Sync upstream master

.github/ISSUE_TEMPLATE/patch_release.md

@@ -29,7 +29,7 @@ examples of each step, assuming vX.Y.Z is being cut.
   - [ ] `xp/getting-started-with-azure`
   - [ ] `xp/getting-started-with-gcp`
 - [ ] Run the [Promote workflow][promote-workflow] with channel `stable` on the `release-X.Y` branch and verified that the tagged build version exists on the [releases.crossplane.io] `stable` channel at `stable/vX.Y.Z/...`.
-- [ ] Published a [new release] for the tagged version, with the same name as the version and descriptive release notes, taking care of generating the changes list selecting as "Previous tag" `vX.Y.<Z-1>`, so the previous patch release for the same minor.
+- [ ] Published a [new release] for the tagged version, with the same name as the version and descriptive release notes, taking care of generating the changes list selecting as "Previous tag" `vX.Y.<Z-1>`, so the previous patch release for the same minor. Before publishing the release notes, set them as Draft and ask the rest of the team to double check them.
 - [ ] Ensured that users have been notified of the release on all communication channels:
   - [ ] Slack: `#announcements` channel on Crossplane's Slack workspace.
   - [ ] Twitter: reach out to a Crossplane maintainer or steering committee member, see [OWNERS.md][owners].

.github/ISSUE_TEMPLATE/release.md

@@ -22,7 +22,7 @@ this issue for posterity. Refer to this [prior release issue][release-1.11.0] fo
 examples of each step, assuming release vX.Y.0 is being cut.
 
 - [ ] Prepared the release branch `release-X.Y` at the beginning of [Code Freeze]:
-  - [ ] Created the release branch.
+  - [ ] Created the release branch using the [GitHub UI][create-branch].
   - [ ] Created and merged an empty commit to the `master` branch, if required to have it at least one commit ahead of the release branch.
   - [ ] Run the [Tag workflow][tag-workflow] on the `master` branch with the release candidate tag for the next release `vX.Y+1.0-rc.0`.
 - [ ] Opened a [docs release issue].
@@ -34,7 +34,7 @@ examples of each step, assuming release vX.Y.0 is being cut.
   - [ ] `xp/getting-started-with-azure`
   - [ ] `xp/getting-started-with-gcp`
 - [ ] Run the [Promote workflow][promote-workflow] with channel `stable` on the `release-X.Y` branch and verified that the tagged build version exists on the [releases.crossplane.io] `stable` channel at `stable/vX.Y.0/...`.
-- [ ] Published a [new release] for the tagged version, with the same name as the version and descriptive release notes, taking care of generating the changes list selecting as "Previous tag" `vX.<Y-1>.0`, so the first of the releases for the previous minor.
+- [ ] Published a [new release] for the tagged version, with the same name as the version and descriptive release notes, taking care of generating the changes list selecting as "Previous tag" `vX.<Y-1>.0`, so the first of the releases for the previous minor. Before publishing the release notes, set them as Draft and ask the rest of the team to double check them.
 - [ ] Checked that the [docs release issue] created previously has been completed.
 - [ ] Updated, in a single PR, the following on `master`:
   - [ ] The [releases table] in the `README.md`, removing the now old unsupported release and adding the new one.
@@ -49,6 +49,7 @@ examples of each step, assuming release vX.Y.0 is being cut.
 [Code Freeze]: https://docs.crossplane.io/knowledge-base/guides/release-cycle/#code-freeze
 [ci-workflow]: https://github.com/crossplane/crossplane/actions/workflows/ci.yml
 [configurations-workflow]: https://github.com/crossplane/crossplane/actions/workflows/configurations.yml
+[create-branch]: https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-and-deleting-branches-within-your-repository
 [docs release issue]: https://github.com/crossplane/docs/issues/new?assignees=&labels=release&template=new_release.md&title=Release+Crossplane+version...+
 [new release]: https://github.com/crossplane/crossplane/releases/new
 [owners]: https://github.com/crossplane/crossplane/blob/master/OWNERS.md

.github/PULL_REQUEST_TEMPLATE.md

@@ -27,5 +27,6 @@ I have:
 - [ ] Added or updated unit **and** E2E tests for my change.
 - [ ] Run `make reviewable` to ensure this PR is ready for review.
 - [ ] Added `backport release-x.y` labels to auto-backport this PR if necessary.
+- [ ] Opened a PR updating the [docs](https://docs.crossplane.io/contribute/contribute/), if necessary.
 
