Merge branch 'kubernetes-sigs:main' into main

Author: zeb33n

.github/dependabot.yml

@@ -31,3 +31,13 @@ updates:
         update-types:
           - "minor"
           - "patch"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      all:
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/docs.yml

@@ -1,6 +1,5 @@
 name: github pages
-permissions:
-  contents: write
+
 on:
   push:
     paths:
@@ -9,11 +8,17 @@ on:
     branches:
       - main  # Set a branch to deploy
 
+permissions: {}
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: true  # Fetch Hugo themes (true OR recursive)
           fetch-depth: 0    # Fetch all history for .GitInfo and .Lastmod
@@ -28,6 +33,6 @@ jobs:
         run: cd docs && npm install && hugo --minify
 
       - name: Deploy 🚀
-        uses: JamesIves/github-pages-deploy-action@15de0f09300eea763baee31dff6c6184995c5f6a # v4.7.2
+        uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
         with:
           folder: ./docs/public # The folder the action should deploy.

.github/workflows/release.yml

@@ -5,6 +5,8 @@ on:
     tags:
       - 'v*'
 
+permissions: {}
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -18,23 +20,27 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile.dev)" >> $GITHUB_ENV
 
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: '1.24'
+          go-version: '${{ env.GOVERSION }}'
           check-latest: true
+          cache: false
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           install-only: true
 
       - name: Run Mage
-        uses: magefile/mage-action@6a5dcb5fe61f43d7c08a98bc3cf9bc63c308c08e # v3.0.0
+        uses: magefile/mage-action@6f50bbb8ea47d56e62dee92392788acbc8192d0b # v3.1.0
         with:
           version: latest
           args: buildBinaries
@@ -53,20 +59,20 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set tag output
         id: tag
         run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
 
       - name: Install tejolote
-        uses: kubernetes-sigs/release-actions/setup-tejolote@a69972745f85aab4ba5d6c681e2a0e7f73eaff2b # v0.3.0
+        uses: kubernetes-sigs/release-actions/setup-tejolote@8af7b2a5596dff526de9db59b2c4b8457e9f52a1 # v0.4.0
 
       - run: |
           tejolote attest --artifacts github://kubernetes-sigs/bom/${{ steps.tag.outputs.tag_name }} github://kubernetes-sigs/bom/"${GITHUB_RUN_ID}" --output bom.intoto.json --sign
 
       - name: Release
-        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v0.1.15
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
         with:
           files: bom.intoto.json
           tag_name: "${{ steps.tag.outputs.tag_name }}"

.github/workflows/snapshot.yml

@@ -5,32 +5,45 @@ on:
     branches:
       - 'main'
   pull_request:
+    branches:
+      - 'main'
+
+permissions: {}
 
 jobs:
   snapshot:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - name: Check out code onto GOPATH
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile.dev)" >> $GITHUB_ENV
 
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: '1.24'
+          go-version: '${{ env.GOVERSION }}'
           check-latest: true
+          cache: false
 
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           install-only: true
 
       - name: Run Mage
-        uses: magefile/mage-action@6a5dcb5fe61f43d7c08a98bc3cf9bc63c308c08e # v3.0.0
+        uses: magefile/mage-action@6f50bbb8ea47d56e62dee92392788acbc8192d0b # v3.1.0
         with:
           version: latest
           args: buildBinariesSnapshot
 
       - name: check binary
         run: |
-          ./dist/bom-amd64-linux version
+          ./dist/bom_linux_amd64_v1/bom version
           cat ./dist/bom.json.spdx

.github/workflows/verify-spdx.yaml

@@ -2,40 +2,54 @@ name: Validate SPDX Conformance
 
 on:
   pull_request:
-    branches: ['main']
+    branches:
+      - 'main'
+
+permissions: {}
 
 jobs:
   check-spdx:
     name: Check SPDX SBOMs
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v3.3.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile.dev)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: '1.24'
+          go-version: '${{ env.GOVERSION }}'
           check-latest: true
+          cache: false
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: |
           go run ./cmd/bom/main.go generate -i registry.k8s.io/pause > example-image-pause.spdx
           go run ./cmd/bom/main.go generate --format=json -i registry.k8s.io/pause > example-image-pause.spdx.json
 
-      - uses: chainguard-dev/actions/setup-spdx@d886686603afb809f7ef9b734b333e20b7ce5cda
+      - uses: chainguard-dev/actions/setup-spdx@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7
         with:
           spdx-tools-version: 1.1.8
 
-      - uses: chainguard-dev/actions/setup-spdx@d886686603afb809f7ef9b734b333e20b7ce5cda
+      - uses: chainguard-dev/actions/setup-spdx@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7
         with:
           download: false
           spdx-tools-version: 1.1.8
           sbom-path: example-image-pause.spdx
 
