notaryproject · github-actions · May 8, 2025 · May 8, 2025 · May 27, 2025 · Jun 17, 2025
@@ -0,0 +1,3 @@
+vulnerabilities:
+  - id: CVE-2025-27403
+    statement: Ratify's internal components are being flagged by it's own CVE. Internal go build versions for non-tagged commits use a lower semver tag which causes false positives.
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches:
       - dev
+    paths-ignore:
+      - "**.md"
   workflow_dispatch:
 
 permissions: read-all
@@ -76,10 +78,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up Go 1.22
+      - name: Set up Go 1.24
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
 
       - name: Az CLI login
         uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
 

@@ -11,6 +11,8 @@ on:
       - main
       - dev
       - 1.0.0*
+    paths-ignore:
+      - "**.md"
   schedule:
     - cron: "30 1 * * 0"
   workflow_dispatch:

@@ -34,10 +34,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up Go 1.22
+      - name: Set up Go 1.24
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
       - name: Az CLI login
         uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
         with:

@@ -43,7 +43,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI

@@ -32,10 +32,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up Go 1.22
+      - name: Set up Go 1.24
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
       - name: Restore Trivy cache
         uses: ./.github/actions/restore_trivy_cache
       - name: Bootstrap e2e

@@ -6,6 +6,9 @@ on:
       - dev
       - 1.0.0*
   pull_request:
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
   workflow_dispatch:
 permissions:
   contents: read
@@ -21,7 +24,7 @@ jobs:
 
       - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: golangci-lint
         uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0

@@ -8,6 +8,8 @@ on:
       - main
       - dev
       - 1.0.0*
+    paths-ignore:
+      - "**.md"
   push:
     branches:
       - 1.0.0*
@@ -36,10 +38,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up Go 1.22
+      - name: Set up Go 1.24
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
 
       - name: Bootstrap e2e
         run: |

@@ -73,7 +73,7 @@ jobs:
           docker buildx build \
             --attest type=sbom \
             --attest type=provenance,mode=max \
-            --build-arg KUBE_VERSION="1.30.6" \
+            --build-arg KUBE_VERSION="1.34.1" \
             -f crd.Dockerfile \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -103,6 +103,7 @@ jobs:
             --build-arg build_licensechecker=true \
             --build-arg build_schemavalidator=true \
             --build-arg build_vulnerabilityreport=true \
+            --build-arg build_slsaverifier=true \
             --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
             --label org.opencontainers.image.revision=${{ github.sha }} \
             -t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \

@@ -72,7 +72,7 @@ jobs:
           docker buildx build \
             --attest type=sbom \
             --attest type=provenance,mode=max \
-            --build-arg KUBE_VERSION="1.30.6" \
+            --build-arg KUBE_VERSION="1.34.1" \
             -f crd.Dockerfile \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -100,6 +100,7 @@ jobs:
             --build-arg build_licensechecker=true \
             --build-arg build_schemavalidator=true \
             --build-arg build_vulnerabilityreport=true \
+            --build-arg build_slsaverifier=true \
             --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$TAG" \
             --label org.opencontainers.image.revision=${{ github.sha }} \
             -t ${{ steps.prepare.outputs.ref }} \

@@ -11,6 +11,8 @@ on:
       - main
       - dev
       - 1.0.0*
+    paths-ignore:
+      - "**.md"
   push:
     branches:
       - 1.0.0*
@@ -39,7 +41,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
       - name: Run tidy
         run: go mod tidy
       - name: Bootstrap e2e

@@ -31,7 +31,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
 
       - name: Goreleaser
         id: goreleaser

@@ -5,6 +5,8 @@ on:
     branches:
       - main
       - release*
+    paths-ignore:
+      - "**.md"
   push:
     branches:
       - release*
@@ -64,10 +66,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up Go 1.22
+      - name: Set up Go 1.24
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
 
       - name: Az CLI login
         uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0

@@ -29,7 +29,7 @@ jobs:
 
       - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
-          go-version: "1.22"
+          go-version: "1.24"
           check-latest: true
       - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
 
