[bot] Update nightly from tektoncd-catalog/git-clone:main to c3498c69cf6de9583e1c667e723fd8626af1b33c

head

@@ -1 +1 @@
-768a778f1f7ccee8a4dd142e7f115e12c7e422fd
+c3498c69cf6de9583e1c667e723fd8626af1b33c

upstream/.github/dependabot.yml

@@ -8,3 +8,7 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/image/base"
+    schedule:
+      interval: "weekly"

upstream/.github/pull_request_template.md

@@ -0,0 +1,18 @@
+<!-- Thank you for the PR! -->
+
+# Changes
+
+<!-- Describe your changes here — ideally from your descriptive commit message(s). -->
+
+# Submitter Checklist
+
+- [ ] Includes [tests](https://github.com/tektoncd/community/blob/main/standards.md#tests) for new or changed functionality
+- [ ] Includes [docs](https://github.com/tektoncd/community/blob/main/standards.md#docs) for user-facing changes
+- [ ] Commit messages follow [best practices](https://github.com/tektoncd/community/blob/main/standards.md#commits)
+- [ ] Meets the [Tekton contributor standards](https://github.com/tektoncd/community/blob/main/standards.md)
+
+# Release Notes
+
+```release-note
+NONE
+```

upstream/.github/workflows/base-image.yaml

@@ -0,0 +1,42 @@
+name: Base Image
+
+on:
+  push:
+    branches: [main]
+    paths: ['image/base/**']
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday — catch upstream updates
+  workflow_dispatch: {}
+
+permissions:
+  packages: write
+
+jobs:
+  build:
+    name: Build and push base image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+
+      - name: Log in to GHCR
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        with:
+          context: image/base
+          push: true
+          platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository }}/base:latest
+            ghcr.io/${{ github.repository }}/base:${{ github.sha }}

upstream/.github/workflows/build.yaml

@@ -4,33 +4,162 @@ on:
   pull_request:
     branches: ['main']
   push:
-    branches: [ main ]
+    branches: [main]
   schedule:
     - cron: '0 0 * * *'
 
-jobs:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
+jobs:
   build:
+    name: Build & Test
+    runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: image/git-init
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: "image/git-init/go.mod"
+          cache-dependency-path: "image/git-init/go.sum"
+      - run: go build ./...
+      - run: go vet ./...
+      - run: go test ./...
+
+      - name: Verify StepAction is in sync
+        working-directory: .
+        run: |
+          ./hack/generate-stepaction.sh
+          if ! git diff --exit-code stepaction/; then
+            echo "StepAction is out of sync with Task. Run: ./hack/generate-stepaction.sh"
+            exit 1
+          fi
 
-    name: Build ${{ matrix.go-version }}
+  e2e:
+    name: E2E (${{ matrix.pipeline-version }})
+    needs: [build]
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # All supported Tekton Pipelines LTS versions
+        # Update quarterly when new LTS is released
+        pipeline-version:
+          - v1.12.0  # LTS, EOL 2027-05-04
+          - v1.9.3   # LTS, EOL 2027-01-30
+          - v1.6.2   # LTS, EOL 2026-10-31
+          - v1.3.4   # LTS, EOL 2026-08-04
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: "image/git-init/go.mod"
+          cache-dependency-path: "image/git-init/go.sum"
+
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
+
+      - name: Create Kind cluster
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
+        with:
+          cluster_name: kind
+          wait: 120s
+
+      - name: Build base image
+        run: |
+          docker build -t ghcr.io/${{ github.repository }}/base:latest image/base/
+          docker tag ghcr.io/${{ github.repository }}/base:latest ko.local/git-clone-base:latest
+
+      - name: Build and load image into Kind
+        env:
+          KO_DOCKER_REPO: kind.local
+          KO_DEFAULTBASEIMAGE: ko.local/git-clone-base:latest
+        run: |
+          cd image/git-init
+          ko build --sbom=none -B -t e2e .
+          echo "GIT_INIT_IMAGE=kind.local/git-init:e2e" >> "$GITHUB_ENV"
+
+      - name: Run e2e tests
+        env:
+          PIPELINE_VERSION: ${{ matrix.pipeline-version }}
+          TIMEOUT: 180s
+        run: ./test/e2e-tests.sh
+
+  e2e-bundle:
+    name: E2E Bundle
+    needs: [build]
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: "image/git-init/go.mod"
           cache-dependency-path: "image/git-init/go.sum"
 
-      # FIXME: figure out how to configure or use golangci-lint
-      # - uses: golang/govulncheck-action@dd3ead030e4f2cf713062f7a3395191802364e13 # v1
-      #   with:
-      #     go-package: ./image/git-init/...
-      #     go-version-input: ${{ matrix.go-version }}
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
+
+      - uses: tektoncd/actions/setup-tektoncd-cli@dd92514472167b361de1c95fd31fc2ef83c282ec # main
 
