kyverno · lucchmielowski · Mar 13, 2026 · Mar 13, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -47,7 +47,7 @@ jobs:
       - name: Set up Go 
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: ~1.25.3
+          go-version: ~1.25.8
       - name: Test Policy
         run: go run ./cmd/cli/kubectl-kyverno test ../policies
         working-directory: kyverno
@@ -69,7 +69,7 @@ jobs:
       - name: Set up Go 
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: ~1.25.3
+          go-version: ~1.25.8
       - name: Lint policies
         run: |
           set -e

diff --git a/other-mpol/replace-image-registry/artifacthub-pkg.yml b/other-mpol/replace-image-registry/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Sample"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Pod"
-digest: 2463c641a775bf52901516d24d5a6898298a630ed7b6ec981dcee3354e798a38
+digest: 2be43b9a23807316228e9e30b89c619113b84cf96cff589447b9219837d54562
diff --git a/other-mpol/replace-image-registry/replace-image-registry.yaml b/other-mpol/replace-image-registry/replace-image-registry.yaml
@@ -22,15 +22,7 @@ spec:
         apiVersions: ["v1"]
         operations: ["CREATE", "UPDATE"]
         resources: ["pods"]
-
-  variables:
-    - name: stripRegistry
-      expression: |
-        string(img) => 
-          img.contains('/') && img.split('/')[0].contains('.') ? 
-            img.split('/', 2)[1] : 
-            img
-  
+
   mutations:
     - patchType: ApplyConfiguration
       applyConfiguration:
@@ -64,4 +56,4 @@ spec:
       enabled: true
 
   webhookConfiguration:
-    timeoutSeconds: 10
+    timeoutSeconds: 10
diff --git a/other/block-stale-images/.chainsaw-test/pods-good.yaml b/other/block-stale-images/.chainsaw-test/pods-good.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   containers:
   - name: kyverno 
-    image: kyverno:latest
+    image: ghcr.io/kyverno/kyverno:latest
   - name: kyverno02
     image: ghcr.io/kyverno/kyverno:latest
 ---

diff --git a/other/block-stale-images/artifacthub-pkg.yml b/other/block-stale-images/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Other"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Pod"
-digest: 4c840db89d0d4d8d79c3ef120d319a93d62638f3e6c82ccbdf863b4f3d60b7aa
+digest: 1eb8ff932d2d9b35a2eb6876bf2a2ff3522dc1840076a315ff2996cbb3ea21be
diff --git a/other/block-stale-images/block-stale-images.yaml b/other/block-stale-images/block-stale-images.yaml
@@ -30,7 +30,7 @@ spec:
           context:
           - name: imageData
             imageRegistry:
-              reference: "{{ element.image }}"
+              reference: '{{ element.image }}'
           deny:
             conditions:
               all:

diff --git a/other/verify-image-ivpol/.chainsaw-test/bad.yaml b/other/verify-image-ivpol/.chainsaw-test/bad.yaml
@@ -5,5 +5,5 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: 'docker.io/mohdcode/kyverno@sha256:b178bb94b508183cddda73829e007c7ae2c6996324b2fc1f1746f2281e635f7a'
+      image: 'ghcr.io/kyverno/test-verify-image:unsigned'
       imagePullPolicy: Always
diff --git a/other/verify-image-ivpol/.chainsaw-test/good.yaml b/other/verify-image-ivpol/.chainsaw-test/good.yaml
@@ -5,5 +5,5 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: 'docker.io/mohdcode/kyverno@sha256:2215deb786eb4039647d8d2881d1b5290ec2c200e14ba1535b0cdd58b69a1bcf'
+      image: 'ghcr.io/kyverno/test-verify-image:signed'
       imagePullPolicy: Always
diff --git a/other/verify-image-ivpol/.chainsaw-test/policy-ready.yaml b/other/verify-image-ivpol/.chainsaw-test/policy-ready.yaml
@@ -4,13 +4,13 @@ metadata:
   name: verify-image-ivpol
 status:
   conditionStatus:
-            (conditions[?type == 'RBACPermissionsGranted']):
-            - message: Policy is ready for reporting.
-              reason: Succeeded
-              status: "True"
-            (conditions[?type == 'WebhookConfigured']):
-            - message: Webhook configured.
-              reason: Succeeded
-              status: "True"
-              type: WebhookConfigured
+    (conditions[?type == 'RBACPermissionsGranted']):
+    - message: Policy is ready for reporting.
+      reason: Succeeded
+      status: "True"
+    (conditions[?type == 'WebhookConfigured']):
+    - message: Webhook configured.
+      reason: Succeeded
+      status: "True"
+      type: WebhookConfigured
 
diff --git a/other/verify-image-ivpol/artifacthub-pkg.yml b/other/verify-image-ivpol/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
 annotations:
   kyverno/category: "Software Supply Chain Security, EKS Best Practices"
   kyverno/subject: "Pod"
-digest: c315f0db7538deb20debade15ceb0fcbbdf4e526512acac6af95048dd1ecb0e5
+digest: d15b7c6c473fd34424da705a54a27f2bd8d57c2ebf7dde140b8bed6199630c5f
diff --git a/other/verify-image-ivpol/verify-image-ivpol.yaml b/other/verify-image-ivpol/verify-image-ivpol.yaml
@@ -19,8 +19,8 @@ spec:
   webhookConfiguration:
     timeoutSeconds: 30
   evaluation:
-   background:
-    enabled: false
+    background:
+      enabled: false
   validationActions: [Deny]
   matchConstraints:
     resourceRules:
@@ -29,18 +29,34 @@ spec:
         operations: ["CREATE", "UPDATE"]
         resources: ["pods"]
   matchImageReferences:
-        - glob : "docker.io/mohdcode/kyverno*"
+        - glob : "ghcr.io/kyverno/test-verify-image*"
   attestors:
-  - name: cosign
-    cosign:
-     key:
-      data: |
-                -----BEGIN PUBLIC KEY-----
-                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6QsNef3SKYhJVYSVj+ZfbPwJd0pv
-                DLYNHXITZkhIzfE+apcxDjCCkDPcJ3A3zvhPATYOIsCxYPch7Q2JdJLsDQ==
-                -----END PUBLIC KEY-----
+    - name: notary
+      notary:
+        certs:
+          value: |-
+            -----BEGIN CERTIFICATE-----
+            MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
+            BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+            Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
+            MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
+            dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
+            DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
+            b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
+            hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
+            Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
+            Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
+            ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
+            A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
+            CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
+            kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
+            Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
+            ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
+            5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
+            uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
+            -----END CERTIFICATE-----
   validations:
     - expression: >-
-       images.containers.map(image, verifyImageSignatures(image, [attestors.cosign])).all(e ,e > 0)
+        images.containers.map(image, verifyImageSignatures(image, [attestors.notary])).all(e ,e > 0)
       message: >-
-       failed the verification
+        failed the verification