Use latest version of sigstore/policy-controller

README.md

@@ -3,7 +3,7 @@
 This repository hosts GitHub's Helm charts for deploying [a Kubernetes admission controller for Artifact Attestations](https://docs.github.com/en/actions/security-guides/enforcing-artifact-attestations-with-a-kubernetes-admission-controller). This admission controller allows you to enforce the provenance of artifacts deployed to your cluster by verifying their [Artifact Attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).
 
 The admission controller consists of:
-- The [`policy-controller` chart](https://github.com/github/artifact-attestations-helm-charts/tree/main/charts/policy-controller), which is used to deploy [our temporary fork](https://github.com/github/policy-controller) of the [Sigstore Policy Controller](https://github.com/sigstore/policy-controller)
+- The [`policy-controller` chart](https://github.com/github/artifact-attestations-helm-charts/tree/main/charts/policy-controller), which is used to deploy the [Sigstore Policy Controller](https://github.com/sigstore/policy-controller)
 - The [`trust-policies` chart](https://github.com/github/artifact-attestations-helm-charts/tree/main/charts/trust-policies), which is used to deploy GitHub's `TrustRoot` and a default `ClusterImagePolicy`. This policy ensures that images installed on a cluster must have provenance attestations generated with the [Attest Build Provenance GitHub Action](https://github.com/actions/attest-build-provenance).
 
 These charts are published to GitHub Container Registry (GHCR) as OCI images. Every release is attested with
@@ -12,7 +12,7 @@ the [Attest Build Provenance Action](https://github.com/github/artifact-attestat
 You can verify these releases using the [`gh` CLI](https://cli.github.com/manual/gh_attestation_verify):
 ```bash
 gh attestation verify --owner github \
-    oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.12.0-github12
+    oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.13.0
 ```
 
 For more information, see [our documentation](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds) on using artifact attestations to establish build provenance and [our blog post](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/) introducing Artifact Attestations.
@@ -26,7 +26,7 @@ You will need to install two charts. First, install the Sigstore policy controll
 helm install policy-controller --atomic \
   --create-namespace --namespace artifact-attestations \
   oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \
-  --version v0.12.0-github12
+  --version v0.13.0
 ```
 
 The `--atomic` flag will delete the installation if failure occurs.
@@ -40,7 +40,7 @@ Next, install the GitHub `TrustRoot` and our default `ClusterImagePolicy`:
 helm install trust-policies --atomic \
  --namespace artifact-attestations \
  oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \
- --version v0.6.2 \
+ --version v0.6.3 \
  --set policy.enabled=true \
  --set policy.organization=MY-ORGANIZATION
 ```
@@ -91,8 +91,8 @@ please file an [issue](https://github.com/github/artifact-attestations-helm-char
 When you are ready to cut a new release for a given Helm chart
 
 1. Update the chart's `AppVersion` and `Version` to the appropriate values
-1. Create a new tag prefixed with the targeted chart name in the format <my-chart-name>-v0.1.2, ex: `git tag -s "policy-controller-v0.12.0-github12" -m "policy-controller-v0.12.0-github12"`
-1. Push the tag, ex: `git push origin "policy-controller-v0.12.0-github12"`
+1. Create a new tag prefixed with the targeted chart name in the format <my-chart-name>-v0.1.2, ex: `git tag -s "policy-controller-v0.13.0" -m "policy-controller-v0.13.0"`
+1. Push the tag, ex: `git push origin "policy-controller-v0.13.0"`
 1. The [release workflow](.github/workflows/release.yml) will be triggered if
 the chart's tag format is included in the list of tags that trigger the workflow.
 The tag must follow the format `<my-chart-name>-v<semantic-version>`

charts/policy-controller/Chart.yaml

@@ -1,16 +1,15 @@
 apiVersion: v2
 description: Artifact Attestations Policy Controller Helm Chart
-home: https://github.com/github/policy-controller
+home: https://github.com/sigstore/policy-controller
 
 sources:
-  - https://github.com/github/policy-controller
+  - https://github.com/sigstore/policy-controller
 
 type: application
 
 name: policy-controller
-version: "v0.12.0-github12"
-appVersion: "v0.12.0-github12"
+version: "v0.13.0"
+appVersion: "v0.13.0"
 
 maintainers:
-  - name: codysoyland
   - name: malancas

charts/policy-controller/README.md

@@ -2,7 +2,7 @@
 
 The Helm chart for Policy  Controller
 
-**Homepage:** <https://github.com/github/policy-controller>
+**Homepage:** <https://github.com/sigstore/policy-controller>
 
 ## Source Code
 
@@ -68,7 +68,7 @@ The Helm chart for Policy  Controller
 Install `policy-controller` using Helm:
 
 ```shell
-helm install policy-controller oci://ghcr.io/github/helm-charts/policy-controller --create-namespace -n cosign-system --version 0.9.0-github1
+helm install policy-controller oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --create-namespace -n cosign-system --version v0.13.0
 ```
 
 The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces.

charts/policy-controller/values.yaml

@@ -15,9 +15,9 @@ webhook:
   replicaCount: 1
   name: webhook
   image:
-    repository: ghcr.io/github/policy-controller-webhook
-    # crane digest ghcr.io/github/policy-controller-webhook:v0.12.0-github12
-    version: sha256:ab78d1c03f5f1fac5462015fbc32b024d19ce0e2aad6a0fd87400a1d443972ef
+    repository: ghcr.io/sigstore/policy-controller/policy-controller:v0.13.0
+    # crane digest ghcr.io/sigstore/policy-controller/policy-controller:v0.13.0
+    version: sha256:62d474d1be06a9dbf5051f14c82d995711fc02cd0bc1ca94ef6baacec3d2f3b1
     pullPolicy: IfNotPresent
   env: {}
   extraArgs: {}

charts/trust-policies/Chart.yaml

@@ -1,16 +1,15 @@
 apiVersion: v2
-description: GitHub policy for the Artifact Attestations Policy Controller
-home: https://github.com/github/policy-controller
+description: Used to deploy GitHub's TrustRoot and a default ClusterImagePolicy
+home: https://github.com/github/artifact-attestations-helm-charts
 
 sources:
-  - https://github.com/github/policy-controller
+  - https://github.com/github/artifact-attestations-helm-charts
 
 type: application
 
 name: trust-policies
-version: "v0.6.2"
-appVersion: "v0.6.2"
+version: "v0.6.3"
+appVersion: "v0.6.3"
 
 maintainers:
-  - name: codysoyland
   - name: malancas

charts/trust-policies/README.md

@@ -1,5 +1,5 @@
 # Trust policies
 
-This helm chart installs GitHub's `TrustRoot` and a default `ClusterImagePolicy` meant to be used with the <https://github.com/github/policy-controller>, and which can be used to enforce that images installed in your Kubernetes cluster originated within a given repository, organization, or were generated by a given reusable workflow.
+This helm chart installs GitHub's `TrustRoot` and a default `ClusterImagePolicy` meant to be used with the <https://github.com/sigstore/policy-controller>, and which can be used to enforce that images installed in your Kubernetes cluster originated within a given repository, organization, or were generated by a given reusable workflow.
 
 See the [values.yaml](./values.yaml) file for more information on which fields can be customized.