-      - run: |
-          go build ./...
-          go test -run=^$ ./...
+      - name: Create Kind cluster
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
+        with:
+          cluster_name: kind
+          wait: 120s
+
+      - name: Build base image
+        run: |
+          docker build -t ghcr.io/${{ github.repository }}/base:latest image/base/
+          docker tag ghcr.io/${{ github.repository }}/base:latest ko.local/git-clone-base:latest
+
+      - name: Build and load image into Kind
+        env:
+          KO_DOCKER_REPO: kind.local
+          KO_DEFAULTBASEIMAGE: ko.local/git-clone-base:latest
+        run: |
+          cd image/git-init
+          ko build --sbom=none -B -t e2e .
+          echo "GIT_INIT_IMAGE=kind.local/git-init:e2e" >> "$GITHUB_ENV"
+
+      - name: Run bundle e2e test
+        env:
+          PIPELINE_VERSION: v1.12.0
+          TIMEOUT: 180s
+        run: ./test/e2e-bundle-test.sh
+
+  ci-summary:
+    name: CI summary
+    needs: [build, e2e, e2e-bundle]
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - name: Check CI results
+        run: |
+          results=(
+            "build=${NEEDS_BUILD_RESULT}"
+            "e2e=${NEEDS_E2E_RESULT}"
+            "e2e-bundle=${NEEDS_E2E_BUNDLE_RESULT}"
+          )
+          failed=0
+          for r in "${results[@]}"; do
+            name="${r%%=*}"
+            result="${r#*=}"
+            echo "${name}: ${result}"
+            if [ "$result" != "success" ] && [ "$result" != "skipped" ]; then
+              failed=1
+            fi
+          done
+          if [ "$failed" -eq 1 ]; then
+            echo ""
+            echo "Some CI jobs failed or were cancelled"
+            exit 1
+          fi
+          echo ""
+          echo "All CI checks passed"
+        env:
+          NEEDS_BUILD_RESULT: ${{ needs.build.result }}
+          NEEDS_E2E_RESULT: ${{ needs.e2e.result }}
+          NEEDS_E2E_BUNDLE_RESULT: ${{ needs.e2e-bundle.result }}

upstream/.github/workflows/release.yaml

@@ -26,27 +26,27 @@ jobs:
     #   run:
     #     working-directory: ./image/git-init
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - run: git fetch --prune --unshallow
 
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: "image/git-init/go.mod"
           cache-dependency-path: "image/git-init/go.sum"
 
       # This installs the current latest release.
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
-      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
+      - uses: imjasonh/setup-crane@59c71e96a00b28651f10369ba3359a6d730740a0 # v0.6
 
-      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+      - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: Set tag output
         id: tag
         run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
 
-      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+      - uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
         id: run-goreleaser
         with:
           version: latest
@@ -55,6 +55,34 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Push Tekton Bundle
+        uses: tektoncd/actions/setup-tektoncd-cli@dd92514472167b361de1c95fd31fc2ef83c282ec # main
+
+      - name: Publish Tekton Bundle
+        working-directory: .
+        env:
+          GIT_TAG: ${{ steps.tag.outputs.tag_name }}
+          REGISTRY: "ghcr.io/${{ github.repository }}"
+        run: |
+          tkn bundle push "${REGISTRY}/bundle:${GIT_TAG}" \
+            -f task/git-clone/git-clone.yaml \
+            -f stepaction/git-clone/git-clone.yaml
+          tkn bundle push "${REGISTRY}/bundle:latest" \
+            -f task/git-clone/git-clone.yaml \
+            -f stepaction/git-clone/git-clone.yaml
+
+      - name: Sign Tekton Bundle
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GIT_TAG: ${{ steps.tag.outputs.tag_name }}
+          REGISTRY: "ghcr.io/${{ github.repository }}"
+        run: |
+          digest=$(crane digest "${REGISTRY}/bundle:${GIT_TAG}")
+          cosign sign --yes \
+              -a GIT_HASH="${{ github.sha }}" \
+              -a GIT_TAG="${GIT_TAG}" \
+              "${REGISTRY}/bundle@${digest}"
+
       - name: sign ko-image
         run: |
           digest=$(crane digest "${REGISTRY}":"${GIT_TAG}")
@@ -95,7 +123,7 @@ jobs:
     with:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       upload-assets: true
-      upload-tag-name: "${{ needs.release.outputs.tag_name }}"
+      upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"
 
   verification:
     needs:
@@ -113,11 +141,11 @@ jobs:
         run: |
           set -euo pipefail
 
-          gh -R slsa-framework/slsa-verifier release download v1.3.2 -p "slsa-verifier-linux-amd64"
+          gh -R slsa-framework/slsa-verifier release download v2.7.1 -p "slsa-verifier-linux-amd64"
           chmod ug+x slsa-verifier-linux-amd64
           # Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md
           COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 | cut -d ' ' -f1)
-          EXPECTED_HASH="b1d6c9bbce6274e253f0be33158cacd7fb894c5ebd643f14a911bfe55574f4c0"
+          EXPECTED_HASH="946dbec729094195e88ef78e1734324a27869f03e2c6bd2f61cbc06bd5350339"
           if [[ "$EXPECTED_HASH" != "$COMPUTED_HASH" ]];then
               echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH"
               exit 1
@@ -145,9 +173,9 @@ jobs:
               fn=$(echo $line | cut -d ' ' -f2)
 
               echo "Verifying $fn"
-              ./slsa-verifier-linux-amd64 -artifact-path "$fn" \
-                                      -provenance "$PROVENANCE" \
-                                      -source "github.com/$GITHUB_REPOSITORY" \
-                                      -tag "$GITHUB_REF_NAME"
+              ./slsa-verifier-linux-amd64 verify-artifact "$fn" \
+                                      --provenance-path "$PROVENANCE" \
+                                      --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                      --source-tag "$GITHUB_REF_NAME"
 
           done <<<"$checksums"

upstream/.gitignore

@@ -0,0 +1 @@
+keys/signing-key.pem