Merge branch 'main' into stepacton-enumparam-example

Author: waveywaves

.github/workflows/ci.yaml

@@ -43,9 +43,10 @@ jobs:
         fi
         echo "$gofmt_out"
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae  # v6.2.0
+      uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837  # v6.5.0
       with:
-        version: v1.62.2
+        version: v1.64.6
+        only-new-issues: true
         args: --timeout=10m
     - name: yamllint
       run: |

.github/workflows/codeql-analysis.yml

@@ -62,15 +62,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    - uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+    - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
       with:
         path: |
           ~/.cache/go-build
@@ -96,4 +96,4 @@ jobs:
         make -j 4 all
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11

.github/workflows/scorecard.yml

@@ -38,7 +38,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -61,6 +61,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           sarif_file: results.sarif

.github/workflows/woke.yml

@@ -19,7 +19,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6
+        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8 # v45.0.7
         with:
           write_output_files: true
           files: |

.pre-commit-config.yaml

@@ -18,6 +18,11 @@ repos:
     exclude: "(.*_test.go|^examples\/v1\/pipelineruns\/beta\/isolated-workspaces.yaml$)"
 - repo: local
   hooks:
+  - id: lint-yaml
+    name: "Lint YAML files"
+    entry: bash -c 'yamllint -c .yamllint $(find . -path ./vendor -prune -o -type f -regex ".*y[a]ml" -print)'
+    language: system
+    types: [yaml]
   - id: lint-go
     name: "Run make golangci-lint"
     entry: make

Makefile

@@ -10,7 +10,7 @@ BIN      = $(CURDIR)/.bin
 WOKE 	?= go run -modfile go.mod github.com/get-woke/woke
 
 # Get golangci_version from tools/go.mod
-GOLANGCI_VERSION := $(shell cat tools/go.mod | grep golangci-lint | awk '{ print $$3 }')
+GOLANGCI_VERSION := $(shell yq '.jobs.linting.steps[] | select(.name == "golangci-lint") | .with.version' .github/workflows/ci.yaml)
 WOKE_VERSION     = v0.19.0
 
 GO           = go
@@ -168,11 +168,12 @@ errcheck: | $(ERRCHECK) ; $(info $(M) running errcheck…) ## Run errcheck
 
 GOLANGCILINT = $(BIN)/golangci-lint-$(GOLANGCI_VERSION)
 $(BIN)/golangci-lint-$(GOLANGCI_VERSION): ; $(info $(M) getting golangci-lint $(GOLANGCI_VERSION))
-	cd tools; go mod download github.com/golangci/golangci-lint && go mod tidy 
-	cd tools; go build -o $(BIN)/golangci-lint-$(GOLANGCI_VERSION) github.com/golangci/golangci-lint/cmd/golangci-lint
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(BIN) $(GOLANGCI_VERSION)
+	mv $(BIN)/golangci-lint $(BIN)/golangci-lint-$(GOLANGCI_VERSION)
 
 .PHONY: golangci-lint
 golangci-lint: | $(GOLANGCILINT) ; $(info $(M) running golangci-lint…) @ ## Run golangci-lint
+	$Q $(GOLANGCILINT) config verify
 	$Q $(GOLANGCILINT) run --modules-download-mode=vendor --max-issues-per-linter=0 --max-same-issues=0 --timeout 5m
 
 .PHONY: golangci-lint-check

cmd/entrypoint/main.go

@@ -29,16 +29,13 @@ import (
 	"time"
 
 	"github.com/tektoncd/pipeline/cmd/entrypoint/subcommands"
-	featureFlags "github.com/tektoncd/pipeline/pkg/apis/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/credentials"
 	"github.com/tektoncd/pipeline/pkg/credentials/dockercreds"
 	"github.com/tektoncd/pipeline/pkg/credentials/gitcreds"
 	"github.com/tektoncd/pipeline/pkg/entrypoint"
 	"github.com/tektoncd/pipeline/pkg/platforms"
-	"github.com/tektoncd/pipeline/pkg/spire"
-	"github.com/tektoncd/pipeline/pkg/spire/config"
 	"github.com/tektoncd/pipeline/pkg/termination"
 )
 
