Merge pull request #7 from coder/merge

Update Kaniko

Author: johnstcn

.github/workflows/images.yaml

@@ -31,6 +31,8 @@ jobs:
         - warmer
 
         include:
+
+        
         - image: executor
           target: kaniko-executor
           platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
@@ -64,13 +66,13 @@ jobs:
 
     # Setup auth if not a PR.
     - if: github.event_name != 'pull_request'
-      uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
+      uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
       with:
         credentials_json: '${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}'
         export_environment_variables: true
         create_credentials_file: true
     - if: github.event_name != 'pull_request'
-      uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
     - if: github.event_name != 'pull_request'
       run: gcloud auth configure-docker
 
@@ -85,11 +87,11 @@ jobs:
           echo "platforms=${platforms}" >> $GITHUB_OUTPUT
         fi
     # Build and push with Docker.
-    - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+    - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       with:
         platforms: ${{ matrix.platforms }}
-    - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v1
-    - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+    - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v1
+    - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
       id: build-and-push
       with:
         context: .
@@ -105,7 +107,7 @@ jobs:
 
     # Sign images if not a PR.
     - if: github.event_name != 'pull_request'
-      uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
     - if: github.event_name != 'pull_request'
       run: |
         cosign sign --yes \

.github/workflows/integration-tests.yaml

@@ -15,6 +15,7 @@ jobs:
     env:
       IMAGE_REPO: 'localhost:5000'
       REGISTRY: 'localhost:5000'
+      DOCKER_BUILDKIT: '0'
     strategy:
       fail-fast: false
       matrix:
@@ -25,11 +26,17 @@ jobs:
         - k8s-executor-build-push integration-test-k8s
 
     steps:
-    - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+    - name: Maximize build space
+      uses: AdityaGarg8/remove-unwanted-software@v3
       with:
-        go-version: '1.20'
+        remove-android: 'true'
+        remove-dotnet: 'true'
+        remove-haskell: 'true'
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      with:
+        go-version: '1.22'
     - uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3
-    - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v1
+    - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v1
 
     - run: make install-container-diff k3s-setup
     - run: make ${{ matrix.make-target }}

.github/workflows/nightly-vulnerability-scan.yml

@@ -0,0 +1,40 @@
+name: Nightly Vulnerability Scan
+
+on:
+  schedule:
+    # Schedule to run every night at midnight
+    - cron: '0 0 * * *'
+
+jobs:
+  vulnerability-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Set up Grype
+        run: |
+          # Install Grype
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Get latest commit SHA of Kaniko project
+        id: get-commit
+        run: |
+          LATEST_COMMIT_SHA=$(git rev-parse HEAD)
+          echo "Latest commit SHA: $LATEST_COMMIT_SHA"
+          echo "::set-output name=sha::$LATEST_COMMIT_SHA"
+
+      - name: Scan the latest CI/CD image
+        run: |
+          IMAGE_ID="gcr.io/kaniko-project/executor:${{ steps.get-commit.outputs.sha }}"
+          echo "Scanning image $IMAGE_ID"
+          grype $IMAGE_ID > grype-output.txt
+
+      - name: Check for vulnerabilities and create an issue
+        run: |
+          if grep -q 'No vulnerabilities found' grype-output.txt; then
+            echo "No vulnerabilities found."
+          else
+            gh issue create --title "Vulnerabilities Found in Nightly Scan" --body "Vulnerabilities found in the latest image scan. Please check the attached report." --file grype-output.txt
+          fi

.github/workflows/unit-tests.yaml

@@ -13,9 +13,8 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.01
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4.01
       with:
-        go-version: '1.20'
+        go-version: '1.22'
     - uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3
-
     - run: make test