v0.5.2

Changelog

• 21c7eb0 Merge pull request #435 from sigstore/dependabot/go_modules/k8s.io/code-generator-0.26.0

Thanks to all contributors!

What's Changed

• chore(deps): Bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 by @dependabot in #433
• chore(deps): Bump github/codeql-action from 2.1.35 to 2.1.36 by @dependabot in #430
• chore(deps): Bump k8s.io/api from 0.25.3 to 0.26.0 by @dependabot in #432
• chore(deps): Bump k8s.io/code-generator from 0.25.3 to 0.26.0 by @dependabot in #435

Full Changelog: v0.5.1...v0.5.2

v0.5.1

Changelog

• 8d7653e Merge pull request #426 from sigstore/dependabot/go_modules/github.com/hashicorp/go-plugin-1.4.8

Thanks to all contributors!

What's Changed

• Feature: Add -resource to policy-tester by @mattmoor in #414

• Cleanup: Rename objectMeta to metadata to align with K8s shape. by @mattmoor in #420 (This is a breaking change in evaluating CIP level policies using objectMeta from 0.5.0)

• Bug Fix: Do not fail on first attestation that does not satisfy. by @vaikas in #422

• chore(deps): Bump golang.org/x/sys from 0.2.0 to 0.3.0 by @dependabot in #412

• chore(deps): Bump github.com/aws/aws-sdk-go-v2 from 1.17.1 to 1.17.2 by @dependabot in #409

• chore(deps): Bump golang.org/x/time from 0.2.0 to 0.3.0 by @dependabot in #410

• chore(deps): Bump golang.org/x/net from 0.2.0 to 0.3.0 by @dependabot in #411

• Initial support for rego + simple tests. by @vaikas in #413

• Update go and base image by @cpanato in #415

• chore(deps): Bump golang.org/x/crypto from 0.3.0 to 0.4.0 by @dependabot in #416

• chore(deps): Bump golang.org/x/net from 0.3.0 to 0.4.0 by @dependabot in #418

• chore(deps): Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 by @dependabot in #417

• Add includeTypeMeta that includes TypeMeta (just like includeObjectMeta) by @vaikas in #421

• Fix some lint issues surfaced by #424 by @vaikas in #425

• bump golangci-lint to 1.50.1 by @cpanato in #424

• fix ioutil deprecation by @cpanato in #428

• release-script: bump golang to 1.19 (rebased version of #427) by @vaikas in #429

• chore(deps): Bump github.com/hashicorp/go-plugin from 1.4.6 to 1.4.8 by @dependabot in #426

Full Changelog: v0.5.0...v0.5.1

v0.5.0

Changelog

• ee7c481 Merge pull request #399 from hectorj2f/source_secrets

Thanks to all contributors!