@@ -73,5 +73,5 @@ jobs:
           done
       - name: Run trivy on images and exit on HIGH/CRITICAL severity
         run: |
-          trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "localbuild:test"
+          trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" --show-suppressed --ignorefile ./.github/server.trivyignore.yaml "localbuild:test"
           trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" --show-suppressed --ignorefile ./.github/crd.trivyignore.yaml "localbuildcrd:test"
@@ -14,6 +14,8 @@ on:
       - dev
       - main
       - release-*
+    paths-ignore:
+      - "**.md"
   workflow_dispatch:
 
 permissions: read-all

@@ -292,54 +292,6 @@ helm install ratify ./charts/ratify \
     --atomic
 ```
 
-### Test/debug local changes in k8s cluster using Bridge to Kubernetes
-
-Bridge to Kubernetes is an [open source project](https://github.com/Azure/Bridge-To-Kubernetes) to enable local tunneling of a kubernetes service to a user's development environment. It operates by forwarding all requests going to a specified service to the configured local instance running. This guide will focus on VSCode with the Bridge to Kubernetes extension.
-
-Prerequisites:
-- Install [Kubernetes Toosl](https://marketplace.visualstudio.com/items?itemName=ms-kubernetes-tools.vscode-kubernetes-tools) plugin for VSCode
-- Install [Bridge to Kubernetes](https://marketplace.visualstudio.com/items?itemName=mindaro.mindaro) plugin for VSCode
-- Connect to K8s cluster
-- Namespace context set to Ratify's installation namespace (default is `gatekeeper-system`)
-
-Gatekeeper requires TLS for external data provider interactions. As such ratify must run with TLS cert and key configured on server startup. The current helm chart will automatically generate the cabundle, cert, and key if none are manually specified. For ease of use in starting the local ratify server on our development environment, we should pre generate the TLS ca bundle, cert, and key and instead provide them during helm installation. 
-
-1. Generate TLS cabundle, cert, and key. By default this will place the tls/cert folder in the $WORKSPACE_DIRECTORY
-    ```
-    make generate-certs
-    ```
-1. Rename files server.crt and server.key to tls.crt and tls.key
-1. Updated helm install command
-    ```
-    helm install ratify \
-      ./charts/ratify --atomic \
-      --namespace gatekeeper-system \
-      --set logger.level=debug \
-      --set-file notationCerts[0]=./test/testdata/notation.crt \
-      --set-file provider.tls.crt=./tls/certs/tls.crt \
-      --set-file provider.tls.key=./tls/certs/tls.key \
-      --set provider.tls.cabundle="$(cat ./tls/certs/ca.crt | base64 | tr -d '\n\r')" \
-      --set-file provider.tls.caCert=./tls/certs/ca.crt \
-      --set-file provider.tls.caKey=./tls/certs/ca.key
-    ```
-Update the `KubernetesLocalProcessConfig.yaml` with updated directory/file paths:
-- In the file, set the `<INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH>` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the Azure Workload Identity JWT token. 
-- In the file, set the `<INSERT CLIENT CA CERT LOCAL PATH>` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the `client-ca-cert` volume (Gatekeeper's `ca.crt`). 
-
-Configure Bridge to Kubernetes (Comprehensive guide [here](https://learn.microsoft.com/en-us/visualstudio/bridge/bridge-to-kubernetes-vs-code))
-1. Open the `Command Palette` in VSCode `CTRL-SHIFT-P`
-2. Select `Bridge to Kubernetes: Configure`
-3. Select `Ratify` from the list as the service to redirect to
-4. Set port to be 6001
-5. Select `Serve w/ CRD manager and TLS enabled` as the launch config
-6. Select 'No' for request isolation
-
-This should automatically append a new Bridge to Kubernetes configuration to the launch.json file and add a new tasks.json file. 
-
-NOTE: If you are using a remote development environment, set the `useKubernetesServiceEnvironmentVariables` field to `true` in the tasks.json file. 
-
