Merge branch 'main' into update-crd-version

.github/workflows/publish-package.yml

@@ -4,6 +4,9 @@ on:
   push:
     tags:
       - v*
+  schedule:
+    - cron: '30 8 * * 0'  # early morning (08:30 UTC) every Sunday
+  workflow_dispatch:
 
 permissions: read-all
 
@@ -20,13 +23,20 @@ jobs:
         id: prepare
         run: |
           VERSION=${GITHUB_REF#refs/*/}
-          BRANCH_NAME=${GITHUB_REF#refs/heads/}
+          DATE=$(date +'%Y%m%d')
+          REPOSITORY=ghcr.io/${{ github.repository }}
+          REPOSITORYCRD=ghcr.io/${{ github.repository }}-crds
           if [[ "${VERSION}" == "${BRANCH_NAME}" ]]; then
             VERSION=$(git rev-parse --short HEAD)
           fi
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" || "${{ github.event_name }}" == "schedule" ]]; then
+            VERSION=dev.${DATE}
+            REPOSITORY=${REPOSITORY}-dev
+            REPOSITORYCRD=${REPOSITORYCRD}-dev
+          fi
           echo ::set-output name=version::${VERSION}
-          echo ::set-output name=ref::ghcr.io/${{ github.repository }}:${VERSION}
-          echo ::set-output name=crdref::ghcr.io/${{ github.repository }}-crds:${VERSION}
+          echo ::set-output name=ref::${REPOSITORY}:${VERSION}
+          echo ::set-output name=crdref::${REPOSITORYCRD}:${VERSION}
       - name: docker build ratify
         run: |
           docker build -f ./httpserver/Dockerfile --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.ref }} .

RELEASES.md

@@ -22,10 +22,13 @@ Example pre-release versions include `v0.1.0-alpha1`, `v0.1.0-beta2`, `v0.1.0-rc
 
 ## Pre Release Activity
 
- [Test.bats](test/bats/test.bats) provides limited end to end test coverage, while we are working on improving our coverage, please perform [manual validations](test/ManualValidation.md) to ensure release quality.
+Most e2e-scenarios for cli, K8, and Azure are covered by the ratify e2e tests. Please refer to this [document](test/validation.md) for the current supported and unsupported tests. 
 
- Validate that the format of the data returned for external data calls has not changed. If it has changed update the version in `httpserver/types.go` to reflect a change in the format and document the update.
+Please perform manual prerelease validations for the unsupported tests list [here](test/validation.md#unsupported-tests)
 
+Validate that the format of the data returned for external data calls has not changed. If it has changed update the version in `httpserver/types.go` to reflect a change in the format and document the update.
+
+Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` packages. Each dev image tag is prefixed with `dev` followed by the date of creation (e.g a build generated on March 2, 2023 would be tagged `dev.20230302`).
 ## Git Release Flow
 
 This section deals with the practical considerations of versioning in Git, this repo's version control system.  See the semantic versioning specification for the scope of changes allowed for each release type.

go.mod

@@ -28,7 +28,6 @@ require (
 	github.com/open-policy-agent/frameworks/constraint v0.0.0-20220627162905-95c012350402
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc2
-	github.com/oras-project/artifacts-spec v1.0.0-rc.2
 	github.com/pkg/errors v0.9.1
 	github.com/sigstore/cosign v1.13.1
 	github.com/sigstore/sigstore v1.4.6
@@ -39,9 +38,9 @@ require (
 	golang.org/x/sync v0.1.0
 	google.golang.org/grpc v1.50.1
 	google.golang.org/protobuf v1.28.1
-	k8s.io/api v0.24.10
-	k8s.io/apimachinery v0.24.10
-	k8s.io/client-go v0.24.10
+	k8s.io/api v0.24.11
+	k8s.io/apimachinery v0.24.11
+	k8s.io/client-go v0.24.11
 	oras.land/oras-go/v2 v2.0.0
 )
 

