Merge branch 'main' into dependabot/npm_and_yarn/jsdom-26.0.0

.github/workflows/pr.yaml

@@ -74,6 +74,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       packages: write # for docker/build-push-action to push images
+      id-token: write # for Cosign to be able to sign images with GHA token
     strategy:
       matrix:
         docker-image:
@@ -99,6 +100,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
+        id: build
         with:
           context: .
           file: ${{ matrix.docker-image }}.dockerfile
@@ -111,6 +113,20 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+      - name: Install cosign
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - name: Keyless signing of image
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
+        run: |
+          echo ${{ steps.build.outputs.digest }}
+          cosign sign --yes ${{ steps.build.outputs.digest }}
+      - name: Verify the image signing
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
+        run: |
+          cosign verify ${{ steps.build.outputs.digest }}
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}"
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .
 
   ci-upload-binary:
     name: Upload Binary - Disabled

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/fluxcd/kustomize-controller/api v1.4.0
 	github.com/fluxcd/notification-controller/api v1.4.0
 	github.com/fluxcd/pkg/apis/meta v1.9.0
-	github.com/fluxcd/pkg/runtime v0.51.1
+	github.com/fluxcd/pkg/runtime v0.52.0
 	github.com/fluxcd/pkg/ssa v0.43.0
 	github.com/fluxcd/source-controller/api v1.4.1
 	github.com/go-git/go-git/v5 v5.13.1

go.sum

@@ -125,8 +125,8 @@ github.com/fluxcd/pkg/apis/kustomize v1.8.0 h1:HH6YRa3SMS72KK4cUyb9m5sK/dZH+Eti1
 github.com/fluxcd/pkg/apis/kustomize v1.8.0/go.mod h1:QCKIFj1ocdndaWSkrLs5JKvdGNYyTzQX1ZB3lYTwma0=
 github.com/fluxcd/pkg/apis/meta v1.9.0 h1:wPgm7bWNJZ/ImS5GqikOxt362IgLPFBG73dZ27uWRiQ=
 github.com/fluxcd/pkg/apis/meta v1.9.0/go.mod h1:pMea8eEZcsFSI7ngRnTHFtDZk2CEZGgtrueNgI6Iu70=
-github.com/fluxcd/pkg/runtime v0.51.1 h1:68C6V/P2l/IwivqzvkgcR6Aa7zKds5ihsvoo0NcLarA=
-github.com/fluxcd/pkg/runtime v0.51.1/go.mod h1:uMJ+s81+TyNGVjcnn+PIXUGGYs9VA3AK8nDmQWXAnis=
+github.com/fluxcd/pkg/runtime v0.52.0 h1:bgYgXURy94MNbHzthJ8SRZJxuZB1X4atj/LLeR6AgDk=
+github.com/fluxcd/pkg/runtime v0.52.0/go.mod h1:66sowtjeLubCmwBTDC+2t41xgjs2eRlNzaWbPWN2nhk=
 github.com/fluxcd/pkg/ssa v0.43.0 h1:XmADD3C0erYZayKfGI0WTsMlW9TtS4bp5gy4Axo1dcA=
 github.com/fluxcd/pkg/ssa v0.43.0/go.mod h1:MjkaOr4/5C8wkwsdVLMmfS64lDZOgJP4VNxmmJL0Iuc=
 github.com/fluxcd/source-controller/api v1.4.1 h1:zV01D7xzHOXWbYXr36lXHWWYS7POARsjLt61Nbh3kVY=