Merge branch 'main' into fix/containerd-config-default-last

Author: voigt

.github/workflows/ci.yml

@@ -25,21 +25,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
-          go-version: "1.21"
+          go-version: "1.23"
       - run: make test
 
   golangci:
     name: Golangci-lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
-          go-version: "1.21"
+          go-version: "1.23"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@2e788936b09dd82dc280e845628a40d2ba6b204c # v6.3.1
         with:
-          version: v1.57.2
+          version: v1.63.4
           skip-cache: true

.github/workflows/dependency-review.yml

@@ -24,7 +24,7 @@ jobs:
       - name: "Checkout repository"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
         # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
         with:
           comment-summary-in-pr: always

.github/workflows/helm-chart-release.yml

@@ -1,47 +1,75 @@
 # This action releases the runtime-class-manager helm chart
-# The action must run on each commit done against main, however
-# a new release will be performed **only** when a change occurs inside
-# of the `charts` directory.
+#
+# A chart is published to the configured OCI registry on every push to main
+# as well as on semver tag releases (via workflow_call from release.yml).
 name: Release helm chart
 
-permissions:
-  contents: read
-
 on:
   push:
     branches:
       - main
+  workflow_call:
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+  CHART_NAME: runtime-class-manager
 
 jobs:
   release:
-    runs-on: ubuntu-latest
-
-    permissions:
-      id-token: write
-      packages: write
-      contents: write
+    name: Release chart
+    runs-on: ubuntu-22.04
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
+
+      - name: Install helm
+        uses: Azure/setup-helm@v4
         with:
-          fetch-depth: 0
+          version: v3.16.3
 
-      - name: Configure Git
+      - name: Determine chart version
         run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "[email protected]"
+          if [[ "${{ startsWith(github.ref, 'refs/tags/v') }}" == "true" ]]; then
+            # NOTE: We remove the leading 'v' to comply with helm's versioning requirements
+            echo "CHART_VERSION=$(echo -n ${{ github.ref_name }} | sed -rn 's/(v)?(.*)/\2/p')" >> $GITHUB_ENV
+            echo "APP_VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+          else
+            # NOTE: We can replace 0.0.0 with e.g. $(git describe --tags $(git rev-list --tags --max-count=1)) once we have a first tag
+            # However, we'll also need to update the checkout step with 'fetch-depth: 0' if we list tags
+            echo "CHART_VERSION=0.0.0-$(date +%Y%m%d-%H%M%S)-g$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+            # Setting to 'latest' to match tag used in container-image.yml
+            echo "APP_VERSION=latest" >> $GITHUB_ENV
+          fi
 
-      - name: Install Helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v3
         with:
-          version: v3.14.0
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Package chart
+        run: make helm-package
+
+      - name: Lint packaged chart
+        run: make helm-lint
 
-      - name: Run chart-releaser
-        if: github.ref == 'refs/heads/main'
-        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+      - name: Upload chart as GitHub artifact
+        uses: actions/upload-artifact@v4
         with:
-          charts_dir: deploy/helm
+          name: ${{ env.CHART_NAME }}
+          path: _dist/${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz
+
+      - name: Publish chart
         env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-chart-{{ .Version }}"
+          CHART_REGISTRY: ${{ env.REGISTRY }}/${{ github.repository_owner }}/charts
+        run: |
+          make helm-publish
+
+          echo '### Helm chart published:' >> $GITHUB_STEP_SUMMARY
+          echo '- `Reference: ${{ env.CHART_REGISTRY }}/${{ env.CHART_NAME }}`' >> $GITHUB_STEP_SUMMARY
+          echo '- `Version: ${{ env.CHART_VERSION }}`' >> $GITHUB_STEP_SUMMARY

.github/workflows/helm-chart-smoketest.yml

@@ -87,7 +87,7 @@ jobs:
       - name: apply Spin shim
         run: |
           # Ensure shim binary is compatible with runner arch
-          yq -i '.spec.fetchStrategy.anonHttp.location = "https://github.com/spinkube/containerd-shim-spin/releases/download/${{ env.SHIM_SPIN_VERSION }}/containerd-shim-spin-v2-linux-x86_64.tar.gz"' \
+          yq -i '.spec.fetchStrategy.anonHttp.location = "https://github.com/spinframework/containerd-shim-spin/releases/download/${{ env.SHIM_SPIN_VERSION }}/containerd-shim-spin-v2-linux-x86_64.tar.gz"' \
             config/samples/test_shim_spin.yaml
           kubectl apply -f config/samples/test_shim_spin.yaml
 

.github/workflows/release-drafter.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
         # with:
         #   config-name: my-config.yml