What's Changed

• chore(deps): Bump anchore/sbom-action from 0.13.0 to 0.13.1 by @dependabot in #365
• chore(deps): Bump github/codeql-action from 2.1.30 to 2.1.31 by @dependabot in #366
• chore(deps): Bump golang.org/x/sys from 0.1.0 to 0.2.0 by @dependabot in #367
• chore(deps): Bump golang.org/x/time from 0.1.0 to 0.2.0 by @dependabot in #368
• chore(deps): Bump golang.org/x/crypto from 0.1.0 to 0.2.0 by @dependabot in #373
• chore(deps): Bump google-github-actions/auth from 0.8.3 to 1.0.0 by @dependabot in #371
• chore(deps): Bump google-github-actions/setup-gcloud from 0.6.2 to 1.0.0 by @dependabot in #370
• CI: bump scaffolding version by @hectorj2f in #377
• chore(deps): Bump google-github-actions/setup-gcloud from 1.0.0 to 1.0.1 by @dependabot in #376
• chore(deps): Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 by @dependabot in #374
• chore(deps): Bump mikefarah/yq from 4.28.2 to 4.30.1 by @dependabot in #378
• chore(deps): Bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 by @dependabot in #379
• chore(deps): Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 by @dependabot in #381
• chore(deps): Bump github.com/sigstore/rekor from 1.0.0 to 1.0.1 by @dependabot in #380
• chore(deps): Bump github/codeql-action from 2.1.31 to 2.1.32 by @dependabot in #384
• chore(deps): Bump mikefarah/yq from 4.30.1 to 4.30.2 by @dependabot in #383
• chore(deps): Bump golang.org/x/crypto from 0.2.0 to 0.3.0 by @dependabot in #390
• chore(deps): Bump google.golang.org/grpc from 1.50.1 to 1.51.0 by @dependabot in #392
• fix: v1beta1 version converter that ignored the field spec.policy by @hectorj2f in #393
• Drop service account lookups when signaturePullSecrets are specified by @hectorj2f in #388
• Add FetchConfigFile to Policy that allows you to fetch and evaluate policy against container image configfile. by @vaikas in #389
• add gh actions to verify docs by @hectorj2f in #395
• chore(deps): Bump github.com/hashicorp/golang-lru from 0.5.4 to 1.0.1 by @dependabot in #387
• chore(deps): Bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 by @dependabot in #397
• chore(deps): Bump github/codeql-action from 2.1.32 to 2.1.35 by @dependabot in #402
• chore(deps): Bump actions/setup-go from 3.3.1 to 3.4.0 by @dependabot in #403
• chore(deps): Bump go.uber.org/zap from 1.23.0 to 1.24.0 by @dependabot in #404
• Attach highest level resource spec to PolicyResult if so desired. by @vaikas in #406
• chore(deps): Bump mikefarah/yq from 4.30.2 to 4.30.5 by @dependabot in #405
• Add includeObjectMetadata for including objectMeta in CIP policy eval. by @vaikas in #407
• feat: configurable ClusterImagePolicy resync period by @DennyHoang in #398
• feat: accept source without setting any oci repository by @hectorj2f in #399

New Contributors

• @DennyHoang made their first contribution in #398

Full Changelog: v0.4.2...v0.5.0

v0.4.2

What's Changed

• chore(deps): Bump anchore/sbom-action from 0.12.0 to 0.13.0 by @dependabot in #356
• chore(deps): Bump mikefarah/yq from 4.28.2 to 4.29.2 by @dependabot in #357
• fix: error message by @hectorj2f in #359
• chore(deps): Bump github.com/hashicorp/vault/sdk from 0.6.0 to 0.6.1 by @dependabot in #358
• chore(deps): Bump github/codeql-action from 2.1.29 to 2.1.30 by @dependabot in #363
• fix: allow spec.authorities field to not be specified by @wojciechka in #362
• Fix issue 354. by @vaikas in #355

New Contributors

• @wojciechka made their first contribution in #362

Full Changelog: v0.4.1...v0.4.2

v0.4.1

What's Changed

• update README with some new features by @hectorj2f in #304
• run codeql on post-merge by @hectorj2f in #308
• Feature: add support for ephemeral containers by @hectorj2f in #299
• Add api docs generator by @hectorj2f in #311
• update images to the new path by @cpanato in #328
• switch to reusable workflow by @bobcallaway in #330
• Fix: Always use kubeclient.Get() for fetching k8s client. by @mattmoor in #340
• Add validation for the oci repository field by @hectorj2f in #337
• Move validation code to its own function by @hectorj2f in #341
• Fix: switch from all to ALL when dropping capabilities. by @mattmoor in #346
• Add policy name to the cache by @hectorj2f in #348
• Feature: Incorporate an identifier for signatures and attestations. by @mattmoor in #350
• Manually bump all go deps to latest by @hectorj2f in #351

