Skip to content

Add kata-runtime mutatingpolicy (#30) #63

Add kata-runtime mutatingpolicy (#30)

Add kata-runtime mutatingpolicy (#30) #63

Triggered via push April 20, 2026 02:45
Status Success
Total duration 8m 54s
Artifacts 11

build.yaml

on: push
🔐 Verify Signed Commits
5s
🔐 Verify Signed Commits
⚖️ Verify SPDX License Headers
5s
⚖️ Verify SPDX License Headers
🧾 Validate VEX Statements
0s
🧾 Validate VEX Statements
🛡️ Security Vulnerability Scan
20s
🛡️ Security Vulnerability Scan
🔎 SAST (Semgrep)
34s
🔎 SAST (Semgrep)
🏗️ IaC Security Scan (Trivy config)
16s
🏗️ IaC Security Scan (Trivy config)
🧪 cargo-deny (License + Advisory + Sources)
21s
🧪 cargo-deny (License + Advisory + Sources)
🏷️ Extract Version Information
6s
🏷️ Extract Version Information
🎨 Check Formatting
0s
🎨 Check Formatting
Matrix: build
📦 Package Deployment Manifests
📦 Package Deployment Manifests
📎 Clippy
📎 Clippy
Matrix: ✍️ Sign Binary Artifacts
🔬 Generate SLSA Provenance Subjects
6s
🔬 Generate SLSA Provenance Subjects
Matrix: docker
🏛️ Generate SLSA Provenance  /  detect-env
6s
🏛️ Generate SLSA Provenance / detect-env
🧾 Assemble OpenVEX
13s
🧾 Assemble OpenVEX
Matrix: attest
🏛️ Generate SLSA Provenance  /  generator
26s
🏛️ Generate SLSA Provenance / generator
Matrix: grype
🏛️ Generate SLSA Provenance  /  upload-assets
0s
🏛️ Generate SLSA Provenance / upload-assets
🏛️ Generate SLSA Provenance  /  final
3s
🏛️ Generate SLSA Provenance / final
🚀 Upload Release Assets
0s
🚀 Upload Release Assets
Fit to window
Zoom out
Zoom in

Annotations

20 warnings
🏗️ IaC Security Scan (Trivy config)
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🛡️ Security Vulnerability Scan
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/cache@v4, actions/upload-artifact@v4. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🦀 Build - Linux ARM64
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/cache@v4. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🦀 Build - Linux x86_64
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/cache@v4. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🏛️ Generate SLSA Provenance / detect-env
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v2.1.0. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🏛️ Generate SLSA Provenance / generator
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: ./__BUILDER_CHECKOUT_DIR__/.github/actions/compute-sha256, ./__BUILDER_CHECKOUT_DIR__/.github/actions/privacy-check, actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683, actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34, actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🏛️ Generate SLSA Provenance / generator
Restore cache failed: Dependencies file is not found in /home/runner/work/5-spot/5-spot. Supported file pattern: go.sum
🧪 Test
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/cache@v4. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🐳 Build and Push Docker Image - Chainguard
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093, docker/login-action@v3, docker/setup-buildx-action@v3. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
Variables should be defined before their use: Dockerfile.chainguard#L40
UndefinedVar: Usage of undefined variable '$BASE_IMAGE' More info: https://docs.docker.com/go/dockerfile/rule/undefined-var/
🐳 Build and Push Docker Image - Distroless
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093, docker/login-action@v3, docker/setup-buildx-action@v3. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🔏 Attest Docker Image - Chainguard
Please check that the "artifact-metadata:write" permission has been included
🔏 Attest Docker Image - Chainguard
Failed to create storage record: Error: Failed to persist storage record: no artifacts found - https://docs.github.com/rest/orgs/artifact-metadata#create-artifact-metadata-storage-record
🧾 Assemble OpenVEX
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5, actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065, actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02, docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🔏 Attest Docker Image - Distroless
Please check that the "artifact-metadata:write" permission has been included
🔏 Attest Docker Image - Distroless
Failed to create storage record: Error: Failed to persist storage record: no artifacts found - https://docs.github.com/rest/orgs/artifact-metadata#create-artifact-metadata-storage-record
🔭 Container Security Scan - Distroless
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093, actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02, github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🔭 Container Security Scan - Distroless
CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/
🔭 Container Security Scan - Chainguard
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093, actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02, github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
🔭 Container Security Scan - Chainguard
CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/

Artifacts

Produced during runtime
Name Size Digest
0.0.0-main.2026-04-20.63.intoto.jsonl Expired
9.97 KB
sha256:1701405e07a4c1f218ae9578d4ea9ab851250a10df5e7129faa56f146002ef82
5spot-linux-amd64 Expired
5.05 MB
sha256:4aab105eff13dd54c39944dd36b19442fb01be9116ef515934d0176929f657a8
5spot-linux-amd64-signed
4.88 MB
sha256:72e48c61ee34dacdd5e54396067d8d602b11219e30a3d89658adf99f21d8e255
5spot-linux-arm64 Expired
4.87 MB
sha256:f4f50134d3e6cea8062b464aa79f4415164f9a93dc1762e660d40ef06e1bf967
5spot-linux-arm64-signed
4.61 MB
sha256:4b4af2a69839703d9201982c828251e862ddb1577eb8fab25ebdbe7ddfdc546f
cargo-audit-report
419 Bytes
sha256:5ae819981135a8d3b44c44b729dc1093417ad7a79fb55c0168aa33fc06fd2f78
finos~5-spot~URZUBZ.dockerbuild
71.8 KB
sha256:ef7233bfd85135b62ed95c9643b331fdc4a5ac47bd62228bd5267673cf6b0524
finos~5-spot~US8M08.dockerbuild
106 KB
sha256:ff4f0fbd09931afe3c359886b282d894bb830984bcb226179201116824b51fdf
grype-push-Chainguard-63
3.69 KB
sha256:544e24e3da1777fcd3b0ab4c362fb24783552f7e284c2b5efcc3a6dedeacefe1
grype-push-Distroless-63
3.71 KB
sha256:18a72d44259ce746d17f8c75e45cc005a68bcf6efbdbddd2c6f34865204e8992
openvex
1.26 KB
sha256:da0e0d366edc98e48b7c071edceb03d7fec5da3fc4a3c2c49f1ec7bf6cba8922