From 0625e3f22504725eb0072bbfb5efae9d2196a32a Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 15:10:22 +0800 Subject: [PATCH 01/14] build(deps): update super-linter to version 8 Signed-off-by: Shiwei Zhang --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 14fecfb..7bf6ad0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -30,7 +30,7 @@ jobs: with: fetch-depth: 0 - name: Lint Code Base - uses: super-linter/super-linter@v7 + uses: super-linter/super-linter@v8 env: VALIDATE_ALL_CODEBASE: false DEFAULT_BRANCH: main From 254ad6a7b8b09bde5b36a786d813de8dc0d5eb71 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 15:15:56 +0800 Subject: [PATCH 02/14] build(deps): update package references for Azure libraries and System.Security.Cryptography.Pkcs Signed-off-by: Shiwei Zhang --- .../Notation.Plugin.AzureKeyVault.Tests.csproj | 6 +++--- .../Notation.Plugin.AzureKeyVault.csproj | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Notation.Plugin.AzureKeyVault.Tests/Notation.Plugin.AzureKeyVault.Tests.csproj b/Notation.Plugin.AzureKeyVault.Tests/Notation.Plugin.AzureKeyVault.Tests.csproj index 73b7f7b..1cf9134 100644 --- a/Notation.Plugin.AzureKeyVault.Tests/Notation.Plugin.AzureKeyVault.Tests.csproj +++ b/Notation.Plugin.AzureKeyVault.Tests/Notation.Plugin.AzureKeyVault.Tests.csproj @@ -8,12 +8,12 @@ - + - + - + runtime; build; native; contentfiles; analyzers; buildtransitive all diff --git a/Notation.Plugin.AzureKeyVault/Notation.Plugin.AzureKeyVault.csproj b/Notation.Plugin.AzureKeyVault/Notation.Plugin.AzureKeyVault.csproj index 824ca9a..745e65f 100644 --- a/Notation.Plugin.AzureKeyVault/Notation.Plugin.AzureKeyVault.csproj +++ b/Notation.Plugin.AzureKeyVault/Notation.Plugin.AzureKeyVault.csproj @@ -17,11 +17,11 @@ - - - - - + + + + + From 8b3e6280c0e403df02544a07845501d38cfd4b37 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 15:17:30 +0800 Subject: [PATCH 03/14] build(deps): upgrade actions/download-artifact from v4 to v5 in workflows Signed-off-by: Shiwei Zhang --- .github/workflows/release.yml | 4 ++-- .github/workflows/test.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d5cd704..b94e9c6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -63,7 +63,7 @@ jobs: with: fetch-depth: 0 - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: name: ${{ matrix.runtime }} path: ${{ github.workspace }}/bin/artifacts @@ -86,7 +86,7 @@ jobs: with: fetch-depth: 0 - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: path: ${{ github.workspace }}/bin/artifacts - name: Create release diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7bf6ad0..e9cd0b2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -144,7 +144,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v5 with: name: linux-amd64-binary path: ./bin/artifacts @@ -199,7 +199,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v5 with: name: linux-${{ matrix.config.arch }}-binary path: ./bin/artifacts @@ -242,7 +242,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v5 with: name: windows-amd64-binary path: ./bin/artifacts @@ -285,7 +285,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v5 with: name: darwin-amd64-binary path: ./bin/artifacts From ed77fe8c2972c1a5f23a8b784511d61e01f93418 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:11:47 +0800 Subject: [PATCH 04/14] build(deps): upgrade actions/checkout from v4 to v5 in workflows Signed-off-by: Shiwei Zhang --- .github/workflows/release.yml | 6 +++--- .github/workflows/test.yml | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b94e9c6..da2eaf9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,7 +34,7 @@ jobs: runs-on: ${{ matrix.config.os }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - name: Setup .NET @@ -59,7 +59,7 @@ jobs: needs: build steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - name: Download artifacts @@ -82,7 +82,7 @@ jobs: needs: