feat: update kmp crds
Signed-off-by: Juncheng Zhu <[email protected]>

chore: update config

Signed-off-by: Juncheng Zhu <[email protected]>

feat: update crl config

Signed-off-by: Juncheng Zhu <[email protected]>

chore: Bump github/codeql-action from 3.27.3 to 3.27.4 (ratify-project#1929)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump alpine from `beefdbd` to `1e42bbe` (ratify-project#1937)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump golang from `4cfe4a9` to `147f428` in /httpserver (ratify-project#1936)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump distroless/static from `3a03fc0` to `d71f4b2` in /httpserver (ratify-project#1935)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aliyun/credentials-go from 1.3.10 to 1.3.11 (ratify-project#1934)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.44 to 1.17.45 (ratify-project#1933)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump codecov/codecov-action from 4.6.0 to 5.0.2 (ratify-project#1932)

Signed-off-by: dependabot[bot] <[email protected]>

chore: Replace deprecated autorest SDK with azidentity (ratify-project#1904)

Signed-off-by: Shahram Kalantari <[email protected]>

chore: Bump step-security/harden-runner from 2.10.1 to 2.10.2 (ratify-project#1938)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump codecov/codecov-action from 5.0.2 to 5.0.4 (ratify-project#1939)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump codecov/codecov-action from 5.0.4 to 5.0.7 (ratify-project#1946)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github/codeql-action from 3.27.4 to 3.27.5 (ratify-project#1945)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump anchore/sbom-action from 0.17.7 to 0.17.8 (ratify-project#1948)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.45 to 1.17.46 (ratify-project#1953)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

fix: add missing pod annotations and labels to deployment spec (ratify-project#1949)

Signed-off-by: akashsinghal <[email protected]>

chore: Bump github.com/sigstore/rekor from 1.3.6 to 1.3.7 (ratify-project#1952)

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Susan Shi <[email protected]>
Signed-off-by: Binbin Li <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: bump up golangci-lint version (ratify-project#1961)

Signed-off-by: Binbin Li <[email protected]>

fix(tls): allowing TLS when crd-manager disabled (ratify-project#1954)

Signed-off-by: Jordan Langue <[email protected]>

chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.28.3 to 1.28.6 (ratify-project#1957)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump distroless/static from `d71f4b2` to `6cd937e` in /httpserver (ratify-project#1960)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github/codeql-action from 3.27.5 to 3.27.6 (ratify-project#1963)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

build: add image signing for all release images (ratify-project#1947)

Signed-off-by: Akash Singhal <[email protected]>

chore: Bump golang from `73f06be` to `574185e` in /httpserver (ratify-project#1973)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

docs: update dev image release guidance (ratify-project#1974)

Signed-off-by: Akash Singhal <[email protected]>

feat: Implementation of KMP CRL revocation factory with cache (ratify-project#1900)

Signed-off-by: Juncheng Zhu <[email protected]>
Co-authored-by: Binbin Li <[email protected]>
Co-authored-by: Susan Shi <[email protected]>

chore: Bump alpine from `1e42bbe` to `21dc606` (ratify-project#1972)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump google.golang.org/grpc from 1.68.0 to 1.68.1 (ratify-project#1971)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump actions/cache from 4.1.2 to 4.2.0 (ratify-project#1967)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump codecov/codecov-action from 5.0.7 to 5.1.1 (ratify-project#1966)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/notaryproject/notation-core-go from 1.2.0-rc.1 to 1.2.0-rc.2 (ratify-project#1970)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump actions/setup-go from 5.1.0 to 5.2.0 (ratify-project#1979)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github/codeql-action from 3.27.6 to 3.27.7 (ratify-project#1978)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: bump K8s versions (ratify-project#1975)

Signed-off-by: Akash Singhal <[email protected]>

chore: bump makefile tool dependency version (ratify-project#1976)

Signed-off-by: Akash Singhal <[email protected]>

chore: bump up golang.org/x/crypto pkg to fix vuln (ratify-project#1981)

Signed-off-by: Juncheng Zhu <[email protected]>

chore: Bump github/codeql-action from 3.27.7 to 3.27.9 (ratify-project#1983)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump anchore/sbom-action from 0.17.8 to 0.17.9 (ratify-project#1988)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/sigstore/sigstore from 1.8.10 to 1.8.11 (ratify-project#1986)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/notaryproject/notation-go from 1.3.0-rc.1 to 1.3.0-rc.2 (ratify-project#1987)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: bump GK support to 3.18 (ratify-project#1980)

Signed-off-by: Akash Singhal <[email protected]>
junczhu committed Dec 18, 2024
1 parent 0837c02 commit 7c4b788
Showing 69 changed files with 1,639 additions and 774 deletions.
16 changes: 8 additions & 8 deletions .github/workflows/build-pr.yml
@@ -24,8 +24,8 @@ jobs:
strategy:
fail-fast: false
matrix:
KUBERNETES_VERSION: ["1.29.2"]
GATEKEEPER_VERSION: ["3.17.0"]
KUBERNETES_VERSION: ["1.30.6"]
GATEKEEPER_VERSION: ["3.18.0"]
uses: ./.github/workflows/e2e-k8s.yml
with:
k8s_version: ${{ matrix.KUBERNETES_VERSION }}
@@ -37,8 +37,8 @@ jobs:
strategy:
fail-fast: false
matrix:
KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
uses: ./.github/workflows/e2e-k8s.yml
with:
k8s_version: ${{ matrix.KUBERNETES_VERSION }}
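Review bot: dropping KUBERNETES_VERSION "1.28.12" and GATEKEEPER_VERSION "3.15.0" from this matrix (and from the identical AKS matrix in the next hunk) removes e2e coverage for those versions. Since the squashed commit message says "bump GK support to 3.18", make sure the documented support matrix and the chart's minimum-version notes are updated in the same change, so users still on Gatekeeper 3.15 or Kubernetes 1.28 can see that those combinations are no longer tested.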
@@ -53,8 +53,8 @@ jobs:
strategy:
fail-fast: false
matrix:
KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
uses: ./.github/workflows/e2e-aks.yml
with:
k8s_version: ${{ matrix.KUBERNETES_VERSION }}
@@ -70,14 +70,14 @@ jobs:
environment: azure-test
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.22"

2 changes: 1 addition & 1 deletion .github/workflows/cache-cleanup.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

2 changes: 1 addition & 1 deletion .github/workflows/clean-dev-package.yml
@@ -13,7 +13,7 @@ jobs:
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
@@ -26,23 +26,23 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
- name: setup go environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.22"
- name: Initialize CodeQL
uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # tag=v3.27.3
uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=v3.27.9
with:
languages: go
- name: Run tidy
run: go mod tidy
- name: Build CLI
run: make build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # tag=v3.27.3
uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=v3.27.9
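Review bot: the pin comment on the unchanged checkout line in this hunk, `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2`, is stale: the same SHA is labelled `# v4.2.2` in build-pr.yml, e2e-aks.yml and e2e-k8s.yml in this diff. A wrong version comment undermines the SHA pin, because reviewers and Dependabot rely on the comment to know what the hash stands for, so correct it to `# v4.2.2` while this file is being touched. The codeql-action init and analyze bumps are consistent with each other (both at the v3.27.9 hash), which is what you want, since mismatched init/analyze versions fail at analysis time.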
8 changes: 4 additions & 4 deletions .github/workflows/e2e-aks.yml
@@ -9,12 +9,12 @@ on:
k8s_version:
description: "Kubernetes version"
required: true
default: "1.29.2"
default: "1.30.6"
type: string
gatekeeper_version:
description: "Gatekeeper version"
required: true
default: "3.17.0"
default: "3.18.0"
type: string

jobs:
@@ -28,14 +28,14 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.22"
- name: Az CLI login
16 changes: 8 additions & 8 deletions .github/workflows/e2e-cli.yml
@@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

@@ -34,14 +34,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: setup go environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.22"
- name: Run tidy
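Review bot: `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` in this hunk carries no version comment, unlike every other pinned action in the diff (the same SHA is annotated `# v4.2.2` in the @@ -63 hunk of this very file). Add the `# v4.2.2` comment so the pin stays auditable and version-bump tooling can track it; an unannotated hash is the one a reviewer cannot sanity-check at a glance.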
@@ -51,7 +51,7 @@ jobs:
- name: Check build
run: bin/ratify version
- name: Upload coverage to codecov.io
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
- name: Run helm lint
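Review bot: codecov/codecov-action crosses a major version in this hunk (v4.6.0 to v5.1.1, accumulated from the four Dependabot bumps listed in the commit message). The only input visible here, `token: ${{ secrets.CODECOV_TOKEN }}`, is still accepted by v5, but the rest of the step is collapsed; check any other inputs against the v5 release notes, since v5 moved to a different upload client and changed its input set, and run one upload end to end before relying on the coverage gate. The same bump appears in the @@ -86 hunk below, so both steps need the check.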
@@ -63,14 +63,14 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: setup go environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.22"
- name: Run tidy
@@ -86,14 +86,14 @@ jobs:
make install ratify-config install-bats
make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
- name: Upload coverage to codecov.io
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
markdown-link-check:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

8 changes: 4 additions & 4 deletions .github/workflows/e2e-k8s.yml
@@ -9,12 +9,12 @@ on:
k8s_version:
description: "Kubernetes version"
required: true
default: "1.29.2"
default: "1.30.6"
type: string
gatekeeper_version:
description: "Gatekeeper version"
required: true
default: "3.17.0"
default: "3.18.0"
type: string

jobs:
@@ -26,14 +26,14 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.22"
- name: Restore Trivy cache
6 changes: 3 additions & 3 deletions .github/workflows/golangci-lint.yml
@@ -15,16 +15,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.22"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: golangci-lint
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
version: v1.59.1
version: v1.62.2
args: --timeout=10m
6 changes: 3 additions & 3 deletions .github/workflows/high-availability.yml
@@ -27,17 +27,17 @@ jobs:
contents: read
strategy:
matrix:
DAPR_VERSION: ["1.13.2"]
DAPR_VERSION: ["1.14.4"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go 1.22
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.22"

2 changes: 1 addition & 1 deletion .github/workflows/pr-to-main.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

2 changes: 1 addition & 1 deletion .github/workflows/publish-charts.yml
@@ -13,7 +13,7 @@ jobs:
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

2 changes: 1 addition & 1 deletion .github/workflows/publish-cosign-sample.yml
@@ -20,7 +20,7 @@ jobs:
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

46 changes: 44 additions & 2 deletions .github/workflows/publish-dev-assets.yml
@@ -17,7 +17,7 @@ jobs:
environment: azure-publish
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout
@@ -37,6 +37,10 @@ jobs:
az version
# Key Vault:
az account get-access-token --scope https://vault.azure.net/.default --output none
- name: Prepare notation certificate
run: |
mkdir -p truststore/x509/ca/ratify-verify
cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify
- name: prepare
id: prepare
run: |
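Review bot: the new "Prepare notation certificate" step builds the Notation trust store from a certificate committed in the repository (`./.well-known/pki-validation/ratify-verification.crt`, copied into `truststore/x509/ca/ratify-verify`). Two things to confirm: the trust policy this job later passes (`./.well-known/pki-validation/trustpolicy.json`) must reference the store by exactly the name `ca:ratify-verify`, otherwise the Notation verify step fails with an unknown trust store; and because the trust anchor comes from the checked-out tree rather than from a protected location, a change to that `.crt` or to `trustpolicy.json` alters what the publish job trusts, so both paths deserve CODEOWNERS or protected-path review.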
@@ -69,7 +73,7 @@ jobs:
docker buildx build \
--attest type=sbom \
--attest type=provenance,mode=max \
--build-arg KUBE_VERSION="1.29.2" \
--build-arg KUBE_VERSION="1.30.6" \
-f crd.Dockerfile \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--label org.opencontainers.image.revision=${{ github.sha }} \
@@ -138,6 +142,44 @@ jobs:
cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
- name: Verify with Notation
uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
with:
target_artifact_reference: |-
${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
trust_policy: ./.well-known/pki-validation/trustpolicy.json
trust_store: truststore
- name: Verify with Cosign
run: |
cosign verify \
--certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository ratify-project/ratify \
${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
cosign verify \
--certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository ratify-project/ratify \
${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
cosign verify \
--certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository ratify-project/ratify \
${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
cosign verify \
--certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository ratify-project/ratify \
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
cosign verify \
--certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository ratify-project/ratify \
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
- name: clear
if: always()
run: |
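Review bot: the `--certificate-identity-regexp` value `https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*` used in all five cosign verify calls is almost certainly meant to be `@.*`. As written, `@*` matches zero or more `@` characters, and because cosign applies the pattern as an unanchored regular expression with the `.` characters unescaped, the effective check is a substring match on the workflow path. It still holds in practice because `--certificate-oidc-issuer` and `--certificate-github-workflow-repository ratify-project/ratify` constrain the certificate, but make the identity explicit and anchored, for example `^https://github\.com/ratify-project/ratify/\.github/workflows/publish-dev-assets\.yml@refs/.*$`, or use `--certificate-identity` with the exact ref. The five invocations differ only in the image reference; a `for ref in ...; do cosign verify ... "$ref"; done` loop over the same list the sign step uses would keep the signed and verified sets from drifting apart.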