Update to upstream - v0.13.1#81

Merged
JasonPowr merged 21 commits intomainfrom
update-to-upstream
Dec 3, 2025

Conversation

@JasonPowr JasonPowr commented Dec 2, 2025

Summary by Sourcery

Refresh dependencies, tooling, and CI workflows to align with newer upstream versions and Kubernetes releases, while tightening timestamp authority validation behavior.

Bug Fixes:

  • Ensure validator ignores transparency log when using new TSA bundle format with signed timestamps to match expected authority options.

Enhancements:

  • Update golang.org/x libraries and other Go module dependencies and remove the explicit Go toolchain directive from go.mod.
  • Bump golangci-lint to the v2.x series and adjust the Makefile and lint workflow to use the newer binary.

CI:

  • Expand kind-based test matrices to drop Kubernetes v1.30.x and add v1.34.x across image-policy and e2e workflows.
  • Upgrade GitHub Actions across workflows (checkout, cache, CodeQL, Scorecard, upload-artifact, Codecov, Chainguard actions, Google Cloud actions, SBOM/Syft, GoReleaser, cosign-installer, yq, kind tooling, etc.) to their latest pinned versions.
  • Update scaffolding release version used in kind cluster image policy workflows to v0.7.27.

dependabot Bot and others added 21 commits July 8, 2025 09:11
Bumps the minor-patch group with 2 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions) and [anchore/sbom-action](https://github.com/anchore/sbom-action).


Updates `chainguard-dev/actions` from 1.4.3 to 1.4.4
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@16e2fd6...a643ade)

Updates `anchore/sbom-action` from 0.20.1 to 0.20.2
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@9246b90...cee1b8e)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ates (sigstore#1864)

Bumps the minor-patch group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.9.1` | `3.9.2` |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) | `1.4.4` | `1.4.6` |
| [google-github-actions/auth](https://github.com/google-github-actions/auth) | `2.1.10` | `2.1.11` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.29.2` | `3.29.3` |
| [mikefarah/yq](https://github.com/mikefarah/yq) | `4.45.4` | `4.46.1` |
| [google-github-actions/setup-gcloud](https://github.com/google-github-actions/setup-gcloud) | `2.1.4` | `2.1.5` |



Updates `sigstore/cosign-installer` from 3.9.1 to 3.9.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@398d4b0...d58896d)

Updates `chainguard-dev/actions` from 1.4.4 to 1.4.6
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@a643ade...ae2f039)

Updates `google-github-actions/auth` from 2.1.10 to 2.1.11
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@ba79af0...140bb51)

Updates `github/codeql-action` from 3.29.2 to 3.29.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@181d5ee...d6bbdef)

Updates `mikefarah/yq` from 4.45.4 to 4.46.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@b534aa9...1187c95)

Updates `google-github-actions/setup-gcloud` from 2.1.4 to 2.1.5
- [Release notes](https://github.com/google-github-actions/setup-gcloud/releases)
- [Changelog](https://github.com/google-github-actions/setup-gcloud/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/setup-gcloud@77e7a55...6a7c903)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 3.9.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: google-github-actions/auth
  dependency-version: 2.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: github/codeql-action
  dependency-version: 3.29.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: mikefarah/yq
  dependency-version: 4.46.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: google-github-actions/setup-gcloud
  dependency-version: 2.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the minor-patch group with 4 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [github/codeql-action](https://github.com/github/codeql-action), [mikefarah/yq](https://github.com/mikefarah/yq) and [anchore/sbom-action](https://github.com/anchore/sbom-action).


Updates `chainguard-dev/actions` from 1.4.6 to 1.4.7
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@ae2f039...708219d)

Updates `github/codeql-action` from 3.29.3 to 3.29.4
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@d6bbdef...4e828ff)

Updates `mikefarah/yq` from 4.46.1 to 4.47.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@1187c95...f03c9dc)

Updates `anchore/sbom-action` from 0.20.2 to 0.20.4
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@cee1b8e...7b36ad6)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: github/codeql-action
  dependency-version: 3.29.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: mikefarah/yq
  dependency-version: 4.47.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the minor-patch group with 3 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [google-github-actions/auth](https://github.com/google-github-actions/auth) and [github/codeql-action](https://github.com/github/codeql-action).


Updates `chainguard-dev/actions` from 1.4.7 to 1.4.8
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@708219d...df684a7)

Updates `google-github-actions/auth` from 2.1.11 to 2.1.12
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@140bb51...b7593ed)

Updates `github/codeql-action` from 3.29.4 to 3.29.5
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@4e828ff...51f7732)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: google-github-actions/auth
  dependency-version: 2.1.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: github/codeql-action
  dependency-version: 3.29.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...08c6903)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the minor-patch group with 4 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [actions/cache](https://github.com/actions/cache), [github/codeql-action](https://github.com/github/codeql-action) and [google-github-actions/setup-gcloud](https://github.com/google-github-actions/setup-gcloud).


Updates `chainguard-dev/actions` from 1.4.8 to 1.4.9
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@df684a7...b1933e3)

Updates `actions/cache` from 4.2.3 to 4.2.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@5a3ec84...0400d5f)

Updates `github/codeql-action` from 3.29.7 to 3.29.8
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@51f7732...76621b6)

Updates `google-github-actions/setup-gcloud` from 2.1.5 to 2.2.0
- [Release notes](https://github.com/google-github-actions/setup-gcloud/releases)
- [Changelog](https://github.com/google-github-actions/setup-gcloud/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/setup-gcloud@6a7c903...cb1e50a)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: actions/cache
  dependency-version: 4.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: github/codeql-action
  dependency-version: 3.29.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: google-github-actions/setup-gcloud
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](go-viper/mapstructure@v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.4.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ates (sigstore#1877)

Bumps the minor-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) | `1.4.9` | `1.4.12` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.29.8` | `3.29.11` |
| [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.20.4` | `0.20.5` |
| [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `6.3.0` | `6.4.0` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.4.3` | `5.5.0` |



Updates `chainguard-dev/actions` from 1.4.9 to 1.4.12
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@b1933e3...be7b31a)

Updates `github/codeql-action` from 3.29.8 to 3.29.11
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@76621b6...3c3833e)

Updates `anchore/sbom-action` from 0.20.4 to 0.20.5
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@7b36ad6...da167ea)

Updates `goreleaser/goreleaser-action` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@9c156ee...e435ccd)

Updates `codecov/codecov-action` from 5.4.3 to 5.5.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@18283e0...fdcc847)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.4.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: github/codeql-action
  dependency-version: 3.29.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: goreleaser/goreleaser-action
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…0.0 (sigstore#1879)

Bumps [google-github-actions/setup-gcloud](https://github.com/google-github-actions/setup-gcloud) from 2.2.0 to 3.0.0.
- [Release notes](https://github.com/google-github-actions/setup-gcloud/releases)
- [Changelog](https://github.com/google-github-actions/setup-gcloud/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/setup-gcloud@cb1e50a...26f734c)

---
updated-dependencies:
- dependency-name: google-github-actions/setup-gcloud
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…gstore#1880)

Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.12 to 3.0.0.
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@b7593ed...7c6bc77)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ignore tlog when using RFC3161Timestamp

Signed-off-by: jkylekelly <jkylekelly@github.com>

* update wantCheckOpts for test

Signed-off-by: jkylekelly <jkylekelly@github.com>

---------

Signed-off-by: jkylekelly <jkylekelly@github.com>
* remove unsupported k8s version and add newer supported version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* remove 1.34.x support for now

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Revert "remove 1.34.x support for now"

This reverts commit 0e8d1a1.

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update setup-kind version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update scaffolding version

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
…ates

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.5.7
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: actions/cache
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: mikefarah/yq
  dependency-version: 4.48.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: google-github-actions/setup-gcloud
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…ons/minor-patch-b90029a5ab

chore(deps): Bump the minor-patch group across 1 directory with 7 updates
* update golangci-lint to latest minor version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* install the latest golangci-lint tool

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
…#1901)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.37.0 to 0.45.0.
- [Commits](golang/crypto@v0.37.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…re#1907)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.11 to 4.31.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3c3833e...fdbfb4d)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…re#1910)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...330a01c)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the minor-patch group with 3 updates: [chainguard-dev/actions](https://github.com/chainguard-dev/actions), [mikefarah/yq](https://github.com/mikefarah/yq) and [anchore/sbom-action](https://github.com/anchore/sbom-action).


Updates `chainguard-dev/actions` from 1.5.8 to 1.5.10
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Changelog](https://github.com/chainguard-dev/actions/blob/main/.goreleaser.yml)
- [Commits](chainguard-dev/actions@abcc11e...3e8a2a2)

Updates `mikefarah/yq` from 4.48.1 to 4.49.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](mikefarah/yq@0ecdce2...45be35c)

Updates `anchore/sbom-action` from 0.20.9 to 0.20.10
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@8e94d75...fbfd9c6)

---
updated-dependencies:
- dependency-name: chainguard-dev/actions
  dependency-version: 1.5.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: mikefarah/yq
  dependency-version: 4.49.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
sourcery-ai Bot commented Dec 2, 2025

Reviewer's Guide

Syncs this repo with upstream v0.13.1 by updating CI workflows (Kubernetes matrix, GitHub Actions pins, linters, and tooling) and aligning Go module and webhook validation behavior with upstream expectations.

Sequence diagram for TSA bundle validation with IgnoreTlog behavior

sequenceDiagram
  participant APIServer
  participant WebhookValidator
  participant Authority
  participant Bundle
  participant Options

  APIServer->>WebhookValidator: Admit request with image signature
  WebhookValidator->>Authority: Load authority configuration
  Authority-->>WebhookValidator: Returns TSA enabled and new bundle format

  WebhookValidator->>Bundle: Inspect bundle format
  Bundle-->>WebhookValidator: Indicates new bundle format

  WebhookValidator->>Authority: Compare trustRootRef for keyless and TSA
  Authority-->>WebhookValidator: trustRootRef values match

  WebhookValidator->>Options: Initialize verification options
  Options-->>WebhookValidator: Options with default flags

  WebhookValidator->>Options: Set UseSignedTimestamps = true
  WebhookValidator->>Options: Set IgnoreTlog = true

  WebhookValidator->>Authority: Verify signature using TSA bundle and options
  Authority-->>WebhookValidator: Verification result

  WebhookValidator-->>APIServer: Admission response based on verification

File-Level Changes

Expand CI test matrix and scaffolding version to match upstream Kubernetes and sigstore scaffolding support.
  • Remove Kubernetes v1.30.x from kind-based workflow matrices.
  • Add Kubernetes v1.34.x to kind-based workflow matrices.
  • Bump SCAFFOLDING_RELEASE_VERSION from v0.7.24 to v0.7.27 in kind image policy workflows.
  Files:
    .github/workflows/kind-cluster-image-policy-tsa.yaml
    .github/workflows/kind-cluster-image-policy-no-tuf.yaml
    .github/workflows/kind-cluster-image-policy-trustroot.yaml
    .github/workflows/kind-cluster-image-policy.yaml
    .github/workflows/kind-e2e-cosigned.yaml
    .github/workflows/kind-e2e-trustroot-crd.yaml

Refresh GitHub Actions pins and related CI tooling to newer upstream versions.
  • Update actions/checkout from v4.2.2 to v5.0.0 across workflows and adjust one secondary checkout pin while keeping its logical version comment.
  • Upgrade sigstore/cosign-installer pins to newer digests (v2 and v3.9.2).
  • Upgrade chainguard-dev actions (setup-kind, setup-mirror, kind-diag, gofmt, goimports, trailing-space, eof-newline, donotsubmit, nodiff) from v1.4.3 to v1.5.10.
  • Update caching, CodeQL, scorecard, upload-artifact, codecov, sbom-action (syft), google-github-actions auth/setup-gcloud, and goreleaser-action to their newer pinned SHAs.
  • Align golangci-lint GitHub Action version from v2.1 to v2.6.
  Files:
    .github/workflows/kind-cluster-image-policy-tsa.yaml
    .github/workflows/kind-cluster-image-policy-no-tuf.yaml
    .github/workflows/kind-cluster-image-policy-trustroot.yaml
    .github/workflows/kind-cluster-image-policy.yaml
    .github/workflows/kind-e2e-cosigned.yaml
    .github/workflows/kind-e2e-trustroot-crd.yaml
    .github/workflows/release.yaml
    .github/workflows/build.yaml
    .github/workflows/codeql-analysis.yml
    .github/workflows/scorecard_action.yml
    .github/workflows/style.yaml
    .github/workflows/tests.yaml
    .github/workflows/release-snapshot.yaml
    .github/workflows/whitespace.yaml
    .github/workflows/donotsubmit.yaml
    .github/workflows/lint.yaml
    .github/workflows/policy-tester-examples.yml
    .github/workflows/verify-codegen.yaml
    .github/workflows/verify-docs.yaml

Adjust Go tooling and dependencies in line with upstream module expectations.
  • Remove explicit toolchain go1.24.5 directive from go.mod, relying on the go 1.24.0 line only.
  • Bump golang.org/x crypto/net/sys, sync/term/text to the next minor/patch versions as per upstream.
  • Update Makefile golangci-lint install path and version to use the v2 module path and v2.6.2.
  • Regenerate go.sum to reflect dependency updates.
  Files:
    go.mod
    go.sum
    Makefile

Align webhook validator TSA bundle behavior with upstream by enabling tlog ignoring when using new bundle format.
  • When using the new bundle format and signed timestamps, set IgnoreTlog = true in checkOptsFromAuthority.
  • Extend validator test expectations to assert IgnoreTlog: true in the relevant bundle-format test case.
  Files:
    pkg/webhook/validator.go
    pkg/webhook/validator_test.go

@sourcery-ai sourcery-ai Bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

  • In .github/workflows/kind-cluster-image-policy-tsa.yaml, the second actions/checkout step is pinned to the same SHA as v5.0.0 but still commented as # v3.0.2; it would be less confusing to align the comment with the actual version or pin to the correct SHA for v3.0.2 if that’s what you intend.
  • You removed the toolchain go1.24.5 directive from go.mod; if the project relies on a specific Go patch level for reproducibility or compatibility, consider keeping or updating the toolchain directive rather than dropping it entirely.
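The first review comment flags a SHA-pinned `actions/checkout` step whose `# v3.0.2` comment no longer matches the SHA it sits beside. That mismatch is easy to introduce in a large bump PR like this one and easy to catch mechanically. The Go program below is an added example, not part of this repository or this PR: it scans workflow text for `uses:` lines and reports a SHA that carries different version comments in different places, a reference pinned to a mutable tag instead of a SHA, and a SHA pin with no version comment at all. The sample workflow fragment, the 40-hex placeholder SHAs and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRe matches a GitHub Actions step reference `uses: owner/repo[/path]@ref`,
// optionally followed by a `# version` comment documenting the pinned ref.
var usesRe = regexp.MustCompile(`uses:\s*([\w.-]+/[\w./-]+)@(\S+)(?:\s*#\s*(\S+))?`)

// shaRe recognises a full 40-hex commit SHA, the only immutable form of pin.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Finding is one problem with an action pin, located by 1-based line number.
type Finding struct {
	Line    int
	Action  string
	Ref     string
	Comment string
	Reason  string
}

// auditActionPins scans workflow YAML text and reports three conditions: an
// action referenced by a mutable tag or branch rather than a SHA, a SHA pin
// with no version comment, and a SHA that appears elsewhere with a different
// version comment (the situation raised in the review comment above).
func auditActionPins(workflow string) []Finding {
	type key struct{ action, sha string }
	firstSeen := map[key]string{} // (action, sha) -> version comment on first occurrence
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		f := Finding{Line: i + 1, Action: m[1], Ref: m[2], Comment: m[3]}
		switch {
		case !shaRe.MatchString(f.Ref):
			f.Reason = "pinned to a mutable tag or branch, not a commit SHA"
		case f.Comment == "":
			f.Reason = "SHA pin has no version comment, so the intended version is undocumented"
		default:
			k := key{f.Action, f.Ref}
			prev, seen := firstSeen[k]
			if !seen {
				firstSeen[k] = f.Comment
				continue
			}
			if prev == f.Comment {
				continue
			}
			f.Reason = fmt.Sprintf("same SHA is labelled %s elsewhere; one of the comments is wrong", prev)
		}
		findings = append(findings, f)
	}
	return findings
}

// fakeSHA and fakeSHA2 are constructed placeholders, not real commit SHAs.
var (
	fakeSHA  = strings.Repeat("ab", 20)
	fakeSHA2 = strings.Repeat("cd", 20)
)

// sampleWorkflow is a constructed fragment modelled on the reviewed file:
// two checkout steps share one SHA but carry different version comments.
var sampleWorkflow = `steps:
  - uses: actions/checkout@` + fakeSHA + ` # v5.0.0
  - uses: actions/checkout@` + fakeSHA + ` # v3.0.2
  - uses: sigstore/cosign-installer@v3.9.2
  - uses: actions/cache@` + fakeSHA2 + `
`

func main() {
	for _, f := range auditActionPins(sampleWorkflow) {
		fmt.Printf("line %d: %s@%s: %s\n", f.Line, f.Action, f.Ref, f.Reason)
	}
}
```

Run as a CI step, the audit fails the build on the first mismatch, which is the cheapest moment to fix the comment: a reader of the workflow otherwise has no way to tell whether the SHA or the comment is the one that was meant.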

@JasonPowr JasonPowr merged commit bc451af into main Dec 3, 2025
92 of 93 checks passed