Modernize provenance pkg to use the new intoto libraries#598

Merged: k8s-ci-robot merged 5 commits into kubernetes-sigs:main from puerco:modernize-intoto on Feb 7, 2026

Conversation


@puerco puerco commented Feb 7, 2026

What type of PR is this?

/kind cleanup
/kind api-change
/kind failing-test
/kind flake

What this PR does / why we need it:

This PR updates the provenance package in bom to break the dependency on the deprecated in-toto-go libraries. This PR drops the old module and switches it to use the intoto attestation framework libraries.

Preparing to update the SLSA predicate version we are using, I've updated the Predicate wrapper to take any proto message internally and added a few new methods to translate to the different SLSA versions.

The SPDX package has been updated to now use the provenance package.

Which issue(s) this PR fixes:

This change will allow us to fix the breakages in other parts of the release tooling (e.g. kubernetes/release#4248) once it flows down.

Special notes for your reviewer:

/cc @kubernetes-sigs/release-engineering

Does this PR introduce a user-facing change?

- bom now uses the intoto attestation framework libraries, dropping the old in-toto-go module
- The provenance APIs have been generalized a bit, introducing a breaking change in some functions.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
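As an added example (not bom's code, and written against plain JSON structs rather than the in-toto attestation protobuf types the PR adopts), this sketches the two sides the description touches: a wrapper that accepts any predicate and stamps it with a SLSA predicateType, and the consumer-side check that the statement binds the artifact's digest under a recognized SLSA version. The Statement type and SLSA provenance URIs are the published ones; the type and function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Plain-JSON stand-ins for the in-toto Statement v1 layout (assumed here, not bom's own types).
const StatementType = "https://in-toto.io/Statement/v1"
var SLSAPredicateVersions = map[string]string{ // SLSA provenance predicateType URI -> spec version
	"https://slsa.dev/provenance/v0.2": "v0.2",
	"https://slsa.dev/provenance/v1":   "v1",
}
type ResourceDescriptor struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Statement struct {
	Type          string               `json:"_type"`
	Subject       []ResourceDescriptor `json:"subject"`
	PredicateType string               `json:"predicateType"`
	Predicate     json.RawMessage      `json:"predicate"`
}
// NewStatement wraps any JSON-serializable predicate in a Statement envelope
// (the plain-JSON analogue of a wrapper that accepts any proto message).
func NewStatement(subjects []ResourceDescriptor, predicateType string, predicate any) (*Statement, error) {
	raw, err := json.Marshal(predicate)
	if err != nil {
		return nil, err
	}
	return &Statement{Type: StatementType, Subject: subjects, PredicateType: predicateType, Predicate: raw}, nil
}

// VerifySubject is the consumer-side check: envelope type and SLSA version are recognized and the
// artifact's sha256 digest is bound to its name as a subject; the version selects the predicate parser.
func VerifySubject(stmt *Statement, name string, artifact []byte) (string, error) {
	version, ok := SLSAPredicateVersions[stmt.PredicateType]
	if stmt.Type != StatementType || !ok {
		return "", fmt.Errorf("unrecognized statement %q / predicate %q", stmt.Type, stmt.PredicateType)
	}
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, s := range stmt.Subject {
		if s.Name == name && s.Digest["sha256"] == want {
			return version, nil
		}
	}
	return "", fmt.Errorf("no subject binds %q to sha256:%s", name, want)
}
func main() {} // package main so the file builds stand-alone; call NewStatement/VerifySubject from your own code
```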
@k8s-ci-robot

@puerco: GitHub didn't allow me to request PR reviews from the following users: kubernetes-sigs/release-engineering.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.


@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/failing-test Categorizes issue or PR as related to a consistently or frequently failing test. kind/flake Categorizes issue or PR as related to a flaky test. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 7, 2026

@cpanato cpanato left a comment

Nice thanks

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 7, 2026
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, puerco


@k8s-ci-robot k8s-ci-robot merged commit 0b81bd5 into kubernetes-sigs:main Feb 7, 2026
7 checks passed