Merge remote-tracking branch 'upstream/main' into feature-improved-ja…

…va-cataloging

.binny.yaml

@@ -2,7 +2,7 @@ tools:
   # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
   - name: binny
     version:
-      want: v0.7.0
+      want: v0.8.0
     method: github-release
     with:
       repo: anchore/binny
@@ -26,7 +26,7 @@ tools:
   # used for linting
   - name: golangci-lint
     version:
-      want: v1.57.2
+      want: v1.59.1
     method: github-release
     with:
       repo: golangci/golangci-lint
@@ -58,7 +58,7 @@ tools:
   # used to release all artifacts
   - name: goreleaser
     version:
-      want: v1.25.1
+      want: v2.0.1
     method: github-release
     with:
       repo: goreleaser/goreleaser
@@ -103,15 +103,15 @@ tools:
   # used for running all local and CI tasks
   - name: task
     version:
-      want: v3.36.0
+      want: v3.37.2
     method: github-release
     with:
       repo: go-task/task
 
   # used for triggering a release
   - name: gh
     version:
-      want: v2.47.0
+      want: v2.52.0
     method: github-release
     with:
       repo: cli/cli

.github/actions/bootstrap/action.yaml

@@ -5,7 +5,7 @@ inputs:
   go-version:
     description: "Go version to install"
     required: true
-    default: "1.21.x"
+    default: "1.22.x"
   go-dependencies:
     description: "Download go dependencies"
     required: true
@@ -27,14 +27,14 @@ runs:
   using: "composite"
   steps:
     # note: go mod and build is automatically cached on default with v4+
-    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       if: inputs.go-version != ''
       with:
         go-version: ${{ inputs.go-version }}
 
     - name: Restore tool cache
       id: tool-cache
-      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: ${{ github.workspace }}/.tool
         key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}

.github/dependabot.yml

@@ -17,3 +17,11 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/boostrap"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"

.github/scripts/labeler.py

@@ -56,6 +56,8 @@ def main(changed_files: str | None = None, merge_base_schema_files: str | None =
 
     pr_json_schema_files = filter_to_schema_files(pr_changed_files)
 
+    pr_labels = get_pr_labels(pr_number)
+
     # print("schema files in pr:   ", summarize_schema_files(pr_json_schema_files))
     # print("og schema files:      ", summarize_schema_files(og_json_schema_files))
 
@@ -76,15 +78,17 @@ def main(changed_files: str | None = None, merge_base_schema_files: str | None =
         add_label(pr_number, JSON_SCHEMA_LABEL)
 
     else:
-        remove_label(pr_number, JSON_SCHEMA_LABEL)
+        if JSON_SCHEMA_LABEL in pr_labels:
+            remove_label(pr_number, JSON_SCHEMA_LABEL)
 
     # new schema files should be scrutinized, comparing the latest and added versions to see if it's a breaking
     # change (major version bump). Warn about it on the PR via adding a breaking-change label...
     if is_breaking_change(new_schema_files, og_json_schema_files[-1]):
         print("\nBreaking change detected...")
         add_label(pr_number, BREAKING_CHANGE_LABEL)
     else:
-        remove_label(pr_number, BREAKING_CHANGE_LABEL)
+        if BREAKING_CHANGE_LABEL in pr_labels:        
+            remove_label(pr_number, BREAKING_CHANGE_LABEL)
 
     # modifying an existing schema could be a breaking change, we should warn about it on the PR via a comment...
     # removing schema files should never be allowed, we should warn about it on the PR via a comment...
@@ -119,7 +123,7 @@ def add_label(pr_number: str, label: str):
     # run "gh pr edit --add-label <label>"
     result = run(f"gh pr edit {pr_number} --add-label {label}", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     if result.returncode != 0:
-        print(f"Unable to add  {label!r} label to PR with")
+        print(f"Unable to add '{label!r}' label to PR, error:")
         print(str(result.stderr))
         sys.exit(1)
 
@@ -128,7 +132,7 @@ def remove_label(pr_number: str, label: str):
     # run "gh pr edit --remove-label <label>"
     result = run(f"gh pr edit {pr_number} --remove-label {label}", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     if result.returncode != 0:
-        print(f"Unable to label PR with {label!r}")
+        print(f"Unable to remove '{label!r}' label from PR, error:")
         print(str(result.stderr))
         sys.exit(1)
 
@@ -165,6 +169,17 @@ def get_pr_changed_files(pr_number: str) -> list[str]:
     return list_of_files
 
