Merge branch 'main' into validate-pol-issue

.github/ISSUE_TEMPLATE/bug-cli.yaml

@@ -44,6 +44,7 @@ body:
         - 1.12.2
         - 1.12.3
         - 1.12.4
+        - 1.12.5
     validations:
       required: true
   - type: textarea

.github/ISSUE_TEMPLATE/bug-other.yaml

@@ -43,6 +43,7 @@ body:
         - 1.12.2
         - 1.12.3
         - 1.12.4
+        - 1.12.5
     validations:
       required: true
   - type: textarea

.github/ISSUE_TEMPLATE/bug-webhook.yaml

@@ -43,6 +43,7 @@ body:
         - 1.12.2
         - 1.12.3
         - 1.12.4
+        - 1.12.5
     validations:
       required: true
   - type: dropdown

.github/workflows/clean-stale-branches.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Cleanup Stale Branches
-        uses: cbrgm/cleanup-stale-branches-action@d0f8b6440d1a5eb71cec3ebe376d83a74b901ca0 # v1.1.18
+        uses: cbrgm/cleanup-stale-branches-action@03d7d18e1a5ca5663846c6399e0614941d4985c3 # v1.1.19
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}

.github/workflows/conformance.yaml

@@ -646,7 +646,7 @@ jobs:
         uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster and setup Sigstore Scaffolding
-        uses: sigstore/scaffolding/actions/setup@bfc40f4d3aa430f28cec9c68b628df983601810e
+        uses: sigstore/scaffolding/actions/setup@634364a897dff805b1a26ab18abaefe379616785
         with:
           version: main
           k8s-version: ${{ matrix.k8s-version.version }}

.github/workflows/devcontainer-build.yaml

@@ -23,7 +23,7 @@ jobs:
       - name: Build devcontainer image
         run: docker build .devcontainer   
       - name: Trivy Scan Image
-        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true

.github/workflows/helm-release.yaml

@@ -25,7 +25,7 @@ jobs:
       - name: Setup build env
         uses: ./.github/actions/setup-build-env
         timeout-minutes: 10
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.7
       - name: Set up chart-testing

.github/workflows/helm-test.yaml

@@ -33,7 +33,7 @@ jobs:
         uses: ./.github/actions/setup-build-env
         timeout-minutes: 10
       - name: Setup python
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.7
       - name: Set up chart-testing

.github/workflows/images-build.yaml

@@ -31,7 +31,7 @@ jobs:
       - name: ko build
         run: VERSION=${{ github.ref_name }} make ko-build-all
       - name: Trivy Scan Image
-        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true

.github/workflows/images-publish.yaml

@@ -40,7 +40,7 @@ jobs:
         uses: ./.github/actions/setup-build-env
         timeout-minutes: 30
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true

.github/workflows/lint.yaml

@@ -33,7 +33,7 @@ jobs:
         uses: ./.github/actions/setup-build-env
         timeout-minutes: 10
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v3.7.1
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v3.7.1
         with:
           version: v1.54.2
           skip-cache: true

.github/workflows/release.yaml

@@ -35,7 +35,7 @@ jobs:
         uses: ./.github/actions/setup-build-env
         timeout-minutes: 30
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -300,7 +300,7 @@ jobs:
           file_glob: true
           tag: ${{ github.ref }}
       - name: Login to GHCR
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/report-on-vulnerabilities.yaml

@@ -30,7 +30,7 @@ jobs:
         echo "releasebranch2=$releasebranch2" >> $GITHUB_OUTPUT
     
     - name: Scan for vulnerabilities in latest image
-      uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.8.0 (Trivy v0.34.0)
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0)
 
       with: 
         image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
@@ -40,7 +40,7 @@ jobs:
         output: scan1.json
 
     - name: Scan for vulnerabilities in latest-1 image
-      uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.8.0 (Trivy v0.34.0)
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0)
       with: 
         image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch1 }}
         format: json
@@ -49,7 +49,7 @@ jobs:
         output: scan2.json
 
     - name: Scan for vulnerabilities in latest-2 image
-      uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.8.0 (Trivy v0.34.0)
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0)
       with: 
         image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch2 }}
         format: json

.github/workflows/scorecard.yaml

@@ -27,7 +27,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Run analysis
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -40,6 +40,6 @@ jobs:
           path: results.sarif
           retention-days: 5
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: results.sarif