-      - uses: chainguard-dev/actions/setup-spdx@d886686603afb809f7ef9b734b333e20b7ce5cda
+      - uses: chainguard-dev/actions/setup-spdx@1b32103f5aa389c31ab0be75a8edc38d7e4750d8 # v1.5.7
         with:
           download: false
           spdx-tools-version: 1.1.8
           sbom-path: example-image-pause.spdx.json
 
-      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b  # v4.5.0
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
         if: ${{ always() }}
         with:
           name: Example SBOMs

.goreleaser.yml

@@ -16,8 +16,6 @@ gomod:
 
 builds:
   - id: bom
-    no_unique_dist_dir: true
-    binary: bom-{{ .Arch }}-{{ .Os }}
     main: ./cmd/bom
     goos:
       - darwin
@@ -48,6 +46,7 @@ builds:
 archives:
   - formats:
       - binary
+    name_template: "{{ .ProjectName }}-{{ .Arch }}-{{ .Os }}"
     allow_different_binary_count: true
 
 signs:
@@ -61,7 +60,7 @@ signs:
 
 sboms:
   - id: bom
-    cmd: ./bom-amd64-linux
+    cmd: ./bom_linux_amd64_v1/bom
     args:
       - generate
       - "--output"

Dockerfile.dev

@@ -0,0 +1,19 @@
+#
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This is used to we scrap the go version and use in CI to get the latest go version
+# and we use dependabot to keep the go version up to date
+FROM golang:1.25.3

cloudbuild.yaml

@@ -1,7 +1,7 @@
 # See https://cloud.google.com/cloud-build/docs/build-config
 timeout: 3600s
 options:
-  substitution_option: ALLOW_LOOSE
+  substitutionOption: ALLOW_LOOSE
 steps:
   - name: gcr.io/cloud-builders/git
     dir: "go/src/sigs.k8s.io"
@@ -19,7 +19,7 @@ steps:
         echo "Checking out ${_PULL_BASE_REF}"
         git checkout ${_PULL_BASE_REF}
 
-  - name: 'gcr.io/k8s-staging-releng/releng-ci:latest-go1.22-bookworm'
+  - name: 'gcr.io/k8s-staging-releng/releng-ci:latest-go1.24-bookworm'
     dir: "go/src/sigs.k8s.io/bom"
     entrypoint: go
     env:

cmd/bom/cmd/generate.go

@@ -25,7 +25,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"sigs.k8s.io/release-utils/util"
+	"sigs.k8s.io/release-utils/helpers"
 	"sigs.k8s.io/release-utils/version"
 
 	"sigs.k8s.io/bom/pkg/license"
@@ -84,7 +84,7 @@ func (opts *generateOptions) Validate() error {
 	} {
 		// Check if image archives exist
 		for i, iPath := range col.Items {
-			if !isGlob(iPath) && !util.Exists(iPath) {
+			if !isGlob(iPath) && !helpers.Exists(iPath) {
 				return fmt.Errorf("%s #%d not found (%s)", col.Name, i+1, iPath)
 			}
 		}
@@ -125,7 +125,7 @@ completed by a later stage in your CI/CD pipeline. See the
 		PersistentPreRunE: initLogging,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			for i, arg := range args {
-				if !util.Exists(arg) {
+				if !helpers.Exists(arg) {
 					continue
 				}
 				file, err := os.Open(arg)

cmd/bom/cmd/validate.go

@@ -23,11 +23,10 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/olekukonko/tablewriter"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"sigs.k8s.io/release-utils/util"
+	"sigs.k8s.io/release-utils/helpers"
 
 	"sigs.k8s.io/bom/pkg/spdx"
 )
@@ -55,7 +54,7 @@ for checking files.
 
 		RunE: func(_ *cobra.Command, args []string) error {
 			for i, arg := range args {
-				if util.Exists(arg) {
+				if helpers.Exists(arg) {
 					file, err := os.Open(arg)
 					if err != nil {
 						return fmt.Errorf("checking argument %d: %w", i, err)
@@ -192,13 +191,10 @@ func validateArtifacts(opts validateOptions) error {
 		data = append(data, resRow)
 	}
 
-	table := tablewriter.NewWriter(os.Stdout)
-	table.SetHeader([]string{"FileName", "Valid", "Message", "Invalid Hashes"})
+	table := helpers.NewTableWriterWithDefaultsAndHeader(os.Stdout, []string{"FileName", "Valid", "Message", "Invalid Hashes"})
 
-	for _, v := range data {
-		table.Append(v)
-	}
-	table.Render()
+	_ = table.Bulk(data) //nolint: errcheck
+	_ = table.Render()   //nolint: errcheck
 
 	if errored {
 		return errors.New("failed to validate all files")