.github/workflows/release.yml

@@ -31,13 +31,35 @@ jobs:
       packages: write
       contents: read
 
+  build-downloader:
+    name: Build downloader image, sign it, and generate SBOMs
+    uses: ./.github/workflows/downloader-build.yml
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+
+  publish-chart:
+    name: Publish the helm chart to the configured OCI registry
+    uses: ./.github/workflows/helm-chart-release.yml
+    permissions:
+      packages: write
+      contents: read
+    needs:
+      - ci
+      - build-manager
+      - build-installer
+      - build-downloader
+
   release:
     name: Create release
 
     needs:
       - ci
       - build-manager
       - build-installer
+      - build-downloader
+      - publish-chart
 
     permissions:
       contents: write
@@ -50,22 +72,6 @@ jobs:
         run: |
           echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV
 
-      - name: Get latest release tag
-        id: get_last_release_tag
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            let release = await github.rest.repos.getLatestRelease({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-            });
-
-            if (release.status  === 200 ) {
-              core.setOutput('old_release_tag', release.data.tag_name)
-              return
-            }
-            core.setFailed("Cannot find latest release")
-
       - name: Get release ID from the release created by release drafter
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
@@ -84,12 +90,18 @@ jobs:
             core.setFailed(`Draft release not found`)
 
       - name: Download SBOM artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           pattern: "*-sbom-*"
           path: ./
           merge-multiple: true
 
+      - name: Download helm chart artifact
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
+        with:
+          name: runtime-class-manager
+          path: ./
+
       - name: Display structure of downloaded files
         run: ls -R
 
@@ -101,6 +113,9 @@ jobs:
             let fs = require('fs');
             let path = require('path');
 
+            // The chart version omits the leading 'v' to adhere to Helm's versioning requirements
+            let chartVersion = "${{ env.TAG_NAME }}".replace("v", "");
+
             let files = [
               'runtime-class-manager-sbom-amd64.spdx',
               'runtime-class-manager-sbom-amd64.spdx.cert',
@@ -114,6 +129,13 @@ jobs:
               'node-installer-sbom-arm64.spdx',
               'node-installer-sbom-arm64.spdx.cert',
               'node-installer-sbom-arm64.spdx.sig',
+              'shim-downloader-sbom-amd64.spdx',
+              'shim-downloader-sbom-amd64.spdx.cert',
+              'shim-downloader-sbom-amd64.spdx.sig',
+              'shim-downloader-sbom-arm64.spdx',
+              'shim-downloader-sbom-arm64.spdx.cert',
+              'shim-downloader-sbom-arm64.spdx.sig',
+              `runtime-class-manager-${chartVersion}.tgz`,
             ]
             const {RELEASE_ID} = process.env
 

.github/workflows/sbom.yml

@@ -26,13 +26,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install cosign
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
       - name: Install the syft command
-        uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
 
       - name: Install the crane command
-        uses: IAreKyleW00t/crane-installer@42ae002485110213e1a2f98caf04bd928c49afda # v1.3
+        uses: IAreKyleW00t/crane-installer@714fc1e08f8f301abca2f140eba36d9a14e8c5e6 # v1.3
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0

.github/workflows/scorecard.yml

@@ -37,7 +37,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           sarif_file: results.sarif

.github/workflows/sign-image.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install cosign
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0

.golangci.yaml

@@ -188,19 +188,19 @@ linters:
     - asasalint # checks for pass []any as any in variadic func(...any)
     - asciicheck # checks that your code does not contain non-ASCII identifiers
     - bidichk # checks for dangerous unicode character sequences
+    - copyloopvar # Copyloopvar is a linter detects places where loop variables are copied.
     - cyclop # checks function and package cyclomatic complexity
     - dupl # tool for code clone detection
     - errname # checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error
     - errorlint # finds code that will cause problems with the error wrapping scheme introduced in Go 1.13
-    - exportloopref # checks for pointers to enclosing loop variables
     - forbidigo # forbids identifiers
     - funlen # tool for detection of long functions
     - gocognit # computes and checks the cognitive complexity of functions
     - goconst # finds repeated strings that could be replaced by a constant
     - gocritic # provides diagnostics that check for bugs, performance and style issues
     - gocyclo # computes and checks the cyclomatic complexity of functions
     - goimports # in addition to fixing imports, goimports also formats your code in the same style as gofmt
-    - gomnd # detects magic numbers
+    - mnd # detects magic numbers
     - goprintffuncname # checks that printf-like functions are named with f at the end
     - gosec # inspects source code for security problems
     - makezero # finds slice declarations with non-zero initial length