[pull] master from kumahq:master

.circleci/config.yml

@@ -5,7 +5,7 @@ parameters:
   # These parameters are not meant to be changed they are more constants for the build change these in mk/dev.mk
   go_version:
     type: string
-    default: "1.21.8"
+    default: "1.21.9"
   first_k8s_version:
     type: string
     default: "v1.23.17-k3s1"

.github/dependabot.yml

@@ -23,6 +23,14 @@ updates:
     labels:
       - "dependencies"
 
+  - package-ecosystem: "docker"
+    directory: "/test/dockerfiles"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 15
+    labels:
+      - "dependencies"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -31,8 +39,3 @@ updates:
     labels:
       - "dependencies"      
       - "ci/skip-test" # No need to run tests on github actions updates
-
-  - package-ecosystem: docker
-    directory: /tools/postgres
-    schedule:
-      interval: daily

.github/workflows/_build_publish.yaml

@@ -16,6 +16,15 @@ on:
       IMAGES:
         required: true
         type: string
+      REGISTRY:
+        required: true
+        type: string
+      VERSION_NAME:
+        required: true
+        type: string
+      NOTARY_REPOSITORY:
+        required: true
+        type: string
     outputs:
       BINARY_ARTIFACT_DIGEST_BASE64:
         value: ${{ jobs.build-binaries.outputs.BINARY_ARTIFACT_DIGEST_BASE64 }}
@@ -42,15 +51,9 @@ jobs:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
           fetch-depth: 0
-      - name: "Add matrix to .build/info to cache"
-        run: |
-          make build/info/short > .build-info
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: go.mod
-          cache-dependency-path: |
-            .build-info
-            go.sum
       - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
@@ -68,7 +71,7 @@ jobs:
           echo "Artifact digest:"
           cat ./build/distributions/artifact_digest_file.text
           echo "binary_artifact_digest_base64=$(cat ./build/distributions/artifact_digest_file.text)" > $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
         id: binary-artifacts
         with:
           name: ${{ inputs.BINARY_ARTIFACT_NAME }}
@@ -86,7 +89,7 @@ jobs:
           make publish/pulp
   build-images:
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 15
     strategy:
       fail-fast: false
       matrix:
@@ -102,9 +105,6 @@ jobs:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: go.mod
-          cache-dependency-path: |
-            .build-info
-            go.sum
       - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
@@ -117,13 +117,7 @@ jobs:
       - id: image_meta
         run: |
           echo "Extracting image meta for ${{ matrix.image }}"
-          registry=$(make docker/info/registry)
-          tag=$(make build/info/version)
-          echo "tag=${tag}" >> $GITHUB_OUTPUT
-          echo "registry=${registry}" >> $GITHUB_OUTPUT
-          echo "image=${registry}/${{ matrix.image }}:${tag}" >> $GITHUB_OUTPUT
-          # Add matrix to .build/info to cache
-          make build/info/short > .build-info
+          echo "image=${{ inputs.REGISTRY }}/${{ matrix.image }}:${{ inputs.VERSION_NAME }}" >> $GITHUB_OUTPUT
       - run: |
           make images/${{ matrix.image }}
       - run: |
@@ -134,17 +128,19 @@ jobs:
           make test/container-structure/${{ matrix.image }}
       - name: scan amd64 image
         id: scan_image-amd64
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@590c699fe824010d7d563a33cc60500d847d3f9e # v2.1.0
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
         with:
           asset_prefix: image_${{ matrix.image }}-amd64
           image: ./build/docker/${{ matrix.image }}-amd64.tar
+          upload-sbom-release-assets: true
       - name: scan arm64 image
         id: scan_image-arm64
         if: ${{ fromJSON(inputs.FULL_MATRIX) }}
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@590c699fe824010d7d563a33cc60500d847d3f9e # v2.1.0
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
         with:
           asset_prefix: image_${{ matrix.image }}-arm64
           image: ./build/docker/${{ matrix.image }}-arm64.tar
+          upload-sbom-release-assets: true
         # TODO in the future we may want to have prerelease images and use `regctl image copy` to move them to their final location
       - name: publish images
         id: release_images
@@ -171,14 +167,14 @@ jobs:
           echo "Got digest: $digest"
           echo "digest=${digest}" >> $GITHUB_OUTPUT
           echo "{\"${{matrix.image}}\": \"${digest}\"}" > ./build/docker/${{ matrix.image }}.digest.json
-      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
         id: image-artifacts
         with:
           name: image_${{ matrix.image }}
           path: |
             ./build/docker/*.tar
           retention-days: ${{ github.event_name == 'pull_request' && 1 || 30 }}
-      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
         id: image-digest-artifacts
         with:
           name: image_${{ matrix.image }}.digest.json
@@ -188,11 +184,11 @@ jobs:
       - name: sign image
         if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
         id: sign
-        uses: Kong/public-shared-actions/security-actions/sign-docker-image@590c699fe824010d7d563a33cc60500d847d3f9e # v2.1.0
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
         with:
           image_digest: ${{ steps.image_digest.outputs.digest }}
           tags: ${{ steps.image_meta.outputs.image }}
-          signature_registry: ${{ steps.image_meta.outputs.registry }}/notary${{ contains(steps.image_meta.outputs.tag, 'preview') && '-internal' }}
+          signature_registry: ${{ inputs.REGISTRY }}/${{inputs.NOTARY_REPOSITORY}}
           registry_username: ${{ vars.DOCKER_USERNAME }}
           registry_password: ${{ secrets.DOCKER_API_KEY }}
   digest-images:
@@ -201,7 +197,7 @@ jobs:
     outputs:
       DIGESTS: ${{ steps.compute-digests.outputs.digests }}
     steps:
-      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+      - uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d # v4.1.5
         with:
           pattern: "image_*.digest.json"
           path: ./digests
@@ -257,7 +253,7 @@ jobs:
           PKG_FILENAME=$(find .cr-release-packages -type f -printf "%f\n")
           echo "filename=${PKG_FILENAME}" >> $GITHUB_OUTPUT
       - name: Upload packaged chart
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
         with:
           name: ${{ steps.package-helm.outputs.filename }}
           path: .cr-release-packages/${{ steps.package-helm.outputs.filename }}
@@ -267,7 +263,7 @@ jobs:
       - name: Generate GitHub app token
         id: github-app-token
         if: ${{ github.ref_type == 'tag' }}
-        uses: actions/create-github-app-token@f2acddfb5195534d487896a656232b016a682f3c # v1.9.0
+        uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}