go.sum

@@ -901,8 +901,6 @@ github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/oras-project/artifacts-spec v1.0.0-rc.2 h1:9SMCNSxkJEHqWGDiMCuy6TXHgvjgwXGdXZZGXLKQvVE=
-github.com/oras-project/artifacts-spec v1.0.0-rc.2/go.mod h1:Xch2aLzSwtkhbFFN6LUzTfLtukYvMMdXJ4oZ8O7BOdc=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
 github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
@@ -1900,19 +1898,19 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs=
 k8s.io/api v0.24.2/go.mod h1:AHqbSkTm6YrQ0ObxjO3Pmp/ubFF/KuM7jU+3khoBsOg=
-k8s.io/api v0.24.10 h1:ikYsEPMxnTW5ZqOVU0dRZ/QXSOZxE393y+7pUZiRFXg=
-k8s.io/api v0.24.10/go.mod h1:H1RVF3JPcla30nosN0B/mjHVrF5jKvT9GaG+68wMRAo=
+k8s.io/api v0.24.11 h1:fyKC53FxEbRpd7sn4Z/T8HIBVChIN+7FgtiKMe3qmX8=
+k8s.io/api v0.24.11/go.mod h1:YH1vQls490acgEr/bfoQSsu1wqmAUif6TsJ2/JBsmXk=
 k8s.io/apiextensions-apiserver v0.24.2 h1:/4NEQHKlEz1MlaK/wHT5KMKC9UKYz6NZz6JE6ov4G6k=
 k8s.io/apiextensions-apiserver v0.24.2/go.mod h1:e5t2GMFVngUEHUd0wuCJzw8YDwZoqZfJiGOW6mm2hLQ=
 k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U=
 k8s.io/apimachinery v0.24.2/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM=
-k8s.io/apimachinery v0.24.10 h1:1KWw24JyTsyi4LdAItmVclCv+H8jS9aiOuolIx1+28E=
-k8s.io/apimachinery v0.24.10/go.mod h1:WKP/nbpA6xR1TodchJym9COpVcn+V3cAaaNmXk6bwzA=
+k8s.io/apimachinery v0.24.11 h1:Iv6uO3O4wDCN93p/ehg2u3/Y6q1fti43zgJmAy9DVvs=
+k8s.io/apimachinery v0.24.11/go.mod h1:Yg8GIoNnVG9af59MrlKMm4Unsw3EBj+MfEBvfSid2/4=
 k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ=
 k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y=
 k8s.io/client-go v0.24.2/go.mod h1:zg4Xaoo+umDsfCWr4fCnmLEtQXyCNXCvJuSsglNcV30=
-k8s.io/client-go v0.24.10 h1:OES38LCaqmeJDpjy3lqDRAlAO4376dFXD3X/A0RSTTQ=
-k8s.io/client-go v0.24.10/go.mod h1:NqCCKuS48y1Hf9g7heYm4uns5l3NLmbv0AYLGrMG7n4=
+k8s.io/client-go v0.24.11 h1:Rzh2y3pAzquiKXOIw6Gb7JKQEIagkgt4/WJ4xhymOl4=
+k8s.io/client-go v0.24.11/go.mod h1:siv8qBAK/AOperwUM0E6poDMTfByCORycs5C+JmIMrA=
 k8s.io/code-generator v0.24.2/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w=
 k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI=
 k8s.io/component-base v0.24.2 h1:kwpQdoSfbcH+8MPN4tALtajLDfSfYxBDYlXobNWI6OU=

test/validation.md

@@ -0,0 +1,43 @@
+# Validation
+Our goal is to automate as much testing as possible with unit and integration tests. For all CLI test scenarios covered today, please see [cli-test.bats](bats/cli-test.bats). For all K8 supported test scenarios covered today, please see [test.bats](bats/test.bats). For all Azure supported test scenarios covered today, please see [azure-test.bats](bats/azure-test.bats).
+
+## Unsupported Tests
+
+While we are working on improving our coverage, here is the list of scenarios that currently require manual validation: 
+- Azure Managed Identity Auth Provider
+- AWS ECR IRSA Auth Provider
+
+## Supported Tests
+
+### CLI
+- Verifier Scenarios
+    - Notation v2
+    - Cosign
+        - Keyed
+        - Keyless 
+    - SBOM
+    - License Checker
+    - JSON Schema Validation
+    - All verifier types in one
+- Dynamic OCI Plugins
+    - Verifier Plugin
+    - Store Plugin
+### Kubernetes
+- Verifier Scenarios
+    - Notation v2
+    - Cosign
+    - SBOM
+    - License Checker
+    - JSON Schema Validation
+    - All verifier types in one
+- ORAS Store Authentication Providers
+    - Docker
+    - Kubernetes Secrets
+    - Azure Workload Identity
+    - Azure Managed Identity
+- Certificate Store Providers
+    - Inline Certificate
+    - Azure Key Vault Certificate
+- Mutation Provider
+- Dynamic OCI Plugins
+    - Verifier Plugin