From 7322b258d467182e39be591e97c1c3823384fe5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 19 Mar 2026 12:54:02 +0100 Subject: [PATCH 1/3] feat!: Support slsa provenance predicate type v1 instead of v0.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- attestation/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attestation/action.yml b/attestation/action.yml index 054d54e..ecd8230 100644 --- a/attestation/action.yml +++ b/attestation/action.yml @@ -53,7 +53,7 @@ runs: set -e DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST }} | jq -r '.layers[] - | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") + | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v1") | .digest') echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV" - name: Find SBOM manifest layer digest From bdf876cb1649abc88b9eabcf8df89161e846aa31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 19 Mar 2026 12:54:35 +0100 Subject: [PATCH 2/3] feat: Add error checking to digest extraction MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- attestation/action.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/attestation/action.yml b/attestation/action.yml index ecd8230..e1a02a1 100644 --- a/attestation/action.yml +++ b/attestation/action.yml 
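Review bot: The changed `select` is an exact string match on `https://slsa.dev/provenance/v1`, so this consumer now silently depends on the producing build step emitting SLSA v1 predicates; if the builder still emits v0.2, the pipeline yields an empty `DIGEST` rather than an error, and nothing in this file records that coupling. A comment above the `jq` call would make the contract visible, e.g. `# Must match the provenance predicate version produced by the build step (SLSA v1); v0.2 attestations are intentionally no longer accepted.` Since the commit is marked `feat!`, the commit message or the action's README should point at the corresponding producer-side change so operators know which side to update first. The `run:` block this line belongs to starts above the hunk.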
@@ -46,6 +46,10 @@ runs: | jq -r '.manifests[] | select(.annotations["vnd.docker.reference.type"] == "attestation-manifest") | .digest') + if [[ -z "${DIGEST}" ]]; then + echo "ERROR: No attestation manifest found for ${{ inputs.component }} (${{ inputs.arch }})" + exit 1 + fi echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV" - name: Find provenance manifest digest shell: bash @@ -55,13 +59,27 @@ runs: jq -r '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v1") | .digest') + if [[ -z "${DIGEST}" ]]; then + echo "ERROR: No SLSA provenance layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }})" + exit 1 + fi echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV" - name: Find SBOM manifest layer digest shell: bash run: | set -e DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ - jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")') + jq -r '.layers + | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) + | map(.digest) + | if length == 0 then empty + elif length == 1 then .[0] + else error("ERROR: Multiple SBOM layers found in attestation manifest") + end') + if [[ -z "${DIGEST}" ]]; then + echo "ERROR: No SBOM layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }})" + exit 1 + fi echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" # We need to upload provenance and SBOM files, plus their signatures under the GitHub Release page. From 4880e768cdcd258c2b36378b7e42cc32064dbaea Mon Sep 17 00:00:00 2001 
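Review bot: The new `-z` guard on `DIGEST` only rejects the empty case, but `jq -r '.manifests[] | select(...)'` prints one line per matching manifest, so an index carrying more than one `attestation-manifest` entry produces a multi-line value that passes the check and is then written as a malformed `ATTESTATION_MANIFEST_DIGEST=` entry to `$GITHUB_ENV`. Validating the shape covers both failure modes: `if [[ ! "${DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then echo "ERROR: expected exactly one attestation manifest digest for ${COMPONENT} (${ARCH}), got: ${DIGEST}"; exit 1; fi`. The added `echo` also interpolates `${{ inputs.component }}` and `${{ inputs.arch }}` straight into shell source; routing them through the step's `env:` and referencing `"$COMPONENT"`/`"$ARCH"` avoids the expression-injection pattern, although the pre-existing `crane` line already has the same shape. The `crane manifest` call that feeds this `jq` is above the hunk and is not visible here.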
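Review bot: The SBOM step now fails on more than one matching layer via jq's `error(...)`, but the provenance step directly above it keeps a bare `-z` test, so two layers annotated `https://slsa.dev/provenance/v1` would pass the check and write a multi-line `PROVENANCE_DIGEST` into `$GITHUB_ENV`. Making the two steps consistent is a one-line change to the provenance guard, `if [[ ! "${DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then`, which rejects empty, multi-line and non-digest values alike before the `echo` to `$GITHUB_ENV`. The `error()` path only terminates the step because `jq` is the last command in the pipeline under `set -e`; a `crane` failure earlier in the same pipeline is masked and caught only indirectly by the emptiness test, so `set -eo pipefail` at the top of each `run:` would make that intent explicit.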
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 19 Mar 2026 12:55:32 +0100 Subject: [PATCH 3/3] chore: Prepare for release 4.6.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit sed --in-place 's/4\.5\.16/4\.6\.0/' $(find . -maxdepth 3 -name "*.yml") Signed-off-by: Víctor Cuadrado Juan --- .../reusable-release-policy-assemblyscript.yml | 8 ++++---- .github/workflows/reusable-release-policy-go-wasi.yml | 10 +++++----- .github/workflows/reusable-release-policy-go.yml | 10 +++++----- .github/workflows/reusable-release-policy-rego.yml | 10 +++++----- .github/workflows/reusable-release-policy-rust.yml | 10 +++++----- .github/workflows/reusable-release-policy-swift.yml | 8 ++++---- .github/workflows/reusable-test-policy-go-wasi.yml | 4 ++-- .github/workflows/reusable-test-policy-go.yml | 4 ++-- .github/workflows/reusable-test-policy-rego.yml | 2 +- .github/workflows/reusable-test-policy-rust.yml | 4 ++-- attestation/action.yml | 2 +- policy-gh-action-dependencies/action.yml | 6 +++--- push-artifacthub/action.yml | 2 +- 13 files changed, 40 insertions(+), 40 deletions(-) diff --git a/.github/workflows/reusable-release-policy-assemblyscript.yml b/.github/workflows/reusable-release-policy-assemblyscript.yml index 75817bc..e35255b 100644 --- a/.github/workflows/reusable-release-policy-assemblyscript.yml +++ b/.github/workflows/reusable-release-policy-assemblyscript.yml @@ -19,7 +19,7 @@ jobs: NODE_VERSION: 14 steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # until https://github.com/actions/checkout/pull/579 is released 
@@ -48,7 +48,7 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.16 + uses: kubewarden/github-actions/check-policy-version@v4.6.0 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: Setup node @@ -71,7 +71,7 @@ jobs: run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.16 + uses: kubewarden/github-actions/policy-release@v4.6.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -88,4 +88,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.16 + uses: kubewarden/github-actions/push-artifacthub@v4.6.0 diff --git a/.github/workflows/reusable-release-policy-go-wasi.yml b/.github/workflows/reusable-release-policy-go-wasi.yml index 691fe7d..b84bc89 100644 --- a/.github/workflows/reusable-release-policy-go-wasi.yml +++ b/.github/workflows/reusable-release-policy-go-wasi.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # until https://github.com/actions/checkout/pull/579 is released 
@@ -46,16 +46,16 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.16 + uses: kubewarden/github-actions/check-policy-version@v4.6.0 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: Build and annotate policy - uses: kubewarden/github-actions/policy-build-go-wasi@v4.5.16 + uses: kubewarden/github-actions/policy-build-go-wasi@v4.6.0 - name: Run e2e tests run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.16 + uses: kubewarden/github-actions/policy-release@v4.6.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -71,4 +71,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.16 + uses: kubewarden/github-actions/push-artifacthub@v4.6.0 diff --git a/.github/workflows/reusable-release-policy-go.yml b/.github/workflows/reusable-release-policy-go.yml index 3d6fd16..f4d7d34 100644 --- a/.github/workflows/reusable-release-policy-go.yml +++ b/.github/workflows/reusable-release-policy-go.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # until https://github.com/actions/checkout/pull/579 is released 
@@ -46,16 +46,16 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.16 + uses: kubewarden/github-actions/check-policy-version@v4.6.0 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: Build and annotate policy - uses: kubewarden/github-actions/policy-build-tinygo@v4.5.16 + uses: kubewarden/github-actions/policy-build-tinygo@v4.6.0 - name: Run e2e tests run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.16 + uses: kubewarden/github-actions/policy-release@v4.6.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -71,4 +71,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.16 + uses: kubewarden/github-actions/push-artifacthub@v4.6.0 diff --git a/.github/workflows/reusable-release-policy-rego.yml b/.github/workflows/reusable-release-policy-rego.yml index 70fcf65..defaaf0 100644 --- a/.github/workflows/reusable-release-policy-rego.yml +++ b/.github/workflows/reusable-release-policy-rego.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # until https://github.com/actions/checkout/pull/579 is released 
@@ -64,12 +64,12 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.16 + uses: kubewarden/github-actions/check-policy-version@v4.6.0 with: expected-version: ${{ steps.calculate-version.outputs.version }} policy-working-dir: ${{ inputs.policy-working-dir }} - name: Install opa - uses: kubewarden/github-actions/opa-installer@v4.5.16 + uses: kubewarden/github-actions/opa-installer@v4.6.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build policy working-directory: ${{ inputs.policy-working-dir }} @@ -87,7 +87,7 @@ jobs: run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.16 + uses: kubewarden/github-actions/policy-release@v4.6.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -105,6 +105,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.16 + uses: kubewarden/github-actions/push-artifacthub@v4.6.0 with: policy-working-dir: ${{ inputs.policy-working-dir }} diff --git a/.github/workflows/reusable-release-policy-rust.yml b/.github/workflows/reusable-release-policy-rust.yml index 8c9342c..dbb0275 100644 --- a/.github/workflows/reusable-release-policy-rust.yml +++ b/.github/workflows/reusable-release-policy-rust.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # until https://github.com/actions/checkout/pull/579 is released 
@@ -46,16 +46,16 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.16 + uses: kubewarden/github-actions/check-policy-version@v4.6.0 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: Build and annotate policy - uses: kubewarden/github-actions/policy-build-rust@v4.5.16 + uses: kubewarden/github-actions/policy-build-rust@v4.6.0 - name: Run e2e tests run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.16 + uses: kubewarden/github-actions/policy-release@v4.6.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -71,4 +71,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.16 + uses: kubewarden/github-actions/push-artifacthub@v4.6.0 diff --git a/.github/workflows/reusable-release-policy-swift.yml b/.github/workflows/reusable-release-policy-swift.yml index 632d836..0572077 100644 --- a/.github/workflows/reusable-release-policy-swift.yml +++ b/.github/workflows/reusable-release-policy-swift.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # until https://github.com/actions/checkout/pull/579 is released 
@@ -46,7 +46,7 @@ jobs: - name: Check that `io.kubewarden.policy.version` annotation is up-to-date # skip when releasing :latest from main, versions will not match if: startsWith(github.ref, 'refs/tags/v') - uses: kubewarden/github-actions/check-policy-version@v4.5.16 + uses: kubewarden/github-actions/check-policy-version@v4.6.0 with: expected-version: ${{ steps.calculate-version.outputs.version }} - name: install wasm-strip @@ -72,7 +72,7 @@ jobs: run: | make e2e-tests - name: Release - uses: kubewarden/github-actions/policy-release@v4.5.16 + uses: kubewarden/github-actions/policy-release@v4.6.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} oci-target: ${{ inputs.oci-target }} @@ -88,4 +88,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Push artifacthub files to artifacthub branch - uses: kubewarden/github-actions/push-artifacthub@v4.5.16 + uses: kubewarden/github-actions/push-artifacthub@v4.6.0 diff --git a/.github/workflows/reusable-test-policy-go-wasi.yml b/.github/workflows/reusable-test-policy-go-wasi.yml index 9050c33..a7ab157 100644 --- a/.github/workflows/reusable-test-policy-go-wasi.yml +++ b/.github/workflows/reusable-test-policy-go-wasi.yml @@ -23,11 +23,11 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - name: Build and annotate policy with: generate-sbom: false - uses: kubewarden/github-actions/policy-build-go-wasi@v4.5.16 + uses: kubewarden/github-actions/policy-build-go-wasi@v4.6.0 - name: Run e2e tests run: make e2e-tests diff --git a/.github/workflows/reusable-test-policy-go.yml b/.github/workflows/reusable-test-policy-go.yml index bba1cfd..f6e18ec 100644 --- a/.github/workflows/reusable-test-policy-go.yml +++ b/.github/workflows/reusable-test-policy-go.yml 
@@ -23,11 +23,11 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - name: Build and annotate policy with: generate-sbom: false - uses: kubewarden/github-actions/policy-build-tinygo@v4.5.16 + uses: kubewarden/github-actions/policy-build-tinygo@v4.6.0 - name: Run e2e tests run: make e2e-tests diff --git a/.github/workflows/reusable-test-policy-rego.yml b/.github/workflows/reusable-test-policy-rego.yml index 6c9866c..7088780 100644 --- a/.github/workflows/reusable-test-policy-rego.yml +++ b/.github/workflows/reusable-test-policy-rego.yml @@ -16,7 +16,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install opa - uses: kubewarden/github-actions/opa-installer@v4.5.16 + uses: kubewarden/github-actions/opa-installer@v4.6.0 - name: Run unit tests working-directory: ${{ inputs.policy-working-dir }} run: make test diff --git a/.github/workflows/reusable-test-policy-rust.yml b/.github/workflows/reusable-test-policy-rust.yml index a9bd541..ca148aa 100644 --- a/.github/workflows/reusable-test-policy-rust.yml +++ b/.github/workflows/reusable-test-policy-rust.yml @@ -53,11 +53,11 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install dependencies - uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16 + uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0 - name: Build and annotate policy with: generate-sbom: false - uses: kubewarden/github-actions/policy-build-rust@v4.5.16 + uses: kubewarden/github-actions/policy-build-rust@v4.6.0 - name: Run e2e tests run: | make e2e-tests diff --git a/attestation/action.yml b/attestation/action.yml index e1a02a1..17b696d 100644 --- a/attestation/action.yml +++ b/attestation/action.yml 
@@ -18,7 +18,7 @@ runs: - name: Install cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Install the crane command - uses: kubewarden/github-actions/crane-installer@v4.5.16 + uses: kubewarden/github-actions/crane-installer@v4.6.0 - name: Login to GitHub Container Registry uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: diff --git a/policy-gh-action-dependencies/action.yml b/policy-gh-action-dependencies/action.yml index 9b3e943..eb8c7f5 100644 --- a/policy-gh-action-dependencies/action.yml +++ b/policy-gh-action-dependencies/action.yml @@ -9,11 +9,11 @@ runs: - name: Install cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Install kwctl - uses: kubewarden/github-actions/kwctl-installer@v4.5.16 + uses: kubewarden/github-actions/kwctl-installer@v4.6.0 - name: Install bats run: sudo apt install -y bats shell: bash - name: Install SBOM generator tool - uses: kubewarden/github-actions/syft-installer@v4.5.16 + uses: kubewarden/github-actions/syft-installer@v4.6.0 - name: Install binaryen tool - uses: kubewarden/github-actions/binaryen-installer@v4.5.16 + uses: kubewarden/github-actions/binaryen-installer@v4.6.0 diff --git a/push-artifacthub/action.yml b/push-artifacthub/action.yml index fe7bd40..813384c 100644 --- a/push-artifacthub/action.yml +++ b/push-artifacthub/action.yml @@ -12,7 +12,7 @@ runs: using: "composite" steps: - name: Install kwctl - uses: kubewarden/github-actions/kwctl-installer@v4.5.16 + uses: kubewarden/github-actions/kwctl-installer@v4.6.0 - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: