From a6079974dc746ca05115ff3ba323a97a12e63699 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 10 Jan 2025 17:14:34 +0000
Subject: [PATCH 1/3] build(deps): Bump github.com/fluxcd/pkg/runtime from 0.51.1 to 0.52.0

Bumps [github.com/fluxcd/pkg/runtime](https://github.com/fluxcd/pkg) from 0.51.1 to 0.52.0.
- [Commits](https://github.com/fluxcd/pkg/compare/runtime/v0.51.1...runtime/v0.52.0)

---
updated-dependencies:
- dependency-name: github.com/fluxcd/pkg/runtime
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 71881b3cbf..41451c1f5d 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 github.com/fluxcd/kustomize-controller/api v1.4.0
 github.com/fluxcd/notification-controller/api v1.4.0
 github.com/fluxcd/pkg/apis/meta v1.9.0
- github.com/fluxcd/pkg/runtime v0.51.1
+ github.com/fluxcd/pkg/runtime v0.52.0
 github.com/fluxcd/pkg/ssa v0.43.0
 github.com/fluxcd/source-controller/api v1.4.1
 github.com/go-git/go-git/v5 v5.13.1
diff --git a/go.sum b/go.sum
index 391eb2898f..960631b8d8 100644
--- a/go.sum
+++ b/go.sum
@@ -125,8 +125,8 @@ github.com/fluxcd/pkg/apis/kustomize v1.8.0 h1:HH6YRa3SMS72KK4cUyb9m5sK/dZH+Eti1
 github.com/fluxcd/pkg/apis/kustomize v1.8.0/go.mod h1:QCKIFj1ocdndaWSkrLs5JKvdGNYyTzQX1ZB3lYTwma0=
 github.com/fluxcd/pkg/apis/meta v1.9.0 h1:wPgm7bWNJZ/ImS5GqikOxt362IgLPFBG73dZ27uWRiQ=
 github.com/fluxcd/pkg/apis/meta v1.9.0/go.mod h1:pMea8eEZcsFSI7ngRnTHFtDZk2CEZGgtrueNgI6Iu70=
-github.com/fluxcd/pkg/runtime v0.51.1 h1:68C6V/P2l/IwivqzvkgcR6Aa7zKds5ihsvoo0NcLarA=
-github.com/fluxcd/pkg/runtime v0.51.1/go.mod h1:uMJ+s81+TyNGVjcnn+PIXUGGYs9VA3AK8nDmQWXAnis=
+github.com/fluxcd/pkg/runtime v0.52.0 h1:bgYgXURy94MNbHzthJ8SRZJxuZB1X4atj/LLeR6AgDk=
+github.com/fluxcd/pkg/runtime v0.52.0/go.mod h1:66sowtjeLubCmwBTDC+2t41xgjs2eRlNzaWbPWN2nhk=
 github.com/fluxcd/pkg/ssa v0.43.0 h1:XmADD3C0erYZayKfGI0WTsMlW9TtS4bp5gy4Axo1dcA=
 github.com/fluxcd/pkg/ssa v0.43.0/go.mod h1:MjkaOr4/5C8wkwsdVLMmfS64lDZOgJP4VNxmmJL0Iuc=
 github.com/fluxcd/source-controller/api v1.4.1 h1:zV01D7xzHOXWbYXr36lXHWWYS7POARsjLt61Nbh3kVY=

From 3ebd326ffe0a55f2bef336af1d99ea4d4356747f Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Fri, 10 Jan 2025 20:11:15 +0100
Subject: [PATCH 2/3] ci: first cut on signing images with Cosign

---
 .github/workflows/pr.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 51121aa040..28a88a1941 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -74,6 +74,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 packages: write # for docker/build-push-action to push images
+ id-token: write # for Cosign to be able to sign images with GHA token
 strategy:
 matrix:
 docker-image:
@@ -99,6 +100,7 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
+ id: build
 with:
 context: .
 file: ${{ matrix.docker-image }}.dockerfile
@@ -111,6 +113,20 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
+ - name: Install cosign
+ if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+ - name: Keyless signing of image
+ if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
+ run: |
+ echo ${{ steps.build.outputs.digest }}
+ cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${{ steps.digest.outputs.digest }}
+ - name: Verify the image signing
+ if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
+ run: |
+ cosign verify --rekor-url "https://rekor.sigstore.dev/" ${{ steps.digest.outputs.digest }}
+ --certificate-identity "https://github.com/${{ github.workflow_ref }}"
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .
 ci-upload-binary:
 name: Upload Binary - Disabled

From 0e17e1631be22f18804a553de901fc8624f14739 Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Fri, 10 Jan 2025 23:06:36 +0100
Subject: [PATCH 3/3] ci: fix typo in cosign commands

---
 .github/workflows/pr.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 28a88a1941..3ad2b53f4e 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
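Review bot: The `cosign verify` command in the new "Verify the image signing" step is split over three lines with no `\` continuations, so under the default `bash -e` shell `cosign verify <ref>` runs on its own without `--certificate-identity`/`--certificate-oidc-issuer` (which keyless verification requires) and the next two lines are then executed as separate commands; the identity pinning never reaches cosign and the step fails either way. The same layout survives in the [PATCH 3/3] hunk, where the two flag lines are context. A second problem on both the sign and verify lines is the argument itself: as far as I know docker/build-push-action's `digest` output is a bare `sha256:…` value with no registry/repository, while cosign needs a full reference of the form `<image>@sha256:…` — worth confirming against the action's outputs (the `meta` step referenced by `labels:` presumably provides the image name). The `steps.digest` vs `steps.build` mix-up is already fixed by the third patch and is not re-raised; the rewrite below assumes that fix and routes the expression values through `env:` so the shell only ever sees quoted variables.
```yaml
      # … unchanged: Install cosign step …
      - name: Keyless signing of image
        if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
        env:
          # <REGISTRY>/<IMAGE> is a placeholder for the repository the build step pushed to
          IMAGE_REF: "<REGISTRY>/<IMAGE>@${{ steps.build.outputs.digest }}"
        run: |
          cosign sign --yes "${IMAGE_REF}"
      - name: Verify the image signing
        if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
        env:
          IMAGE_REF: "<REGISTRY>/<IMAGE>@${{ steps.build.outputs.digest }}"
          CERT_IDENTITY: "https://github.com/${{ github.workflow_ref }}"
        run: |
          cosign verify "${IMAGE_REF}" \
            --certificate-identity "${CERT_IDENTITY}" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .
```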
@@ -120,11 +120,11 @@ jobs:
 if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
 run: |
 echo ${{ steps.build.outputs.digest }}
- cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${{ steps.digest.outputs.digest }}
+ cosign sign --yes ${{ steps.build.outputs.digest }}
 - name: Verify the image signing
 if: ${{ github.event_name != 'pull_request' && github.repository == 'weaveworks/weave-gitops' }}
 run: |
- cosign verify --rekor-url "https://rekor.sigstore.dev/" ${{ steps.digest.outputs.digest }}
+ cosign verify ${{ steps.build.outputs.digest }}
 --certificate-identity "https://github.com/${{ github.workflow_ref }}"
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .
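Review bot: The new `cosign sign --yes ${{ steps.build.outputs.digest }}` line (and the new `cosign verify` line below it) still interpolates the expression directly into the `run:` script, unquoted; the digest is produced by the build step so the injection risk here is low, but GitHub's hardening guidance is to pass such values through `env:` and reference a quoted shell variable, e.g. `env:` / `  IMAGE_DIGEST: "${{ steps.build.outputs.digest }}"` with `cosign sign --yes "${IMAGE_DIGEST}"`. The `echo ${{ steps.build.outputs.digest }}` context line above it reads as leftover debugging output and can go once the sign command is trusted. Dropping `--rekor-url` should be behaviour-neutral, as cosign's default Rekor endpoint is the public instance the flag named.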