.github/workflows/_provenance.yaml

@@ -2,32 +2,41 @@ name: Generate Provenance
 on:
   workflow_call:
     inputs:
-      binary_artifacts_hashes_as_file:
+      BINARY_ARTIFACTS_HASH_AS_FILE:
         required: true
         type: string
         description: file containing hash for all compressed binary artifacts
-      images:
+      IMAGES:
         required: true
         type: string
-        description: JSON string containing all images
-      image_digests:
+        description: JSON string containing all IMAGES
+      IMAGE_DIGESTS:
         required: true
         type: string
         description: JSON string containing all image digests
+      REGISTRY:
+        required: true
+        type: string
+        description: registry name
+      NOTARY_REPOSITORY:
+        required: true
+        type: string
+        description: notary repository
 permissions:
   contents: write
   id-token: write # needed for signing the images
   actions: read # For getting workflow run info to build provenance
   packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
 jobs:
   artifact-provenance:
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee # v1.10.0
+    # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
-      base64-subjects: ${{ inputs.binary_artifacts_hashes_as_file }}
+      base64-subjects: ${{ inputs.BINARY_ARTIFACTS_HASH_AS_FILE }}
       upload-assets: ${{ github.ref_type == 'tag' }}
       upload-tag-name: ${{ github.ref_name }}
       provenance-name: ${{ github.event.repository.name }}.intoto.jsonl
-      continue-on-error: true
+      draft-release: "true"
 
   # Provenance job for all images manifests
   # SLSA generator is a reusable workflow
@@ -41,12 +50,12 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        IMAGE: ${{ fromJSON(inputs.images) }}
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee # v1.10.0
+        IMAGE: ${{ fromJSON(inputs.IMAGES) }}
+    # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
-      image: ${{ matrix.IMAGE }}
-      digest: ${{ fromJSON(inputs.image_digests)[matrix.IMAGE] }}
-      continue-on-error: true
+      image: ${{ inputs.REGISTRY }}/${{ matrix.IMAGE }}
+      digest: ${{ fromJSON(inputs.IMAGE_DIGESTS)[matrix.IMAGE] }}
+      registry-username: ${{ vars.DOCKER_USERNAME }}
     secrets:
       registry-password: ${{ secrets.DOCKER_API_KEY }}
-      registry-username: ${{ secrets.DOCKER_USERNAME }}

.github/workflows/auto-merge.yaml

@@ -20,7 +20,7 @@ jobs:
     steps:
       - name: Generate GitHub app token
         id: github-app-token
-        uses: actions/create-github-app-token@f2acddfb5195534d487896a656232b016a682f3c # v1.9.0
+        uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}

.github/workflows/bom.yaml

@@ -17,7 +17,7 @@ jobs:
         with:
           version: v1
           args: mod -licenses -json -output licenses.json
-      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
         with:
           name: licenses
           path: |