.nancy-ignore

@@ -1,6 +1,6 @@
-# golang/k8s.io/apiserver@v0.29.2
-CVE-2020-8561 until=2024-06-30
-# golang/github.com/notaryproject/notation-go@v1.1.0
-CVE-2024-23332 until=2024-06-30
-# golang/github.com/hashicorp/vault/api@v1.12.2
-CVE-2024-2660 until=2024-06-30
+# golang/k8s.io/apiserver@v0.30.1
+CVE-2020-8561 until=2024-12-30
+# golang/github.com/notaryproject/notation-go@v1.1.1
+CVE-2024-23332 until=2024-12-30
+# golang/github.com/hashicorp/vault/api@v1.14.0
+CVE-2024-2660 until=2024-12-30

CODE_OF_CONDUCT.md

@@ -1,36 +1,6 @@
-# Kyverno Community Code of Conduct v1.0
+# Code of Conduct
 
-## Contributor Code of Conduct
+[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the Code of Conduct published and maintained at https://github.com/kyverno/community/blob/main/CODE_OF_CONDUCT.md.
+
 
-As contributors and maintainers of this project, and in the interest of fostering
-an open and welcoming community, we pledge to respect all people who contribute
-through reporting issues, posting feature requests, updating documentation,
-submitting pull requests or patches, and other activities.
 
-We are committed to making participation in this project a harassment-free experience for
-everyone, regardless of level of experience, gender, gender identity and expression,
-sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
-religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses, without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are not
-aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
-commit themselves to fairly and consistently applying these principles to every aspect
-of managing this project. Project maintainers who do not follow or enforce the Code of
-Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior in Kubernetes may be reported by contacting the project maintainer(s).
-
-This Code of Conduct is adapted from the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and the [Contributor Covenant](https://www.contributor-covenant.org/), [version 1.2.0](https://www.contributor-covenant.org/version/1/2/0/code-of-conduct/).

CONTRIBUTING.md

@@ -1,46 +1,24 @@
-# Contributing Guidelines for Kyverno
+# Contributor Guidelines for Kyverno
 
-We welcome all contributions, suggestions, and feedback, so please do not hesitate to reach out!
+[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the contributor guidelines published at: https://github.com/kyverno/community/blob/main/CODE_OF_CONDUCT.md.
 
-Before you contribute, please take a moment to review and agree to abide by our community [Code of Conduct](/CODE_OF_CONDUCT.md).
+Please review the general guidelines before proceeding further to the project specific information below.
 
-- [Contributing Guidelines for Kyverno](#contributing-guidelines-for-kyverno)
-  - [Engage with us](#engage-with-us)
-  - [Ways you can contribute](#ways-you-can-contribute)
-    - [1. Report issues](#1-report-issues)
-    - [2. Fix or Improve Documentation](#2-fix-or-improve-documentation)
-    - [3. Submit Pull Requests](#3-submit-pull-requests)
-      - [How to Create a PR](#how-to-create-a-pr)
-      - [Developer Certificate of Origin (DCO) Sign off](#developer-certificate-of-origin-dco-sign-off)
-  - [Release Processes](#release-processes)
+### Fix or Improve Kyverno Documentation
 
-## Engage with us
-
-The Kyverno website has the most updated information on [how to engage with the Kyverno community](https://kyverno.io/community/) including its maintainers and contributors. There are three classes of contributors possible: Contributor, Code Owner, and Maintainer. Please see the [Contributing section on the website](https://kyverno.io/community/#contributing) for the requirements and privileges afforded to each.
-
-Join our community meetings to learn more about Kyverno and engage with other contributors.
-
-## Ways you can contribute
-
-### 1. Report issues
-
-Issues to Kyverno help improve the project in multiple ways including the following:
-
-- Report potential bugs
-- Request a feature
-- Request a sample policy
+The [Kyverno website](https://kyverno.io), like the main Kyverno codebase, is stored in its own [git repo](https://github.com/kyverno/website). To get started with contributions to the documentation, [follow the guide](https://github.com/kyverno/website#contributing) on that repository.
 