New Contributors

• @bobcallaway made their first contribution in #330

Full Changelog: v0.4.0...v0.4.1

v0.4.0

What's Changed

• Allow fetching CIPs from URLs. by @vaikas in #221
• add tester binary to the release process by @cpanato in #233
• Remove secret name flag by @hectorj2f in #223
• Rely exclusively on TUF root for fulcio root. Do not fetch them oob. by @vaikas in #240
• Add a new field to set the signature hash algorithm by @hectorj2f in #237
• chore: bump k8s.io deps to v0.24.4 by @hectorj2f in #254
• chore(deps): Bump actions/dependency-review-action from 2.2.0 to 2.3.0 by @dependabot in #256
• chore(deps): Bump github/codeql-action from 2.1.24 to 2.1.25 by @dependabot in #255
• Bump cosign and rekor deps to v1.12.1 by @hectorj2f in #253
• chore: add kind support for 1.25 by @hectorj2f in #229
• Fix: Plumb context through to GGCR. by @mattmoor in #271
• Feature: match available resource types by name, version, group and/or labels by @hectorj2f in #248
• Add policy-controller level config map and decorate requests with it. by @vaikas in #270
• Validate containers in parallel. by @vaikas in #277
• deny by default. by @vaikas in #279
• Since by default we deny all, just drop it from CM. by @vaikas in #282
• Cache scaffolding by @vaikas in #283
• add id-token permission to be able to sign the report by @cpanato in #289
• Add a configuration field to allow CIP with no authorities by @hectorj2f in #292
• bump sigstore deps to latest by @hectorj2f in #300
• Fix: Check flag in v1alpha1, use OrDefaults to avoid breaking change. by @mattmoor in #303

Full Changelog: v0.3.0...v0.4.0

v0.3.0

What's Changed

BREAKING Deprecate 'secret-name' flag harder. It will go away in the next release. Use ClusterImagePolicy instead.

• fix codeql job by @cpanato in #132
• use omit-empty to make results more readable and concise. by @vaikas in #134
• Include the predicate type and payload for attestations. by @mattmoor in #135
• Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in #136
• Add issuerRegExp and subjectRegExp fields to doc. by @vaikas in #137
• Add two more example policies by @nsmith5 in #118
• refactor release job to run over GH actions instead of cloudbuild by @cpanato in #128
• Bump github.com/aws/aws-sdk-go-v2 from 1.16.8 to 1.16.10 by @dependabot in #141
• Bump go.uber.org/zap from 1.21.0 to 1.22.0 by @dependabot in #140
• Use scaffolding v0.4.2 for tests. by @vaikas in #142
• README.md: fix typo by @mykter in #144
• chore: require setting the identity - issuer and subject by @hectorj2f in #125
• Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in #147
• Add finalizers permissions to ClusterRole by @elfotografo007 in #146
• Use scaffolding v0.4.3. Remove unused KNATIVE_VERSION env var. by @vaikas in #149
• Bump go.uber.org/atomic from 1.9.0 to 1.10.0 by @dependabot in #152
• Bump github.com/aws/aws-sdk-go-v2 from 1.16.10 to 1.16.11 by @dependabot in #151
• Bump actions/github-script from 6.1.0 to 6.1.1 by @dependabot in #150
• Reduce the duplication across action workflows. by @mattmoor in #153
• Add --type spdxjson to verify-attestation by @vaikas in #158
• Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #156
• Use TUF instead of env variables. by @vaikas in #159
• Add cosign initialize as an init container to initialize TUF. by @vaikas in #157
• fix keyless check by @cpanato in #160
• add missing action to install ko by @cpanato in #162
• add initial Support Policy documentation by @cpanato in #164
• Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in #167
• Bump anchore/sbom-action from 0.11.0 to 0.12.0 by @dependabot in #168
• upgrade to go 1.18 by @k4leung4 in #174
• Bump github/codeql-action from 2.1.18 to 2.1.19 by @dependabot in #166
• Bump github/codeql-action from 2.1.19 to 2.1.20 by @dependabot in #177
• update sigstore/[cosign|fulcio|rekor|sigstore] deps by @k4leung4 in #175
• Bump actions/cache from 3.0.7 to 3.0.8 by @dependabot in #176
• Bump github.com/sigstore/fulcio from 0.5.2 to 0.5.3 by @dependabot in #178
• Bump actions/setup-go from 3.2.1 to 3.3.0 by @dependabot in #180
• Bump github.com/hashicorp/yamux from 0.1.0 to 0.1.1 by @dependabot in #179
• Fixes #90 by configuring webhook not to get called on status updates. by @vaikas in #165
• bump sigstore/cosign to 1.11.1 by @k4leung4 in #185
• Bump go.uber.org/zap from 1.22.0 to 1.23.0 by @dependabot in #187
• Bump google.golang.org/grpc from 1.48.0 to 1.49.0 by @dependabot in #186
• Add warn mode for CIP. by @vaikas in #163
• Add warn tests for creating CIP with missing identities. by @vaikas in #188
• Bump github/codeql-action from 2.1.20 to 2.1.21 by @dependabot in #190
• Bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 by @dependabot in #192
• Bump actions/github-script from 6.1.1 to 6.2.0 by @dependabot in #191
• update chainguard-dev/actions/goimports by @cpanato in #194
• Do not exit on warnings on CIP. by @vaikas in #196
• update CIP to fix tests when running in the push to main and in keyless mode by @cpanato in #197
• Fix webhook looking for credentials in the wrong namespace by @elfotografo007 in #199
• Add explicit check for invalid keys. This should not happen, but. by @vaikas in #200
• Bump mikefarah/yq from 4.27.2 to 4.27.3 by @dependabot in #198
• fix order of the release steps by @cpanato in #201
• Bump google-github-actions/auth from 0.8.0 to 0.8.1 by @dependabot in #202
• Bump github/codeql-action from 2.1.21 to 2.1.22 by @dependabot in #203
• ignore the credentials and setup gcloud by @cpanato in #204
• Bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.13 by @dependabot in #206
• Bump github.com/hashicorp/go-hclog from 1.2.2 to 1.3.0 by @dependabot in #207
• Bump sigstore/sigstore. Simplify tests by specifying COSIGN_EXPERIMENTAL=1. by @vaikas in #209
• Misleading docs on use of regexp by @lukehinds in #210
• Add e2e test with secretRef. by @vaikas in #213
• Reorder tests to prevent race condition by @elfotografo007 in #211
• Relax glob so easier to run e2e tests against other clusters. by @vaikas in #214
• Bump github.com/aws/aws-sdk-go-v2 from 1.16.13 to 1.16.14 by @dependabot in #212
• Start deprecation of --secret-name by @hectorj2f in #215
• upgrade setup-ko to point to new repo by @imjasonh in #217
• Bump imranismail/setup-kustomize from 1.6.1 to 1.7.0 by @dependabot in #216
• remove not needed env vars by @cpanato in #218
• remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #219

