Bump k8s.io/release from 0.9.0 to 0.12.0 in /hack/tools #69

dependabot · 2021-11-22T03:31:41Z

Bumps k8s.io/release from 0.9.0 to 0.12.0.

Release notes

Sourced from k8s.io/release's releases.

v0.12.0

Changes by Kind

Deprecation

Remove vulndash I'm not a fan of doing this (because it was an intern's work), but vulndash is undeployed and unmaintained.

Given the scope of the work, it creates an attack surface for the project in an unmaintained state, so we need to remove it. (#2322, @justaugustus)

Feature

The stage phase of the Kubernetes release process is now SLSA compliant! 🎉

The anago state object now registers the time the release process starts.

We now make the GCB BUILD_ID identifier available to krel as an env var to include it in the provenance metadata.

New go pkg: provenance. This new package allows projects to generate provenance metadata in in-toto attestations with SLSA compliant predicates. The new package features a scanner to easily add files as subjects in the statement.

The provenance package now has tests and mocks

The staging phase of anago which krel runs now has a new step: GenerateProvenance(). This step writes a provenance attestation file to make stage SLSA1 compliant. The file describes the building environment and adds the artifacts that will be consumed from release as subjects in the statement.

The deletion of the Kubernetes source in the staging workspace is now decoupled from the StageLocalSourceTree() function

PushReleaseArtifacts() in the build package now supports uploading single files to the release bucket. Previously only directories could be uploaded with this function.

Optimized the artifact publishing logic to only create the Kubernetes source tarball once. Previously we tarred, compressed and uploaded the whole source tree once for each tag in the release. This is not needed as all releases share the same source. (#2273, @puerco)

Add a new ci-reporter tool to generate weekly CI Signal Reports (#2309, @palnabarun)

Added K8S_ORG, K8S_REPO and K8S_REF environment variable support to stage custom k/k forks. (#2074, @saschagrunert)

Artifacts are now verified against the in-toto attestation produced during the staging phase of a release. If validation fails, for now only a warning is reported in the logs. Future builds will abort execution right after validation.

New ProvenanceChecker object in the release package to enable release runs to verify provenance metadata.

The provenance.Statement object which abstracts in-toto attestations can now read attestations from JSON files and clone predicates from other attestations. (#2283, @puerco)

Config: Add configs for copying GitHub releases to GCS buckets (#2281, @justaugustus)

Cosign: update cosign to 1.3.1 (#2315, @cpanato)

Cross: build variants for each k8s release branch (main branch, 1.22, 1.21) (#2253, @cpanato)

Debian-iptables image now contains /go-runner binary (#2301, @BenTheElder)

Debian-iptables: Build bullseye-v1.0.0 images

images: Build go1.17-bullseye variants

go-runner:v2.3.1-go1.17.1-bullseye.0

releng-ci (#2210, @justaugustus)

Debian-iptables:bullseye image now contains /go-runner binary (#2310, @pohly)

K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.10 (#2311, @cpanato)

K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.8 (#2252, @cpanato)

K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.9 (#2290, @cpanato)

K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.1 (#2246, @cpanato)

K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.2 (#2289, @cpanato)

K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.3 (#2306, @cpanato)

Krel: make promote-images work for other k8s and k8s sigs projects (#2280, @CecileRobertMichon)

New SPDX parser to read and interpret SPDX SBoMs in tag/value format.

New subcommand bom document outline reads an SBOM and prints to the screen a tree-like structure detailing the elements (files/packages) described in the SBoM and the relationships among them. (#2298, @puerco)

Release notes: Remove author and PR links from Markdown (#2274, @CecileRobertMichon)

Releases now publish a provenance attestation with a SLSA 0.1 predicate describing all artifacts in the release bucket. (#2300, @puerco)

Setcap: Build bullseye-v1.0.0 images

images: Build go1.17-bullseye variants (part two)

... (truncated)

Commits

dd825e6 Merge pull request #2322 from justaugustus/rm-vulndash
2c99ef6 generated: Run go mod tidy
6465e9b Remove vulndash
d7b421d Merge pull request #2320 from palnabarun/krel/promote-images
f032d32 krel/promote-images: update promotion PR body to have the command
f61457d krel/promote-images: make an error message more verbose
9daadac Merge pull request #2317 from kubernetes/dependabot/go_modules/github.com/yui...
58b4fff Merge pull request #2300 from puerco/final-provenance
3cb7bdb build(deps): bump github.com/yuin/goldmark from 1.4.3 to 1.4.4
a4f6884 Update release steps total count to 11
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [k8s.io/release](https://github.com/kubernetes/release) from 0.9.0 to 0.12.0. - [Release notes](https://github.com/kubernetes/release/releases) - [Changelog](https://github.com/kubernetes/release/blob/master/docs/release-notes-maps.md) - [Commits](kubernetes/release@v0.9.0...v0.12.0) --- updated-dependencies: - dependency-name: k8s.io/release dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot · 2022-02-21T03:10:20Z

Superseded by #120.

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Nov 22, 2021

dependabot bot mentioned this pull request Nov 22, 2021

Bump k8s.io/release from 0.9.0 to 0.11.0 in /hack/tools #57

Closed

dependabot bot closed this Feb 21, 2022

dependabot bot deleted the dependabot/go_modules/hack/tools/k8s.io/release-0.12.0 branch February 21, 2022 03:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump k8s.io/release from 0.9.0 to 0.12.0 in /hack/tools #69

Bump k8s.io/release from 0.9.0 to 0.12.0 in /hack/tools #69

Uh oh!

dependabot bot commented on behalf of github Nov 22, 2021

Uh oh!

dependabot bot commented on behalf of github Feb 21, 2022

Uh oh!

Uh oh!

Bump k8s.io/release from 0.9.0 to 0.12.0 in /hack/tools #69

Bump k8s.io/release from 0.9.0 to 0.12.0 in /hack/tools #69

Uh oh!

Conversation

dependabot bot commented on behalf of github Nov 22, 2021

v0.12.0

Changes by Kind

Deprecation

Feature

Uh oh!

dependabot bot commented on behalf of github Feb 21, 2022

Uh oh!

Uh oh!