
feat: (PoC) Source Verification Policies #14966

Draft
wants to merge 7 commits into base: master

Conversation

jannfis (Member)

@jannfis jannfis commented Aug 8, 2023

This is a proof of concept for Source Verification Policies, as outlined in #14964.

CLI and UI code are out of sync with the API in this PoC, but will eventually be synchronized before the PR becomes mergeable.

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issue number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.

Please see Contribution FAQs if you have questions about your pull-request.

Signed-off-by: jannfis <jann@mistrust.net>

codecov bot commented Aug 8, 2023

Codecov Report

Attention: Patch coverage is 41.41593%, with 331 lines in your changes missing coverage. Please review.

Project coverage is 49.30%. Comparing base (05eea87) to head (7573dc6).
Report is 38 commits behind head on master.

Files                                      Patch %   Lines
cmd/argocd/commands/project.go              0.00%   132 Missing ⚠️
controller/state.go                        51.93%   74 Missing and 13 partials ⚠️
pkg/apis/application/v1alpha1/types.go      0.00%   56 Missing ⚠️
reposerver/repository/repository.go        69.23%   21 Missing and 7 partials ⚠️
util/git/client.go                         63.46%   14 Missing and 5 partials ⚠️
util/git/git.go                             0.00%   6 Missing ⚠️
util/gpg/gpg.go                            90.90%   2 Missing ⚠️
util/db/gpgkeys.go                         94.44%   1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #14966      +/-   ##
==========================================
- Coverage   49.44%   49.30%   -0.15%     
==========================================
  Files         273      274       +1     
  Lines       48662    49208     +546     
==========================================
+ Hits        24063    24261     +198     
- Misses      22237    22567     +330     
- Partials     2362     2380      +18     


jannfis (Member, Author)

jannfis commented Mar 31, 2024

@CodiumAI-Agent /review

@CodiumAI-Agent

PR Review

⏱️ Estimated effort to review [1-5]

4, due to the introduction of a new feature involving GPG signature verification which impacts various components including the API, CLI, and UI. The changes are spread across multiple files and involve both backend and frontend modifications, requiring a thorough review to ensure compatibility, security, and correctness.

🧪 Relevant tests

Yes

🔍 Possible issues

Possible Bug: The removal of mustReadFile utility function in controller/state_test.go and its replacement with testResult might not cover all test scenarios previously handled by reading actual file contents.

Security Concern: The introduction of GPG signature verification requires careful handling of cryptographic operations and key management to avoid security vulnerabilities.

🔒 Security concerns

GPG Key Handling: The changes involve handling GPG keys for signature verification. It's crucial to ensure that the implementation securely manages these keys, preventing unauthorized access or leakage.

Code feedback:

relevant file: controller/state_test.go
suggestion: Consider reintroducing a utility function similar to mustReadFile for tests that might require reading from files in the future, ensuring flexibility in test scenarios. [medium]
relevant line: -func mustReadFile(path string) string {

relevant file: util/gpg/gpg.go
suggestion: Ensure thorough validation and error handling around GPG key parsing and signature verification to prevent potential security issues. [important]
relevant line: func testResult(commitSHA, keyID, result, identity string) []*argoappv1.RevisionSignatureInfo {

relevant file: test/e2e/app_management_ns_test.go
suggestion: Update the project references in E2E tests from "gpg" to "gpg-legacy" to reflect the new project setup and ensure tests are aligned with the latest configurations. [medium]
relevant line: - Project("gpg").

relevant file: ui/src/app/settings/components/project-details/project-details.tsx
suggestion: Add UI validation for GPG key inputs in the project details page to ensure user-provided keys are in a valid format before submission. [medium]
relevant line: ui/src/app/settings/components/project-details/project-details.tsx

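The review above asks for validation of user-provided GPG keys before they are submitted, and for careful error handling around key parsing. As an added example that is not part of this PR or of Argo CD's code, the Go program below performs the structural checks a server or CLI can run on a pasted public key before handing it to gpg: the armor header and footer lines, optional "Name: value" armor headers, a base64 body, and the RFC 4880 CRC-24 trailer. The function names (crc24, ValidateArmoredPublicKey, ArmorPublicKey) and the sample payload are my own choices; the payload is constructed bytes, not a real key.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CRC-24 parameters from RFC 4880 section 6.1 (OpenPGP ASCII armor checksum).
const (
	crc24Init = 0xB704CE
	crc24Poly = 0x1864CFB

	armorHeader = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
	armorFooter = "-----END PGP PUBLIC KEY BLOCK-----"
)

// crc24 computes the OpenPGP armor checksum over data, bit by bit as in RFC 4880.
func crc24(data []byte) uint32 {
	crc := uint32(crc24Init)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			crc <<= 1
			if crc&0x1000000 != 0 {
				crc ^= crc24Poly
			}
		}
	}
	return crc & 0xFFFFFF
}

// indexBlank returns the index of the first blank line, or -1 if there is none.
func indexBlank(lines []string) int {
	for i, l := range lines {
		if strings.TrimSpace(l) == "" {
			return i
		}
	}
	return -1
}

// ValidateArmoredPublicKey checks that input is one well-formed ASCII-armored
// OpenPGP public key block (header and footer lines, optional armor headers,
// a base64 body and a matching CRC-24 trailer) and returns the decoded packet
// bytes. It does not parse the packets or decide whether the key is trusted;
// that remains the job of gpg and of the project's allowed-key list.
func ValidateArmoredPublicKey(input string) ([]byte, error) {
	text := strings.ReplaceAll(strings.TrimSpace(input), "\r\n", "\n")
	lines := strings.Split(text, "\n")
	if len(lines) < 3 || strings.TrimSpace(lines[0]) != armorHeader ||
		strings.TrimSpace(lines[len(lines)-1]) != armorFooter {
		return nil, errors.New("missing or malformed armor header/footer line")
	}
	body := lines[1 : len(lines)-1]
	// Armor headers ("Version: ...", "Comment: ...") end at the first blank line.
	if blank := indexBlank(body); blank >= 0 {
		for _, h := range body[:blank] {
			if !strings.Contains(h, ": ") {
				return nil, fmt.Errorf("unexpected line before armor body: %q", h)
			}
		}
		body = body[blank+1:]
	}
	if len(body) < 2 {
		return nil, errors.New("armor body too short")
	}
	crcLine := strings.TrimSpace(body[len(body)-1])
	if len(crcLine) != 5 || crcLine[0] != '=' {
		return nil, errors.New("missing CRC-24 trailer line")
	}
	var b64 strings.Builder
	for _, l := range body[:len(body)-1] {
		b64.WriteString(strings.TrimSpace(l))
	}
	payload, err := base64.StdEncoding.DecodeString(b64.String())
	if err != nil {
		return nil, fmt.Errorf("armor body is not valid base64: %w", err)
	}
	if len(payload) == 0 {
		return nil, errors.New("armor body is empty")
	}
	want, err := base64.StdEncoding.DecodeString(crcLine[1:])
	if err != nil || len(want) != 3 {
		return nil, errors.New("CRC-24 trailer is not valid base64")
	}
	wantCRC := uint32(want[0])<<16 | uint32(want[1])<<8 | uint32(want[2])
	if got := crc24(payload); got != wantCRC {
		return nil, errors.New("CRC-24 mismatch: key block is corrupted or truncated")
	}
	return payload, nil
}

// ArmorPublicKey wraps packet bytes in an armor envelope laid out like the output
// of gpg --export --armor (64-character lines, CRC trailer). Used here only to
// build sample input for the validator.
func ArmorPublicKey(packets []byte) string {
	b64 := base64.StdEncoding.EncodeToString(packets)
	var sb strings.Builder
	sb.WriteString(armorHeader + "\n\n")
	for len(b64) > 64 {
		sb.WriteString(b64[:64] + "\n")
		b64 = b64[64:]
	}
	c := crc24(packets)
	sb.WriteString(b64 + "\n")
	sb.WriteString("=" + base64.StdEncoding.EncodeToString([]byte{byte(c >> 16), byte(c >> 8), byte(c)}) + "\n")
	sb.WriteString(armorFooter + "\n")
	return sb.String()
}

func main() {
	// Constructed sample bytes: not a real OpenPGP key, just a payload for the checks.
	sample := []byte("constructed-sample-packet-bytes, not a real key")
	armored := ArmorPublicKey(sample)
	if _, err := ValidateArmoredPublicKey(armored); err != nil {
		fmt.Println("unexpected rejection:", err)
	} else {
		fmt.Println("intact armored block accepted")
	}
	// Drop four base64 characters from the body, as when a key is pasted incompletely.
	i := strings.Index(armored, "\n\n") + 2
	if _, err := ValidateArmoredPublicKey(armored[:i] + armored[i+4:]); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Passing this check only means the pasted block is intact; it says nothing about whose key it is, so fingerprint and identity checks against the project's allowed keys still have to happen after gpg has parsed it. The validator is deliberately strict about the CRC trailer because gpg's armored export emits it; newer OpenPGP (RFC 9580) makes that trailer optional, so a validator meant for keys produced by other tools should treat its absence as acceptable rather than as corruption.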
