f9775dcf6b
Support --tag and --tag-only with nop publisher ( #797 )
...
* Support --tag and --tag-only with nop publisher
* log the output, for debugging
* unset KO_DOCKER_REPO for push=false test
* run e2e test first before other stuff
* review feedback
2022-08-24 10:57:52 -04:00
568da167be
Extend ko.local and kind.local detection to include sub-repos ( #796 )
2022-08-22 19:51:02 -04:00
2c58e4a136
Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 ( #794 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 2.5.0 to 2.5.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](https://github.com/sigstore/cosign-installer/compare/v2.5.0...v2.5.1 )
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-22 09:44:12 -04:00
497ac17842
Bump github.com/sigstore/cosign from 1.10.1 to 1.11.0 ( #793 )
...
Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign ) from 1.10.1 to 1.11.0.
- [Release notes](https://github.com/sigstore/cosign/releases )
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md )
- [Commits](https://github.com/sigstore/cosign/compare/v1.10.1...v1.11.0 )
---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-22 09:43:54 -04:00
9c5fe636dc
Bump k8s.io/apimachinery from 0.24.3 to 0.24.4 ( #792 )
...
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery ) from 0.24.3 to 0.24.4.
- [Release notes](https://github.com/kubernetes/apimachinery/releases )
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.24.3...v0.24.4 )
---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-22 09:43:35 -04:00
cbe2784e52
Error if image platform does not match desired ( #785 )
2022-08-19 17:19:55 -04:00
6bda550899
update default base image to distroless.dev/static ( #790 )
2022-08-18 12:00:41 -04:00
3baf14de6e
adds org move message ( #789 )
...
* adds org move message
* fixes lint error on training spaces
2022-08-17 21:21:29 -04:00
14b4fe1c7c
feat: generate SLSA provenance for release binaries ( #730 )
...
* Support for SLSA provenance generation
* updates
* updates
* updates
* updates
* updates
* comment
* update
* update
* update
* update
* update
* update
* update
* update
* update
2022-08-16 18:01:15 -04:00
f9b4471f65
expose commands.ResolveFilesToWriter() method to allow downstream ( #787 )
...
consumers more easily leverage `ko resolve` functionality through public apis
2022-08-12 15:45:50 -04:00
d1ff96165a
Bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 ( #786 )
...
Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign ) from 1.10.0 to 1.10.1.
- [Release notes](https://github.com/sigstore/cosign/releases )
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md )
- [Commits](https://github.com/sigstore/cosign/compare/v1.10.0...v1.10.1 )
---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-07 23:02:39 -04:00
ad00979ecc
Bump sigstore/cosign-installer from 2.4.1 to 2.5.0 ( #784 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 2.4.1 to 2.5.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](https://github.com/sigstore/cosign-installer/compare/v2.4.1...v2.5.0 )
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-01 04:05:50 -04:00
5f3f0dd20a
Bump golang.org/x/tools from 0.1.11 to 0.1.12 ( #783 )
...
Bumps [golang.org/x/tools](https://github.com/golang/tools ) from 0.1.11 to 0.1.12.
- [Release notes](https://github.com/golang/tools/releases )
- [Commits](https://github.com/golang/tools/compare/v0.1.11...v0.1.12 )
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-01 04:05:35 -04:00
7fafb61c55
Bump github.com/sigstore/cosign from 1.9.0 to 1.10.0 ( #781 )
...
Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign ) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/sigstore/cosign/releases )
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md )
- [Commits](https://github.com/sigstore/cosign/compare/v1.9.0...v1.10.0 )
---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-07-25 09:39:53 -04:00
d71c0df165
Fix e2e push tests, these registries need --bare ( #780 )
2022-07-22 17:48:51 -04:00
47fa74e18c
Add tests that ko can push to quay.io and Dockerhub ( #778 )
...
* Add test that ko can push to quay.io
* Also push to dockerhub
* workflow_dispatch
2022-07-22 17:32:31 -04:00
ccddbb800e
Add kind e2e test for ko run ( #779 )
2022-07-22 17:21:16 -04:00
2f230b88c4
Set layer media types consistently ( #776 )
...
* Set layer media types consistently
* Also test that base image mediaType is not changed
2022-07-21 15:04:34 -04:00
562039fc7a
Deprecate ko deps ( #770 )
...
* Deprecate ko deps and ko run
* update-codegen.sh
* delete docs for deprecated stuff
* update deprecation message for ko run
* un-deprecate ko run
* add doc/ko_run.md
2022-07-21 15:04:23 -04:00
890365c4b3
fix GitHub Actions workflows ( #777 )
2022-07-21 10:43:30 -04:00
d32cfff9eb
Remove redundant return path ( #774 )
2022-07-21 06:30:16 -04:00
2358dba82a
bump go-containerregistry dependency ( #773 )
...
* bump go-containerregistry dependency
* go mod tidy; go mod vendor
2022-07-21 05:55:46 -04:00
3ef2fec866
Use chainguard-dev/actions/setup-registry ( #772 )
...
* Use chainguard-dev/actions/setup-registry
* run -> uses
2022-07-20 14:38:24 -04:00
7ac1a0303d
Bump github.com/containerd/stargz-snapshotter/estargz ( #768 )
...
Bumps [github.com/containerd/stargz-snapshotter/estargz](https://github.com/containerd/stargz-snapshotter ) from 0.11.4 to 0.12.0.
- [Release notes](https://github.com/containerd/stargz-snapshotter/releases )
- [Commits](https://github.com/containerd/stargz-snapshotter/compare/v0.11.4...v0.12.0 )
---
updated-dependencies:
- dependency-name: github.com/containerd/stargz-snapshotter/estargz
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-07-18 10:09:55 -04:00
9fbe1e1034
Bump k8s.io/apimachinery from 0.24.2 to 0.24.3 ( #767 )
...