New Contributors

• @nsmith5 made their first contribution in #118
• @mykter made their first contribution in #144
• @elfotografo007 made their first contribution in #146
• @k4leung4 made their first contribution in #174
• @lukehinds made their first contribution in #210

Full Changelog: v0.2.1...v0.3.0

v0.2.1

What's Changed

• chore: add golang documentation to the api types by @hectorj2f in #100
• Bump github.com/hashicorp/go-hclog from 1.2.1 to 1.2.2 by @dependabot in #102
• Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 by @dependabot in #101
• Bump imjasonh/setup-ko from 0.4 to 0.5 by @dependabot in #105
• Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 by @dependabot in #110
• chore: add more context to the README by @hectorj2f in #111
• Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in #113
• Fix keyful handling in tester. by @vaikas in #115
• Bump mikefarah/yq from 4.26.1 to 4.27.2 by @dependabot in #117
• Update to cosign HEAD, add replace for glog by @jdolitsky in #112
• Wrap errors, encode signature Subject/Issuer. by @mattmoor in #116
• Begin an examples/ directory by @jdolitsky in #108
• Bump github.com/aws/aws-sdk-go-v2 from 1.16.7 to 1.16.8 by @dependabot in #119
• Add all of the current extensions. by @mattmoor in #122
• fix: Makefile wrong targets by @hectorj2f in #121
• Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in #126
• add documentation about release cadence by @cpanato in #127
• Remove test due to #130 by @vaikas in #131

Full Changelog: v0.2.0...v0.2.1

Images:

• policy-controller: gcr.io/projectsigstore/policy-controller:v0.2.1 or ghcr.io/sigstore/policy-controller/policy-controller:v0.2.1
• policy-webhook: gcr.io/projectsigstore/policy-webhook:v0.2.1 or ghcr.io/sigstore/policy-controller/policy-webhook:v0.2.1

