Merge branch 'main' into docs/single-source-site

Author: mchmarny

.github/workflows/build-attested.yaml

@@ -59,7 +59,7 @@ jobs:
           cache: true
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22  # v4.1.0
 
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29  # v7.0.0

.github/workflows/gh-pages.yaml

@@ -74,7 +74,7 @@ jobs:
 
       - name: Upload artifact
         if: github.event_name != 'pull_request'
-        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b  # v4.0.0
         with:
           path: site/.vitepress/dist
 

.github/workflows/on-tag.yaml

@@ -77,7 +77,7 @@ jobs:
           cache: true
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22  # v4.1.0
 
       - name: Generate SLSA predicate
         uses: ./.github/actions/generate-slsa-predicate

.github/workflows/stale.yaml

@@ -49,7 +49,7 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d  # v10.1.0
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f  # v10.1.0
         with:
           # Issue settings
           stale-issue-message: |

.goreleaser.yaml

@@ -187,11 +187,11 @@ brews:
     caveats: |
       To verify supply-chain provenance (requires cosign):
 
-        cosign verify-blob-attestation \
-          --bundle #{opt_bin}/aicr-attestation.sigstore.json \
-          --type https://slsa.dev/provenance/v1 \
-          --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-          --certificate-identity-regexp "https://github.com/NVIDIA/aicr/.github/workflows/on-tag\\.yaml@refs/tags/.*" \
+        cosign verify-blob-attestation \\
+          --bundle #{opt_bin}/aicr-attestation.sigstore.json \\
+          --type https://slsa.dev/provenance/v1 \\
+          --certificate-oidc-issuer https://token.actions.githubusercontent.com \\
+          --certificate-identity-regexp "https://github.com/NVIDIA/aicr/.github/workflows/on-tag\\.yaml@refs/tags/.*" \\
           #{opt_bin}/aicr
 
       To update the trust root for bundle attestation:

pkg/bundler/deployer/helm/templates/undeploy.sh.tmpl

@@ -164,6 +164,10 @@ fi
 delete_orphaned_webhooks_for_ns "{{ . }}"
 delete_namespace "{{ . }}"
 {{ end }}
+# Clean up companion namespaces created at runtime by components.
+# These are not in the bundle's namespace list but are created by operators.
+delete_namespace "kai-resource-reservation"
+
 # Wait for terminating namespaces to finish
 echo "Waiting for namespaces to terminate..."
 for i in $(seq 1 60); do

pkg/evidence/scripts/collect-evidence.sh

@@ -110,6 +110,29 @@ wait_for_port() {
     return 1
 }
 
+# Runtime results tracker — records check name and status as they execute.
+# Format: "name:status" entries separated by newlines.
+CHECK_RESULTS=""
+
+# Run a collector and record its result based on the evidence file it produces.
+# Usage: run_check "DRA Support" "dra-support" collect_dra
+run_check() {
+    local display_name="$1" file_key="$2" collector_fn="$3"
+    local evidence_path="${EVIDENCE_DIR}/${file_key}.md"
+
+    "${collector_fn}"
+
+    if [ ! -f "${evidence_path}" ]; then
+        CHECK_RESULTS="${CHECK_RESULTS}${display_name}:SKIP\n"
+    elif grep -q "Result: PASS" "${evidence_path}" 2>/dev/null; then
+        CHECK_RESULTS="${CHECK_RESULTS}${display_name}:PASS\n"
+    elif grep -q "Result: FAIL" "${evidence_path}" 2>/dev/null; then
+        CHECK_RESULTS="${CHECK_RESULTS}${display_name}:FAIL\n"
+    else
+        CHECK_RESULTS="${CHECK_RESULTS}${display_name}:UNKNOWN\n"
+    fi
+}
+
 # Clean up a test namespace properly: pods → resourceclaims → namespace
 # This order prevents stale DRA kubelet checkpoint issues caused by
 # orphaned ResourceClaims with delete-protection finalizers.
@@ -1438,38 +1461,38 @@ main() {
 
