fix: enforce host checking before exchanging a refresh token (#2069) (#2081)

Signed-off-by: Binbin Li <[email protected]>

Author: binbin-li

.github/crd.trivyignore.yaml

@@ -0,0 +1,3 @@
+vulnerabilities:
+  - id: CVE-2024-45338
+    statement: kubectl is not vulnerable to this and is reason for being flagged

.github/dependabot.yml

@@ -33,7 +33,7 @@ updates:
       interval: "weekly"
     ignore:
       - dependency-name: "golang"
-        versions: '> 1.22'
+        versions: '> 1.23'
     commit-message:
       prefix: "chore"
 
@@ -43,6 +43,6 @@ updates:
       interval: "weekly"
     ignore:
       - dependency-name: "vscode/devcontainers/go"
-        versions: '> 1.22'
+        versions: '> 1.23'
     commit-message:
       prefix: "chore"

.github/workflows/build-pr.yml

@@ -24,7 +24,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.29.2"]
+        KUBERNETES_VERSION: ["1.30.6"]
         GATEKEEPER_VERSION: ["3.17.0"]
     uses: ./.github/workflows/e2e-k8s.yml
     with:
@@ -37,7 +37,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
+        KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
         GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
     uses: ./.github/workflows/e2e-k8s.yml
     with:
@@ -53,7 +53,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
+        KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
         GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
     uses: ./.github/workflows/e2e-aks.yml
     with:
@@ -76,10 +76,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.22
+      - name: Set up Go 1.23
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1

.github/workflows/codeql.yml

@@ -35,7 +35,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - name: Initialize CodeQL
         uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # tag=v3.26.6
         with:

.github/workflows/e2e-aks.yml

@@ -9,7 +9,7 @@ on:
       k8s_version:
         description: "Kubernetes version"
         required: true
-        default: "1.29.2"
+        default: "1.30.6"
         type: string
       gatekeeper_version:
         description: "Gatekeeper version"
@@ -34,10 +34,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.22
+      - name: Set up Go 1.23
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
         with:

.github/workflows/e2e-cli.yml

@@ -43,7 +43,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
@@ -72,7 +72,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI

.github/workflows/e2e-k8s.yml

@@ -9,7 +9,7 @@ on:
       k8s_version:
         description: "Kubernetes version"
         required: true
-        default: "1.29.2"
+        default: "1.30.6"
         type: string
       gatekeeper_version:
         description: "Gatekeeper version"
@@ -32,10 +32,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.22
+      - name: Set up Go 1.23
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Bootstrap e2e
         run: |

.github/workflows/golangci-lint.yml

@@ -21,10 +21,10 @@ jobs:
 
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: golangci-lint
         uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
         with:
-          version: v1.59.1
-          args: --timeout=10m
+          version: v1.62.2
+          args: --timeout=20m

.github/workflows/high-availability.yml

@@ -36,10 +36,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.22
+      - name: Set up Go 1.23
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Bootstrap e2e
         run: |

.github/workflows/publish-dev-assets.yml

@@ -69,7 +69,7 @@ jobs:
           docker buildx build \
             --attest type=sbom \
             --attest type=provenance,mode=max \
-            --build-arg KUBE_VERSION="1.29.2" \
+            --build-arg KUBE_VERSION="1.30.6" \
             -f crd.Dockerfile \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --label org.opencontainers.image.revision=${{ github.sha }} \

.github/workflows/publish-package.yml

@@ -51,7 +51,7 @@ jobs:
           docker buildx build \
             --attest type=sbom \
             --attest type=provenance,mode=max \
-            --build-arg KUBE_VERSION="1.29.2" \
+            --build-arg KUBE_VERSION="1.30.6" \
             -f crd.Dockerfile \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --label org.opencontainers.image.revision=${{ github.sha }} \

.github/workflows/quick-start.yml

@@ -27,7 +27,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        KUBERNETES_VERSION: ["1.29.2"]
+        KUBERNETES_VERSION: ["1.30.6"]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -39,7 +39,7 @@ jobs:
       - name: setup go environment
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - name: Run tidy
         run: go mod tidy
       - name: Bootstrap e2e

.github/workflows/release.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Goreleaser
         id: goreleaser