-### 2. Fix or Improve Documentation
+### Developer Guides
 
-The [Kyverno website](https://kyverno.io), like the main Kyverno codebase, is stored in its own [git repo](https://github.com/kyverno/website). To get started with contributions to the documentation, [follow the guide](https://github.com/kyverno/website#contributing) on that repository.
+To learn about the code base and developer processes, refer to the [development guide](/DEVELOPMENT.md).
 
-### 3. Submit Pull Requests
+### Good First Issues
 
-[Pull requests](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests) (PRs) allow you to contribute back the changes you've made on your side enabling others in the community to benefit from your hard work. They are the main source by which all changes are made to this project and are a standard piece of GitHub operational flows.
+Maintainers identify issues that are ideal for new contributors with a `good first issue` label.
 
-New contributors may easily view all [open issues labeled as good first issues](https://github.com/kyverno/kyverno/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) allowing you to get started in an approachable manner.
+View all Kyverno [good first issues](https://github.com/kyverno/kyverno/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
 
-Once you wish to get started contributing to the code base, please refer to our [development guide](/DEVELOPMENT.md) for a how-to.
+### Pull Request Guidelines
 
 In the process of submitting your PRs, please read and abide by the template provided to ensure the maintainers are able to understand your changes and quickly come up to speed. There are some important pieces that are required outside the code itself. Some of these are up to you, others are up to the maintainers.
 
@@ -49,99 +27,6 @@ In the process of submitting your PRs, please read and abide by the template pro
 3. Test your change with the [Kyverno CLI](https://kyverno.io/docs/kyverno-cli/) and provide a test manifest in the proper format. If your feature/fix does not work with the CLI, a separate issue requesting CLI support must be made. For changes which can be tested as an end user, we require conformance/e2e tests by using the `chainsaw` tool. See [here](https://github.com/kyverno/kyverno/tree/main/test/conformance/chainsaw/README.md) for a specific guide on how and when to write these tests.
 4. Indicate which release this PR is triaged for (maintainers). This step is important especially for the documentation maintainers in order to understand when and where the necessary changes should be made.
 
-#### How to Create a PR
-
-Head over to the project repository on GitHub and click the **"Fork"** button. With the forked copy, you can try new ideas and implement changes to the project.
-
-1. **Clone the repository to your device:**
-
-Get the link of your forked repository, paste it in your device terminal and clone it using the command.
-
-```sh
-git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY
-```
-
-2. **Create a branch:**
-
-Create a new brach and navigate to the branch using this command.
-
-```sh
-git checkout -b <new-branch>
-```
-
-Great, it's time to start hacking! You can now go ahead to make all the changes you want.
-
-3. **Stage, Commit, and Push changes:**
-
-Now that we have implemented the required changes, use the command below to stage the changes and commit them.
-
-```sh
-git add .
-```
-
-```sh
-git commit -s -m "Commit message"
-```
-
-The `-s` signifies that you have signed off the commit.
-
-Go ahead and push your changes to GitHub using this command.
-
-```sh
-git push
-```
-
-#### Cherry-pick PRs to release branches
-
-Add repository as remote 
-
-```sh
-git remote add <name> https://github.com/kyverno/kyverno
-```
-Then fetch the branches of remote:
-
-```sh
-git fetch <name>
-```
-
- You will notice that there are a number of branches related to Kyverno's releases such as release-1.7. You can always view the list of remote branches by using the command below:
-
-```sh
-$ git branch -r
-...
-origin/release-1.5
-origin/release-1.6
-origin/release-1.7
-```
-
-Checkout one of the release branch and cherry-pick the PRs you want to merge into the release branch:
-
-```sh
-$ git checkout release-1.7
-
-git cherry-pick <commit-hash> -s
-
-git push --set-upstream origin release-1.7
-```
-
-Once the commit has been cherry-picked, the author will need to open a PR merging to the release branch, release-1.7 for example.
-
-#### Developer Certificate of Origin (DCO) Sign off
-
-For contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project, we are requiring everyone to acknowledge this by signing their work which indicates you agree to the DCO found [here](https://developercertificate.org/).
-
-To sign your work, just add a line like this at the end of your commit message:
-
-```sh
-Signed-off-by: Random J Developer <random@developer.example.org>
-```
-
-This can easily be done with the `-s` command line option to append this automatically to your commit message.
-
-```sh
-git commit -s -m 'This is my commit message'
-```
-
 ## Release Processes
 
 Review the Kyverno release process at: https://kyverno.io/docs/releases/