Merge tag 'v0.7.1' into SECURESIGN-1007

v0.7.1

.github/dependabot.yml

@@ -37,31 +37,31 @@ updates:
 - package-ecosystem: "terraform"
   directory: "/terraform/gcp/modules/argocd"
   schedule:
-    interval: weekly
+    interval: monthly
   groups:
     terraform:
       patterns:
         - "*"
 - package-ecosystem: "terraform"
   directory: "/terraform/gcp/modules/external_secrets"
   schedule:
-    interval: weekly
+    interval: monthly
   groups:
     terraform:
       patterns:
         - "*"
 - package-ecosystem: "terraform"
   directory: "/terraform/gcp/modules/monitoring/slo"
   schedule:
-    interval: weekly
+    interval: monthly
   groups:
     terraform:
       patterns:
         - "*"
 - package-ecosystem: "terraform"
   directory: "/terraform/gcp/modules/sigstore"
   schedule:
-    interval: weekly
+    interval: monthly
   groups:
     terraform:
       patterns:

.github/workflows/add-remove-new-fulcio.yaml

@@ -26,8 +26,6 @@ jobs:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         k8s-version:
-          - v1.25.x
-          - v1.26.x
           - v1.27.x
           - v1.28.x
           - v1.29.x
@@ -36,28 +34,27 @@ jobs:
           - fulcio-key-rotation
 
         go-version:
-          - 1.21.x
+          - 1.22.x
 
     env:
       GOPATH: ${{ github.workspace }}
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KO_DOCKER_REPO: registry.local:5000/knative
       KOCACHE: ~/ko
-      COSIGN_EXPERIMENTAL: true
 
     steps:
     - uses: chainguard-dev/actions/setup-mirror@main
     # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
 
     - name: Set up Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: ${{ matrix.go-version }}
         check-latest: true
 
     - name: Check out our repo
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       with:
         path: ./src/github.com/sigstore/scaffolding
 
@@ -76,7 +73,7 @@ jobs:
 
     - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 
-    - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+    - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
     - name: Setup Cluster
       uses: chainguard-dev/actions/setup-kind@main
@@ -90,7 +87,7 @@ jobs:
     - name: Setup Knative
       uses: chainguard-dev/actions/setup-knative@main
       with:
-        version: "1.10.x"
+        version: "1.11.x"
         serving-features: >
           {
             "kubernetes.podspec-fieldref": "enabled"

.github/workflows/codeql-analysis.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
       - name: Filter paths
         uses: dorny/paths-filter@v3
@@ -39,7 +39,7 @@ jobs:
               - 'pkg/**'
               - 'cmd/**'
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: 'go.mod'
 

.github/workflows/fulcio-rekor-kind.yaml

@@ -26,8 +26,6 @@ jobs:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         k8s-version:
-          - v1.25.x
-          - v1.26.x
           - v1.27.x
           - v1.28.x
           - v1.29.x
@@ -36,31 +34,30 @@ jobs:
           - fulcio rekor ctlog e2e
 
         go-version:
-          - 1.21.x
+          - 1.22.x
 
     env:
       GOPATH: ${{ github.workspace }}
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KO_DOCKER_REPO: registry.local:5000/knative
       KOCACHE: ~/ko
-      COSIGN_EXPERIMENTAL: true
 
     steps:
+    - name: Check out our repo
+      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      with:
+        path: ./src/github.com/sigstore/scaffolding
+
     - uses: chainguard-dev/actions/setup-mirror@main
     # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
 
     - name: Set up Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: ${{ matrix.go-version }}
         check-latest: true
 
-    - name: Check out our repo
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      with:
-        path: ./src/github.com/sigstore/scaffolding
-
     - uses: actions/cache@v4
       with:
         # In order:
@@ -76,7 +73,7 @@ jobs:
 
     - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 
-    - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+    - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
     - name: Setup Cluster
       uses: chainguard-dev/actions/setup-kind@main
@@ -90,7 +87,7 @@ jobs:
     - name: Setup Knative
       uses: chainguard-dev/actions/setup-knative@main
       with:
-        version: "1.8.x"
+        version: "1.11.x"
         serving-features: >
           {
             "kubernetes.podspec-fieldref": "enabled"
@@ -180,7 +177,7 @@ jobs:
     # Test with cosign in 'airgapped mode'
     # Uncomment these once modified cosign goes in.
     #- name: Checkout modified cosign for testing.
-    #  uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    #  uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
     #  with:
     #    repository: vaikas/cosign
     #    ref: air-gap
@@ -202,7 +199,7 @@ jobs:
     #    ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
 
     - name: Checkout TSA for testing.
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       with:
         repository: sigstore/timestamp-authority
         path: ./src/github.com/sigstore/timestamp-authority

.github/workflows/prober-test.yml

@@ -20,12 +20,12 @@ jobs:
       contents: read
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           check-latest: true
 
       - name: Prober test

.github/workflows/release.yaml

@@ -20,31 +20,31 @@ jobs:
       COSIGN_EXPERIMENTAL: "true"
 
     steps:
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
-        go-version: '1.21'
+        go-version: '1.22'
         check-latest: true
 
     - name: Install ko
       uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
     - name: Install GoReleaser
-      uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v3.1.0
+      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v3.1.0
       with:
         install-only: true
 
     - name: Log into ghcr.io
-      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v2.0.0
+      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Check out code onto GOPATH
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       with:
         fetch-depth: 1
         path: ./src/github.com/${{ github.repository }}

.github/workflows/terraform.yml

@@ -21,12 +21,12 @@ jobs:
 
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
-      - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v2.0.0
+      - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v2.0.0
         with:
           # TODO: extract terraform from the tf file when we have pinned
-          terraform_version: 1.7.2
+          terraform_version: 1.8.0
 
       - name: Terraform fmt
         id: fmt
@@ -41,12 +41,12 @@ jobs:
 
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
-      - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v2.0.0
+      - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v2.0.0
         with:
           # TODO: extract terraform from the tf file when we have pinned
-          terraform_version: 1.7.2
+          terraform_version: 1.8.0
 
       - name: Terraform init
         id: init
@@ -70,7 +70,7 @@ jobs:
 
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
       - name: tfsec
         uses: tfsec/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 # v0.1.0

.github/workflows/test-action-tuf.yaml

@@ -23,24 +23,21 @@ jobs:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         k8s-version:
-          - v1.25.x
-          - v1.26.x
           - v1.27.x
           - v1.28.x
           - v1.29.x
         release-version:
           - "main" # Test explicitly with latest
         go-version:
-          - 1.21.x
+          - 1.22.x
         leg:
           - test github action with TUF
     env:
       KO_DOCKER_REPO: registry.local:5000/knative
-      COSIGN_EXPERIMENTAL: "true"
 
     steps:
     - name: Checkout the current action
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
     - name: Test running the action
       uses: ./actions/setup
       with:
@@ -49,10 +46,10 @@ jobs:
 
     # Install cosign
     - name: Install cosign
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
     - name: Set up Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: ${{ matrix.go-version }}
         check-latest: true
@@ -90,7 +87,7 @@ jobs:
         --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 
     - name: Checkout TSA for testing.
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       with:
         repository: sigstore/timestamp-authority
         path: ./src/github.com/sigstore/timestamp-authority

.github/workflows/test-release.yaml

@@ -23,29 +23,26 @@ jobs:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         k8s-version:
-          - v1.25.x
-          - v1.26.x
           - v1.27.x
           - v1.28.x
           - v1.29.x
         leg:
           - fulcio rekor ctlog e2e
         go-version:
-          - 1.21.x
+          - 1.22.x
 
     env:
-      RELEASE_VERSION: "v0.6.9"
+      RELEASE_VERSION: "v0.6.17"
       KO_DOCKER_REPO: registry.local:5000/knative
       KOCACHE: ~/ko
-      COSIGN_EXPERIMENTAL: "true"
 
     steps:
     - uses: chainguard-dev/actions/setup-mirror@main
 
-    - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+    - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
     - name: Set up Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: ${{ matrix.go-version }}
         check-latest: true
@@ -65,7 +62,7 @@ jobs:
     - name: Setup Knative
       uses: chainguard-dev/actions/setup-knative@main
       with:
-        version: "1.8.x"
+        version: "1.11.x"
         serving-features: >
           {
             "kubernetes.podspec-fieldref": "enabled"
@@ -141,7 +138,7 @@ jobs:
         --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 
     - name: Checkout TSA for testing.
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       with:
         repository: sigstore/timestamp-authority
         path: ./src/github.com/sigstore/timestamp-authority