-[contribution process]: https://git.io/fj2m9
+[contribution process]: https://git.io/fj2m9

.github/renovate.json5

@@ -2,7 +2,8 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:base",
-    "helpers:pinGitHubActionDigests"
+    "helpers:pinGitHubActionDigests",
+    ":semanticCommits"
   ],
 // We only want renovate to rebase PRs when they have conflicts,
 // default "auto" mode is not required.
@@ -11,12 +12,9 @@
   "prConcurrentLimit": 5,
 // The branches renovate should target
 // PLEASE UPDATE THIS WHEN RELEASING.
-  "baseBranches": ["master","release-1.10","release-1.11","release-1.12"],
+  "baseBranches": ["master","release-1.11","release-1.12","release-1.13"],
   "ignorePaths": ["design/**"],
   "postUpdateOptions": ["gomodTidy"],
-// By default renovate will auto detect whether semantic commits have been used
-// in the recent history and comply with that, we explicitly disable it
-  "semanticCommits": "disabled",
 // All PRs should have a label
   "labels": ["automated"],
   "regexManagers": [

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.20.5'
+  GO_VERSION: '1.20.7'
   GOLANGCI_VERSION: 'v1.53.3'
   DOCKER_BUILDX_VERSION: 'v0.10.0'
 
@@ -136,7 +136,7 @@ jobs:
 
       - name: Find the Go Build Cache
         id: go
-        run: echo "::set-output name=cache::$(make go.cachedir)"
+        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT
 
       - name: Cache the Go Build Cache
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
@@ -156,12 +156,12 @@ jobs:
         run: make vendor vendor.check
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2
+        uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2
         with:
           languages: go
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2
+        uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2
 
   trivy-scan-fs:
     runs-on: ubuntu-22.04
@@ -204,7 +204,7 @@ jobs:
 
       - name: Find the Go Build Cache
         id: go
-        run: echo "::set-output name=cache::$(make go.cachedir)"
+        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT
 
       - name: Cache the Go Build Cache
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
@@ -238,7 +238,7 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
     strategy:
       matrix:
-        area: [lifecycle, pkg, apiextensions]
+        area: [lifecycle, pkg, apiextensions, xfn]
 
     steps:
       - name: Setup QEMU
@@ -247,7 +247,7 @@ jobs:
           platforms: all
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2
         with:
           version: ${{ env.DOCKER_BUILDX_VERSION }}
           install: true
@@ -267,7 +267,7 @@ jobs:
 
       - name: Find the Go Build Cache
         id: go
-        run: echo "::set-output name=cache::$(make go.cachedir)"
+        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT
 
       - name: Cache the Go Build Cache
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
@@ -303,13 +303,23 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
 
     steps:
+      - name: Cleanup Disk
+        uses: jlumbroso/free-disk-space@main
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          tool-cache: true
+          large-packages: false
+          swap-storage: false
+
       - name: Setup QEMU
         uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2
         with:
           platforms: all
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2
         with:
           version: ${{ env.DOCKER_BUILDX_VERSION }}
           install: true
@@ -329,7 +339,7 @@ jobs:
 
       - name: Find the Go Build Cache
         id: go
-        run: echo "::set-output name=cache::$(make go.cachedir)"
+        run: echo "cache=$(make go.cachedir)" >> $GITHUB_OUTPUT
 
       - name: Cache the Go Build Cache
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3

.github/workflows/promote.yml

@@ -13,7 +13,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.20.5'
+  GO_VERSION: '1.20.7'
 
   # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
   # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether

.github/workflows/scan.yaml

@@ -131,7 +131,7 @@ jobs:
           retention-days: 3
 
       - name: Upload Trivy Scan Results To GitHub Security Tab
-        uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2
+        uses: github/codeql-action/upload-sarif@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2
         with:
           sarif_file: 'trivy-results.sarif'
           category: ${{ matrix.image }}:${{ env.tag }}

ADOPTERS.md

@@ -51,3 +51,5 @@ This list is sorted in the order that organizations were added to it.
 | [PITS Global Data Recovery Services](https://www.pitsdatarecovery.net/) | @pheianox | Declarative configuration and integration with CI/CD pipelines |
 | [NASA Science Cloud](https://smce.nasa.gov/) | [[email protected]](mailto:[email protected]) ([@rezuma](https://github.com/rezuma)) | [NASA Science Cloud](https://smce.nasa.gov) has created compositions to deploy the Open Science Studio, a jupyterhub based platform that connects to HPC in the cloud and foster NASA Open Science Initiative. Navteca ([@navteca](https://github.com/Navteca)) has been helping NASA with this initiative |
 | [Navteca](https://navteca.com/) | [[email protected]](mailto:[email protected]) ([@navteca](https://github.com/Navteca)) | [Navteca](https://www.navteca.com) is adopting Crossplane to deploy [Voice Atlas](https://www.voiceatlas.com) a cloud based product that let customer connect corporate knowledge with any Large Language Model and offered to be consumed by users through any channel (slack, MS Teams, Website, etc) |
+| [SAP](https://sap.com/) | [[email protected]](mailto:[email protected])| [SAP](https://sap.com) uses Crossplane as part of a solution that gives teams owning micro-services the ability to provision hyper-scaler hosted backing services such as Redis on demand. |
+| [Airnity](https://airnity.com/) | [[email protected]](mailto:[email protected]) | [Airnity](https://airnity.com/) uses Crossplane to deploy a worldwide cellular connectivity platform for the automotive industry. |

Makefile

@@ -40,7 +40,7 @@ GOLANGCILINT_VERSION = 1.53.3
 # Setup Kubernetes tools
 
 USE_HELM3 = true
-HELM3_VERSION = v3.12.1
+HELM3_VERSION = v3.12.2
 KIND_VERSION = v0.20.0
 -include build/makelib/k8s_tools.mk
 
@@ -104,10 +104,20 @@ cobertura:
 		grep -v zz_generated.deepcopy | \
 		$(GOCOVER_COBERTURA) > $(GO_TEST_OUTPUT)/cobertura-coverage.xml
 
-e2e-tag-images:
+# TODO(pedjak):
+# https://github.com/crossplane/crossplane/issues/4294
+e2e.test.images:
+	@$(INFO) Building E2E test images
+	@docker build --load -t $(BUILD_REGISTRY)/fn-labelizer-$(TARGETARCH) test/e2e/testdata/images/labelizer
+	@docker build --load -t $(BUILD_REGISTRY)/fn-tmp-writer-$(TARGETARCH) test/e2e/testdata/images/tmp-writer
+	@$(OK) Built E2E test images
+
+e2e-tag-images: e2e.test.images
 	@$(INFO) Tagging E2E test images
 	@docker tag $(BUILD_REGISTRY)/$(PROJECT_NAME)-$(TARGETARCH) crossplane-e2e/$(PROJECT_NAME):latest || $(FAIL)
 	@docker tag $(BUILD_REGISTRY)/xfn-$(TARGETARCH) crossplane-e2e/xfn:latest || $(FAIL)
+	@docker tag $(BUILD_REGISTRY)/fn-labelizer-$(TARGETARCH) crossplane-e2e/fn-labelizer:latest || $(FAIL)
+	@docker tag $(BUILD_REGISTRY)/fn-tmp-writer-$(TARGETARCH) crossplane-e2e/fn-tmp-writer:latest || $(FAIL)
 	@$(OK) Tagged E2E test images
 
