
Releases: sigstore/policy-controller

v0.6.3

06 Feb 22:29
e7c6cfb

Changelog

Thanks to all contributors!

@hectorj2f

v0.6.2

30 Jan 10:11
a72be97

What's Changed

  • Add TrustRoot crd. by @vaikas in #291
  • keep the matrix jobs running if one fail by @cpanato in #441
  • Plumb TrustRoot CRD through to CIP CRDs. Make TrustRoot available to webhook, clean up and refactor checkOpts logic. by @vaikas in #436
  • update scaffolding releases to v0.5.4 by @vaikas in #443
  • e2e test for bring your own keys with trustroot. by @vaikas in #444
  • expose webhook validator getters by @joshrwolf in #449
  • Generate slsa provenance by @hectorj2f in #447
  • policy-tester: use UnmarshalStrict by @hectorj2f in #453
  • Add support for policy.configMapRef in attestation / cip.spec by @vaikas in #457
  • Add support for bring your own serialized tuf repository. by @vaikas in #452
  • If TLog.url is specified, use it if trustroot does not have one + test. by @vaikas in #461
  • Fix: Fix private multi-arch fetchConfigFile by @mattmoor in #462
  • Add support for TUF remote. by @vaikas in #463
  • bring in latest cosign changes + update interfaces. by @vaikas in #467
  • fix: wrong api field ref in error msg by @hectorj2f in #470
  • chore: Relax certificate authority validation in trustRoots by @hectorj2f in #471
  • chore: add TSA cert chain validation by @hectorj2f in #472
  • fix: script field indentation by @hectorj2f in #476
  • feature: add TSA support when verifying authorities by @hectorj2f in #468
  • Fix: Use the apiVersion when matching resources. by @mattmoor in #482
  • Feature: Create an interface for downstream CIP integrations. by @mattmoor in #480
  • use sigstore cosign-installer by @hectorj2f in #485
  • cleanup: switch to using cosign v2.0.0-rc.0 by @k4leung4 in #484
  • Allow fully specified URLs in predicateTypes. by @vaikas in #491
  • cleanup: update sigstore/cosign dep by @k4leung4 in #493
  • Require issuer/subject or issuerRegExp/subjectRegExp by @vaikas in #495
  • cleanup: bump cosign to latest by @k4leung4 in #501
  • Fix keyless behavior when ctlog is absent by @hectorj2f in #508
  • test: change error message for empty keyless/key by @hectorj2f in #509
  • Add InsecureIgnoreSCT field to the keyless authorities by @hectorj2f in #511
  • Add a policy example for GCP KMS by @mathieu-benoit in #520
  • Improve kms key validations and error messages for awskms by @hectorj2f in #524
  • chore(deps): Bump github/codeql-action from 2.1.39 to 2.2.0 by @dependabot in #527
  • Bump cosign to v2.0.0.rc.1 by @hectorj2f in #530
  • Add support for Policy URLs by @hectorj2f in #518
  • only sub&rbac. by @vaikas in #534
  • Bump cosign e2e tests to rc2.0.0.rc.1 by @hectorj2f in #536
  • cleanup: update repo to use cosign v2.0.0-rc.1 by @k4leung4 in #535
  • remove COSIGN_EXPERIMENTAL env var by @hectorj2f in #537
  • bump timeout for goreleaser to 60 minutes. by @vaikas in #539
  • set yes confirmation flag and bump timeout by @cpanato in #540

Full Changelog: v0.5.2...v0.6.2

v0.5.2

11 Dec 20:40
21c7eb0

Changelog

  • 21c7eb0 Merge pull request #435 from sigstore/dependabot/go_modules/k8s.io/code-generator-0.26.0

Thanks to all contributors!

What's Changed

  • chore(deps): Bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 by @dependabot in #433
  • chore(deps): Bump github/codeql-action from 2.1.35 to 2.1.36 by @dependabot in #430
  • chore(deps): Bump k8s.io/api from 0.25.3 to 0.26.0 by @dependabot in #432
  • chore(deps): Bump k8s.io/code-generator from 0.25.3 to 0.26.0 by @dependabot in #435

Full Changelog: v0.5.1...v0.5.2

v0.5.1

09 Dec 03:25
8d7653e

Changelog

  • 8d7653e Merge pull request #426 from sigstore/dependabot/go_modules/github.com/hashicorp/go-plugin-1.4.8

Thanks to all contributors!