     case "${SECTION}" in
         dra)
-            collect_dra
+            run_check "DRA Support" "dra-support" collect_dra
             ;;
         gang)
-            collect_gang
+            run_check "Gang Scheduling" "gang-scheduling" collect_gang
             ;;
         secure)
-            collect_secure
+            run_check "Secure Accelerator Access" "secure-accelerator-access" collect_secure
             ;;
         metrics)
-            collect_metrics
+            run_check "Accelerator Metrics" "accelerator-metrics" collect_metrics
             ;;
         gateway)
-            collect_gateway
+            run_check "Inference Gateway" "inference-gateway" collect_gateway
             ;;
         operator)
-            collect_operator
+            run_check "Robust AI Operator" "robust-operator" collect_operator
             ;;
         hpa)
-            collect_hpa
+            run_check "Pod Autoscaling (HPA)" "pod-autoscaling" collect_hpa
             ;;
         cluster-autoscaling)
-            collect_cluster_autoscaling
+            run_check "Cluster Autoscaling" "cluster-autoscaling" collect_cluster_autoscaling
             ;;
         all)
-            collect_dra
-            collect_gang
-            collect_secure
-            collect_metrics
-            collect_gateway
-            collect_operator
-            collect_hpa
-            collect_cluster_autoscaling
+            run_check "DRA Support" "dra-support" collect_dra
+            run_check "Gang Scheduling" "gang-scheduling" collect_gang
+            run_check "Secure Accelerator Access" "secure-accelerator-access" collect_secure
+            run_check "Accelerator Metrics" "accelerator-metrics" collect_metrics
+            run_check "Inference Gateway" "inference-gateway" collect_gateway
+            run_check "Robust AI Operator" "robust-operator" collect_operator
+            run_check "Pod Autoscaling (HPA)" "pod-autoscaling" collect_hpa
+            run_check "Cluster Autoscaling" "cluster-autoscaling" collect_cluster_autoscaling
             ;;
         *)
             log_error "Unknown section: ${SECTION}"
@@ -1496,36 +1519,20 @@ main() {
     echo "  OS:         ${CLUSTER_OS_IMAGE}"
     echo "  Evidence:   ${EVIDENCE_DIR}/"
     echo ""
-    local checks=(
-        "dra-support:DRA Support"
-        "gang-scheduling:Gang Scheduling"
-        "secure-accelerator-access:Secure Accelerator Access"
-        "accelerator-metrics:Accelerator Metrics"
-        "inference-gateway:Inference Gateway"
-        "robust-operator:Robust AI Operator"
-        "pod-autoscaling:Pod Autoscaling (HPA)"
-        "cluster-autoscaling:Cluster Autoscaling"
-    )
     local passed=0 failed=0 skipped=0
     printf "  %-30s %s\n" "Check" "Status"
     printf "  %-30s %s\n" "-----" "------"
-    for entry in "${checks[@]}"; do
-        local file="${entry%%:*}"
-        local name="${entry#*:}"
-        local evidence_path="${EVIDENCE_DIR}/${file}.md"
-        if [ ! -f "${evidence_path}" ]; then
-            printf "  %-30s %s\n" "${name}" "SKIP"
-            skipped=$((skipped + 1))
-        elif grep -q "Result: PASS" "${evidence_path}" 2>/dev/null; then
-            printf "  %-30s %s\n" "${name}" "PASS"
-            passed=$((passed + 1))
-        elif grep -q "Result: FAIL" "${evidence_path}" 2>/dev/null; then
-            printf "  %-30s %s\n" "${name}" "FAIL"
-            failed=$((failed + 1))
-        else
-            printf "  %-30s %s\n" "${name}" "UNKNOWN"
-        fi
-    done
+    while IFS= read -r line; do
+        [ -z "${line}" ] && continue
+        local name="${line%%:*}"
+        local status="${line#*:}"
+        printf "  %-30s %s\n" "${name}" "${status}"
+        case "${status}" in
+            PASS*) passed=$((passed + 1)) ;;
+            FAIL*) failed=$((failed + 1)) ;;
+            SKIP)  skipped=$((skipped + 1)) ;;
+        esac
+    done < <(printf '%b' "${CHECK_RESULTS}")
     echo ""
     echo "  Total: $((passed + failed + skipped)) | Passed: ${passed} | Failed: ${failed} | Skipped: ${skipped}"
     echo ""