diff --git a/.github/actions/golang/action.yaml b/.github/actions/golang/action.yaml deleted file mode 100644 index 890c4bb3cd..0000000000 --- a/.github/actions/golang/action.yaml +++ /dev/null @@ -1,10 +0,0 @@ -name: setup-go -description: "Setup Go binary and caching" - -runs: - using: composite - steps: - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: 'go.mod' - cache: true diff --git a/.github/workflows/check-go-mod.yml b/.github/workflows/check-go-mod.yml index 8efdd95beb..4cc64058c8 100644 --- a/.github/workflows/check-go-mod.yml +++ b/.github/workflows/check-go-mod.yml @@ -14,7 +14,9 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Test go mod run: | diff --git a/.github/workflows/nightly-ecr.yml b/.github/workflows/nightly-ecr.yml index 4be6e1ebcb..7b72b9eee3 100644 --- a/.github/workflows/nightly-ecr.yml +++ b/.github/workflows/nightly-ecr.yml @@ -22,7 +22,9 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Build the Zarf binary run: make build-cli-linux-amd diff --git a/.github/workflows/nightly-eks.yml b/.github/workflows/nightly-eks.yml index fa347c2a8c..239f3cbbff 100644 --- a/.github/workflows/nightly-eks.yml +++ b/.github/workflows/nightly-eks.yml @@ -30,7 +30,9 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Build binary and zarf packages uses: ./.github/actions/packages 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 350fac65b5..38bb15883d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,7 +22,9 @@ jobs: fetch-depth: 0 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Install tools uses: ./.github/actions/install-tools @@ -84,7 +86,7 @@ jobs: # Upload the contents of the build directory for later stages to use - name: Upload build artifacts - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: build-artifacts path: build/ @@ -107,7 +109,9 @@ jobs: path: build/ - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Make Zarf executable run: | @@ -140,7 +144,9 @@ jobs: fetch-depth: 0 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Install tools uses: ./.github/actions/install-tools @@ -198,7 +204,7 @@ jobs: HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.brew-tap-token.outputs.token }} - name: Save CVE report - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: cve-report path: build/zarf-known-cves.csv diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml index 58e3596fea..7cf799c2e8 100644 --- a/.github/workflows/scan-codeql.yml +++ b/.github/workflows/scan-codeql.yml 
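Review bot: The three setup-go steps added in release.yml leave `cache` at its default, and setup-go v4 and later restore the Go module and build cache by default. In a workflow that builds and publishes release artifacts, a restored cache is a build input that does not come from the tagged source. Consider adding `cache: false` under `with:` in these steps so release builds start clean. The removed composite action set `cache: true` explicitly, so this is not new behaviour, but inlining the step is a good moment to make the choice deliberate per workflow.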
@@ -39,11 +39,13 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 with: languages: ${{ matrix.language }} config-file: ./.github/codeql.yaml @@ -52,6 +54,6 @@ jobs: run: make build-cli-linux-amd - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scan-docs-and-schema.yml b/.github/workflows/scan-docs-and-schema.yml index d1228c2fd4..69cb020a28 100644 --- a/.github/workflows/scan-docs-and-schema.yml +++ b/.github/workflows/scan-docs-and-schema.yml @@ -14,7 +14,9 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Docs and schemas run: "make test-docs-and-schema" diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index a887bc67de..98f0a328d8 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
@@ -36,7 +36,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif @@ -44,6 +44,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 with: sarif_file: results.sarif diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 97480716a8..e3e7ffef6d 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -38,7 +38,9 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Build binary and zarf packages uses: ./.github/actions/packages @@ -47,7 +49,7 @@ jobs: # Upload the contents of the build directory for later stages to use - name: Upload build artifacts - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: build-artifacts path: build/ @@ -67,7 +69,9 @@ jobs: path: build/ - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Make Zarf executable run: | 
@@ -102,7 +106,9 @@ jobs: path: build/ - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Setup K3d uses: ./.github/actions/k3d @@ -144,7 +150,9 @@ jobs: path: build/ - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Make Zarf executable run: | @@ -182,7 +190,9 @@ jobs: path: build/ - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Setup Kind run: | @@ -226,7 +236,9 @@ jobs: path: build/ - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Setup Minikube run: minikube start --driver=docker diff --git a/.github/workflows/test-external.yml b/.github/workflows/test-external.yml index 1dc1b5b641..10f4c75d7f 100644 --- a/.github/workflows/test-external.yml +++ b/.github/workflows/test-external.yml @@ -37,7 +37,9 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Build binary and zarf packages uses: ./.github/actions/packages diff --git a/.github/workflows/test-import.yaml b/.github/workflows/test-import.yaml index 201eb2f7db..44831ca1a9 100644 --- a/.github/workflows/test-import.yaml +++ b/.github/workflows/test-import.yaml @@ -20,8 +20,7 @@ jobs: - name: Setup Go uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version-file: 'go.mod' - cache: true + go-version-file: go.mod - name: Run test Go program that imports Zarf run: | 
diff --git a/.github/workflows/test-package-create.yml b/.github/workflows/test-package-create.yml new file mode 100644 index 0000000000..8572a3389a --- /dev/null +++ b/.github/workflows/test-package-create.yml @@ -0,0 +1,48 @@ +name: Test Package Create Checksums + +on: + pull_request: + merge_group: + +permissions: + contents: read + +concurrency: + group: package-create-${{ github.ref }} + cancel-in-progress: true + +jobs: + test-checksums: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version-file: go.mod + + - name: Build Zarf + run: make build + + - name: Build examples + run: make build-examples ARCH=amd64 + + - name: Compare checksums + run: | + set -e + + for f in hack/examples-checksums/*.txt + do + NAME=$(basename $f .txt) + CHECKSUM=$(tar Oxf build/$NAME.tar.zst checksums.txt | grep -v sboms.tar) + EXPECTED_CHECKSUM=$(cat $f | grep -v sboms.tar) + if [[ "$CHECKSUM" != "$EXPECTED_CHECKSUM" ]] + then + echo "Package $f does not have expected checksum." + echo "$CHECKSUM" + echo "-----" + echo "$EXPECTED_CHECKSUM" + exit 1 + fi + done diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml index cec2d23eda..cc7278db9d 100644 --- a/.github/workflows/test-unit.yml +++ b/.github/workflows/test-unit.yml @@ -41,7 +41,9 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Run unit tests run: make test-unit diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml index f00a720c79..f41e961b83 100644 --- a/.github/workflows/test-upgrade.yml +++ b/.github/workflows/test-upgrade.yml 
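Review bot: The setup-go step in this new workflow is pinned to `0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0`, while every other workflow touched by this commit uses `0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2`. Use `uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2` here as well so there is a single pin to maintain and audit. In the "Compare checksums" step, `set -e` alone ignores the exit status of `tar` because only the last command of the pipeline counts, and `$f` and `$NAME` are unquoted. `set -euo pipefail` together with `"$f"` and `"build/$NAME.tar.zst"` would make a missing or unreadable package fail on tar's own error.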
@@ -37,7 +37,9 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Build PR binary and zarf init package uses: ./.github/actions/packages @@ -46,7 +48,7 @@ jobs: # Upload the contents of the build directory for later stages to use - name: Upload build artifacts - uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: build-artifacts path: build/ @@ -66,7 +68,9 @@ jobs: path: build/ - name: Setup golang - uses: ./.github/actions/golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod - name: Make Zarf executable run: | diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml index 21cca72af2..13a4f43dea 100644 --- a/.github/workflows/test-windows.yml +++ b/.github/workflows/test-windows.yml @@ -36,6 +36,11 @@ jobs: - name: Checkout uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: Setup golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod + - name: Run Windows unit tests run: make test-unit shell: pwsh @@ -46,6 +51,11 @@ jobs: - name: Checkout uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: Setup golang + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod + - name: Build Windows binary and zarf packages uses: ./.github/actions/packages with: diff --git a/examples/dos-games/zarf.yaml b/examples/dos-games/zarf.yaml index 87042ca58d..f3319f8ea7 100644 --- a/examples/dos-games/zarf.yaml +++ b/examples/dos-games/zarf.yaml 
@@ -15,15 +15,6 @@ components: - manifests/service.yaml images: - ghcr.io/zarf-dev/doom-game:0.0.1 - actions: - onDeploy: - after: - - wait: - cluster: - kind: deployment - name: game - namespace: dos-games - condition: available # YAML keys starting with `x-` are custom keys that are ignored by the Zarf CLI # The `x-mdx` key is used to render the markdown content for https://docs.zarf.dev/ref/examples diff --git a/examples/helm-charts/zarf.yaml b/examples/helm-charts/zarf.yaml index e5e3757717..dbb2648204 100644 --- a/examples/helm-charts/zarf.yaml +++ b/examples/helm-charts/zarf.yaml @@ -56,33 +56,6 @@ components: - ghcr.io/stefanprodan/podinfo:6.4.0 # This is the cosign signature for the podinfo image for image signature verification - ghcr.io/stefanprodan/podinfo:sha256-57a654ace69ec02ba8973093b6a786faa15640575fbf0dbb603db55aca2ccec8.sig - actions: - onDeploy: - after: - - wait: - cluster: - kind: deployment - name: podinfo-local - namespace: podinfo-from-local-chart - condition: available - - wait: - cluster: - kind: deployment - name: podinfo-oci - namespace: podinfo-from-oci - condition: available - - wait: - cluster: - kind: deployment - name: podinfo-git - namespace: podinfo-from-git - condition: available - - wait: - cluster: - kind: deployment - name: cool-release-name-podinfo - namespace: podinfo-from-repo - condition: available # YAML keys starting with `x-` are custom keys that are ignored by the Zarf CLI # The `x-mdx` key is used to render the markdown content for https://docs.zarf.dev/ref/examples diff --git a/examples/manifests/zarf.yaml b/examples/manifests/zarf.yaml index 092f6ca684..7855f0a02b 100644 --- a/examples/manifests/zarf.yaml +++ b/examples/manifests/zarf.yaml 
@@ -12,17 +12,6 @@ components: files: # local manifests are specified relative to the `zarf.yaml` that uses them: - httpd-deployment.yaml - actions: - onDeploy: - # the following checks were computed by viewing the success state of the package deployment - # and creating `wait` actions that match - after: - - wait: - cluster: - kind: deployment - name: httpd-deployment - namespace: httpd - condition: "{.status.readyReplicas}=2" # image discovery is supported in all manifests and charts using: # zarf prepare find-images images: @@ -38,17 +27,6 @@ components: - https://k8s.io/examples/application/deployment.yaml@c57f73449b26eae02ca2a549c388807d49ef6d3f2dc040a9bbb1290128d97157 # this sha256 can be discovered using: # zarf prepare sha256sum https://k8s.io/examples/application/deployment.yaml - actions: - onDeploy: - # the following checks were computed by viewing the success state of the package deployment - # and creating `wait` actions that match - after: - - wait: - cluster: - kind: deployment - name: nginx-deployment - namespace: nginx - condition: available # image discovery is supported in all manifests and charts using: # zarf prepare find-images images: @@ -64,17 +42,6 @@ components: - github.com/stefanprodan/podinfo//kustomize?ref=6.4.0 # while ?ref= is not a requirement, it is recommended to use a specific commit hash / git tag to # ensure that the kustomization is not changed in a way that breaks your deployment. - actions: - onDeploy: - # the following checks were computed by viewing the success state of the package deployment - # and creating `wait` actions that match - after: - - wait: - cluster: - kind: deployment - name: podinfo - namespace: podinfo - condition: available # image discovery is supported in all manifests and charts using: # zarf prepare find-images images: diff --git a/examples/podinfo-flux/git/podinfo-kustomization.yaml b/examples/podinfo-flux/git/podinfo-kustomization.yaml index aa251f98ce..bc72ee0aa0 100644 
--- a/examples/podinfo-flux/git/podinfo-kustomization.yaml +++ b/examples/podinfo-flux/git/podinfo-kustomization.yaml @@ -12,3 +12,4 @@ spec: kind: GitRepository name: podinfo targetNamespace: podinfo-git + wait: true diff --git a/examples/podinfo-flux/oci/podinfo-kustomization.yaml b/examples/podinfo-flux/oci/podinfo-kustomization.yaml index 57f290e7b6..7acd41f327 100644 --- a/examples/podinfo-flux/oci/podinfo-kustomization.yaml +++ b/examples/podinfo-flux/oci/podinfo-kustomization.yaml @@ -12,3 +12,4 @@ spec: kind: OCIRepository name: podinfo targetNamespace: podinfo-oci + wait: true diff --git a/examples/podinfo-flux/zarf.yaml b/examples/podinfo-flux/zarf.yaml index 6e94a715d0..16b25e3e59 100644 --- a/examples/podinfo-flux/zarf.yaml +++ b/examples/podinfo-flux/zarf.yaml @@ -33,16 +33,6 @@ components: - https://github.com/stefanprodan/podinfo.git images: - ghcr.io/stefanprodan/podinfo:6.4.0 - actions: - onDeploy: - after: - - description: Podinfo pods to be ready via wait action - wait: - cluster: - kind: pod - name: app=podinfo - namespace: podinfo-git - condition: ready - name: podinfo-via-flux-helm description: Example deployment via flux (helm oci) using the famous podinfo example @@ -57,16 +47,6 @@ components: - ghcr.io/stefanprodan/podinfo:6.4.0 # Note: this is a helm OCI artifact rather than a container image - ghcr.io/stefanprodan/charts/podinfo:6.4.0 - actions: - onDeploy: - after: - - description: Podinfo pods to be ready via wait action - wait: - cluster: - kind: pod - name: app.kubernetes.io/name=podinfo - namespace: podinfo-helm - condition: ready - name: podinfo-via-flux-oci description: Example deployment via flux (native oci) using the famous podinfo example 
@@ -81,17 +61,6 @@ components: - ghcr.io/stefanprodan/podinfo:6.4.0 # Note: this is a flux kustomize OCI artifact rather than a container image - ghcr.io/stefanprodan/manifests/podinfo:6.4.0 - actions: - onDeploy: - after: - # This will use a wait action to wait for the podinfo pod to be ready - - description: Podinfo pods to be ready via wait action - wait: - cluster: - kind: pod - name: app=podinfo - namespace: podinfo-oci - condition: ready # YAML keys starting with `x-` are custom keys that are ignored by the Zarf CLI # The `x-mdx` key is used to render the markdown content for https://docs.zarf.dev/ref/examples diff --git a/examples/variables/zarf.yaml b/examples/variables/zarf.yaml index df2873b1c4..e180acdaa8 100644 --- a/examples/variables/zarf.yaml +++ b/examples/variables/zarf.yaml @@ -81,15 +81,6 @@ components: - nginx-configmap.yaml - nginx-deployment.yaml - nginx-service.yaml - actions: - onDeploy: - after: - - wait: - cluster: - kind: pod - namespace: nginx - name: app=nginx - condition: Ready # YAML keys starting with `x-` are custom keys that are ignored by the Zarf CLI # The `x-mdx` key is used to render the markdown content for https://docs.zarf.dev/ref/examples diff --git a/examples/yolo/zarf.yaml b/examples/yolo/zarf.yaml index dfa4cf65f1..71a3f7aa95 100644 --- a/examples/yolo/zarf.yaml +++ b/examples/yolo/zarf.yaml @@ -13,15 +13,6 @@ components: files: - ../dos-games/manifests/deployment.yaml - ../dos-games/manifests/service.yaml - actions: - onDeploy: - after: - - wait: - cluster: - kind: deployment - name: game - namespace: zarf-yolo-example - condition: available # YAML keys starting with `x-` are custom keys that are ignored by the Zarf CLI # The `x-mdx` key is used to render the markdown content for https://docs.zarf.dev/ref/examples diff --git a/go.mod b/go.mod index bbfc5fa076..75c52d5f4f 100644 --- a/go.mod +++ b/go.mod 
@@ -53,7 +53,7 @@ require ( golang.org/x/crypto v0.28.0 golang.org/x/sync v0.8.0 golang.org/x/term v0.25.0 - helm.sh/helm/v3 v3.16.1 + helm.sh/helm/v3 v3.16.2 k8s.io/api v0.31.1 k8s.io/apimachinery v0.31.1 k8s.io/client-go v0.31.1 diff --git a/go.sum b/go.sum index f0507dfbb6..f1f84685d0 100644 --- a/go.sum +++ b/go.sum @@ -2457,8 +2457,8 @@ gorm.io/gorm v1.25.9 h1:wct0gxZIELDk8+ZqF/MVnHLkA1rvYlBWUMv2EdsK1g8= gorm.io/gorm v1.25.9/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c= -helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps= +helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o= +helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/hack/examples-checksums/zarf-package-component-actions-amd64.txt b/hack/examples-checksums/zarf-package-component-actions-amd64.txt new file mode 100644 index 0000000000..24913a26dd --- /dev/null +++ b/hack/examples-checksums/zarf-package-component-actions-amd64.txt @@ -0,0 +1,3 @@ +cfd67a2aeebf13c632207183e1d5cd57146a28aa22b5ddf8896c6ce593c627c2 components/on-deploy-with-wait-action.tar +d26e18c92ff9f93b296fad6be153f02d4a746f0ec44dbcf4c526f1e121ffe4ec components/on-remove.tar +fbfcd7215652819a3b03084d2a12ca7594d8c610ac6e2ebed2f229a0019a52e2 components/on-deploy-with-template-use-of-variable.tar 
diff --git a/hack/examples-checksums/zarf-package-component-choice-amd64.txt b/hack/examples-checksums/zarf-package-component-choice-amd64.txt new file mode 100644 index 0000000000..ecce58903a --- /dev/null +++ b/hack/examples-checksums/zarf-package-component-choice-amd64.txt @@ -0,0 +1,2 @@ +fa862d90928e52ccc9faa69b5eae73bb97fa5acb76407ba6a177eb338f7d692d components/first-choice.tar +fb99083f2881d87f556c1a7a163876aeaaf1e6094526ff50b2775fc85f8858a3 components/second-choice.tar diff --git a/hack/examples-checksums/zarf-package-dos-games-amd64-1.1.0.txt b/hack/examples-checksums/zarf-package-dos-games-amd64-1.1.0.txt new file mode 100644 index 0000000000..e0a3ce3493 --- /dev/null +++ b/hack/examples-checksums/zarf-package-dos-games-amd64-1.1.0.txt @@ -0,0 +1,8 @@ +0a44b759e219d9d6f3c7cbbf40c57ede71a1f9bf54da65767c4137be74727662 images/blobs/sha256/0a44b759e219d9d6f3c7cbbf40c57ede71a1f9bf54da65767c4137be74727662 +4752b809555b8767401dfd39638f256c2373763a1f2cc421012301bb48481e6d images/blobs/sha256/4752b809555b8767401dfd39638f256c2373763a1f2cc421012301bb48481e6d +49f63464352d7b53ceea3b60b9cc764c1a810b28217ee9f13ab7f974bb3ed968 components/baseline.tar +4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 images/blobs/sha256/4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 +b66dbb27a73334db6ac9c030475837bd7f4472d835c72b2360534b203edce6cb images/oci-layout +c7ee390ce7fc9b525429312617f5fbff5fe195544c1d95b44b72330bff15a615 images/index.json +cc1421ef2ded4a559feaefe8dc266488d60675fcc995db7e51f0b0a6d893e010 images/blobs/sha256/cc1421ef2ded4a559feaefe8dc266488d60675fcc995db7e51f0b0a6d893e010 +e6886dc0b01f09d19480a3270fd9e7c4b261346cee9490b881b36edf21c7e722 images/blobs/sha256/e6886dc0b01f09d19480a3270fd9e7c4b261346cee9490b881b36edf21c7e722 diff --git a/hack/examples-checksums/zarf-package-manifests-amd64-0.0.1.txt b/hack/examples-checksums/zarf-package-manifests-amd64-0.0.1.txt new file mode 100644 index 0000000000..3553f82efa --- /dev/null 
+++ b/hack/examples-checksums/zarf-package-manifests-amd64-0.0.1.txt 
@@ -0,0 +1,27 @@ +0f23e58bd0b7c74311703e20c21c690a6847e62240ed456f8821f4c067d3659b images/blobs/sha256/0f23e58bd0b7c74311703e20c21c690a6847e62240ed456f8821f4c067d3659b +12cba3a8e34081029e840e7ac5454c080835cbc5a7adc1620482e939283a3a49 images/blobs/sha256/12cba3a8e34081029e840e7ac5454c080835cbc5a7adc1620482e939283a3a49 +27833a3ba0a545deda33bb01eaf95a14d05d43bf30bce9267d92d17f069fe897 images/blobs/sha256/27833a3ba0a545deda33bb01eaf95a14d05d43bf30bce9267d92d17f069fe897 +27e17b7ec145d38d0be7b5837639a1206f2f3902f7831a6060d0b897f144decd images/index.json +295c7be079025306c4f1d65997fcf7adb411c88f139ad1d34b537164aa060369 images/blobs/sha256/295c7be079025306c4f1d65997fcf7adb411c88f139ad1d34b537164aa060369 +3a96ca29c7fb133e78765557b2bf29a257467f679c43e4153ad05bcde8a1ce3d images/blobs/sha256/3a96ca29c7fb133e78765557b2bf29a257467f679c43e4153ad05bcde8a1ce3d +45ef08258efc940f6336384ae1f35224b5bdf89a3b7abbb5effcbb6c5d62cabe components/nginx-remote.tar +489db2792d7fc3ed75b6970b2e0e73f782bd5c0ed2462ddd683ae92cce04cdb6 images/blobs/sha256/489db2792d7fc3ed75b6970b2e0e73f782bd5c0ed2462ddd683ae92cce04cdb6 +4db1b89c0bd13344176ddce2d093b9da2ae58336823ffed2009a7ea4b62d2a95 images/blobs/sha256/4db1b89c0bd13344176ddce2d093b9da2ae58336823ffed2009a7ea4b62d2a95 +4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 images/blobs/sha256/4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 +706446e9c6667c0880d5da3f39c09a6c7d2114f5a5d6b74a2fafd24ae30d2078 images/blobs/sha256/706446e9c6667c0880d5da3f39c09a6c7d2114f5a5d6b74a2fafd24ae30d2078 +8ca774778e858d3f97d9ec1bec1de879ac5e10096856dc22ed325a3ad944f78a images/blobs/sha256/8ca774778e858d3f97d9ec1bec1de879ac5e10096856dc22ed325a3ad944f78a +92974acd1b7d5aec7654a2df3a310f97c56b7449fc5d042ba8442dbace9a0da6 images/blobs/sha256/92974acd1b7d5aec7654a2df3a310f97c56b7449fc5d042ba8442dbace9a0da6 +9926d2e1a82b13f28b6b9c720bb6947b34c8eabc943de113a3fbc8fabee82d94 
images/blobs/sha256/9926d2e1a82b13f28b6b9c720bb6947b34c8eabc943de113a3fbc8fabee82d94 +9b61d3667e8d8d1d8f14ebb413c1ac3fe62373fd69af6aafb281b7a8733f50aa images/blobs/sha256/9b61d3667e8d8d1d8f14ebb413c1ac3fe62373fd69af6aafb281b7a8733f50aa +ae8092b154d705e09bc77523083da3e93200a476ae3aa2b7a5e1747b1cbb8fef images/blobs/sha256/ae8092b154d705e09bc77523083da3e93200a476ae3aa2b7a5e1747b1cbb8fef +b4cd0df67c961ba7f49c86c2e1e6e89d2fd1b8c40ad6fe59508db060dfac51fe images/blobs/sha256/b4cd0df67c961ba7f49c86c2e1e6e89d2fd1b8c40ad6fe59508db060dfac51fe +b66dbb27a73334db6ac9c030475837bd7f4472d835c72b2360534b203edce6cb images/oci-layout +b9c1296647242c2c9c7ffe8cc3a1b9ecde558e8748969ad6a64428ab5922769a images/blobs/sha256/b9c1296647242c2c9c7ffe8cc3a1b9ecde558e8748969ad6a64428ab5922769a +c398742ba22c44f9bbc08dcbbdf0c978b20928fde49dceacded095bc09a46b84 images/blobs/sha256/c398742ba22c44f9bbc08dcbbdf0c978b20928fde49dceacded095bc09a46b84 +c926b61bad3b94ae7351bafd0c184c159ebf0643b085f7ef1d47ecdc7316833c images/blobs/sha256/c926b61bad3b94ae7351bafd0c184c159ebf0643b085f7ef1d47ecdc7316833c +cadc8652ff5abccc918746eb742e7b9165a48428b2c8cc6a48eb6ce782ce5405 images/blobs/sha256/cadc8652ff5abccc918746eb742e7b9165a48428b2c8cc6a48eb6ce782ce5405 +d37d27b92cce4fb1383d5fbe32540382ea3d9662c7be3555f5a0f6a044099e1b images/blobs/sha256/d37d27b92cce4fb1383d5fbe32540382ea3d9662c7be3555f5a0f6a044099e1b +d8173b5b3d825c1c19acf91cb66599f453187705ca9cdb4608d7be5482768cba images/blobs/sha256/d8173b5b3d825c1c19acf91cb66599f453187705ca9cdb4608d7be5482768cba +d95fa8da986254bcd64c1251b695fe91875383dac1ed1780480fdf70f02cea3b images/blobs/sha256/d95fa8da986254bcd64c1251b695fe91875383dac1ed1780480fdf70f02cea3b +f55cf5db16c790710ce2cd7b3d4fa00db89bdeea9d516aa83a596e910de103b2 components/podinfo-kustomize.tar +f59dcac0742ce66d707aed956c25cd0fc20d162ecaca308637197eac1cef13fc components/httpd-local.tar 
diff --git a/hack/examples-checksums/zarf-package-variables-amd64.txt b/hack/examples-checksums/zarf-package-variables-amd64.txt new file mode 100644 index 0000000000..a0fdb11006 --- /dev/null +++ b/hack/examples-checksums/zarf-package-variables-amd64.txt @@ -0,0 +1,12 @@ +1ff0f94a80076ab49af75159e23f062a30a75d333a8e9c021bf39669230afcfe images/blobs/sha256/1ff0f94a80076ab49af75159e23f062a30a75d333a8e9c021bf39669230afcfe +291f5d3c8c1742164379dfd09b17eeec4f70bcb165773d65d450dec5ef94d907 images/index.json +4b2a24be75c4766f2d20892ddb84841e3773d0e26249ee57eed530da19c07bb2 components/variables-with-nginx.tar +557c9ede65655e5a70e4a32f1651638ea3bfb0802edd982810884602f700ba25 images/blobs/sha256/557c9ede65655e5a70e4a32f1651638ea3bfb0802edd982810884602f700ba25 +84181e80d10e844350789d3324e848cf728df4f3d0f6c978789dd489f493934a images/blobs/sha256/84181e80d10e844350789d3324e848cf728df4f3d0f6c978789dd489f493934a +a8a737eacb28af35791c2a444d8095ca3d493ba31eca78cd57a6fe3cced79154 components/variables-with-terraform.tar +ac232364af842735579e922641ae2f67d5b8ea97df33a207c5ea05f60c63a92d images/blobs/sha256/ac232364af842735579e922641ae2f67d5b8ea97df33a207c5ea05f60c63a92d +b66dbb27a73334db6ac9c030475837bd7f4472d835c72b2360534b203edce6cb images/oci-layout +d4ceccbfc2696101c94fbf2149036e4ff815e4723e518721ff85105ce5aa8afc images/blobs/sha256/d4ceccbfc2696101c94fbf2149036e4ff815e4723e518721ff85105ce5aa8afc +d776269cad101c9f8e33e2baa0a05993ed0786604d86ea525f62d5d7ae7b9540 images/blobs/sha256/d776269cad101c9f8e33e2baa0a05993ed0786604d86ea525f62d5d7ae7b9540 +e9427fcfa8642f8ddf5106f742a75eca0dbac676cf8145598623d04fa45dd74e images/blobs/sha256/e9427fcfa8642f8ddf5106f742a75eca0dbac676cf8145598623d04fa45dd74e +f1f26f5702560b7e591bef5c4d840f76a232bf13fd5aefc4e22077a1ae4440c7 images/blobs/sha256/f1f26f5702560b7e591bef5c4d840f76a232bf13fd5aefc4e22077a1ae4440c7 
diff --git a/hack/examples-checksums/zarf-package-yolo-amd64.txt b/hack/examples-checksums/zarf-package-yolo-amd64.txt new file mode 100644 index 0000000000..e925a4d3d9 --- /dev/null +++ b/hack/examples-checksums/zarf-package-yolo-amd64.txt @@ -0,0 +1 @@ +b31cd4195a94c235f6560274fac9efb9934c517381d16593592d02f212e1cd70 components/yolo-games.tar diff --git a/packages/gitea/zarf.yaml b/packages/gitea/zarf.yaml index 2f59bebdba..6a51afe161 100644 --- a/packages/gitea/zarf.yaml +++ b/packages/gitea/zarf.yaml @@ -71,12 +71,6 @@ components: - name: GIT_SERVER_CREATE_PVC mute: true after: - - wait: - cluster: - kind: pod - namespace: zarf - name: app=gitea - condition: Ready - cmd: ./zarf internal create-read-only-gitea-user --no-progress maxRetries: 3 maxTotalSeconds: 60 diff --git a/packages/zarf-agent/zarf.yaml b/packages/zarf-agent/zarf.yaml index 65ee63170f..1e1dac492f 100644 --- a/packages/zarf-agent/zarf.yaml +++ b/packages/zarf-agent/zarf.yaml @@ -40,11 +40,3 @@ components: windows: pwsh dir: ../.. description: Build the local agent image (if 'AGENT_IMAGE_TAG' was specified as 'local') - onDeploy: - after: - - wait: - cluster: - kind: pod - namespace: zarf - name: app=agent-hook - condition: Ready diff --git a/packages/zarf-registry/zarf.yaml b/packages/zarf-registry/zarf.yaml index 190eeba4c0..2a5b60dbed 100644 --- a/packages/zarf-registry/zarf.yaml +++ b/packages/zarf-registry/zarf.yaml @@ -171,12 +171,3 @@ components: images: # This image (or images) must match that used for injection (see zarf-config.toml) - "###ZARF_PKG_TMPL_REGISTRY_IMAGE_DOMAIN######ZARF_PKG_TMPL_REGISTRY_IMAGE###:###ZARF_PKG_TMPL_REGISTRY_IMAGE_TAG###" - actions: - onDeploy: - after: - - wait: - cluster: - kind: deployment - namespace: zarf - name: app=docker-registry - condition: Available diff --git a/src/pkg/packager/creator/normal.go b/src/pkg/packager/creator/normal.go index 099fda5e2b..3b7d4a7698 100644 --- a/src/pkg/packager/creator/normal.go +++ b/src/pkg/packager/creator/normal.go 
@@ -206,6 +206,12 @@ func (pc *PackageCreator) Assemble(ctx context.Context, dst *layout.PackagePaths sbomImageList = append(sbomImageList, info) } } + + // Sort images index to make build reproducible. + err = utils.SortImagesIndex(dst.Images.Base) + if err != nil { + return err + } } // Ignore SBOM creation if the flag is set. diff --git a/src/pkg/utils/image.go b/src/pkg/utils/image.go index 3756a759e1..cd62128159 100644 --- a/src/pkg/utils/image.go +++ b/src/pkg/utils/image.go @@ -9,6 +9,8 @@ import ( "fmt" "os" "path/filepath" + "slices" + "strings" "github.com/defenseunicorns/pkg/helpers/v2" v1 "github.com/google/go-containerregistry/pkg/v1" @@ -102,3 +104,25 @@ func OnlyHasImageLayers(img v1.Image) (bool, error) { } return true, nil } + +// SortImagesIndex sorts the index.json by digest. +func SortImagesIndex(ociPath string) error { + indexPath := filepath.Join(ociPath, "index.json") + b, err := os.ReadFile(indexPath) + if err != nil { + return err + } + var index ocispec.Index + err = json.Unmarshal(b, &index) + if err != nil { + return err + } + slices.SortFunc(index.Manifests, func(a, b ocispec.Descriptor) int { + return strings.Compare(string(a.Digest), string(b.Digest)) + }) + b, err = json.Marshal(index) + if err != nil { + return err + } + return os.WriteFile(indexPath, b, helpers.ReadWriteUser) +}
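Review bot: The comparator in SortImagesIndex orders `index.Manifests` by digest only, and `slices.SortFunc` is not a stable sort, so two descriptors that share a digest but differ in annotations (for example the same image listed under two references) can still come out in an order that depends on the incoming order. Whether such duplicates can occur is not visible from this hunk; if they can, add a tie-breaker as sketched below, where the annotation key is an assumption and should be whichever key the index entries actually carry. Separately, the bare `return err` lines lose the file path; `return fmt.Errorf("reading %s: %w", indexPath, err)` and its equivalents for the other steps would make a failure during package create easier to trace. The function is new and lies entirely inside this hunk.

```go
func SortImagesIndex(ociPath string) error {
	// … unchanged: read and unmarshal index.json …
	slices.SortFunc(index.Manifests, func(a, b ocispec.Descriptor) int {
		if c := strings.Compare(string(a.Digest), string(b.Digest)); c != 0 {
			return c
		}
		// Equal digests: order by reference name so ties do not depend on input order.
		return strings.Compare(a.Annotations[ocispec.AnnotationRefName], b.Annotations[ocispec.AnnotationRefName])
	})
	// … unchanged: marshal and write index.json …
```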