upgrade to latest dependencies (#333)

bumping knative.dev/hack 6c30196...36b2b3c:
  > 36b2b3c add flag (# 224)
  > 547a2ca Start Signing our Releases (# 198)

Signed-off-by: Knative Automation <[email protected]>

Signed-off-by: Knative Automation <[email protected]>

Author: knative-automation

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/spf13/cobra v1.3.0
 	gotest.tools/v3 v3.1.0
 	knative.dev/client v0.34.1-0.20220906114442-59948bb3723d
-	knative.dev/hack v0.0.0-20220907111718-6c301965af4c
+	knative.dev/hack v0.0.0-20220908170219-36b2b3c7a245
 
 )
 

go.sum

@@ -2174,8 +2174,8 @@ knative.dev/eventing v0.34.1-0.20220902060017-e1866d7660ee/go.mod h1:6UnNnPrEUNA
 knative.dev/hack v0.0.0-20220815132133-e9a8475f4329/go.mod h1:t/azP8I/Cygaw+87O7rkAPrNRjCelmtfSzWzu/9TM7I=
 knative.dev/hack v0.0.0-20220823140917-8d1e4ccf9dc3/go.mod h1:t/azP8I/Cygaw+87O7rkAPrNRjCelmtfSzWzu/9TM7I=
 knative.dev/hack v0.0.0-20220902220419-664eac5c391e/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/hack v0.0.0-20220907111718-6c301965af4c h1:TTVBodIukkW7CUXSep9k/nc+nynXbjkBqXyYZxIS9Jw=
-knative.dev/hack v0.0.0-20220907111718-6c301965af4c/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
+knative.dev/hack v0.0.0-20220908170219-36b2b3c7a245 h1:VbG+uEhRW+t/xeq5G5/XazQrlbKmykJK1IeVfZMuyCQ=
+knative.dev/hack v0.0.0-20220908170219-36b2b3c7a245/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/hack/schema v0.0.0-20220823140917-8d1e4ccf9dc3/go.mod h1:ffjwmdcrH5vN3mPhO8RrF2KfNnbHeCE2C60A+2cv3U0=
 knative.dev/networking v0.0.0-20220831065816-215bac90b28b/go.mod h1:vMMT540KNAh6TWmpGEFnExTxJ/j9cee5qNV7Bs0kzUk=
 knative.dev/pkg v0.0.0-20220818004048-4a03844c0b15/go.mod h1:YLjXbkQLlGHok+u0FLfMbBHFzY9WGu3GHhnrptoAy8I=

vendor/knative.dev/hack/go.work.sum

@@ -0,0 +1,2 @@
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=

vendor/knative.dev/hack/release.sh

@@ -29,6 +29,10 @@ readonly REPO_UPSTREAM="https://github.com/${ORG_NAME}/${REPO_NAME}"
 readonly NIGHTLY_GCR="gcr.io/knative-nightly/github.com/${ORG_NAME}/${REPO_NAME}"
 readonly RELEASE_GCR="gcr.io/knative-releases/github.com/${ORG_NAME}/${REPO_NAME}"
 
+# Signing identities for knative releases.
+readonly NIGHTLY_SIGNING_IDENTITY="[email protected]"
+readonly RELEASE_SIGNING_IDENTITY="[email protected]"
+
 # Georeplicate images to {us,eu,asia}.gcr.io
 readonly GEO_REPLICATION=(us eu asia)
 