macos_codesign steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - name: Download artifacts diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e9cd0b2..ba56fa4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -26,7 +26,7 @@ jobs: statuses: write steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - name: Lint Code Base @@ -53,7 +53,7 @@ jobs: with: dotnet-version: '8.0.x' - name: Check out code into the project directory - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - name: Run unit tests @@ -94,7 +94,7 @@ jobs: with: dotnet-version: '8.0.x' - name: Check out code into the project directory - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - name: Run unit tests @@ -121,7 +121,7 @@ jobs: with: dotnet-version: '8.0.x' - name: Check out code into the project directory - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - name: Run unit tests @@ -141,7 +141,7 @@ jobs: needs: test-linux steps: - name: Check out code into the project directory - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - uses: actions/download-artifact@v5 @@ -196,7 +196,7 @@ jobs: needs: [test-linux, test-linux-arm] steps: - name: Check out code into the project directory - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - uses: actions/download-artifact@v5 @@ -239,7 +239,7 @@ jobs: needs: test-windows steps: - name: Check out code into the project directory - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - uses: actions/download-artifact@v5 @@ -282,7 +282,7 @@ jobs: needs: test-linux steps: - name: Check out code into the project directory - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - uses: actions/download-artifact@v5 From 62806df148317056263563e84009ed9ed10717c0 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:13:01 +0800 Subject: [PATCH 05/14] build(deps): upgrade actions/setup-dotnet from v4 to v5 in workflows Signed-off-by: Shiwei Zhang --- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index da2eaf9..458046b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,7 +38,7 @@ jobs: with: fetch-depth: 0 - name: Setup .NET - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@v5 with: dotnet-version: '8.0.x' - name: Build .NET project diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ba56fa4..d3016a6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -49,7 +49,7 @@ jobs: contents: read steps: - name: Setup .NET - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@v5 with: dotnet-version: '8.0.x' - name: Check out code into the project directory @@ -90,7 +90,7 @@ jobs: contents: read steps: - name: Setup .NET - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@v5 with: dotnet-version: '8.0.x' - name: Check out code into the project directory @@ -117,7 +117,7 @@ jobs: contents: read steps: - name: Setup .NET - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@v5 with: dotnet-version: '8.0.x' - name: Check out code into the project directory From f08a274c92cbe41ab62818805e1d83d20e0846aa Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:13:44 +0800 Subject: [PATCH 06/14] build(deps): upgrade actions/github-script from v7 to v8 in workflow Signed-off-by: Shiwei Zhang --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d3016a6..c8c94ea 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -159,7 +159,7 @@ jobs: - name: Install OIDC Client from Core Package run: npm install @actions/core@1.6.0 @actions/http-client - name: Write Id Token - uses: actions/github-script@v7 + uses: actions/github-script@v8 id: idtoken with: script: | From b69431b3d535d27829c7714ac13ab287cbf447d2 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:23:30 +0800 Subject: [PATCH 07/14] style: format JSON configuration for consistency Signed-off-by: Shiwei Zhang --- test/e2e/zot/config.json | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/test/e2e/zot/config.json b/test/e2e/zot/config.json