@@ -59,9 +56,7 @@ var (
 	onError             = flag.String("on_error", "", "Set to \"continue\" to ignore an error and continue when a container terminates with a non-zero exit code."+
 		" Set to \"stopAndFail\" to declare a failure with a step error and stop executing the rest of the steps.")
 	stepMetadataDir        = flag.String("step_metadata_dir", "", "If specified, create directory to store the step metadata e.g. /tekton/steps/<step-name>/")
-	enableSpire            = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
-	socketPath             = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
-	resultExtractionMethod = flag.String("result_from", featureFlags.ResultExtractionMethodTerminationMessage, "The method using which to extract results from tasks. Default is using the termination message.")
+	resultExtractionMethod = flag.String("result_from", entrypoint.ResultExtractionMethodTerminationMessage, "The method using which to extract results from tasks. Default is using the termination message.")
 )
 
 const (
@@ -131,13 +126,7 @@ func main() {
 		}
 	}
 
-	var spireWorkloadAPI spire.EntrypointerAPIClient
-	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
-		spireConfig := config.SpireConfig{
-			SocketPath: *socketPath,
-		}
-		spireWorkloadAPI = spire.NewEntrypointerAPIClient(&spireConfig)
-	}
+	spireWorkloadAPI := initializeSpireAPI()
 
 	e := entrypoint.Entrypointer{
 		Command:         append(cmd, commandArgs...),

cmd/entrypoint/runner_test.go

@@ -49,11 +49,7 @@ func TestRealRunnerSignalForwarding(t *testing.T) {
 }
 
 func TestRealRunnerStdoutAndStderrPaths(t *testing.T) {
-	tmp, err := os.MkdirTemp("", "")
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	defer os.RemoveAll(tmp)
+	tmp := t.TempDir()
 
 	expectedString := "hello world"
 	rr := realRunner{
@@ -112,11 +108,7 @@ func TestRealRunnerStdoutAndStderrPaths(t *testing.T) {
 }
 
 func TestRealRunnerStdoutAndStderrSamePath(t *testing.T) {
-	tmp, err := os.MkdirTemp("", "")
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	defer os.RemoveAll(tmp)
+	tmp := t.TempDir()
 
 	path := filepath.Join(tmp, "logs")
 	expectedString := "hello world"
@@ -138,11 +130,7 @@ func TestRealRunnerStdoutAndStderrSamePath(t *testing.T) {
 }
 
 func TestRealRunnerStdoutPathWithSignal(t *testing.T) {
-	tmp, err := os.MkdirTemp("", "")
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	defer os.RemoveAll(tmp)
+	tmp := t.TempDir()
 
 	path := filepath.Join(tmp, "stdout")
 	rr := realRunner{

cmd/entrypoint/spire.go

@@ -0,0 +1,43 @@
+//go:build !disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"flag"
+	"log"
+
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"github.com/tektoncd/pipeline/pkg/spire/config"
+)
+
+var (
+	enableSpire = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+	socketPath  = flag.String("spire_socket_path", "unix:///spiffe-workload-api/spire-agent.sock", "Experimental: The SPIRE agent socket for SPIFFE workload API.")
+)
+
+func initializeSpireAPI() spire.EntrypointerAPIClient {
+	if enableSpire != nil && *enableSpire && socketPath != nil && *socketPath != "" {
+		log.Println("SPIRE is enabled in this build, enableSpire is supported")
+		spireConfig := config.SpireConfig{
+			SocketPath: *socketPath,
+		}
+		return spire.NewEntrypointerAPIClient(&spireConfig)
+	}
+	return nil
+}

cmd/entrypoint/spire_disable.go

@@ -0,0 +1,47 @@
+//go:build disable_spire
+
+/*
+Copyright 2025 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+
+	"github.com/tektoncd/pipeline/pkg/result"
+)
+
+var (
+	enableSpire = flag.Bool("enable_spire", false, "If specified by configmap, this enables spire signing and verification")
+)
+
+// EntrypointerAPIClient interface maps to the spire entrypointer API to interact with spire
+type EntrypointerAPIClient interface {
+	Close() error
+	// Sign returns the signature material to be put in the RunResult to append to the output results
+	Sign(ctx context.Context, results []result.RunResult) ([]result.RunResult, error)
+}
+
+func initializeSpireAPI() EntrypointerAPIClient {
+	if enableSpire != nil && *enableSpire {
+		log.Fatal("Error: SPIRE is disabled in this build, but enableSpire was set to true. Please recompile with SPIRE support.")
+		os.Exit(1)
+	}
+	return nil
+}

cmd/entrypoint/subcommands/decode_script_test.go

@@ -30,8 +30,8 @@ func TestDecodeScript(t *testing.T) {
 	decoded := `#!/usr/bin/env sh
 echo "Hello World!"
 `
-	mode := os.FileMode(0600)
-	expectedPermissions := os.FileMode(0600)
+	mode := os.FileMode(0o600)
+	expectedPermissions := os.FileMode(0o600)
 
 	tmp := t.TempDir()
 	src := filepath.Join(tmp, "script.txt")
@@ -84,7 +84,7 @@ func TestDecodeScriptInvalidBase64(t *testing.T) {
 	invalidData := []byte("!")
 	expectedError := base64.CorruptInputError(0)
 
-	src, err := os.CreateTemp("", "decode-script-test-*")
+	src, err := os.CreateTemp(t.TempDir(), "decode-script-test-*")
 	if err != nil {
 		t.Fatalf("error creating temp file: %v", err)
 	}