.github/workflows/run-full-validation.yml

@@ -26,7 +26,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
+        KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
         GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
     uses: ./.github/workflows/e2e-k8s.yml
     with:
@@ -41,7 +41,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
+        KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
         GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
     uses: ./.github/workflows/e2e-aks.yml
     with:
@@ -64,10 +64,10 @@ jobs:
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Go 1.22
+      - name: Set up Go 1.23
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1

.github/workflows/scan-vulns.yaml

@@ -37,6 +37,8 @@ jobs:
     name: "[Trivy] Scan for vulnerabilities"
     runs-on: ubuntu-22.04
     timeout-minutes: 15
+    env:
+      TRIVY_VERSION: 0.58.2
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -52,8 +54,6 @@ jobs:
           wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
           tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
           echo "$(pwd)" >> $GITHUB_PATH
-        env:
-          TRIVY_VERSION: "0.46.0"
 
       - name: Run trivy on git repository
         run: |
@@ -70,6 +70,5 @@ jobs:
           done
       - name: Run trivy on images and exit on HIGH severity
         run: |
-          for img in "localbuild:test" "localbuildcrd:test"; do
-              trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}"
-          done
+          trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "localbuild:test"
+          trivy image --skip-db-update --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" --show-suppressed --ignorefile ./.github/crd.trivyignore.yaml "localbuildcrd:test"

CONTRIBUTING.md

@@ -186,7 +186,7 @@ export REGISTRY=yourregistry
 docker buildx create --use
 
 docker buildx build -f httpserver/Dockerfile --platform linux/amd64 --build-arg build_sbom=true --build-arg build_licensechecker=true --build-arg build_schemavalidator=true --build-arg build_vulnerabilityreport=true -t ${REGISTRY}/ratify-project/ratify:yourtag .
-docker build --progress=plain --build-arg KUBE_VERSION="1.29.2" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds
+docker build --progress=plain --build-arg KUBE_VERSION="1.30.6" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds
 ```
 
 #### [Authenticate](https://docs.docker.com/engine/reference/commandline/login/#usage) with your registry,  and push the newly built image

Makefile

@@ -25,9 +25,9 @@ LDFLAGS += -X $(GO_PKG)/internal/version.GitCommitHash=$(GIT_COMMIT_HASH)
 LDFLAGS += -X $(GO_PKG)/internal/version.GitTreeState=$(GIT_TREE_STATE)
 LDFLAGS += -X $(GO_PKG)/internal/version.GitTag=$(GIT_TAG)
 
-KIND_VERSION ?= 0.22.0
-KUBERNETES_VERSION ?= 1.29.2
-KIND_KUBERNETES_VERSION ?= 1.29.2
+KIND_VERSION ?= 0.25.0
+KUBERNETES_VERSION ?= 1.30.6
+KIND_KUBERNETES_VERSION ?= 1.30.6
 GATEKEEPER_VERSION ?= 3.17.0
 DAPR_VERSION ?= 1.12.5
 COSIGN_VERSION ?= 2.2.3
@@ -202,7 +202,7 @@ e2e-dependencies:
 	# Download and install kind
 	curl -L https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-linux-amd64 --output ${GITHUB_WORKSPACE}/bin/kind && chmod +x ${GITHUB_WORKSPACE}/bin/kind
 	# Download and install kubectl
-	curl -L https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl --output ${GITHUB_WORKSPACE}/bin/kubectl && chmod +x ${GITHUB_WORKSPACE}/bin/kubectl
+	curl -L https://dl.k8s.io/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl --output ${GITHUB_WORKSPACE}/bin/kubectl && chmod +x ${GITHUB_WORKSPACE}/bin/kubectl
 	# Download and install bats
 	curl -sSLO https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz && tar -zxvf v${BATS_VERSION}.tar.gz && bash bats-core-${BATS_VERSION}/install.sh ${GITHUB_WORKSPACE}
 	# Download and install jq
@@ -270,6 +270,7 @@ e2e-helmfile-install:
 	cd .staging/helmfilebin && tar -xvf helmfilebin.tar.gz
 
 e2e-docker-credential-store-setup:
+	sudo apt-get install pass
 	rm -rf .staging/pass
 	mkdir -p .staging/pass
 	cd .staging/pass && git clone https://github.com/docker/docker-credential-helpers.git