-Start the debug session with the generated Bridge to Kubernetes launch config selected. This will start up the local Ratify server and forward all requests from the Ratify service to the local instance. The http server logs in the debug console will show new requests being processed locally.
-
 ## Feature Areas
 ### Plugins
 

@@ -26,8 +26,8 @@ LDFLAGS += -X $(GO_PKG)/internal/version.GitTreeState=$(GIT_TREE_STATE)
 LDFLAGS += -X $(GO_PKG)/internal/version.GitTag=$(GIT_TAG)
 
 KIND_VERSION ?= 0.25.0
-KUBERNETES_VERSION ?= 1.30.6
-KIND_KUBERNETES_VERSION ?= 1.30.6
+KUBERNETES_VERSION ?= 1.34.1
+KIND_KUBERNETES_VERSION ?= 1.34.0
 GATEKEEPER_VERSION ?= 3.18.0
 DAPR_VERSION ?= 1.14.4
 COSIGN_VERSION ?= 2.4.1
@@ -592,6 +592,7 @@ e2e-build-local-ratify-image:
 	--build-arg build_licensechecker=true \
 	--build-arg build_schemavalidator=true \
 	--build-arg build_vulnerabilityreport=true \
+	--build-arg build_slsaverifier=true \
 	-f ./httpserver/Dockerfile \
 	-t localbuild:test .
 

@@ -77,7 +77,7 @@ See details in [GitHub milestone v1.3.0](https://github.com/ratify-project/ratif
 
 ### v1.4
 
-**Status**: In process
+**Status**: Completed
 
 **Target date**: Nov 30, 2024
 
@@ -90,16 +90,72 @@ See details in [GitHub milestone v1.3.0](https://github.com/ratify-project/ratif
 
 See details in [GitHub milestone v1.4.0](https://github.com/ratify-project/ratify/issues?q=is%3Aopen+is%3Aissue+milestone%3Av1.4.0).
 
-### v2.x
+### v2.0.0-alpha.1
+**Status**: In procoess  
+**Target date**: May 15, 2025  
+**Major features**
+
+- Decouple Ratify core functionalities into a separate library([ratify-go](https://github.com/ratify-project/ratify-go)), which could be easily integrated into different projects.
+- Design new interfaces for `Verifier`, `Store`, and `PolicyEnforcer` to make them more extensible and flexible.
+- Support `notation-verifier` under [ratify-verifier-go](https://github.com/ratify-project/ratify-verifier-go) in terms of the new `Verifier` interface.
+- Support Registry Store and local OCI layout in terms of the new `Store` interface.
+- Support config based policy in terms of the new `PolicyEnforcer` interface.
+- Create new external data provider for Gatekeeper based on the new framework.
+
+#### Note
+- V2 milestones will cover a few sub-projects including libraries, CLI tools and external data provider.
+
+### v2.0.0-alpha.2
+**Status**: Tentative  
+**Target date**: June 30, 2025  
+**Major features**
+- Support authentication with remote OCI registries.
+- Support key/certificate management for verifiers.
+
+### v2.0.0-beta.1
+**Status**: Tentative  
+**Target date**: TBD  
+**Major features**
+- Support cache management, considering file system, in-memory and remote cache.
+- Improve performance of executor by supporting parallel execution of verifiers.
+
+### v2.0.0-beta.2
+**Status**: Tentative  
+**Target date**: TBD  
+**Major features**
+- Support more built-in verifiers to verify different artifact types, including SBOM verifier, vulnerability report verifier, and schema validator.
+- Support CRDs for K8s users to configure Ratify add-on natively.
+- Support multi-tenancy.
+
 
-Status: Tentative
+### v2.0.0-beta.3
+**Status**: Tentative  
+**Target date**: TBD  
+**Major features**
+- Build new ratify CLI tool with the basic functionalities.
+- Support instrumentation and telemetry by exposing pod's metrics to monitoring tools.
 
-Target date: TBD
+### v2.0.0-rc.x
+**Status**: Tentative  
+**Target date**: TBD  
+**Major features**
+- Support multiple cloud providers in v1, including Azure, AWS, and Alibaba.
+- Add any missing features from v1 to v2.
+- Fix any bugs or issues found in the previous versions.
 
+### v2.0.0
+**Status**: Tentative  
+**Target date**: TBD  
 **Major features**
+- Make features listed above stable and production-ready. 
+- Publish user documentation for v2.0.0.
 
+### v2.x
+**Status**: Tentative  
+**Target date**: TBD  
+**Major features**
 - Attestations support
 - Kubernetes multi-tenancy support - Verifying Common images across namespaces
 - Use Ratify at container runtime
 - Use Ratify in CI/CD pipelines
-- Support CEL as additional policy language
+- Support CEL as additional policy language