sigstore · miyunari · Aug 17, 2025 · Aug 12, 2025 · Aug 13, 2025 · miyunari
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,37 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      go-modules:
+        patterns:
+          - "*"
+    pull-request-title:
+      prefix: "chore(deps)"
+      separator: " "
+    labels:
+      - "dependencies"
+      - "go"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      actions-updates:
+        patterns:
+          - "*"
+        update-types:
+          - "patch"
+          - "minor"
+          - "major"
+    pull-request-title:
+      prefix: "chore(deps-dev)"
+      separator: " "
+    labels:
+      - "dependencies"
+      - "github-actions"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,23 +1,32 @@
-name: Lint
+name: Linter
 
 on:
   push:
+    branches: [ "main" ]
   pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
 
 jobs:
   lint:
-    name: Run on Ubuntu
+    name: Run Linting
     runs-on: ubuntu-latest
+
     steps:
-      - name: Clone the code
+      - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+          cache: true
 
-      - name: Run linter
+      - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v8
         with:
           version: v2.3.0
+          args: --timeout=5m --issues-exit-code=0 --verbose
+          cache: true
diff --git a/.github/workflows/sign-model.yaml b/.github/workflows/sign-model.yaml
@@ -1,4 +1,4 @@
-name: Sign Model Tensorflow Saved Model
+name: Sign model with Sigstore
 
 on:
   workflow_dispatch:
@@ -27,18 +27,20 @@ jobs:
                     "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value')
         echo "OIDC_TOKEN=$token" >> $GITHUB_ENV
 
-    - name: Set up environment and sign model
+    - name: Sign model
       env:
         OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
       run: |
-        docker run --rm -v $(pwd)/testdata/tensorflow_saved_model:/tensorflow_saved_model:z -w /tensorflow_saved_model ghcr.io/sigstore/model-transparency-cli:v1.0.1 sign sigstore --signature="/tensorflow_saved_model/model.sig" --identity_token "$OIDC_TOKEN" /tensorflow_saved_model
+        docker run --rm -v $(pwd)/testdata/tensorflow_saved_model:/tensorflow_saved_model:z -w \
+        /tensorflow_saved_model ghcr.io/sigstore/model-transparency-cli:v1.0.1 sign sigstore \
+        --signature="/tensorflow_saved_model/model.sig" --identity_token "$OIDC_TOKEN" /tensorflow_saved_model
 
-    - name: Create tar.gz of the signed model
+    - name: Create a tarball of the signed model and signature
       run: |
-        tar -czvf signed_model.tar.gz -C $(pwd)/testdata/tensorflow_saved_model .
+        tar -czvf signed_model_bundle.tar.gz -C $(pwd)/testdata/tensorflow_saved_model .
 
-    - name: Upload signed model as artifact
+    - name: Upload signed model artifact
       uses: actions/upload-artifact@v4
       with:
-        name: signed-model
-        path: signed_model.tar.gz
+        name: signed-model-bundle
+        path: signed_model_bundle.tar.gz
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
@@ -2,50 +2,38 @@ name: E2E Tests
 
 on:
   push:
+    branches: [ "main" ]
   pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
 
 jobs:
   test-e2e:
-    name: Run on Ubuntu
+    name: Run E2E Tests
     runs-on: ubuntu-latest
     steps:
-      - name: Clone the code
+      - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
-      - name: Install the latest version of kind
-        run: |
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-
-      - name: Verify kind installation
-        run: kind version
-
-      - name: Install kubectl
-        run: |
-          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x kubectl
-          sudo mv kubectl /usr/local/bin/kubectl
-
-      - name: Verify kubectl installation
-        run: kubectl version --client
+          cache: true
 
       - name: Create kind cluster
-        run: kind create cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: kind
 
-      - name: Wait for cluster to be ready
+      - name: Wait for kind cluster to be ready
         run: |
-          echo "Waiting for cluster to be ready..."
           kubectl wait --for=condition=Ready nodes --all --timeout=300s
           kubectl wait --for=condition=Ready --namespace=kube-system pod --all --timeout=300s
           echo "Cluster is ready"
 
-      - name: Running Test e2e
+      - name: Run E2E tests
         run: |
-          go mod tidy
           make test-e2e
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,7 +2,9 @@ name: Tests
 
 on:
   push:
+    branches: [ "main" ]
   pull_request:
+    branches: [ "main" ]
 
 jobs:
   test:
@@ -19,5 +21,4 @@ jobs:
 
       - name: Running Tests
         run: |
-          go mod tidy
           make test