.github/workflows/build-test-distribute.yaml

@@ -6,8 +6,8 @@ on:
   pull_request:
     branches: ["master", "release-*"]
 concurrency:
-  group: ${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
+  group: ${{github.workflow}}-${{ github.ref_name }} # group all runs by branch or tag
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }} # only cancel previous runs on PRs, we want each commit to build on branches
 permissions:
   contents: write # To upload assets
   id-token: write # For using token to sign images
@@ -28,12 +28,21 @@ jobs:
       FULL_MATRIX: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci/run-full-matrix') }}
       ALLOW_PUSH: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci/force-publish') }}
       BUILD: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci/run-build') || contains(github.event.pull_request.labels.*.name, 'ci/force-publish') }}
+      FORCE_PUBLISH_FROM_FORK: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ci/force-publish') && github.event.pull_request.head.repo.full_name != github.repository }}
     outputs:
       FULL_MATRIX: ${{ env.FULL_MATRIX }}
       ALLOW_PUSH: ${{ env.ALLOW_PUSH }}
       BUILD: ${{ env.BUILD }}
       IMAGES: ${{ steps.metadata.outputs.images }}
+      REGISTRY: ${{ steps.metadata.outputs.registry }}
+      VERSION_NAME: ${{ steps.metadata.outputs.version }}
+      NOTARY_REPOSITORY: ${{ (contains(steps.metadata.outputs.version, 'preview') && 'notary-internal') || 'notary' }}
     steps:
+      - name: "Fail when 'ci/force-publish' label is present on PRs from forks"
+        if: ${{ fromJSON(env.FORCE_PUBLISH_FROM_FORK) }}
+        run: |
+          echo "::error title=Label 'ci/force-publish' cannot be used on PRs from forks::To prevent accidental exposure of secrets, CI won't use repository secrets on pull requests from forks"
+          exit 1
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
           fetch-depth: 0
@@ -60,13 +69,16 @@ jobs:
       - run: |
           make check
       - id: sca-project
-        uses: Kong/public-shared-actions/security-actions/sca@590c699fe824010d7d563a33cc60500d847d3f9e # v2.1.0
+        uses: Kong/public-shared-actions/security-actions/sca@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
         with:
           dir: .
           config: .syft.yaml
+          upload-sbom-release-assets: true
       - id: metadata
         run: |
           echo "images=$(make images/info/release/json)" >> $GITHUB_OUTPUT
+          echo "registry=$(make docker/info/registry)" >> $GITHUB_OUTPUT
+          echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
   test:
     permissions:
       contents: read
@@ -88,10 +100,13 @@ jobs:
       IMAGE_ARTIFACT_NAME: "image_artifacts"
       BINARY_ARTIFACT_NAME: "binary_artifacts"
       IMAGES: ${{ needs.check.outputs.IMAGES }}
+      REGISTRY: ${{ needs.check.outputs.REGISTRY }}
+      NOTARY_REPOSITORY: ${{ needs.check.outputs.NOTARY_REPOSITORY }}
+      VERSION_NAME: ${{ needs.check.outputs.VERSION_NAME }}
     secrets: inherit
   provenance:
     needs: ["check", "build_publish"]
-    if: ${{ fromJSON(needs.check.outputs.BUILD) }}
+    if: ${{ github.ref_type == 'tag' }}
     uses: ./.github/workflows/_provenance.yaml
     secrets: inherit
     permissions:
@@ -100,18 +115,21 @@ jobs:
       actions: read # For getting workflow run info to build provenance
       packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
     with:
-      binary_artifacts_hashes_as_file: ${{ needs.build_publish.outputs.BINARY_ARTIFACT_DIGEST_BASE64 }}
-      images: ${{ needs.check.outputs.IMAGES }}
-      image_digests: ${{ needs.build_publish.outputs.IMAGE_DIGESTS }}
+      BINARY_ARTIFACTS_HASH_AS_FILE: ${{ needs.build_publish.outputs.BINARY_ARTIFACT_DIGEST_BASE64 }}
+      IMAGES: ${{ needs.check.outputs.IMAGES }}
+      REGISTRY: ${{ needs.check.outputs.REGISTRY }}
+      NOTARY_REPOSITORY: ${{ needs.check.outputs.NOTARY_REPOSITORY }}
+      IMAGE_DIGESTS: ${{ needs.build_publish.outputs.IMAGE_DIGESTS }}
   distributions:
     needs: ["build_publish", "check", "test", "provenance"]
     timeout-minutes: 10
     if: ${{ always() }}
     runs-on: ubuntu-latest
     steps:
       - name: "Halt due to previous failures"
-        if: ${{ contains(needs.*.result, 'failure')|| contains(needs.*.result, 'cancelled') }}
         run: |-
+          echo "results: ${{ toJson(needs.*.result) }}"
           # for some reason, GH Action will always trigger a downstream job even if there are errors in an dependent job
           # so we manually check it here. An example could be found here: https://github.com/kumahq/kuma/actions/runs/7044980149
-          exit 1
+          [[ ${{ contains(needs.*.result, 'failure')|| contains(needs.*.result, 'cancelled') }} == "true" ]] && exit 1
+          echo "All dependent jobs succeeded"

.github/workflows/codeql.yaml

@@ -24,13 +24,13 @@ jobs:
         with:
           go-version-file: go.mod
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/init@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1
         with:
           config-file: ./.github/codeql/codeql-config.yml
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/autobuild@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/analyze@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1
         with:
           category: "/language:${{matrix.language}}"