 
+def get_pr_labels(pr_number: str) -> list[str]:
+    result = run(f"gh pr view {pr_number} --json labels --jq '.labels[].name'", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
+    if result.returncode != 0:
+        print("Unable to get list of labels on PR")
+        print(str(result.stderr))
+        sys.exit(1)
+
+    list_of_labels = result.stdout.splitlines()
+    return list_of_labels
+
+
 def filter_to_schema_files(list_of_files: list[str]) -> list[str]:
     # get files matching "schema/json/schema-*.json"
     files = []

.github/scripts/update-version-file.sh

@@ -2,8 +2,8 @@
 set -ue
 
 BIN="syft"
-DISTDIR=$1
-VERSION=$2
+VERSION_FILE="VERSION"
+VERSION=$1
 
 # the source of truth as to whether we want to notify users of an update is if the release just created is NOT
 # flagged as a pre-release on github
@@ -12,10 +12,9 @@ if [[ "$(curl -SsL https://api.github.com/repos/anchore/${BIN}/releases/tags/${V
    exit 0
 fi
 
-echo "creating and publishing version file"
+echo "creating and publishing version file (${VERSION})"
 
 # create a version file for version-update checks
-VERSION_FILE="${DISTDIR}/VERSION"
 echo "${VERSION}" | tee "${VERSION_FILE}"
 
 # upload the version file that supports the application version update check

.github/workflows/benchmark-testing.yaml

@@ -17,7 +17,7 @@ jobs:
     # the job by event.
     steps:
       - name: Checkout code
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -39,7 +39,7 @@ jobs:
           OUTPUT="${OUTPUT//$'\r'/'%0D'}" # URL encode all '\r' characters
           echo "result=$OUTPUT" >> $GITHUB_OUTPUT
 
-      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: benchmark-test-results
           path: test/results/**/*

.github/workflows/codeql-analysis.yml

@@ -36,16 +36,16 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 #v4.1.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
     - name: Install Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 #v5.0.1
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@df5a14dc28094dc936e103b37d749c6628682b60 #v3.25.0
+      uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 #v3.25.10
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@df5a14dc28094dc936e103b37d749c6628682b60 #v3.25.0
+      uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 #v3.25.10
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@df5a14dc28094dc936e103b37d749c6628682b60 #v3.25.0
+      uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 #v3.25.10

.github/workflows/detect-schema-changes.yaml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
 
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 #v4.1.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - run: python .github/scripts/labeler.py
         env:

.github/workflows/release-version-file.yaml

@@ -0,0 +1,31 @@
+name: "Release"
+
+on:
+
+  workflow_dispatch:
+    inputs:
+      version:
+        description: release version to update the version file with (prefixed with v)
+        required: true
+
+  workflow_call:
+    inputs:
+      version:
+        type: string
+        description: release version to update the version file with (prefixed with v)
+        required: true
+
+jobs:
+
+  release:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+      - name: Update version file
+        run: make ci-release-version-file
+        env:
+          RELEASE_VERSION: ${{ github.event.inputs.version }}
+          # for updating the VERSION file in S3...
+          AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}

.github/workflows/release.yaml

@@ -15,7 +15,15 @@ jobs:
     environment: release
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 #v4.1.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+      - name: Check if running on main
+        if: github.ref != 'refs/heads/main'
+        # we are using the following flag when running `cosign blob-verify` for checksum signature verification:
+        #   --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
+        # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
+        # at the time of when the OIDC token was issued on the Github Actions runner.
+        run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
 
       - name: Check if tag already exists
         # note: this will fail if the tag already exists
@@ -97,21 +105,21 @@ jobs:
       # required for goreleaser signs section with cosign
       id-token: write
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 #v4.1.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
         with:
           fetch-depth: 0
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
 
       - name: Login to Docker Hub
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20  #v3.1.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446  #v3.2.0
         with:
           username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
           password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20  #v3.1.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446  #v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -139,11 +147,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # for updating brew formula in anchore/homebrew-syft
           GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
-          # for updating the VERSION file in S3...
-          AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
 
-      - uses: anchore/sbom-action@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c #v0.15.10
+      - uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 #v0.16.0
         continue-on-error: true
         with:
           artifact-name: sbom.spdx.json
@@ -157,3 +162,10 @@ jobs:
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
         if: ${{ success() }}
+
+  release-version-file:
+    needs: [release]
+    uses: ./.github/workflows/release-version-file.yaml
+    with:
+      version: ${{ github.event.inputs.version }}
+    secrets: inherit

.github/workflows/update-bootstrap-tools.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 #v4.1.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -50,7 +50,7 @@ jobs:
           app_id: ${{ secrets.TOKEN_APP_ID }}
           private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
 
-      - uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 #v6.0.3
+      - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c #v6.1.0
         with:
           signoff: true
           delete-branch: true