What's Changed

  • Feature: Add -resource to policy-tester by @mattmoor in #414
  • Cleanup: Rename objectMeta to metadata to align with K8s shape. by @mattmoor in #420 (This is a breaking change in evaluating CIP level policies using objectMeta from 0.5.0)
  • Bug Fix: Do not fail on first attestation that does not satisfy. by @vaikas in #422
  • chore(deps): Bump golang.org/x/sys from 0.2.0 to 0.3.0 by @dependabot in #412
  • chore(deps): Bump github.com/aws/aws-sdk-go-v2 from 1.17.1 to 1.17.2 by @dependabot in #409
  • chore(deps): Bump golang.org/x/time from 0.2.0 to 0.3.0 by @dependabot in #410
  • chore(deps): Bump golang.org/x/net from 0.2.0 to 0.3.0 by @dependabot in #411
  • Initial support for rego + simple tests. by @vaikas in #413
  • Update go and base image by @cpanato in #415
  • chore(deps): Bump golang.org/x/crypto from 0.3.0 to 0.4.0 by @dependabot in #416
  • chore(deps): Bump golang.org/x/net from 0.3.0 to 0.4.0 by @dependabot in #418
  • chore(deps): Bump github.com/hashicorp/go-hclog from 1.3.1 to 1.4.0 by @dependabot in #417
  • Add includeTypeMeta that includes TypeMeta (just like includeObjectMeta) by @vaikas in #421
  • Fix some lint issues surfaced by #424 by @vaikas in #425
  • bump golangci-lint to 1.50.1 by @cpanato in #424
  • fix ioutil deprecation by @cpanato in #428
  • release-script: bump golang to 1.19 (rebased version of #427) by @vaikas in #429
  • chore(deps): Bump github.com/hashicorp/go-plugin from 1.4.6 to 1.4.8 by @dependabot in #426

Full Changelog: v0.5.0...v0.5.1

v0.5.0

05 Dec 23:57
ee7c481

Changelog

  • ee7c481 Merge pull request #399 from hectorj2f/source_secrets

Thanks to all contributors!

What's Changed

  • chore(deps): Bump anchore/sbom-action from 0.13.0 to 0.13.1 by @dependabot in #365
  • chore(deps): Bump github/codeql-action from 2.1.30 to 2.1.31 by @dependabot in #366
  • chore(deps): Bump golang.org/x/sys from 0.1.0 to 0.2.0 by @dependabot in #367
  • chore(deps): Bump golang.org/x/time from 0.1.0 to 0.2.0 by @dependabot in #368
  • chore(deps): Bump golang.org/x/crypto from 0.1.0 to 0.2.0 by @dependabot in #373
  • chore(deps): Bump google-github-actions/auth from 0.8.3 to 1.0.0 by @dependabot in #371
  • chore(deps): Bump google-github-actions/setup-gcloud from 0.6.2 to 1.0.0 by @dependabot in #370
  • CI: bump scaffolding version by @hectorj2f in #377
  • chore(deps): Bump google-github-actions/setup-gcloud from 1.0.0 to 1.0.1 by @dependabot in #376
  • chore(deps): Bump github.com/hashicorp/go-plugin from 1.4.5 to 1.4.6 by @dependabot in #374
  • chore(deps): Bump mikefarah/yq from 4.28.2 to 4.30.1 by @dependabot in #378
  • chore(deps): Bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 by @dependabot in #379
  • chore(deps): Bump github.com/google/go-containerregistry from 0.12.0 to 0.12.1 by @dependabot in #381
  • chore(deps): Bump github.com/sigstore/rekor from 1.0.0 to 1.0.1 by @dependabot in #380
  • chore(deps): Bump github/codeql-action from 2.1.31 to 2.1.32 by @dependabot in #384
  • chore(deps): Bump mikefarah/yq from 4.30.1 to 4.30.2 by @dependabot in #383
  • chore(deps): Bump golang.org/x/crypto from 0.2.0 to 0.3.0 by @dependabot in #390
  • chore(deps): Bump google.golang.org/grpc from 1.50.1 to 1.51.0 by @dependabot in #392
  • fix: v1beta1 version converter that ignored the field spec.policy by @hectorj2f in #393
  • Drop service account lookups when signaturePullSecrets are specified by @hectorj2f in #388
  • Add FetchConfigFile to Policy that allows you to fetch and evaluate policy against container image configfile. by @vaikas in #389
  • add gh actions to verify docs by @hectorj2f in #395
  • chore(deps): Bump github.com/hashicorp/golang-lru from 0.5.4 to 1.0.1 by @dependabot in #387
  • chore(deps): Bump github.com/sigstore/sigstore from 1.4.5 to 1.4.6 by @dependabot in #397
  • chore(deps): Bump github/codeql-action from 2.1.32 to 2.1.35 by @dependabot in #402
  • chore(deps): Bump actions/setup-go from 3.3.1 to 3.4.0 by @dependabot in #403
  • chore(deps): Bump go.uber.org/zap from 1.23.0 to 1.24.0 by @dependabot in #404
  • Attach highest level resource spec to PolicyResult if so desired. by @vaikas in #406
  • chore(deps): Bump mikefarah/yq from 4.30.2 to 4.30.5 by @dependabot in #405
  • Add includeObjectMetadata for including objectMeta in CIP policy eval. by @vaikas in #407
  • feat: configurable ClusterImagePolicy resync period by @DennyHoang in #398
  • feat: accept source without setting any oci repository by @hectorj2f in #399

