 
 * The use of sexualized language or imagery and unwelcome sexual attention or
-  advances
+advances
 * Trolling, insulting/derogatory comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information, such as a physical or electronic
@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at <maintainers@sigstore.dev>. All
+reported by contacting the project team at <opensource@github.com>. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
@@ -71,4 +71,4 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage], versi
 available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,7 +19,7 @@ on: @@
       push:
         branches:
           - main
-          - release-*
+          - release
     permissions: {}
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
Expand Up		@@ -30,4 +30,3 @@ builds:
		ldflags:
		- -extldflags "-static"
		- "{{ .Env.LDFLAGS }}"