merge conflicts

.github/workflows/ci.yaml

@@ -5,7 +5,9 @@ on:
       - "master"
       - "release-*"
   pull_request:
-    branches: [ master ]
+    branches:
+      - "master"
+      - "release-*"
 
 permissions:
   contents: read

.github/workflows/default-branch-check.yaml

@@ -0,0 +1,18 @@
+name: PR check
+
+on:
+  pull_request:
+    branches:
+      - "release-*"
+
+jobs:
+  test-default-branch:
+    name: base branch is a default branch
+    runs-on: ubuntu-latest
+    steps:
+    - name: fail if base branch is not default branch
+      if: ${{ github.event.pull_request.base.ref != github.event.repository.default_branch }}
+      uses: actions/github-script@v3
+      with:
+        script: |
+            core.setFailed("Base branch of the PR - ${{ github.event.pull_request.base.ref }} is not a default branch. Please reopen your PR to ${{ github.event.repository.default_branch }}")

.github/workflows/release.yml

@@ -5,8 +5,8 @@ on:
     tags:
       - 'v*'
     branches:
-      - master
-      - dev-*
+      - "master"
+      - "release-*"
 
 defaults:
   run:
@@ -18,7 +18,6 @@ permissions:
 jobs:
   build-binaries:
     runs-on: ubuntu-20.04
-    if: github.repository == 'argoproj/argo-events'
     name: Build binaries
     steps:
       - name: Checkout
@@ -45,10 +44,11 @@ jobs:
     name: Build & push linux/amd64 and linux/arm64
     needs: [ build-binaries ]
     runs-on: ubuntu-20.04
-    if: github.repository == 'argoproj/argo-events'
     strategy:
       matrix:
         target: [ argo-events ]
+    outputs:
+      VERSION: ${{ steps.version.outputs.VERSION }}
     steps:
       - uses: actions/checkout@v4
 
@@ -78,30 +78,36 @@ jobs:
           echo "VERSION=$tag" >> $GITHUB_OUTPUT
 
       - name: Container build and push with arm64/amd64
+        env:
+          IMAGE_NAMESPACE: quay.io/${{ secrets.QUAYIO_ORG }}
         run: |
-          IMAGE_NAMESPACE=${{ secrets.QUAYIO_ORG }} VERSION=${{ steps.version.outputs.VERSION }} DOCKER_PUSH=true make image-multi
+          VERSION=${{ steps.version.outputs.VERSION }} DOCKER_PUSH=true make image-multi
 
   bom:
     runs-on: ubuntu-latest
-    if: github.repository == 'argoproj/argo-events'
     needs: [ build-push-linux-multi ]
     steps:
       # https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
-      - run: |
+      - id: version
+        run: |
           if [ ${GITHUB_REF##*/} = master ]; then
            echo "VERSION=latest" >> $GITHUB_ENV
           else
-            echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV
+            echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_OUTPUT
           fi
       - uses: actions/setup-go@v5
         with:
           go-version: "1.21"
       - uses: actions/checkout@v4
-      - run: go install sigs.k8s.io/bom/cmd/bom@v0.2.0
+      - run: go install sigs.k8s.io/bom/cmd/bom@v0.5.1
       - run: go install github.com/spdx/spdx-sbom-generator/cmd/[email protected]
       - run: mkdir -p dist
-      - run: generator -o /tmp -p .
-      - run: bom generate --image quay.io/argoproj/argo-events:$VERSION -o /tmp/argo-events.spdx
+      - run: generator -o dist -p .
+      # do not scan images, this is only supported for debian-based images. See: https://github.com/kubernetes-sigs/bom#usage
+      - env:
+          VERSION: ${{ steps.version.outputs.VERSION }}
+        run:
+          bom generate --scan-images=false --image quay.io/${{ secrets.QUAYIO_ORG }}/argo-events:$VERSION -o /tmp/argo-events.spdx
       # pack the boms into one file to make it easy to download
       - run: cd /tmp && tar -zcf sbom.tar.gz *.spdx
       - uses: actions/upload-artifact@v3
@@ -110,11 +116,11 @@ jobs:
           path: /tmp/sbom.tar.gz
 
   release:
-    permissions:
-      contents: write  # for softprops/action-gh-release to create GitHub release
     runs-on: ubuntu-latest
-    if: github.repository == 'argoproj/argo-events'
     needs: [ build-push-linux-multi, bom ]
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
+      id-token: write # Needed to create an OIDC token for keyless signing
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -148,25 +154,25 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
         with:
-          cosign-release: 'v1.13.1'
+          cosign-release: 'v2.1.1'
 