index 1ec5194..1b20e90 100644 --- a/test/e2e/zot/config.json +++ b/test/e2e/zot/config.json @@ -1,12 +1,12 @@ - { - "storage":{ - "rootDirectory":"." - }, - "http":{ - "address":"0.0.0.0", - "port":"5000" - }, - "log":{ - "level":"debug" - } - } \ No newline at end of file +{ + "storage": { + "rootDirectory": "." + }, + "http": { + "address": "0.0.0.0", + "port": "5000" + }, + "log": { + "level": "debug" + } +} \ No newline at end of file From b67b6d181c54c7677a66265006542a68d2e1a3a1 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:32:07 +0800 Subject: [PATCH 08/14] build: update base image and notation version in Dockerfile Signed-off-by: Shiwei Zhang --- test/e2e/containerized/Dockerfile.mariner | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/test/e2e/containerized/Dockerfile.mariner b/test/e2e/containerized/Dockerfile.mariner index 272ed4f..792fa2c 100644 --- a/test/e2e/containerized/Dockerfile.mariner +++ b/test/e2e/containerized/Dockerfile.mariner @@ -1,16 +1,26 @@ -FROM busybox:latest as base +FROM busybox:1.36 as base -RUN wget https://github.com/notaryproject/notation/releases/download/v1.0.1/notation_1.0.1_linux_amd64.tar.gz -RUN tar -xzf notation_1.0.1_linux_amd64.tar.gz +RUN wget https://github.com/notaryproject/notation/releases/download/v1.3.2/notation_1.3.2_linux_amd64.tar.gz +RUN tar -xzf notation_1.3.2_linux_amd64.tar.gz COPY ./bin/artifacts/notation-azure-kv_0.0.1_linux_amd64.tar.gz . RUN tar -xzf notation-azure-kv_0.0.1_linux_amd64.tar.gz FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 RUN mkdir -p $HOME/.config/notation/plugins/azure-kv -RUN yum install ca-certificates -y +RUN yum install ca-certificates -y && yum clean all COPY --from=base ./notation /usr/local/bin -COPY --from=base ./notation-azure-kv /root/.config/notation/plugins/azure-kv + +# Create non-root user +RUN useradd -m -u 1000 notation && \ + mkdir -p /home/notation/.config/notation/plugins/azure-kv + +COPY --from=base --chown=notation:notation ./notation-azure-kv /home/notation/.config/notation/plugins/azure-kv + +USER notation + +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD notation version || exit 1 CMD ["notation"] From 69ded07c636a7b67a3490e9b91f7fb71d66835f8 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:35:43 +0800 Subject: [PATCH 09/14] style: format JSON configuration for consistency Signed-off-by: Shiwei Zhang --- test/e2e/zot/config.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/test/e2e/zot/config.json b/test/e2e/zot/config.json index 1b20e90..f95872e 100644 --- a/test/e2e/zot/config.json +++ b/test/e2e/zot/config.json @@ -1,12 +1,12 @@ { - "storage": { - "rootDirectory": "." - }, - "http": { - "address": "0.0.0.0", - "port": "5000" - }, - "log": { - "level": "debug" - } + "storage": { + "rootDirectory": "." + }, + "http": { + "address": "0.0.0.0", + "port": "5000" + }, + "log": { + "level": "debug" + } } \ No newline at end of file From 883a6a8a89434555f3073ce241ac62c9098d6f3a Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:39:14 +0800 Subject: [PATCH 10/14] style: add newline at end of JSON configuration file Signed-off-by: Shiwei Zhang --- test/e2e/zot/config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/zot/config.json b/test/e2e/zot/config.json index f95872e..e473b3d 100644 --- a/test/e2e/zot/config.json +++ b/test/e2e/zot/config.json @@ -9,4 +9,4 @@ "log": { "level": "debug" } -} \ No newline at end of file +} From d3189a7422347fee4336ac4be1fca0c523967ec1 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:43:10 +0800 Subject: [PATCH 11/14] style: format JSON configuration for consistency Signed-off-by: Shiwei Zhang --- test/e2e/zot/config.