Thanks to all contributors!

v0.2.0

What's Changed

• Fixes numerous validating and defaulting. Improve tests by @vaikas in #93
• Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in #95
• Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.3 by @dependabot in #94
• update go builder and cosign by @cpanato in #96
• fix path in cloudbuild by @cpanato in #97
• another fix :( in cloudbuild by @cpanato in #99

Enhancements

• Refactor entire policy validation into ValidatePolicy.
• Set reinvocationPolicy to 'IfNeeded' for the tag resolver webhook
• Add policy-tester CLI for testing ClusterImagePolicies
• (tester) Validate CIP before using it.
• (tester) call SetDefaults on cip before conversion
• remove v1.21 k8s which is deprecated and add v1.24
• chore: do not fail to verify signed images if the secret-name flag is not set

Bug fixes

• Fix issue #38. Do not block status updates.
• Avoid test race condition.
• Fix sigstore/cosign#1653
• Allow for @ symbol on globs to support image refs with digest
• Validate globs at admission time.
• fix: add missing conversion to CRD
• fix: solve vuln from our opa version
• Fix issue #24
• Bump some vulnerable dependencies; base on distroless/static

Others

• Bump mikefarah/yq from 4.25.3 to 4.26.1
• Bump actions/dependency-review-action from 2.0.2 to 2.0.4
• Bump google.golang.org/grpc from 1.47.0 to 1.48.0
• Bump github/codeql-action from 2.1.15 to 2.1.16
• Bump actions/cache from 3.0.4 to 3.0.5
• Bump actions/setup-go from 3.2.0 to 3.2.1
• update knative to use v1.5.0 release
• update scafolding to use release v0.3.0
• Bump github.com/aws/aws-sdk-go-v2 from 1.16.6 to 1.16.7
• Bump sigstore/cosign-installer from 2.4.0 to 2.4.1
• Bump github.com/aws/aws-sdk-go-v2 from 1.16.5 to 1.16.6
• increase timeout for golangci-lint
• Bump github.com/stretchr/testify from 1.7.5 to 1.8.0
• Bump github/codeql-action from 2.1.14 to 2.1.15
• Switch to direct returns
• Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0
• Bump ossf/scorecard-action from 1.1.1 to 1.1.2
• chore: skip secret not found
• Bump github.com/stretchr/testify from 1.7.4 to 1.7.5
• Bump mikefarah/yq from 4.25.2 to 4.25.3
• Bump github/codeql-action from 2.1.13 to 2.1.14
• Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0
• Bump github.com/stretchr/testify from 1.7.2 to 1.7.4
• Bump github/codeql-action from 2.1.12 to 2.1.13
• Bump actions/dependency-review-action from 2.0.1 to 2.0.2
• Bump actions/dependency-review-action from 1.0.2 to 2.0.1
• Update tests for OR behaviour wrt authorities.
• remove unused struct from imports
• Add policy to make sure signature and attestation is there.
• Return authoritymatches before errors.
• remove third_party stuff due to mismatch in go version.
• Use fulcioroots from sigstore/sigstore
• Even if some authority returns err, return any other matching authority results.
• Use public fulcio/rekor to make sure things are not there.
• hack/update-deps.sh

Contributors

• Carlos Tadeu Panato Junior
• Hector Fernandez
• Jason Hall
• Josh Dolitsky
• Matt Moore
• Ville Aikas
• Vladimir Nachev
• cpanato
• dependabot[bot]
• dlorenc
• hectorj2f

Full Changelog: v0.1.0...v0.2.0

Images:

• policy-controller: gcr.io/projectsigstore/policy-controller:v0.2.0 or ghcr.io/sigstore/policy-controller/policy-controller:v0.2.0
• policy-webhook: gcr.io/projectsigstore/policy-webhook:v0.2.0 or ghcr.io/sigstore/policy-controller/policy-webhook:v0.2.0

v0.2.0-rc.2

Thanks to all contributors!

What's Changed

• fix path in cloudbuild by @cpanato in #97
• another fix :( in cloudbuild by @cpanato in #99

Full Changelog: v0.2.0-rc.1...v0.2.0-rc.2