Full Changelog: v0.4.2...v0.5.0

v0.4.2

09 Nov 11:41
c20735d
Full Changelog: v0.4.1...v0.4.2

v0.4.1

28 Oct 20:05
0839e62
Full Changelog: v0.4.0...v0.4.1

v0.4.0

11 Oct 20:56
c1718d6

What's Changed

  • Allow fetching CIPs from URLs. by @vaikas in #221
  • add tester binary to the release process by @cpanato in #233
  • Remove secret name flag by @hectorj2f in #223
  • Rely exclusively on TUF root for fulcio root. Do not fetch them oob. by @vaikas in #240
  • Add a new field to set the signature hash algorithm by @hectorj2f in #237
  • chore: bump k8s.io deps to v0.24.4 by @hectorj2f in #254
  • chore(deps): Bump actions/dependency-review-action from 2.2.0 to 2.3.0 by @dependabot in #256
  • chore(deps): Bump github/codeql-action from 2.1.24 to 2.1.25 by @dependabot in #255
  • Bump cosign and rekor deps to v1.12.1 by @hectorj2f in #253
  • chore: add kind support for 1.25 by @hectorj2f in #229
  • Fix: Plumb context through to GGCR. by @mattmoor in #271
  • Feature: match available resource types by name, version, group and/or labels by @hectorj2f in #248
  • Add policy-controller level config map and decorate requests with it. by @vaikas in #270
  • Validate containers in parallel. by @vaikas in #277
  • deny by default. by @vaikas in #279
  • Since by default we deny all, just drop it from CM. by @vaikas in #282
  • Cache scaffolding by @vaikas in #283
  • add id-token permission to be able to sign the report by @cpanato in #289
  • Add a configuration field to allow CIP with no authorities by @hectorj2f in #292
  • bump sigstore deps to latest by @hectorj2f in #300
  • Fix: Check flag in v1alpha1, use OrDefaults to avoid breaking change. by @mattmoor in #303

Full Changelog: v0.3.0...v0.4.0

v0.3.0

07 Sep 00:54
9ed1f43

What's Changed

BREAKING Deprecate 'secret-name' flag harder. It will go away in the next release. Use ClusterImagePolicy instead.

