Skip to content

Bump k8s.io/release from 0.9.0 to 0.12.0 in /hack/tools #69

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Bump k8s.io/release from 0.9.0 to 0.12.0 in /hack/tools #69

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Nov 22, 2021

Bumps k8s.io/release from 0.9.0 to 0.12.0.

Release notes

Sourced from k8s.io/release's releases.

v0.12.0

Changes by Kind

Deprecation

  • Remove vulndash I'm not a fan of doing this (because it was an intern's work), but vulndash is undeployed and unmaintained.

    Given the scope of the work, it creates an attack surface for the project in an unmaintained state, so we need to remove it. (#2322, @​justaugustus)

Feature

  • The stage phase of the Kubernetes release process is now SLSA compliant! 🎉
    • The anago state object now registers the time the release process starts.
    • We now make the GCB BUILD_ID identifier available to krel as an env var to include it in the provenance metadata.
    • New go pkg: provenance. This new package allows projects to generate provenance metadata in in-toto attestations with SLSA compliant predicates. The new package features a scanner to easily add files as subjects in the statement.
    • The provenance package now has tests and mocks
    • The staging phase of anago which krel runs now has a new step: GenerateProvenance(). This step writes a provenance attestation file to make stage SLSA1 compliant. The file describes the building environment and adds the artifacts that will be consumed from release as subjects in the statement.
    • The deletion of the Kubernetes source in the staging workspace is now decoupled from the StageLocalSourceTree() function
    • PushReleaseArtifacts() in the build package now supports uploading single files to the release bucket. Previously only directories could be uploaded with this function.
    • Optimized the artifact publishing logic to only create the Kubernetes source tarball once. Previously we tarred, compressed and uploaded the whole source tree once for each tag in the release. This is not needed as all releases share the same source. (#2273, @​puerco)
  • Add a new ci-reporter tool to generate weekly CI Signal Reports (#2309, @​palnabarun)
  • Added K8S_ORG, K8S_REPO and K8S_REF environment variable support to stage custom k/k forks. (#2074, @​saschagrunert)
  • Artifacts are now verified against the in-toto attestation produced during the staging phase of a release. If validation fails, for now only a warning is reported in the logs. Future builds will abort execution right after validation.
    • New ProvenanceChecker object in the release package to enable release runs to verify provenance metadata.
    • The provenance.Statement object which abstracts in-toto attestations can now read attestations from JSON files and clone predicates from other attestations. (#2283, @​puerco)
  • Config: Add configs for copying GitHub releases to GCS buckets (#2281, @​justaugustus)
  • Cosign: update cosign to 1.3.1 (#2315, @​cpanato)
  • Cross: build variants for each k8s release branch (main branch, 1.22, 1.21) (#2253, @​cpanato)
  • Debian-iptables image now contains /go-runner binary (#2301, @​BenTheElder)
  • Debian-iptables: Build bullseye-v1.0.0 images
  • images: Build go1.17-bullseye variants
  • Debian-iptables:bullseye image now contains /go-runner binary (#2310, @​pohly)
  • K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.10 (#2311, @​cpanato)
  • K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.8 (#2252, @​cpanato)
  • K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.9 (#2290, @​cpanato)
  • K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.1 (#2246, @​cpanato)
  • K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.2 (#2289, @​cpanato)
  • K8s-cloud-builder/k8s-ci-builder: Build image using go1.17.3 (#2306, @​cpanato)
  • Krel: make promote-images work for other k8s and k8s sigs projects (#2280, @​CecileRobertMichon)
  • New SPDX parser to read and interpret SPDX SBoMs in tag/value format.
    • New subcommand bom document outline reads an SBOM and prints to the screen a tree-like structure detailing the elements (files/packages) described in the SBoM and the relationships among them. (#2298, @​puerco)
  • Release notes: Remove author and PR links from Markdown (#2274, @​CecileRobertMichon)
  • Releases now publish a provenance attestation with a SLSA 0.1 predicate describing all artifacts in the release bucket. (#2300, @​puerco)
  • Setcap: Build bullseye-v1.0.0 images
  • images: Build go1.17-bullseye variants (part two)

... (truncated)

Commits
  • dd825e6 Merge pull request #2322 from justaugustus/rm-vulndash
  • 2c99ef6 generated: Run go mod tidy
  • 6465e9b Remove vulndash
  • d7b421d Merge pull request #2320 from palnabarun/krel/promote-images
  • f032d32 krel/promote-images: update promotion PR body to have the command
  • f61457d krel/promote-images: make an error message more verbose
  • 9daadac Merge pull request #2317 from kubernetes/dependabot/go_modules/github.com/yui...
  • 58b4fff Merge pull request #2300 from puerco/final-provenance
  • 3cb7bdb build(deps): bump github.com/yuin/goldmark from 1.4.3 to 1.4.4
  • a4f6884 Update release steps total count to 11
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump k8s.io/release from 0.9.0 to 0.12.0 in /hack/tools
88707e5 
Bumps [k8s.io/release](https://github.com/kubernetes/release) from 0.9.0 to 0.12.0.
- [Release notes](https://github.com/kubernetes/release/releases)
- [Changelog](https://github.com/kubernetes/release/blob/master/docs/release-notes-maps.md)
- [Commits](kubernetes/release@v0.9.0...v0.12.0)

---
updated-dependencies:
- dependency-name: k8s.io/release
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Nov 22, 2021
@dependabot dependabot bot mentioned this pull request Nov 22, 2021
Closed
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Feb 21, 2022

Superseded by #120.

@dependabot dependabot bot closed this Feb 21, 2022
@dependabot dependabot bot deleted the dependabot/go_modules/hack/tools/k8s.io/release-0.12.0 branch February 21, 2022 03:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant