upgrade to latest dependencies (#13689)
bumping knative.dev/caching 264c897...5b981db:
  > 5b981db Update community files (# 718)
  > cb87c90 upgrade to latest dependencies (# 717)
bumping knative.dev/networking 2473e65...195809a:
  > 195809a Update community files (# 761)
  > c3510af upgrade to latest dependencies (# 760)
bumping knative.dev/pkg decc1cc...fb44e94:
  > fb44e94 Update community files (# 2676)
bumping knative.dev/hack 549c360...d71d569:
  > d71d569 🐛 Location-agnostic sign release (# 268)
  > b674d64 Update community files (# 270)

Signed-off-by: Knative Automation <automation@knative.team>
knative-automation authored Feb 13, 2023
1 parent e2add5d commit 9b9a951
Showing 4 changed files with 95 additions and 49 deletions.
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -32,11 +32,11 @@ require (
k8s.io/code-generator v0.25.4
k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2
knative.dev/caching v0.0.0-20230207014047-264c897f4047
knative.dev/caching v0.0.0-20230210014149-5b981dba4d4e
knative.dev/control-protocol v0.0.0-20230207132547-1ce43d662d86
knative.dev/hack v0.0.0-20230207150947-549c3605c670
knative.dev/networking v0.0.0-20230207014849-2473e65d6920
knative.dev/pkg v0.0.0-20230207013346-decc1cc0acad
knative.dev/hack v0.0.0-20230210215449-d71d569c4308
knative.dev/networking v0.0.0-20230210015049-195809a6b766
knative.dev/pkg v0.0.0-20230210013552-fb44e94cccb1
sigs.k8s.io/yaml v1.3.0
)

16 changes: 8 additions & 8 deletions go.sum
Expand Up @@ -1656,16 +1656,16 @@ k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkI
k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
knative.dev/caching v0.0.0-20230207014047-264c897f4047 h1:/dVs+vl1+qEtTDCtB7djPyFDMLkI3cBxZXhOF+nvDJ8=
knative.dev/caching v0.0.0-20230207014047-264c897f4047/go.mod h1:9dANNPrOu2VYjha0hNAN82kO4NrIhiLBMmrZ9PTFeUI=
knative.dev/caching v0.0.0-20230210014149-5b981dba4d4e h1:PpzRrQMYbtDRLKNUlkTZVJl7sqSChI0yINA1o0IY45s=
knative.dev/caching v0.0.0-20230210014149-5b981dba4d4e/go.mod h1:t9wLoDKsFgclzL+1vsm6cL7bqHZ74MXkvY/Q9bgLavo=
knative.dev/control-protocol v0.0.0-20230207132547-1ce43d662d86 h1:tVRHOEN40dSTYqgqEsYBZsQNikAYTn6OUP65JPEiXXo=
knative.dev/control-protocol v0.0.0-20230207132547-1ce43d662d86/go.mod h1:BPH2Zj2XHBrPKgTBNTxKiz6KMzc9Eyt1O7N7fMiVyfQ=
knative.dev/hack v0.0.0-20230207150947-549c3605c670 h1:1+DsejqC6ex9vq8kS9blFqsr/FEpSTR1hRdtFAm/iEA=
knative.dev/hack v0.0.0-20230207150947-549c3605c670/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
knative.dev/networking v0.0.0-20230207014849-2473e65d6920 h1:NN7Fr0MVyYhAbGntBXcwLNc4nCAfg3I4pn1FXc5CLiQ=
knative.dev/networking v0.0.0-20230207014849-2473e65d6920/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
knative.dev/pkg v0.0.0-20230207013346-decc1cc0acad h1:jedK7bc5p5KtxJ5/qGvV3xtYuyddci/F8cynxyyOI6c=
knative.dev/pkg v0.0.0-20230207013346-decc1cc0acad/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ=
knative.dev/hack v0.0.0-20230210215449-d71d569c4308 h1:zH5OedRfo9SB22o25VNQ+vygceTvOujsnLYaALb8jos=
knative.dev/hack v0.0.0-20230210215449-d71d569c4308/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
knative.dev/networking v0.0.0-20230210015049-195809a6b766 h1:MR5gV19dx9rz2e3UjSKHj/Re7mynysdi/iSnOcBkuiA=
knative.dev/networking v0.0.0-20230210015049-195809a6b766/go.mod h1:Axl8raFlsUR/LiUYt387LpiRfE/zgQULog6BL6rfKM0=
knative.dev/pkg v0.0.0-20230210013552-fb44e94cccb1 h1:VUjBhCMWbugVNWkGIbgW6yfjvAuEPCN7UE1xzMeHJvE=
knative.dev/pkg v0.0.0-20230210013552-fb44e94cccb1/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ=
mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
112 changes: 79 additions & 33 deletions vendor/knative.dev/hack/release.sh
Expand Up @@ -111,6 +111,7 @@ export KO_DOCKER_REPO="gcr.io/knative-nightly"
# Build stripped binary to reduce size
export GOFLAGS="-ldflags=-s -ldflags=-w"
export GITHUB_TOKEN=""
readonly IMAGES_REFS_FILE="${IMAGES_REFS_FILE:-$(mktemp -d)/images_refs.txt}"

# Convenience function to run the hub tool.
# Parameters: $1..$n - arguments to hub.
Expand Down Expand Up @@ -313,64 +314,109 @@ function build_from_source() {
}

function get_images_in_yamls() {
rm -rf imagerefs.txt
rm -rf "$IMAGES_REFS_FILE"
echo "Assembling a list of image refences to sign"
for file in $@; do
for file in "$@"; do
[[ "${file##*.}" != "yaml" ]] && continue
echo "Inspecting ${file}"
for image in $(grep -oh "\S*${KO_DOCKER_REPO}\S*" "${file}"); do
echo $image >> imagerefs.txt
done
while read -r image; do
echo "$image" >> "$IMAGES_REFS_FILE"
done < <(grep -oh "\S*${KO_DOCKER_REPO}\S*" "${file}")
done
if [[ -f "$IMAGES_REFS_FILE" ]]; then
sort -uo "$IMAGES_REFS_FILE" "$IMAGES_REFS_FILE" # Remove duplicate entries
fi
}

function find_checksums_file() {
for file in "$@"; do
if [[ "${file}" == *"checksums.txt" ]]; then
echo "${file}"
return 0
fi
done
sort -uo imagerefs.txt imagerefs.txt # Remove duplicate entries
warning "cannot find checksums file"
}

# Build a release from source.
function sign_release() {
get_images_in_yamls "${ARTIFACTS_TO_PUBLISH}"
if (( ! IS_PROW )); then # This function can't be run by devs on their laptops
return 0
fi
get_images_in_yamls "${ARTIFACTS_TO_PUBLISH}"
local checksums_file
checksums_file="$(find_checksums_file "${ARTIFACTS_TO_PUBLISH}")"

if ! [[ -f "${checksums_file}" ]]; then
echo '>> No checksums file found, generating one'
checksums_file="$(mktemp -d)/checksums.txt"
for file in ${ARTIFACTS_TO_PUBLISH}; do
pushd "$(dirname "$file")" >/dev/null
sha256sum "$(basename "$file")" >> "${checksums_file}"
popd >/dev/null
done
ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} ${checksums_file}"
fi

# Notarizing mac binaries needs to be done before cosign as it changes the checksum values
# of the darwin binaries
if [ -n "${APPLE_CODESIGN_KEY}" ] && [ -n "${APPLE_CODESIGN_PASSWORD_FILE}" ] && [ -n "${APPLE_NOTARY_API_KEY}" ]; then
banner "Notarizing macOS Binaries for the release"
FILES=$(find -- * -type f -name "*darwin*")
for file in $FILES; do
rcodesign sign "${file}" --p12-file="${APPLE_CODESIGN_KEY}" \
--code-signature-flags=runtime \
--p12-password-file="${APPLE_CODESIGN_PASSWORD_FILE}"
done
zip files.zip ${FILES}
rcodesign notary-submit files.zip --api-key-path="${APPLE_NOTARY_API_KEY}" --wait
sha256sum ${ARTIFACTS_TO_PUBLISH//checksums.txt/} > checksums.txt
echo "🧮 Post Notarization Checksum:"
cat checksums.txt
local macos_artifacts
declare -a macos_artifacts=()
while read -r file; do
if echo "$file" | grep -q "darwin"; then
macos_artifacts+=("${file}")
rcodesign sign "${file}" --p12-file="${APPLE_CODESIGN_KEY}" \
--code-signature-flags=runtime \
--p12-password-file="${APPLE_CODESIGN_PASSWORD_FILE}"
fi
done < <(echo "${ARTIFACTS_TO_PUBLISH}" | tr ' ' '\n')
if [[ -z "${macos_artifacts[*]}" ]]; then
warning "No macOS binaries found, skipping notarization"
else
local zip_file
zip_file="$(mktemp -d)/files.zip"
zip "$zip_file" -@ < <(printf "%s\n" "${macos_artifacts[@]}")
rcodesign notary-submit "$zip_file" --api-key-path="${APPLE_NOTARY_API_KEY}" --wait
true > "${checksums_file}" # Clear the checksums file
for file in ${ARTIFACTS_TO_PUBLISH}; do
if echo "$file" | grep -q "checksums.txt"; then
continue # Don't checksum the checksums file
fi
pushd "$(dirname "$file")" >/dev/null
sha256sum "$(basename "$file")" >> "${checksums_file}"
popd >/dev/null
done
echo "🧮 Post Notarization Checksum:"
cat "$checksums_file"
fi
fi

ID_TOKEN=$(gcloud auth print-identity-token --audiences=sigstore \
--include-email \
--impersonate-service-account="${SIGNING_IDENTITY}")
echo "Signing Images with the identity ${SIGNING_IDENTITY}"
## Sign the images with cosign
if [[ -f "imagerefs.txt" ]]; then
COSIGN_EXPERIMENTAL=1 cosign sign $(cat imagerefs.txt) --recursive --identity-token="${ID_TOKEN}"
if [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate
provenance-generator --clone-log=/logs/clone.json \
--image-refs=imagerefs.txt --output=attestation.json
mkdir -p "${ARTIFACTS}"/attestation && cp attestation.json "${ARTIFACTS}"/attestation
COSIGN_EXPERIMENTAL=1 cosign attest $(cat imagerefs.txt) --recursive --identity-token="${ID_TOKEN}" \
--predicate=attestation.json --type=slsaprovenance
fi
if [[ -f "$IMAGES_REFS_FILE" ]]; then
COSIGN_EXPERIMENTAL=1 cosign sign $(cat "$IMAGES_REFS_FILE") \
--recursive --identity-token="${ID_TOKEN}"
if [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate
provenance-generator --clone-log=/logs/clone.json \
--image-refs="$IMAGES_REFS_FILE" --output=attestation.json
mkdir -p "${ARTIFACTS}"/attestation && cp attestation.json "${ARTIFACTS}"/attestation
COSIGN_EXPERIMENTAL=1 cosign attest $(cat "$IMAGES_REFS_FILE") \
--recursive --identity-token="${ID_TOKEN}" \
--predicate=attestation.json --type=slsaprovenance
fi
fi

## Check if there is checksums.txt file. If so, sign the checksum file
if [[ -f "checksums.txt" ]]; then
echo "Signing Images with the identity ${SIGNING_IDENTITY}"
COSIGN_EXPERIMENTAL=1 cosign sign-blob checksums.txt --output-signature=checksums.txt.sig --output-certificate=checksums.txt.pem --identity-token="${ID_TOKEN}"
ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} checksums.txt.sig checksums.txt.pem"
fi
echo "Signing checksums with the identity ${SIGNING_IDENTITY}"
COSIGN_EXPERIMENTAL=1 cosign sign-blob "$checksums_file" \
--output-signature="${checksums_file}.sig" \
--output-certificate="${checksums_file}.pem" \
--identity-token="${ID_TOKEN}"
ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} ${checksums_file}.sig ${checksums_file}.pem"
}

# Copy tagged images from the nightly GCR to the release GCR, tagging them 'latest'.
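Review bot: In `sign_release`, `get_images_in_yamls "${ARTIFACTS_TO_PUBLISH}"` and `find_checksums_file "${ARTIFACTS_TO_PUBLISH}"` pass the artifact list as one quoted word, while both helpers now loop over `"$@"` without word splitting; if the variable holds several space-separated paths (as the unquoted `for file in ${ARTIFACTS_TO_PUBLISH}` loops in the same function suggest), each helper sees a single path that does not exist. No image reference is then collected, `$IMAGES_REFS_FILE` is never created, and the `cosign sign` / `cosign attest` branch is skipped with no error, so a release could be published with unsigned images while the job still succeeds. Split the list at the call sites, e.g. `read -ra artifacts <<< "${ARTIFACTS_TO_PUBLISH}"` followed by `get_images_in_yamls "${artifacts[@]}"` (and the same for `find_checksums_file`), and consider failing the release when images were built but the refs file is missing rather than continuing silently. Which lines are old and which are new is inferred from the rendered order, and because this file is vendored the change belongs upstream in knative.dev/hack.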
8 changes: 4 additions & 4 deletions vendor/modules.txt
Expand Up @@ -1214,7 +1214,7 @@ k8s.io/utils/net
k8s.io/utils/pointer
k8s.io/utils/strings/slices
k8s.io/utils/trace
# knative.dev/caching v0.0.0-20230207014047-264c897f4047
# knative.dev/caching v0.0.0-20230210014149-5b981dba4d4e
## explicit; go 1.18
knative.dev/caching/config
knative.dev/caching/pkg/apis/caching
Expand All @@ -1239,11 +1239,11 @@ knative.dev/caching/pkg/client/listers/caching/v1alpha1
## explicit; go 1.18
knative.dev/control-protocol/pkg/certificates
knative.dev/control-protocol/pkg/certificates/reconciler
# knative.dev/hack v0.0.0-20230207150947-549c3605c670
# knative.dev/hack v0.0.0-20230210215449-d71d569c4308
## explicit; go 1.18
knative.dev/hack
knative.dev/hack/shell
# knative.dev/networking v0.0.0-20230207014849-2473e65d6920
# knative.dev/networking v0.0.0-20230210015049-195809a6b766
## explicit; go 1.18
knative.dev/networking/config
knative.dev/networking/pkg
Expand Down Expand Up @@ -1280,7 +1280,7 @@ knative.dev/networking/pkg/http/stats
knative.dev/networking/pkg/ingress
knative.dev/networking/pkg/k8s
knative.dev/networking/pkg/prober
# knative.dev/pkg v0.0.0-20230207013346-decc1cc0acad
# knative.dev/pkg v0.0.0-20230210013552-fb44e94cccb1
## explicit; go 1.18
knative.dev/pkg/apiextensions/storageversion
knative.dev/pkg/apiextensions/storageversion/cmd/migrate
