
Releases: sigstore/policy-controller

v0.2.0

22 Jul 13:12
a547abe

What's Changed

  • Fixes numerous validating and defaulting. Improve tests by @vaikas in #93
  • Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in #95
  • Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.3 by @dependabot in #94
  • update go builder and cosign by @cpanato in #96
  • fix path in cloudbuild by @cpanato in #97
  • another fix :( in cloudbuild by @cpanato in #99

Enhancements

  • Refactor entire policy validation into ValidatePolicy.
  • Set reinvocationPolicy to 'IfNeeded' for the tag resolver webhook
  • Add policy-tester CLI for testing ClusterImagePolicies
  • (tester) Validate CIP before using it.
  • (tester) call SetDefaults on cip before conversion
  • remove v1.21 k8s which is deprecated and add v1.24
  • chore: do not fail to verify signed images if the secret-name flag is not set

Bug fixes

  • Fix issue #38. Do not block status updates.
  • Avoid test race condition.
  • Fix sigstore/cosign#1653
  • Allow for @ symbol on globs to support image refs with digest
  • Validate globs at admission time.
  • fix: add missing conversion to CRD
  • fix: solve vuln from our opa version
  • Fix issue #24
  • Bump some vulnerable dependencies; base on distroless/static

Others

  • Bump mikefarah/yq from 4.25.3 to 4.26.1
  • Bump actions/dependency-review-action from 2.0.2 to 2.0.4
  • Bump google.golang.org/grpc from 1.47.0 to 1.48.0
  • Bump github/codeql-action from 2.1.15 to 2.1.16
  • Bump actions/cache from 3.0.4 to 3.0.5
  • Bump actions/setup-go from 3.2.0 to 3.2.1
  • update knative to use v1.5.0 release
  • update scaffolding to use release v0.3.0
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.6 to 1.16.7
  • Bump sigstore/cosign-installer from 2.4.0 to 2.4.1
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.5 to 1.16.6
  • increase timeout for golangci-lint
  • Bump github.com/stretchr/testify from 1.7.5 to 1.8.0
  • Bump github/codeql-action from 2.1.14 to 2.1.15
  • Switch to direct returns
  • Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0
  • Bump ossf/scorecard-action from 1.1.1 to 1.1.2
  • chore: skip secret not found
  • Bump github.com/stretchr/testify from 1.7.4 to 1.7.5
  • Bump mikefarah/yq from 4.25.2 to 4.25.3
  • Bump github/codeql-action from 2.1.13 to 2.1.14
  • Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0
  • Bump github.com/stretchr/testify from 1.7.2 to 1.7.4
  • Bump github/codeql-action from 2.1.12 to 2.1.13
  • Bump actions/dependency-review-action from 2.0.1 to 2.0.2
  • Bump actions/dependency-review-action from 1.0.2 to 2.0.1
  • Update tests for OR behaviour wrt authorities.
  • remove unused struct from imports
  • Add policy to make sure signature and attestation is there.
  • Return authoritymatches before errors.
  • remove third_party stuff due to mismatch in go version.
  • Use fulcioroots from sigstore/sigstore
  • Even if some authority returns err, return any other matching authority results.
  • Use public fulcio/rekor to make sure things are not there.
  • hack/update-deps.sh

Contributors

  • Carlos Tadeu Panato Junior
  • Hector Fernandez
  • Jason Hall
  • Josh Dolitsky
  • Matt Moore
  • Ville Aikas
  • Vladimir Nachev
  • cpanato
  • dependabot[bot]
  • dlorenc
  • hectorj2f

Full Changelog: v0.1.0...v0.2.0

Images:

  • policy-controller: gcr.io/projectsigstore/policy-controller:v0.2.0 or ghcr.io/sigstore/policy-controller/policy-controller:v0.2.0
  • policy-webhook: gcr.io/projectsigstore/policy-webhook:v0.2.0 or ghcr.io/sigstore/policy-controller/policy-webhook:v0.2.0

v0.2.0-rc.2

22 Jul 13:10
a547abe
Pre-release

Thanks to all contributors!

What's Changed

Full Changelog: v0.2.0-rc.1...v0.2.0-rc.2

v0.2.0-rc.1

22 Jul 12:35
3c40d13
Pre-release

Thanks to all contributors!

What's Changed

  • Remove unnecessary files as part of the migration from sigstore/cosign by @vaikas in #11
  • Remove unnecessary tests, update Makefile. by @vaikas in #12
  • update ko configuration by @cpanato in #13
  • clean up makefile by @cpanato in #14
  • Fix import paths, update go.mod to be policy-controller. by @vaikas in #15
  • Fix build job and more cleanup by @cpanato in #16
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.4 to 1.16.5 by @dependabot in #9
  • update gcp service account by @cpanato in #17
  • Bump google.golang.org/api from 0.82.0 to 0.83.0 by @dependabot in #5
  • Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 by @dependabot in #19
  • Just chop chop chopping... by @vaikas in #20
  • Rejigger directories, drop cosign by @vaikas in #21
  • Remove cosign pkg, take a dep on it. by @vaikas in #23
  • Update release job by @cpanato in #22
  • Bump some vulnerable dependencies; base on distroless/static by @imjasonh in #27
  • Add spdxjson and cyclonedx as supported predicate types by @jdolitsky in #25
  • Point fulcio roots to sigstore/sigstore. Fix #24 by @vaikas in #30
  • Fix #28. Treat multiple authorities as OR instead of AND. by @vaikas in #29
  • fix: solve vuln from our opa version by @hectorj2f in #32
  • fix: add missing conversion to CRD by @hectorj2f in #36
  • Bump actions/dependency-review-action from 1.0.2 to 2.0.1 by @dependabot in #39
  • Bump actions/dependency-review-action from 2.0.1 to 2.0.2 by @dependabot in #40
  • Bump github.com/stretchr/testify from 1.7.2 to 1.7.4 by @dependabot in #50
  • Bump github/codeql-action from 2.1.12 to 2.1.13 by @dependabot in #49
  • Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0 by @dependabot in #51
  • Bump mikefarah/yq from 4.25.2 to 4.25.3 by @dependabot in #54
  • Bump github/codeql-action from 2.1.13 to 2.1.14 by @dependabot in #53
  • Bump github.com/stretchr/testify from 1.7.4 to 1.7.5 by @dependabot in #55
  • Bump ossf/scorecard-action from 1.1.1 to 1.1.2 by @dependabot in #57
  • chore: skip secret not found by @hectorj2f in #56
  • Validate globs at admission time. by @mattmoor in #60
  • Bump github/codeql-action from 2.1.14 to 2.1.15 by @dependabot in #61
  • Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 by @dependabot in #62
  • Allow for @ symbol on globs to support image refs with digest by @jdolitsky in #63
  • Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0 by @dependabot in #58
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.5 to 1.16.6 by @dependabot in #64
  • Bump sigstore/cosign-installer from 2.4.0 to 2.4.1 by @dependabot in #65
  • Add policy-tester CLI for testing ClusterImagePolicies by @jdolitsky in #67
  • Bump github.com/aws/aws-sdk-go-v2 from 1.16.6 to 1.16.7 by @dependabot in #68
  • Add static field to authority that allows for block/allow behaviour. by @vaikas in #69
  • Update k8s clusters test by @cpanato in #70
  • Avoid test race condition. by @mattmoor in #72
  • Validate CIP before using it. by @vaikas in #74
  • Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #75
  • Set reinvocationPolicy to 'IfNeeded' for the tag resolver webhook by @vpnachev in #76
  • Bump google.golang.org/grpc from 1.47.0 to 1.48.0 by @dependabot in #79
  • Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in #77
  • Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in #78
  • Refactor entire policy validation into ValidatePolicy. by @vaikas in #81
  • Bump actions/dependency-review-action from 2.0.2 to 2.0.4 by @dependabot in #82
  • Fix #38 , do not block status updates. by @vaikas in #88
  • Bump mikefarah/yq from 4.25.3 to 4.26.1 by @dependabot in #89
  • Update CHANGELOG to reflect changes since creating the repository. by @vaikas in #91
  • Fixes numerous validating and defaulting. Improve tests by @vaikas in #93
  • Bump github.com/google/go-containerregistry from 0.10.0 to 0.11.0 by @dependabot in #95
  • Bump github.com/hashicorp/vault/sdk from 0.5.1 to 0.5.3 by @dependabot in #94
  • update go builder and cosign by @cpanato in #96

New Contributors

Full Changelog: https://github.com/sigstore/policy-controller/commits/v0.2.0-rc.1