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery ) from 0.24.2 to 0.24.3.
- [Release notes](https://github.com/kubernetes/apimachinery/releases )
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.24.2...v0.24.3 )
---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-07-18 10:09:43 -04:00
3d362cf670
Add a delimiter before digest in the SPDX namespace ( #765 )
2022-07-15 11:09:28 -07:00
dcae0e70d0
Chore: bumped base image to go 1.18 ( #764 )
2022-07-14 18:23:35 -04:00
a148473bc0
exercise symlink chasing without .git ( #763 )
...
* exercise symlink chasing without .git
* fix b symlink
2022-07-13 17:07:51 -04:00
2336bb5cb2
ko run: remove --generator flag ( #751 )
...
* ko run: remove --generator flag
* ignore dashes when passing args to kubectl
* avoid panic
2022-07-13 16:55:31 -04:00
f7976d0e15
Add installation instructions for Alpine ( #754 )
2022-07-13 16:35:43 -04:00
d108e694ed
Reject the -toolexec flag ( #752 )
2022-07-13 16:35:20 -04:00
ca1648dcbf
remove deprecated k8s flags support ( #750 )
2022-07-13 16:29:54 -04:00
8f228585b9
Have --image-refs list all images for multi-arch builds. ( #761 )
...
* Have `--image-refs` list all images for multi-arch builds.
This change alters the behavior of `--image-refs` to also include all of the image references when a multi-architecture build is being performed.
* Add test coverage for the new path
* Add ref count check to unit test
2022-07-12 09:06:42 -07:00
bd8cfaa245
Decorate per-architecture images with base image annotations. ( #759 )
...
* Decorate per-architecture images with base image annotations.
Currently we only decorate the topmost index/image with base image data for the base index/image (for everything except docker manifest lists).
This change makes multi-arch builds decorate the manifest of the per-architecture images with the reference of the base index, and the digest of the specific base image used for that particular architecture's image.
This results in the per-architecture SBOMs starting to encode `DESCENDENT_OF` links as well.
* Add a detailed comment outlining why the per-arch digest is preferable even for cases where we want to watch the base index for updates.
2022-07-11 12:18:25 -07:00
cdd1dec2ff
Several SPDX SBOM adjustments. ( #760 )
...
1. Change index -> image relationship type from `CONTAINS` to `VARIANT_OF` (I think this was an oversight in my original PR),
2. Always include `mediaType` in pURLs for index/images we produce (I'm not adding this to the base image, since it's not readily available, but we can add it there if we want to find a way to plumb it through),
3. Include more platform discriminator information to the pURLs we use in index -> image.
2022-07-11 11:49:14 -07:00
59c4264234
don't fail if LDFLAGS env isn't set ( #758 )
2022-07-08 14:45:49 -07:00
9139f454d7
Populate base image information via DESCENDENT_OF ( #744 )
2022-07-05 15:19:03 -07:00
2299765c54
Start emitting multi-arch SBOMs for SPDX with ko ( #743 )
...
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few
adaptations. I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs.
Related: https://github.com/google/ko/issues/655
2022-07-05 12:47:15 -07:00
787d625019
Unconditionally set the base image annotation. ( #745 )
...
* Unconditionally set the base image annotation.
Previously we only set this annotation when our base image was a tag, but this means when folks actually follow the best practice of use digest base images they get strictly worse resulting images!
It sounds like maybe the original motivation for this condition was that it was supposed to contain the mutable reference (tag), but I don't see anything detailing such a restriction (just an example), so there should be nothing
precluding this from the spec.
* Fold assignment into map initialization.
2022-07-05 11:17:28 -07:00
809b20669c
Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 ( #746 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](https://github.com/sigstore/cosign-installer/compare/v2.4.0...v2.4.1 )
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-07-05 09:47:38 -04:00
d17aca8a69
Add externalDocumentRefs to SPDX doc type ( #741 )
...
This commit adds the `externalDocumentRefs` field to the SPDX document. These
will be required to link individual sboms.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev >
2022-07-01 16:51:45 -07:00
31d1c612ba
Fix off-by-one error ( #742 )
2022-07-01 10:09:28 -07:00
12e5001192
Convert our SPDX SBOMs to spdx+json. ( #740 )
2022-07-01 07:13:30 -07:00
a61e14dc6a
Update base image to ghcr.io/distroless/static:latest ( #737 )
...
* Update base image to ghcr.io/distroless/static:latest
* Add more logging to e2e for windows
* skip timezone conversion on Windows
2022-06-30 15:12:39 -04:00
79a463dc23
Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 ( #734 )
...
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra ) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/spf13/cobra/releases )
- [Commits](https://github.com/spf13/cobra/compare/v1.4.0...v1.5.0 )
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-27 09:59:52 -04:00
8561139e11
Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 ( #735 )
...
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.9.0 to 0.10.0.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.9.0...v0.10.0 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-27 09:57:22 -04:00
8e4587e93e
Bump k8s.io/apimachinery from 0.24.1 to 0.24.2 ( #732 )
...
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery ) from 0.24.1 to 0.24.2.
- [Release notes](https://github.com/kubernetes/apimachinery/releases )
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.24.1...v0.24.2 )
---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-21 09:10:22 -04:00
be76051d44
Allow KO_CONFIG_PATH to point to a file ( #731 )
2022-06-16 15:21:29 -04:00
1a5551d10a
build: Imply current import path ( #717 )
...
* build: Imply current import path
* update generated docs
2022-06-15 23:51:40 -04:00
821a4a7a2b
Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 ( #726 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](https://github.com/sigstore/cosign-installer/compare/v2.3.0...v2.4.0 )
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-12 22:00:59 -04:00
