Merge branch 'open-policy-agent:master' into master

softlee-io · Nov 22, 2023 · 56e018e · 56e018e
2 parents a0cf7b0 + aed792f
commit 56e018e
Show file tree

Hide file tree

Showing 89 changed files with 5,773 additions and 634 deletions.
diff --git a/.github/workflows/license-lint.yaml b/.github/workflows/license-lint.yaml
@@ -28,9 +28,10 @@ jobs:
           egress-policy: audit
 
       - name: Set up Go
-        uses: actions/setup-go@v4 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: "1.21"
+          check-latest: true
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.5.2

diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml
@@ -23,9 +23,10 @@ jobs:
           egress-policy: audit
 
       - name: Set up Go
-        uses: actions/setup-go@v4 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: "1.21"
+          check-latest: true
 
       - name: Set release version and target branch for vNext
         if: github.event_name == 'push'
@@ -83,3 +84,4 @@ jobs:
           title: "chore: Prepare ${{ env.NEWVERSION }} release"
           branch: "release-${{ env.NEWVERSION }}"
           base: "${{ env.TARGET_BRANCH }}"
+          signoff: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -35,9 +35,10 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
       - name: Set up Go
-        uses: actions/setup-go@v4 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: "1.21"
+          check-latest: true
 
       - name: Get tag
         id: get_version

diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
@@ -0,0 +1,78 @@
+name: scan_vulns
+on:
+  push:
+    paths-ignore:
+      - ".github/workflows/website.yaml"
+      - "docs/**"
+      - "library/**"
+      - "demo/**"
+      - "deprecated/**"
+      - "example/**"
+      - "website/**"
+      - "**.md"
+      - "!cmd/build/helmify/static/README.md"
+  pull_request:
+    paths-ignore:
+      - ".github/workflows/website.yaml"
+      - "docs/**"
+      - "library/**"
+      - "demo/**"
+      - "deprecated/**"
+      - "example/**"
+      - "website/**"
+      - "**.md"
+      - "!cmd/build/helmify/static/README.md"
+
+permissions: read-all
+
+jobs:
+  govulncheck:
+    name: "Run govulncheck"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: "1.21"
+          check-latest: true
+      - uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4 # v1.0.1
+
+  scan_vulnerabilities:
+    name: "[Trivy] Scan for vulnerabilities"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Download trivy
+        run: |
+          pushd $(mktemp -d)
+          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          echo "$(pwd)" >> $GITHUB_PATH
+        env:
+          TRIVY_VERSION: "0.46.0"
+
+      - name: Run trivy on git repository
+        run: |
+          trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
+
+      - name: Build docker images
+        run: |
+          make docker-buildx \
+            IMG=gatekeeper-e2e:latest
+
+          make docker-buildx-crds \
+            CRD_IMG=gatekeeper-crds:latest
+
+      - name: Run trivy on images
+        run: |
+          for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
+              trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
+          done
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -37,10 +37,10 @@ jobs:
           egress-policy: audit
 
       - name: Set up Go
-        uses: actions/setup-go@v4 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: "1.21"
-
+          check-latest: true
       - name: Check out code into the Go module directory
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
@@ -62,10 +62,10 @@ jobs:
           egress-policy: audit
 
       - name: Set up Go
-        uses: actions/setup-go@v4 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: "1.21"
-
+          check-latest: true
       - name: Check out code into the Go module directory
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
@@ -92,9 +92,10 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.5.2
       - name: Set up Go
-        uses: actions/setup-go@v4 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: "1.21"
+          check-latest: true
       - name: Check go.mod and manifests
         run: |
           # there should be no additional manifest or go.mod changes
@@ -114,10 +115,10 @@ jobs:
           egress-policy: audit
 
       - name: Set up Go
-        uses: actions/setup-go@v4 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: "1.21"
-
+          check-latest: true
       - name: Check out code into the Go module directory
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
@@ -147,10 +148,10 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
       - name: Set up Go
-        uses: actions/setup-go@v4 # v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: "1.21"
-
+          check-latest: true
       - name: Bootstrap e2e
         run: |
           mkdir -p $GITHUB_WORKSPACE/bin
@@ -267,10 +268,10 @@ jobs:
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
     - name: Set up Go
-      uses: actions/setup-go@v4 # v4.0.1
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: "1.21"
-
+        check-latest: true
     - name: Bootstrap e2e
       run: |
         mkdir -p $GITHUB_WORKSPACE/bin
@@ -307,43 +308,3 @@ jobs:
         name: generatorexpansion-logs
         path: |
           logs-*.json
-
-  scan_vulnerabilities:
-    name: "[Trivy] Scan for vulnerabilities"
-    runs-on: ubuntu-22.04
-    timeout-minutes: 15
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
-        with:
-          egress-policy: audit
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-
-      - name: Download trivy
-        run: |
-          pushd $(mktemp -d)
-          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-          echo "$(pwd)" >> $GITHUB_PATH
-        env:
-          TRIVY_VERSION: "0.41.0"
-
-      - name: Run trivy on git repository
-        run: |
-          trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
-
-      - name: Build docker images
-        run: |
-          make docker-buildx \
-            IMG=gatekeeper-e2e:latest
-
-          make docker-buildx-crds \
-            CRD_IMG=gatekeeper-crds:latest
-
-      - name: Run trivy on images
-        run: |
-          for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
-              trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
-          done
diff --git a/Makefile b/Makefile
@@ -13,7 +13,7 @@ ENABLE_PUBSUB ?= false
 AUDIT_CONNECTION ?= "audit"
 AUDIT_CHANNEL ?= "audit"
 
-VERSION := v3.14.0-beta.0
+VERSION := v3.15.0-beta.0
 
 KIND_VERSION ?= 0.17.0
 # note: k8s version pinned since KIND image availability lags k8s releases

diff --git a/charts/gatekeeper/Chart.yaml b/charts/gatekeeper/Chart.yaml
@@ -4,8 +4,8 @@ name: gatekeeper
 icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg
 keywords:
   - open policy agent
-version: 3.14.0-beta.0
+version: 3.15.0-beta.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
   - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.14.0-beta.0
+appVersion: v3.15.0-beta.0