 # NOTE(negz): There's already a go.test.integration target, but it's weird.
@@ -118,7 +128,7 @@ E2E_TEST_FLAGS ?=
 # https://github.com/kubernetes-sigs/e2e-framework/issues/282
 E2E_PATH = $(WORK_DIR)/e2e
 
-e2e-run-tests: $(KIND) $(HELM3)
+e2e-run-tests:
 	@$(INFO) Run E2E tests
 	@mkdir -p $(E2E_PATH)
 	@ln -sf $(KIND) $(E2E_PATH)/kind
@@ -128,7 +138,7 @@ e2e-run-tests: $(KIND) $(HELM3)
 
 e2e.init: build e2e-tag-images
 
-e2e.run: e2e-run-tests
+e2e.run: $(KIND) $(HELM3) e2e-run-tests
 
 # Update the submodules, such as the common build scripts.
 submodules:
@@ -160,7 +170,7 @@ run: go.build
 	@# To see other arguments that can be provided, run the command with --help instead
 	$(GO_OUT_DIR)/$(PROJECT_NAME) core start --debug
 
-.PHONY: manifests cobertura submodules fallthrough test-integration run install-crds uninstall-crds gen-kustomize-crds e2e-tests-compile
+.PHONY: manifests cobertura submodules fallthrough test-integration run install-crds uninstall-crds gen-kustomize-crds e2e-tests-compile e2e.test.images
 
 # ====================================================================================
 # Special Targets

OWNERS.md

@@ -26,23 +26,24 @@ See [CODEOWNERS](CODEOWNERS) for automatic PR assignment.
 ## Maintainers
 
 * Nic Cope <[email protected]> ([negz](https://github.com/negz))
-* Daniel Mangum <[email protected]> ([hasheddan](https://github.com/hasheddan))
 * Muvaffak Onus <[email protected]> ([muvaf](https://github.com/muvaf))
 * Hasan Turken <[email protected]> ([turkenh](https://github.com/turkenh))
 * Bob Haddleton <[email protected]> ([bobh66](https://github.com/bobh66))
+* Philippe Scorsolini <[email protected]> ([phisco](https://github.com/phisco))
 
 ## Reviewers
 
 * Yury Tsarev <[email protected]> ([ytsarev](https://github.com/ytsarev))
 * Daren Iott <[email protected]> ([nullable-eth](https://github.com/nullable-eth))
 * Ezgi Demirel <[email protected]> ([ezgidemirel](https://github.com/ezgidemirel))
 * Max Blatt ([MisterMX](https://github.com/MisterMX))
-* Philippe Scorsolini <[email protected]> ([phisco](https://github.com/phisco))
 * Jared Watts <[email protected]> ([jbw976](https://github.com/jbw976))
 * Lovro Sviben <[email protected]> ([lsviben](https://github.com/lsviben))
+* Predrag Knezevic <[email protected]> ([pedjak](https://github.com/pedjak))
 
 ## Emeritus maintainers
 
 * Bassam Tabbara <[email protected]> ([bassam](https://github.com/bassam))
 * Jared Watts <[email protected]> ([jbw976](https://github.com/jbw976))
 * Illya Chekrygin <[email protected]> ([ichekrygin](https://github.com/ichekrygin))
+* Daniel Mangum <[email protected]> ([hasheddan](https://github.com/hasheddan))

SECURITY.md

@@ -11,6 +11,9 @@ The following security related audits have been performed in the Crossplane
 project and are available for download from the [security folder](./security)
 and from the direct links below:
 
+* A security audit was completed in July 2023 by [Ada
+  Logics](https://adalogics.com/). The full report is available
+  [here](./security/ADA-security-audit-23.pdf).
 * A fuzzing security audit was completed in March 2023 by [Ada
   Logics](https://adalogics.com/). The full report is available
   [here](./security/ADA-fuzzing-audit-22.pdf).