@@ -94,11 +98,12 @@ RELEASE_NOTES=""
 RELEASE_BRANCH=""
 RELEASE_GCS_BUCKET="knative-nightly/${REPO_NAME}"
 RELEASE_DIR=""
-KO_FLAGS="-P --platform=all"
+KO_FLAGS="-P --platform=all --image-refs=imagerefs.txt"
 VALIDATION_TESTS="./test/presubmit-tests.sh"
 ARTIFACTS_TO_PUBLISH=""
 FROM_NIGHTLY_RELEASE=""
 FROM_NIGHTLY_RELEASE_GCS=""
+SIGNING_IDENTITY=""
 export KO_DOCKER_REPO="gcr.io/knative-nightly"
 # Build stripped binary to reduce size
 export GOFLAGS="-ldflags=-s -ldflags=-w"
@@ -301,6 +306,34 @@ function build_from_source() {
   if [[ $? -ne 0 ]]; then
     abort "error building the release"
   fi
+  sign_release || abort "error signing the release"
+}
+
+# Build a release from source.
+function sign_release() {
+  if [ -z "$SIGN_IMAGES" ]; then # Temporary Feature Gate
+    return 0
+  fi
+  ## Sign the images with cosign
+  ## For now, check if ko has created imagerefs.txt file. In the future, missing image refs will break
+  ## the release for all jobs that publish images.
+  if [[ -f "imagerefs.txt" ]]; then
+      echo "Signing Images with the identity ${SIGNING_IDENTITY}"
+      COSIGN_EXPERIMENTAL=1 cosign sign $(cat imagerefs.txt) --recursive --identity-token="$(
+        gcloud auth print-identity-token --audiences=sigstore \
+        --include-email \
+        --impersonate-service-account="${SIGNING_IDENTITY}")"
+  fi
+
+  ## Check if there is checksums.txt file. If so, sign the checksum file
+  if [[ -f "checksums.txt" ]]; then
+      echo "Signing Images with the identity ${SIGNING_IDENTITY}"
+      COSIGN_EXPERIMENTAL=1 cosign sign-blob checksums.txt --output-signature checksums.txt.sig --identity-token="$(
+        gcloud auth print-identity-token --audiences=sigstore \
+        --include-email \
+        --impersonate-service-account="${SIGNING_IDENTITY}")"
+      ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} checksums.txt.sig"
+  fi
 }
 
 # Copy tagged images from the nightly GCR to the release GCR, tagging them 'latest'.
@@ -375,10 +408,12 @@ function parse_flags() {
             ;;
           --release-gcr)
             KO_DOCKER_REPO=$1
+            SIGNING_IDENTITY=$RELEASE_SIGNING_IDENTITY
             has_gcr_flag=1
             ;;
           --release-gcs)
             RELEASE_GCS_BUCKET=$1
+            SIGNING_IDENTITY=$RELEASE_SIGNING_IDENTITY
             RELEASE_DIR=""
             has_gcs_flag=1
             ;;
@@ -449,6 +484,11 @@ function parse_flags() {
     [[ -z "${RELEASE_DIR}" ]] && RELEASE_DIR="${REPO_ROOT_DIR}"
   fi
 
+  # Set signing identity for cosign, it would already be set to the RELEASE one if the release-gcr/release-gcs flags are set
+  if [[ -z "${SIGNING_IDENTITY}" ]]; then
+    SIGNING_IDENTITY="${NIGHTLY_SIGNING_IDENTITY}"
+  fi
+
   [[ -z "${RELEASE_GCS_BUCKET}" && -z "${RELEASE_DIR}" ]] && abort "--release-gcs or --release-dir must be used"
   if [[ -n "${RELEASE_DIR}" ]]; then
     mkdir -p "${RELEASE_DIR}" || abort "cannot create release dir '${RELEASE_DIR}'"
@@ -481,6 +521,7 @@ function parse_flags() {
   readonly RELEASE_DIR
   readonly VALIDATION_TESTS
   readonly FROM_NIGHTLY_RELEASE
+  readonly SIGNING_IDENTITY
 }
 
 # Run tests (unless --skip-tests was passed). Conveniently displays a banner indicating so.

vendor/modules.txt

@@ -31,6 +31,6 @@ gotest.tools/v3/internal/source
 # knative.dev/client v0.34.1-0.20220906114442-59948bb3723d
 ## explicit; go 1.18
 knative.dev/client/pkg/kn/plugin
-# knative.dev/hack v0.0.0-20220907111718-6c301965af4c
+# knative.dev/hack v0.0.0-20220908170219-36b2b3c7a245
 ## explicit; go 1.18
 knative.dev/hack