  • fix codeql job by @cpanato in #132
  • use omit-empty to make results more readable and concise. by @vaikas in #134
  • Include the predicate type and payload for attestations. by @mattmoor in #135
  • Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in #136
  • Add issuerRegExp and subjectRegExp fields to doc. by @vaikas in #137
  • Add two more example policies by @nsmith5 in #118
  • refactor release job to run over GH actions instead of cloudbuild by @cpanato in #128
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.8 to 1.16.10 by @dependabot in #141
  • Bump go.uber.org/zap from 1.21.0 to 1.22.0 by @dependabot in #140
  • Use scaffolding v0.4.2 for tests. by @vaikas in #142
  • README.md: fix typo by @mykter in #144
  • chore: require setting the identity - issuer and subject by @hectorj2f in #125
  • Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in #147
  • Add finalizers permissions to ClusterRole by @elfotografo007 in #146
  • Use scaffolding v0.4.3. Remove unused KNATIVE_VERSION env var. by @vaikas in #149
  • Bump go.uber.org/atomic from 1.9.0 to 1.10.0 by @dependabot in #152
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.10 to 1.16.11 by @dependabot in #151
  • Bump actions/github-script from 6.1.0 to 6.1.1 by @dependabot in #150
  • Reduce the duplication across action workflows. by @mattmoor in #153
  • Add --type spdxjson to verify-attestation by @vaikas in #158
  • Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 by @dependabot in #156
  • Use TUF instead of env variables. by @vaikas in #159
  • Add cosign initialize as an init container to initialize TUF. by @vaikas in #157
  • fix keyless check by @cpanato in #160
  • add missing action to install ko by @cpanato in #162
  • add initial Support Policy documentation by @cpanato in #164
  • Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in #167
  • Bump anchore/sbom-action from 0.11.0 to 0.12.0 by @dependabot in #168
  • upgrade to go 1.18 by @k4leung4 in #174
  • Bump github/codeql-action from 2.1.18 to 2.1.19 by @dependabot in #166
  • Bump github/codeql-action from 2.1.19 to 2.1.20 by @dependabot in #177
  • update sigstore/[cosign|fulcio|rekor|sigstore] deps by @k4leung4 in #175
  • Bump actions/cache from 3.0.7 to 3.0.8 by @dependabot in #176
  • Bump github.com/sigstore/fulcio from 0.5.2 to 0.5.3 by @dependabot in #178
  • Bump actions/setup-go from 3.2.1 to 3.3.0 by @dependabot in #180
  • Bump github.com/hashicorp/yamux from 0.1.0 to 0.1.1 by @dependabot in #179
  • Fixes #90 by configuring webhook not to get called on status updates. by @vaikas in #165
  • bump sigstore/cosign to 1.11.1 by @k4leung4 in #185
  • Bump go.uber.org/zap from 1.22.0 to 1.23.0 by @dependabot in #187
  • Bump google.golang.org/grpc from 1.48.0 to 1.49.0 by @dependabot in #186
  • Add warn mode for CIP. by @vaikas in #163
  • Add warn tests for creating CIP with missing identities. by @vaikas in #188
  • Bump github/codeql-action from 2.1.20 to 2.1.21 by @dependabot in #190
  • Bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 by @dependabot in #192
  • Bump actions/github-script from 6.1.1 to 6.2.0 by @dependabot in #191
  • update chainguard-dev/actions/goimports by @cpanato in #194
  • Do not exit on warnings on CIP. by @vaikas in #196
  • update CIP to fix tests when running in the push to main and in keyless mode by @cpanato in #197
  • Fix webhook looking for credentials in the wrong namespace by @elfotografo007 in #199
  • Add explicit check for invalid keys. This should not happen, but. by @vaikas in #200
  • Bump mikefarah/yq from 4.27.2 to 4.27.3 by @dependabot in #198
  • fix order of the release steps by @cpanato in #201
  • Bump google-github-actions/auth from 0.8.0 to 0.8.1 by @dependabot in #202
  • Bump github/codeql-action from 2.1.21 to 2.1.22 by @dependabot in #203
  • ignore the credentials and setup gcloud by @cpanato in #204
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.11 to 1.16.13 by @dependabot in #206
  • Bump github.com/hashicorp/go-hclog from 1.2.2 to 1.3.0 by @dependabot in #207
  • Bump sigstore/sigstore. Simplify tests by specifying COSIGN_EXPERIMENTAL=1. by @vaikas in #209
  • Misleading docs on use of regexp by @lukehinds in #210
  • Add e2e test with secretRef. by @vaikas in #213
  • Reorder tests to prevent race condition by @elfotografo007 in #211
  • Relax glob so easier to run e2e tests against other clusters. by @vaikas in #214
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.13 to 1.16.14 by @dependabot in #212
  • Start deprecation of --secret-name by @hectorj2f in #215
  • upgrade setup-ko to point to new repo by @imjasonh in #217
  • Bump imranismail/setup-kustomize from 1.6.1 to 1.7.0 by @dependabot in #216
  • remove not needed env vars by @cpanato in #218
  • remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #219

Full Changelog: v0.2.1...v0.3.0

v0.2.1

04 Aug 21:00
6e9b0b8
Full Changelog: v0.2.0...v0.2.1

Images:

  • policy-controller: gcr.io/projectsigstore/policy-controller:v0.2.1 or ghcr.io/sigstore/policy-controller/policy-controller:v0.2.1
  • policy-webhook: gcr.io/projectsigstore/policy-webhook:v0.2.1 or ghcr.io/sigstore/policy-controller/policy-webhook:v0.2.1

Thanks to all contributors!