- sigstore/cosign-installer to v3.0.1
- Put (exact) version comment behind all action references, while taking note
this is an absolute insane way to manage versions.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Dependabot should stick to tagged versions if the existing hash relates
to the tag made in the comment.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
The main benefit of pinning GitHub actions is the determinism it brings
in terms of what version of a given action will be executed. This is
a step towards having hermetic builds.
Once pinned to a commit, dependabot will automatically issue PRs to update
to newer versions.
Pinned versions is the only security metric from OpenSSF scorecard that
this repository currently have a zero score.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
- add the Flux manifests and API schemas to checksums
- sign the checksum.txt with Cosign and GitHub OIDC
- sign the flux-cli container images with Cosign and GitHub OIDC
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
- generate SBOM for Flux Go modules with Syft
- publish the SBOM SPDX JSON files to GitHub releases with GoReleaser
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>
This change publishes the auto-generated JSON schemas as a single URL,
so that it is consumable by a tool like VS Code.
The CRD generator creates 2 files, a tar.gz for Kubeval,
and another one is a JSON file. The JSON file is a combination of
all schemas, put under the "oneOf" operator.
There's another location which uses the "manifests directory" target
directly, but isn't run when testing a PR: the release workflow.
Signed-off-by: Michael Bridgen <michael@weave.works>
There was an assumption in this script that it is always executed in Git
repository/directory, this is however not always true, for example when
one downloads the `.tar.gz` that is made available for every release
by GitHub (and used in one of our AUR packages).
This commit changes this, and makes the first argument of `bundle.sh`
configurable, so a custom manifests directory can always be defined
_without_ relying on Git.
Omitting it, or passing an empty string, will still fall back to the
previous behavior of using `git rev-parse --show-toplevel`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit changes the way the build of manifests is triggered by
making smarter use of the capabilities of Make. The result should be
that the manifests are only regenerated if:
1. There is no `cmd/flux/manifests/` directory.
2. There have been made changes to the YAML files in the `manifests/`
directory that are newer than the files in `cmd/flux/manifests/`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
- add make target for generating the install manifests using kustomize
- embed the generated manifests in flux binary
- the install and bootstrap commands default to using the embedded manifests
- download the install manifests from GitHub only if the install/bootstrap version arg is set
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
The AUR_BOT_SSH_PRIVATE_KEY environment variable needs to be set in
goreleaser so publishing the packages to AUR can work.
Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
Hidde Beydals
Hidde Beydals
dependabot[bot]
Paulo Gomes
Stefan Prodan
Eddie Knight
Aurel Canciu
Chanwit Kaewkasi
Michael Bridgen