       - name: Install crane to get digest of image
         uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 # v0.2
 
       - name: Get digests of container images
+        id: get-digest
+        env:
+          VERSION: ${{ needs.build-push-linux-multi.outputs.VERSION }}
         run: |
-          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argo-events:$VERSION)" >> $GITHUB_ENV
+          echo "digest=$(crane digest quay.io/${{ secrets.QUAYIO_ORG }}/argo-events:$VERSION)" >> $GITHUB_OUTPUT
 
-      - name: Sign Argo Events container images and assets
-        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-events@${{ env.IMAGE_DIGEST }}
-          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-events-checksums.txt > ./dist/argo-events-checksums.sig
-          cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
-          # Retrieves the public key to release as an asset
-          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-events-cosign.pub
+      - name: Sign Argo Events container image and assets
         env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          IMAGE_DIGEST: ${{ steps.get-digest.outputs.digest }}
+        run: |
+          cosign sign -y quay.io/${{ secrets.QUAYIO_ORG }}/argo-events@$IMAGE_DIGEST
+          cosign sign-blob -y ./dist/argo-events-checksums.txt > ./dist/argo-events-checksums.sig
+          cosign sign-blob -y /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
 
       - name: Release binaries
         uses: softprops/action-gh-release@v2
@@ -176,7 +182,6 @@ jobs:
             dist/*.gz
             dist/argo-events-checksums.txt
             dist/argo-events-checksums.sig
-            dist/argo-events-cosign.pub
             manifests/*.yaml
             /tmp/sbom.tar.gz
             /tmp/sbom.tar.gz.sig

.gitignore

@@ -15,3 +15,8 @@ debug.test
 site/
 /go-diagrams/
 argo-events
+# telepresence
+.env
+telepresence.log
+# codefresh
+update_argo_events_manifests.sh

Makefile

@@ -15,9 +15,9 @@ EXECUTABLES = curl docker gzip go
 
 #  docker image publishing options
 DOCKER_PUSH?=false
-IMAGE_NAMESPACE?=quay.io/argoproj
-VERSION?=v1.9.2
-BASE_VERSION:=v1.9.2
+IMAGE_NAMESPACE?=quay.io/codefresh
+VERSION?=v1.9.0-cap-CR-22221
+BASE_VERSION:=v1.9.0-cap-CR-22221
 
 override LDFLAGS += \
   -X ${PACKAGE}.version=${VERSION} \
@@ -151,7 +151,7 @@ docs/assets/diagram.png: go-diagrams/diagram.dot
 .PHONY: start
 start: image
 	kubectl apply -f test/manifests/argo-events-ns.yaml
-	kubectl kustomize test/manifests | sed '[email protected]/argoproj/@$(IMAGE_NAMESPACE)/@' | sed 's/argo-events:$(BASE_VERSION)/argo-events:$(VERSION)/' | kubectl -n argo-events apply -l app.kubernetes.io/part-of=argo-events --prune=false --force -f -
+	kubectl kustomize test/manifests | sed '[email protected]/codefresh/@$(IMAGE_NAMESPACE)/@' | sed 's/:$(BASE_VERSION)/:$(VERSION)/' | kubectl -n argo-events apply -l app.kubernetes.io/part-of=argo-events --prune=false --force -f -
 	kubectl -n argo-events wait --for=condition=Ready --timeout 60s pod --all
 
 $(GOPATH)/bin/golangci-lint:
@@ -187,7 +187,7 @@ check-version-warning:
 
 .PHONY: update-manifests-version
 update-manifests-version:
-	cat manifests/base/kustomization.yaml | sed 's/newTag: .*/newTag: $(VERSION)/' | sed 's@value: quay.io/argoproj/argo-events:.*@value: quay.io/argoproj/argo-events:$(VERSION)@' > /tmp/base_kustomization.yaml
+	cat manifests/base/kustomization.yaml | sed 's/newTag: .*/newTag: $(VERSION)/' | sed 's@value: quay.io/codefresh/argo-events:.*@value: quay.io/codefresh/argo-events:$(VERSION)@' > /tmp/base_kustomization.yaml
 	mv /tmp/base_kustomization.yaml manifests/base/kustomization.yaml
 	cat manifests/extensions/validating-webhook/kustomization.yaml | sed 's/newTag: .*/newTag: $(VERSION)/' > /tmp/wh_kustomization.yaml
 	mv /tmp/wh_kustomization.yaml manifests/extensions/validating-webhook/kustomization.yaml