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/test/e2e/zot/config.json b/test/e2e/zot/config.json index e473b3d..5333b30 100644 --- a/test/e2e/zot/config.json +++ b/test/e2e/zot/config.json @@ -1,12 +1,12 @@ { - "storage": { - "rootDirectory": "." - }, - "http": { - "address": "0.0.0.0", - "port": "5000" - }, - "log": { - "level": "debug" - } + "storage": { + "rootDirectory": "." + }, + "http": { + "address": "0.0.0.0", + "port": "5000" + }, + "log": { + "level": "debug" + } } From e4e71e2a1856b2bd068d3d754209253bf8fd6262 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:43:46 +0800 Subject: [PATCH 12/14] style: add missing statuses permission in workflow configuration Signed-off-by: Shiwei Zhang --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c8c94ea..9d20e66 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,6 +15,7 @@ on: permissions: id-token: write # Require write permission to Fetch an OIDC token. contents: read + statuses: write jobs: lint: From ef8f304b57911bdcdbc9a489cb328c4cd6622a00 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:46:47 +0800 Subject: [PATCH 13/14] style: update filter regex to exclude test files in workflow configuration Signed-off-by: Shiwei Zhang --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9d20e66..9538f6a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -37,7 +37,7 @@ jobs: DEFAULT_BRANCH: main DEFAULT_WORKSPACE: ./Notation.Plugin.AzureKeyVault GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - FILTER_REGEX_EXCLUDE: '.*Tests/.*|.*.yml|.*/scripts/generate-certs.sh|.*.py' + FILTER_REGEX_EXCLUDE: '.*Tests/.*|test/.*|.*.yml|.*/scripts/generate-certs.sh|.*.py' VALIDATE_CHECKOV: false VALIDATE_MARKDOWN: false VALIDATE_JSCPD: false From b89b320d055af4da8cd5a2bc7e004ea8a63a9bf4 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 9 Oct 2025 18:47:28 +0800 Subject: [PATCH 14/14] style: update Dockerfile to use stable notation version and clean up config.json formatting Signed-off-by: Shiwei Zhang --- test/e2e/containerized/Dockerfile.mariner | 20 +++++-------------- test/e2e/zot/config.json | 24 +++++++++++------------ 2 files changed, 17 insertions(+), 27 deletions(-) diff --git a/test/e2e/containerized/Dockerfile.mariner b/test/e2e/containerized/Dockerfile.mariner index 792fa2c..272ed4f 100644 --- a/test/e2e/containerized/Dockerfile.mariner +++ b/test/e2e/containerized/Dockerfile.mariner @@ -1,26 +1,16 @@ -FROM busybox:1.36 as base +FROM busybox:latest as base -RUN wget https://github.com/notaryproject/notation/releases/download/v1.3.2/notation_1.3.2_linux_amd64.tar.gz -RUN tar -xzf notation_1.3.2_linux_amd64.tar.gz +RUN wget https://github.com/notaryproject/notation/releases/download/v1.0.1/notation_1.0.1_linux_amd64.tar.gz +RUN tar -xzf notation_1.0.1_linux_amd64.tar.gz COPY ./bin/artifacts/notation-azure-kv_0.0.1_linux_amd64.tar.gz . RUN tar -xzf notation-azure-kv_0.0.1_linux_amd64.tar.gz FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 RUN mkdir -p $HOME/.config/notation/plugins/azure-kv -RUN yum install ca-certificates -y && yum clean all +RUN yum install ca-certificates -y COPY --from=base ./notation /usr/local/bin - -# Create non-root user -RUN useradd -m -u 1000 notation && \ - mkdir -p /home/notation/.config/notation/plugins/azure-kv - -COPY --from=base --chown=notation:notation ./notation-azure-kv /home/notation/.config/notation/plugins/azure-kv - -USER notation - -HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ - CMD notation version || exit 1 +COPY --from=base ./notation-azure-kv /root/.config/notation/plugins/azure-kv CMD ["notation"] diff --git a/test/e2e/zot/config.json b/test/e2e/zot/config.json index 5333b30..1ec5194 100644 --- a/test/e2e/zot/config.json +++ b/test/e2e/zot/config.json @@ -1,12 +1,12 @@ -{ - "storage": { - "rootDirectory": "." - }, - "http": { - "address": "0.0.0.0", - "port": "5000" - }, - "log": { - "level": "debug" - } -} + { + "storage":{ + "rootDirectory":"." + }, + "http":{ + "address":"0.0.0.0", + "port":"5000" + }, + "log":{ + "level":"debug" + } + } \ No newline at end of file