sigstore · haydentherapper · Sep 20, 2022 · Aug 31, 2022
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -30,8 +30,8 @@ jobs:
     permissions: {}
 
     env:
-      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5
-      COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.10.1@sha256:9377edd13ae515dcb97c15052e577a2cbce098f36b0361bdb2348e3bdd8fe536
+      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.1-0@sha256:8e4115486c3cc1c3da2b4f576afdc206718f61793854b79a491eb34c52ceed1a
+      COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.12.0@sha256:880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0
 
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3

diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml
@@ -70,10 +70,10 @@ jobs:
         with:
           go-version: ${{ env.GOVERSION }}
 
-      - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.4
+      - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 
       - name: Setup Cluster
-        uses: chainguard-dev/actions/setup-kind@84c993eaf02da1c325854fb272a4df9184bd80fc # main
+        uses: chainguard-dev/actions/setup-kind@7d1eb557f464d97e5fe5177807a9226141eb9308 # main
         with:
           k8s-version: v1.22.x
           registry-authority: ${{ env.REGISTRY_NAME }}:${{ env.REGISTRY_PORT }}
@@ -87,7 +87,6 @@ jobs:
               -out "${{ github.run_id }}-cert.pem" \
               -subj "/CN=ed25519" \
               -days 36500 \
-              -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
               -passout pass:"${{ github.run_id }}"
 
       - name: Deploy fulcio-system
@@ -164,7 +163,7 @@ jobs:
                 automountServiceAccountToken: false
                 containers:
                 - name: check-oidc
-                  image: gcr.io/projectsigstore/cosign:v1.4.1
+                  image: gcr.io/projectsigstore/cosign:v1.12.0
                   args: [
                     "sign",
                     "--fulcio-url=http://fulcio-server.fulcio-system.svc",

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -56,7 +56,7 @@ jobs:
         timeout-minutes: 5
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.48.0
+          version: v1.49
 
   oidc-config:
     name: oidc-config

diff --git a/.golangci.yml b/.golangci.yml
@@ -15,7 +15,7 @@
 
 linters:
   enable:
-  - deadcode
+  - unused
   - errcheck
   - gofmt
   - goimports
@@ -36,7 +36,7 @@ issues:
     linters:
     - staticcheck
     text: SA1019
-  - path: pkg/ca/tinkca/signer.go 
+  - path: pkg/ca/tinkca/signer.go
     linters:
     - staticcheck
     text: SA1019

diff --git a/Dockerfile b/Dockerfile
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.18.5@sha256:fb249eca1b9172732de4950b0fb0fb5c231b83c2c90952c56d822d8a9de4d64b AS builder
+FROM golang:1.19.1@sha256:2d17ffd12a2cdb25d4a633ad25f8dc29608ed84f31b3b983427d825280427095 AS builder
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
 
@@ -28,7 +28,7 @@ RUN go build -o server main.go
 RUN CGO_ENABLED=1 go build -gcflags "all=-N -l" -o server_debug main.go
 
 # Multi-Stage production build
-FROM golang:1.18.5@sha256:fb249eca1b9172732de4950b0fb0fb5c231b83c2c90952c56d822d8a9de4d64b as deploy
+FROM golang:1.19.1@sha256:2d17ffd12a2cdb25d4a633ad25f8dc29608ed84f31b3b983427d825280427095 as deploy
 
 # Retrieve the binary from the previous stage
 COPY --from=builder /opt/app-root/src/server /usr/local/bin/fulcio-server

diff --git a/Dockerfile.ctfe_init b/Dockerfile.ctfe_init
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.18.5@sha256:fb249eca1b9172732de4950b0fb0fb5c231b83c2c90952c56d822d8a9de4d64b AS builder
+FROM golang:1.19.1@sha256:2d17ffd12a2cdb25d4a633ad25f8dc29608ed84f31b3b983427d825280427095 AS builder
 
 WORKDIR /root/
 

diff --git a/federation/main.go b/federation/main.go
@@ -17,7 +17,7 @@ package main
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 
 	"github.com/sigstore/fulcio/pkg/config"
@@ -79,7 +79,7 @@ func main() {
 		},
 	}
 	for _, m := range matches {
-		b, err := ioutil.ReadFile(m)
+		b, err := os.ReadFile(m)
 		if err != nil {
 			panic(err)
 		}
@@ -106,7 +106,7 @@ func main() {
 	}
 
 	// Update the yaml
-	yb, err := ioutil.ReadFile("config/fulcio-config.yaml")
+	yb, err := os.ReadFile("config/fulcio-config.yaml")
 	if err != nil {
 		panic(err)
 	}
@@ -125,7 +125,7 @@ func main() {
 
 	yamlWithBoilerplate := boilerPlate + string(newYaml)
 
-	if err := ioutil.WriteFile("config/fulcio-config.yaml", []byte(yamlWithBoilerplate), 0600); err != nil {
+	if err := os.WriteFile("config/fulcio-config.yaml", []byte(yamlWithBoilerplate), 0600); err != nil {
 		panic(err)
 	}
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -21,7 +21,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -371,7 +370,7 @@ func Load(configPath string) (*FulcioConfig, error) {
 		}
 		return config, nil
 	}
-	b, err := ioutil.ReadFile(configPath)
+	b, err := os.ReadFile(configPath)
 	if err != nil {
 		return nil, fmt.Errorf("read file: %w", err)
 	}
@@ -398,7 +397,7 @@ func Read(b []byte) (*FulcioConfig, error) {
 			rootCAs = x509.NewCertPool()
 		}
 		const k8sCA = "/var/run/fulcio/ca.crt"
-		certs, err := ioutil.ReadFile(k8sCA)
+		certs, err := os.ReadFile(k8sCA)
 		if err != nil {
 			return nil, fmt.Errorf("read file: %w", err)
 		}

diff --git a/pkg/config/config_network_test.go b/pkg/config/config_network_test.go
@@ -19,7 +19,7 @@ package config
 
 import (
 	"context"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"testing"
 
@@ -30,7 +30,7 @@ import (
 func TestLoad(t *testing.T) {
 	td := t.TempDir()
 	cfgPath := filepath.Join(td, "config.json")
-	if err := ioutil.WriteFile(cfgPath, []byte(validCfg), 0644); err != nil {
+	if err := os.WriteFile(cfgPath, []byte(validCfg), 0644); err != nil {
 		t.Fatal(err)
 	}
 

diff --git a/pkg/generated/protobuf/fulcio.pb.go b/pkg/generated/protobuf/fulcio.pb.go
diff --git a/pkg/generated/protobuf/fulcio_grpc.pb.go b/pkg/generated/protobuf/fulcio_grpc.pb.go
diff --git a/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go b/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go
diff --git a/pkg/server/max_bytes_test.go b/pkg/server/max_bytes_test.go
@@ -16,7 +16,7 @@
 package server
 
 import (
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"strings"
@@ -26,7 +26,7 @@ import (
 func TestWithMaxBytes(t *testing.T) {
 	var maxBodySize int64 = 10
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		_, err := ioutil.ReadAll(r.Body)
+		_, err := io.ReadAll(r.Body)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
 			return