From e25b7f7819d03b8d30d1061535c69ad1b2d33c93 Mon Sep 17 00:00:00 2001 From: Flavio Castelli Date: Mon, 19 Jan 2026 18:41:35 +0100 Subject: [PATCH 1/2] feat: add new actions to perform builds Port the native runner builds into actions that can be invoked from the release of build-containers GHA of kubewarden and also sbomscanner. Signed-off-by: Flavio Castelli --- attestation/action.yml | 103 +++++++++++++++++++++++++++++++++++++ container-build/action.yml | 92 +++++++++++++++++++++++++++++++++ merge-multiarch/action.yml | 102 ++++++++++++++++++++++++++++++++++++ 3 files changed, 297 insertions(+) create mode 100644 attestation/action.yml create mode 100644 container-build/action.yml create mode 100644 merge-multiarch/action.yml diff --git a/attestation/action.yml b/attestation/action.yml new file mode 100644 index 0000000..5b0b904 --- /dev/null +++ b/attestation/action.yml 
@@ -0,0 +1,103 @@ +name: attestation +description: extract and sign provenance and SBOM files +inputs: + component: + description: | + The component name (e.g., policy-server, kubewarden-controller, audit-scanner) + required: true + arch: + description: architecture being processed + required: true + GITHUB_TOKEN: + description: | + The GitHub token with permission to publish images to ghcr. + required: true +runs: + using: composite + steps: + - name: Install cosign + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + - name: Install the crane command + uses: kubewarden/github-actions/crane-installer@v4.5.15 + - name: Login to GitHub Container Registry + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ inputs.GITHUB_TOKEN }} + - name: Download all digests + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + path: ${{ runner.temp }}/digests + pattern: digest-${{ inputs.component }}-* + merge-multiple: true + - name: Retrieve digest + working-directory: ${{ runner.temp }}/digests + shell: bash + run: | + set -e + DIGEST=$(cat ${{ inputs.component }}-${{ inputs.arch }}.txt) + echo "DIGEST=${DIGEST}" >> "$GITHUB_ENV" + - name: Find attestation digest + shell: bash + run: | + set -e + DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.DIGEST }} \ + | jq -r '.manifests[] + | select(.annotations["vnd.docker.reference.type"] == "attestation-manifest") + | .digest') + echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV" + - name: Find provenance manifest digest + shell: bash + run: | + set -e + DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST }} | + jq -r '.layers[] + | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") + | 
.digest') + echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV" + - name: Find SBOM manifest layer digest + shell: bash + run: | + set -e + DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ + jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")') + echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" + + # We need to upload provenance and SBOM files, plus their signatures under the GitHub Release page. + # Moreover, the files have to be named in a certain way. + # This is required by [ossf](https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases) + - name: Download provenance and SBOM files + shell: bash + run: | + set -e + crane blob ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.PROVENANCE_DIGEST}} \ + > ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl + crane blob ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.SBOM_DIGEST}} \ + > ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json + - name: Sign provenance and SBOM files + shell: bash + run: | + set -e + cosign sign-blob --yes \ + --bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \ + ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl + cosign verify-blob \ + --bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity="${{ github.server_url }}/${{ github.workflow_ref }}" \ + ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl + + cosign sign-blob --yes \ + --bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \ + ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json 
+ cosign verify-blob \ + --bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity="${{ github.server_url }}/${{ github.workflow_ref }}" \ + ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json + - name: Upload SBOMs as artifacts + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: attestation-${{ inputs.component }}-${{ inputs.arch }} + path: ${{ inputs.component }}-attestation-${{ inputs.arch }}* diff --git a/container-build/action.yml b/container-build/action.yml new file mode 100644 index 0000000..79aaaa1 --- /dev/null +++ b/container-build/action.yml 
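Review bot: In the "Find SBOM manifest layer digest" step the `jq` call lacks `-r`, unlike the provenance step, so `SBOM_DIGEST` is written to `$GITHUB_ENV` as a JSON-quoted string (`"sha256:…"`); the later `crane blob …@${{ env.SBOM_DIGEST}}` only works because the expression is pasted into the script text before bash strips the quotes, and it breaks as soon as the value is passed through `env:` or quoted. The `join(" ")` also means that with more than one SPDX layer the value becomes a space-separated list that a single `crane blob` cannot fetch. Mirror the provenance step, `jq -r '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document") | .digest'`, and iterate if several SBOM layers are genuinely expected. None of the three lookup steps checks for an empty result (a non-matching selector makes `jq` print nothing and the step still succeeds), so add `[ -n "$DIGEST" ] || { echo "no matching digest found"; exit 1; }` before each `>> "$GITHUB_ENV"` so the failure surfaces here rather than at the signing step.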
@@ -0,0 +1,92 @@ +name: container-build +description: build/sign an image and publish its digest in artifact +inputs: + digest_artifact_prefix: + description: the prefix of the artifact filename + default: digest- + component: + description: | + The component name (e.g., policy-server, kubewarden-controller, audit-scanner) + required: true + arch: + description: | + Target architecture to build (e.g., amd64, arm64) + required: true + platform: + description: | + Target platform for Docker build (e.g., linux/amd64, linux/arm64) + required: true + GITHUB_TOKEN: + description: | + The GitHub token with permission to publish images to ghcr. + required: true +runs: + using: composite + steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Install cosign + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + - name: Login to GitHub Container Registry + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ inputs.GITHUB_TOKEN }} + - name: Docker meta + id: meta + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + with: + images: ghcr.io/${{ github.repository_owner }}/${{ inputs.component }} + - name: Build and push ${{ inputs.component }} for ${{ inputs.arch }} + id: build-image + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + context: . 
+ file: ./Dockerfile.${{ inputs.component }} + labels: ${{ steps.meta.outputs.labels }} + platforms: ${{ inputs.platform }} + push: true + sbom: true + provenance: mode=max + tags: ghcr.io/${{ github.repository_owner }}/${{ inputs.component }} + + # We need to disable the new bundle format enabled by default since + # cosign v3.x.x because some verification tools (e.g. slsactl, hauler and old + # cosign) are not able to properly verify the signatures using this + # new format + - name: Sign container image with cosign v2 signature format + shell: bash + run: | + cosign sign --yes --new-bundle-format=false --use-signing-config=false \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ steps.build-image.outputs.digest }} + + - name: Sign container image with cosign v3 signature format + shell: bash + run: | + cosign sign --yes --new-bundle-format=true --use-signing-config=true \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ steps.build-image.outputs.digest }} + + - name: Verify container image signature + shell: bash + run: | + cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity="${{ github.server_url }}/${{ github.workflow_ref }}" \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ steps.build-image.outputs.digest }} + + - name: Export digest + shell: bash + run: | + mkdir -p ${{ runner.temp }}/digests + digest="${{ steps.build-image.outputs.digest }}" + echo "${digest}" > "${{ runner.temp }}/digests/${{ inputs.component }}-${{ inputs.arch }}.txt" + + - name: Upload digest + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: ${{ inputs.digest_artifact_prefix }}${{ inputs.component }}-${{ inputs.arch }} + path: ${{ runner.temp }}/digests/*.txt + retention-days: 1 diff --git a/merge-multiarch/action.yml b/merge-multiarch/action.yml new file mode 100644 index 0000000..3357b1a --- /dev/null 
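Review bot: The per-arch build step sets `tags: ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}` with no tag component together with `push: true`, so as far as I can tell buildx normalizes the reference to `:latest` and each architecture's run overwrites that tag with a single-arch image while the merge step only ever consumes the exported digest. Prefer pushing by digest only, `outputs: type=image,name=ghcr.io/${{ github.repository_owner }}/${{ inputs.component }},push-by-digest=true,name-canonical=true,push=true`, and drop `push:` and `tags:` from this step so no mutable tag is touched before the verified multi-arch manifest exists. The "Export digest" step could also assert the digest is non-empty before writing the artifact, e.g. `[ -n "${digest}" ] || exit 1`, since an empty file would make the merge step build a malformed `@` reference. The upload-artifact pin here (v6.0.0) differs from the v5.0.0 used in attestation/action.yml in the same series; pinning the same release in both keeps the artifact format consistent.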
+++ b/merge-multiarch/action.yml 
@@ -0,0 +1,102 @@ +name: merge-multiarch-images +description: merge multi-arch images based on images digests provided +inputs: + digest_artifact_prefix: + description: the prefix of the artifact filename + default: digest- + component: + description: | + The component name (e.g., policy-server, kubewarden-controller, audit-scanner) + required: true + tag: + description: | + The tag component in a fully qualified image. + required: true + arch: + description: The list of image architecture for this action to merge (comma-separated) + default: amd64,arm64 + GITHUB_TOKEN: + description: | + The GitHub token with permission to publish images to ghcr. + required: true +runs: + using: composite + steps: + - name: Download all digests + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + with: + path: ${{ runner.temp }}/digests + pattern: ${{ inputs.digest_artifact_prefix}}${{ inputs.component }}-* + merge-multiple: true + - name: Install cosign + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + - name: Login to GHCR + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ inputs.GITHUB_TOKEN }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + - name: Create and push multi-arch manifest for ${{ inputs.component }} + id: create-manifest + working-directory: ${{ runner.temp }}/digests + shell: bash + run: | + set -e + TARGET="" + + ARCHES=$(echo ${{ inputs.arch }} | tr ',' ' ') + + for ARCH in $ARCHES + do + TARGET+=" ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@$(cat ${{ inputs.component }}-$ARCH.txt)" + done + + # Create the manifest locally + docker buildx imagetools create \ + -t ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}:${{ inputs.tag }} \ + $TARGET \ + --dry-run > 
expected-multi-arch-manifest.json + + # Create the manifest and push it + docker buildx imagetools create \ + -t ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}:${{ inputs.tag }} \ + $TARGET + + # The previous command is NOT printing the digest of the multi-arch manifest, we have to obtain it by + # fetching it from the OCI registry and **verify** its contents before signing it + + # Fetch the multi arch manifest + docker buildx imagetools inspect ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}:${{ inputs.tag }} \ + --raw > multi-arch-manifest.json + multi_arch_manifest_digest="sha256:$(sha256sum multi-arch-manifest.json | awk '{print $1}')" + + # Compare the contents of the manifest we previously computed and the actual one. + # Use jq to sort the contents and build a compact output (removing useless whitespaces), + # this is done to ensure the JSON documents have the same structure. + expected_digest="sha256:$(jq -S -c . expected-multi-arch-manifest.json | sha256sum | awk '{print $1}')" + actual_digest="sha256:$(jq -S -c . multi-arch-manifest.json | sha256sum | awk '{print $1}')" + + if [ "$expected_digest" != "$actual_digest" ]; then + echo "Error: digests do not match!" 
+ exit 1 + fi + + # Sign the multi-arch image manifest using cosign v2 format + cosign sign --yes --new-bundle-format=false --use-signing-config=false \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${multi_arch_manifest_digest} + + # Sign the multi-arch image manifest using cosign v3 format + cosign sign --yes --new-bundle-format=true --use-signing-config=true \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${multi_arch_manifest_digest} + + echo "MULTI_ARCH_MANIFEST_DIGEST=$multi_arch_manifest_digest" >> $GITHUB_ENV + + - name: Verify multi-arch manifest signature + shell: bash + run: | + cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity="${{ github.server_url }}/${{ github.workflow_ref }}" \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.MULTI_ARCH_MANIFEST_DIGEST}} From 63d534ad6c28d1bb163e442c482fc2ee86b11d6f Mon Sep 17 00:00:00 2001 From: Flavio Castelli Date: Mon, 19 Jan 2026 21:27:09 +0100 Subject: [PATCH 2/2] chore: Prepare for release 4.5.16 sed --in-place 's/4\.5\.15/4\.5\.16/' $(find . -maxdepth 3 -name "*.yml") Signed-off-by: Flavio Castelli --- .../reusable-release-policy-assemblyscript.yml | 8 ++++---- .github/workflows/reusable-release-policy-go-wasi.yml | 10 +++++----- .github/workflows/reusable-release-policy-go.yml | 10 +++++----- .github/workflows/reusable-release-policy-rego.yml | 10 +++++----- .github/workflows/reusable-release-policy-rust.yml | 10 +++++----- .github/workflows/reusable-release-policy-swift.yml | 8 ++++---- .github/workflows/reusable-test-policy-go-wasi.yml | 4 ++-- .github/workflows/reusable-test-policy-go.yml | 4 ++-- .github/workflows/reusable-test-policy-rego.yml | 2 +- .github/workflows/reusable-test-policy-rust.yml | 4 ++-- attestation/action.yml | 2 +- policy-gh-action-dependencies/action.yml | 6 +++--- push-artifacthub/action.yml | 2 +- 13 files changed, 40 insertions(+), 40 deletions(-) 
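Review bot: The "Create and push multi-arch manifest" step expands `${{ inputs.arch }}`, `${{ inputs.component }}` and `${{ inputs.tag }}` directly into the shell script, which for a composite action consumed by other repositories is the expression-injection pattern GitHub's hardening guidance warns about, and it also leaves `$(cat ${{ inputs.component }}-$ARCH.txt)` unquoted. Pass the inputs through the step's `env:` and reference them as quoted shell variables; the digest comparison, the two `cosign sign` calls and the verify step stay as they are. The trailing `>> $GITHUB_ENV` should be quoted as `>> "$GITHUB_ENV"` for consistency with attestation/action.yml. The `--dry-run` versus inspected-manifest comparison before signing is a good check; a one-line comment stating that it guards against signing a manifest that differs from the one just pushed would help the next reader.

```yaml
        shell: bash
        env:
          OWNER: ${{ github.repository_owner }}
          COMPONENT: ${{ inputs.component }}
          TAG: ${{ inputs.tag }}
          ARCH_LIST: ${{ inputs.arch }}
        run: |
          set -e
          TARGET=""
          for ARCH in ${ARCH_LIST//,/ }
          do
            TARGET+=" ghcr.io/${OWNER}/${COMPONENT}@$(cat "${COMPONENT}-${ARCH}.txt")"
          done
          # … unchanged: imagetools create/inspect, digest comparison, cosign sign (with ${OWNER}/${COMPONENT}/${TAG} substituted) …
          echo "MULTI_ARCH_MANIFEST_DIGEST=$multi_arch_manifest_digest" >> "$GITHUB_ENV"
```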
diff --git a/.github/workflows/reusable-release-policy-assemblyscript.yml b/.github/workflows/reusable-release-policy-assemblyscript.yml index 57e7bfa..11aad45 100644 --- a/.github/workflows/reusable-release-policy-assemblyscript.yml +++ b/.github/workflows/reusable-release-policy-assemblyscript.yml @@ -19,7 +19,7 @@ jobs: NODE_VERSION: 14 steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # until https://github.com/actions/checkout/pull/579 is released @@ -48,7 +48,7 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.15 + uses: kubewarden/github-actions/check-policy-version@v4.5.16 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: Setup node @@ -71,7 +71,7 @@ jobs: run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.15 + uses: kubewarden/github-actions/policy-release@v4.5.16 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -88,4 +88,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.15 + uses: kubewarden/github-actions/push-artifacthub@v4.5.16 diff --git a/.github/workflows/reusable-release-policy-go-wasi.yml b/.github/workflows/reusable-release-policy-go-wasi.yml index dc9723d..8bb605b 100644 --- a/.github/workflows/reusable-release-policy-go-wasi.yml +++ b/.github/workflows/reusable-release-policy-go-wasi.yml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # until https://github.com/actions/checkout/pull/579 is released @@ -46,16 +46,16 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.15 + uses: kubewarden/github-actions/check-policy-version@v4.5.16 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: Build and annotate policy - uses: kubewarden/github-actions/policy-build-go-wasi@v4.5.15 + uses: kubewarden/github-actions/policy-build-go-wasi@v4.5.16 - name: Run e2e tests run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.15 + uses: kubewarden/github-actions/policy-release@v4.5.16 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -71,4 +71,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.15 + uses: kubewarden/github-actions/push-artifacthub@v4.5.16 diff --git a/.github/workflows/reusable-release-policy-go.yml b/.github/workflows/reusable-release-policy-go.yml index 78319de..957fc91 100644 --- a/.github/workflows/reusable-release-policy-go.yml +++ b/.github/workflows/reusable-release-policy-go.yml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # until https://github.com/actions/checkout/pull/579 is released @@ -46,16 +46,16 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.15 + uses: kubewarden/github-actions/check-policy-version@v4.5.16 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: Build and annotate policy - uses: kubewarden/github-actions/policy-build-tinygo@v4.5.15 + uses: kubewarden/github-actions/policy-build-tinygo@v4.5.16 - name: Run e2e tests run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.15 + uses: kubewarden/github-actions/policy-release@v4.5.16 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -71,4 +71,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.15 + uses: kubewarden/github-actions/push-artifacthub@v4.5.16 diff --git a/.github/workflows/reusable-release-policy-rego.yml b/.github/workflows/reusable-release-policy-rego.yml index a878352..be2a364 100644 --- a/.github/workflows/reusable-release-policy-rego.yml +++ b/.github/workflows/reusable-release-policy-rego.yml 
@@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # until https://github.com/actions/checkout/pull/579 is released @@ -64,12 +64,12 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.15 + uses: kubewarden/github-actions/check-policy-version@v4.5.16 with: expected-version: ${{ steps.calculate-version.outputs.version }} policy-working-dir: ${{ inputs.policy-working-dir }} - name: Install opa - uses: kubewarden/github-actions/opa-installer@v4.5.15 + uses: kubewarden/github-actions/opa-installer@v4.5.16 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Build policy working-directory: ${{ inputs.policy-working-dir }} @@ -87,7 +87,7 @@ jobs: run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.15 + uses: kubewarden/github-actions/policy-release@v4.5.16 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -105,6 +105,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.15 + uses: kubewarden/github-actions/push-artifacthub@v4.5.16 with: policy-working-dir: ${{ inputs.policy-working-dir }} diff --git a/.github/workflows/reusable-release-policy-rust.yml b/.github/workflows/reusable-release-policy-rust.yml index d2e430a..b77e90d 100644 --- a/.github/workflows/reusable-release-policy-rust.yml +++ b/.github/workflows/reusable-release-policy-rust.yml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # until https://github.com/actions/checkout/pull/579 is released @@ -46,16 +46,16 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.15 + uses: kubewarden/github-actions/check-policy-version@v4.5.16 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: Build and annotate policy - uses: kubewarden/github-actions/policy-build-rust@v4.5.15 + uses: kubewarden/github-actions/policy-build-rust@v4.5.16 - name: Run e2e tests run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.15 + uses: kubewarden/github-actions/policy-release@v4.5.16 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -71,4 +71,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.15 + uses: kubewarden/github-actions/push-artifacthub@v4.5.16 diff --git a/.github/workflows/reusable-release-policy-swift.yml b/.github/workflows/reusable-release-policy-swift.yml index 3cbcc10..09c10a6 100644 --- a/.github/workflows/reusable-release-policy-swift.yml +++ b/.github/workflows/reusable-release-policy-swift.yml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # until https://github.com/actions/checkout/pull/579 is released @@ -46,7 +46,7 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.15 + uses: kubewarden/github-actions/check-policy-version@v4.5.16 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: install wasm-strip @@ -72,7 +72,7 @@ jobs: run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.15 + uses: kubewarden/github-actions/policy-release@v4.5.16 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -88,4 +88,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.15 + uses: kubewarden/github-actions/push-artifacthub@v4.5.16 diff --git a/.github/workflows/reusable-test-policy-go-wasi.yml b/.github/workflows/reusable-test-policy-go-wasi.yml index f0a8777..6cd4884 100644 --- a/.github/workflows/reusable-test-policy-go-wasi.yml +++ b/.github/workflows/reusable-test-policy-go-wasi.yml 
@@ -23,11 +23,11 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - name: Build and annotate policy with: generate-sbom: false - uses: kubewarden/github-actions/policy-build-go-wasi@v4.5.15 + uses: kubewarden/github-actions/policy-build-go-wasi@v4.5.16 - name: Run e2e tests run: make e2e-tests diff --git a/.github/workflows/reusable-test-policy-go.yml b/.github/workflows/reusable-test-policy-go.yml index ca09ac9..3c149b6 100644 --- a/.github/workflows/reusable-test-policy-go.yml +++ b/.github/workflows/reusable-test-policy-go.yml @@ -23,11 +23,11 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - name: Build and annotate policy with: generate-sbom: false - uses: kubewarden/github-actions/policy-build-tinygo@v4.5.15 + uses: kubewarden/github-actions/policy-build-tinygo@v4.5.16 - name: Run e2e tests run: make e2e-tests diff --git a/.github/workflows/reusable-test-policy-rego.yml b/.github/workflows/reusable-test-policy-rego.yml index 7da9091..7b9dd39 100644 --- a/.github/workflows/reusable-test-policy-rego.yml +++ b/.github/workflows/reusable-test-policy-rego.yml @@ -16,7 +16,7 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install opa - uses: kubewarden/github-actions/opa-installer@v4.5.15 + uses: kubewarden/github-actions/opa-installer@v4.5.16 - name: Run unit tests working-directory: ${{ inputs.policy-working-dir }} run: make test diff --git a/.github/workflows/reusable-test-policy-rust.yml b/.github/workflows/reusable-test-policy-rust.yml index 5c0bfb2..5e93f6e 100644 
--- a/.github/workflows/reusable-test-policy-rust.yml +++ b/.github/workflows/reusable-test-policy-rust.yml @@ -53,11 +53,11 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.15 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 - name: Build and annotate policy with: generate-sbom: false - uses: kubewarden/github-actions/policy-build-rust@v4.5.15 + uses: kubewarden/github-actions/policy-build-rust@v4.5.16 - name: Run e2e tests run: | make e2e-tests diff --git a/attestation/action.yml b/attestation/action.yml index 5b0b904..d495640 100644 --- a/attestation/action.yml +++ b/attestation/action.yml @@ -18,7 +18,7 @@ runs: - name: Install cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Install the crane command - uses: kubewarden/github-actions/crane-installer@v4.5.15 + uses: kubewarden/github-actions/crane-installer@v4.5.16 - name: Login to GitHub Container Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: diff --git a/policy-gh-action-dependencies/action.yml b/policy-gh-action-dependencies/action.yml index 892ba7b..9b3e943 100644 --- a/policy-gh-action-dependencies/action.yml +++ b/policy-gh-action-dependencies/action.yml 
@@ -9,11 +9,11 @@ runs: - name: Install cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Install kwctl - uses: kubewarden/github-actions/kwctl-installer@v4.5.15 + uses: kubewarden/github-actions/kwctl-installer@v4.5.16 - name: Install bats run: sudo apt install -y bats shell: bash - name: Install SBOM generator tool - uses: kubewarden/github-actions/syft-installer@v4.5.15 + uses: kubewarden/github-actions/syft-installer@v4.5.16 - name: Install binaryen tool - uses: kubewarden/github-actions/binaryen-installer@v4.5.15 + uses: kubewarden/github-actions/binaryen-installer@v4.5.16 diff --git a/push-artifacthub/action.yml b/push-artifacthub/action.yml index f6349f0..d8788dc 100644 --- a/push-artifacthub/action.yml +++ b/push-artifacthub/action.yml @@ -12,7 +12,7 @@ runs: using: "composite" steps: - name: Install kwctl - uses: kubewarden/github-actions/kwctl-installer@v4.5.15 + uses: kubewarden/github-actions/kwctl-installer@v4.5.16 - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: