Bumping knative.dev/hack to latest main (#269)

go.mod

@@ -22,8 +22,8 @@ require (
 	k8s.io/apimachinery v0.25.4
 	k8s.io/client-go v0.25.4
 	knative.dev/client-pkg v0.0.0-20230120062501-d4ab4e492526
-	knative.dev/eventing v0.36.1
-	knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
+	knative.dev/eventing v0.36.4
+	knative.dev/hack v0.0.0-20230210215449-d71d569c4308
 	knative.dev/pkg v0.0.0-20230117181655-247510c00e9d
 	knative.dev/reconciler-test v0.0.0-20230123181139-476a442e3644
 	knative.dev/serving v0.36.0

go.sum

@@ -1158,10 +1158,10 @@ k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJ
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 knative.dev/client-pkg v0.0.0-20230120062501-d4ab4e492526 h1:/3bTP61VARRn34cQ5e3P1KwRGxvuSsZmknt3akFpNvg=
 knative.dev/client-pkg v0.0.0-20230120062501-d4ab4e492526/go.mod h1:dpY2cjKD/xjGjLQf/esJ1jMYko0iuV15PqYOL+uCEXc=
-knative.dev/eventing v0.36.1 h1:QHLVpO8i7JWg0a3rSDjbH8WZk6YlPY2g5mPvWovh5aI=
-knative.dev/eventing v0.36.1/go.mod h1:Qka5Z6+LeMoHGL1QAznVdmq5LAu21b4F3rgxc2AMgRg=
-knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9 h1:CDa7s9KspEZqPhk7cN68ZypRLuAvSgr+knoOaXSsrHk=
-knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
+knative.dev/eventing v0.36.4 h1:B9WAf1qFXP815RAEwLsBH3P5GpWJiwdVYGzlOBi/bKA=
+knative.dev/eventing v0.36.4/go.mod h1:Qka5Z6+LeMoHGL1QAznVdmq5LAu21b4F3rgxc2AMgRg=
+knative.dev/hack v0.0.0-20230210215449-d71d569c4308 h1:zH5OedRfo9SB22o25VNQ+vygceTvOujsnLYaALb8jos=
+knative.dev/hack v0.0.0-20230210215449-d71d569c4308/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/networking v0.0.0-20230123233838-db2bcbea2560 h1:iprdS5tKTXtgV9dGryuwJJJTTdl5LusCHOelKdezR3I=
 knative.dev/networking v0.0.0-20230123233838-db2bcbea2560/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d h1:pjKDcvHoMib8nRp56eISRmMj/pFMzJljnzvMvGCIReI=

vendor/knative.dev/hack/release.sh

@@ -111,6 +111,7 @@ export KO_DOCKER_REPO="gcr.io/knative-nightly"
 # Build stripped binary to reduce size
 export GOFLAGS="-ldflags=-s -ldflags=-w"
 export GITHUB_TOKEN=""
+readonly IMAGES_REFS_FILE="${IMAGES_REFS_FILE:-$(mktemp -d)/images_refs.txt}"
 
 # Convenience function to run the hub tool.
 # Parameters: $1..$n - arguments to hub.
@@ -313,64 +314,109 @@ function build_from_source() {
 }
 
 function get_images_in_yamls() {
-  rm -rf imagerefs.txt
+  rm -rf "$IMAGES_REFS_FILE"
   echo "Assembling a list of image refences to sign"
-  for file in $@; do
+  for file in "$@"; do
     [[ "${file##*.}" != "yaml" ]] && continue
     echo "Inspecting ${file}"
-    for image in $(grep -oh "\S*${KO_DOCKER_REPO}\S*" "${file}"); do
-      echo $image >> imagerefs.txt
-    done
+    while read -r image; do
+      echo "$image" >> "$IMAGES_REFS_FILE"
+    done < <(grep -oh "\S*${KO_DOCKER_REPO}\S*" "${file}")
+  done
+  if [[ -f "$IMAGES_REFS_FILE" ]]; then
+    sort -uo "$IMAGES_REFS_FILE" "$IMAGES_REFS_FILE" # Remove duplicate entries
+  fi
+}
+
+function find_checksums_file() {
+  for file in "$@"; do
+    if [[ "${file}" == *"checksums.txt" ]]; then
+      echo "${file}"
+      return 0
+    fi
   done
-  sort -uo imagerefs.txt imagerefs.txt # Remove duplicate entries
+  warning "cannot find checksums file"
 }
 
 # Build a release from source.
 function sign_release() {
-  get_images_in_yamls "${ARTIFACTS_TO_PUBLISH}"
   if (( ! IS_PROW )); then # This function can't be run by devs on their laptops
     return 0
   fi
+  get_images_in_yamls "${ARTIFACTS_TO_PUBLISH}"
+  local checksums_file
+  checksums_file="$(find_checksums_file "${ARTIFACTS_TO_PUBLISH}")"
+
+  if ! [[ -f "${checksums_file}" ]]; then
+    echo '>> No checksums file found, generating one'
+    checksums_file="$(mktemp -d)/checksums.txt"
+    for file in ${ARTIFACTS_TO_PUBLISH}; do
+      pushd "$(dirname "$file")" >/dev/null
+      sha256sum "$(basename "$file")" >> "${checksums_file}"
+      popd >/dev/null
+    done
+    ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} ${checksums_file}"
+  fi
 
   # Notarizing mac binaries needs to be done before cosign as it changes the checksum values
   # of the darwin binaries
  if [ -n "${APPLE_CODESIGN_KEY}" ] && [ -n "${APPLE_CODESIGN_PASSWORD_FILE}" ] && [ -n "${APPLE_NOTARY_API_KEY}" ]; then
     banner "Notarizing macOS Binaries for the release"
-    FILES=$(find -- * -type f -name "*darwin*")
-    for file in $FILES; do
-      rcodesign sign "${file}" --p12-file="${APPLE_CODESIGN_KEY}" \
-        --code-signature-flags=runtime \
-        --p12-password-file="${APPLE_CODESIGN_PASSWORD_FILE}"
-    done
-    zip files.zip ${FILES}
-    rcodesign notary-submit files.zip --api-key-path="${APPLE_NOTARY_API_KEY}" --wait
-    sha256sum ${ARTIFACTS_TO_PUBLISH//checksums.txt/} > checksums.txt
-    echo "🧮     Post Notarization Checksum:"
-    cat checksums.txt
+    local macos_artifacts
+    declare -a macos_artifacts=()
+    while read -r file; do
+      if echo "$file" | grep -q "darwin"; then
+        macos_artifacts+=("${file}")
+        rcodesign sign "${file}" --p12-file="${APPLE_CODESIGN_KEY}" \
+          --code-signature-flags=runtime \
+          --p12-password-file="${APPLE_CODESIGN_PASSWORD_FILE}"
+      fi
+    done < <(echo "${ARTIFACTS_TO_PUBLISH}" | tr ' ' '\n')
+    if [[ -z "${macos_artifacts[*]}" ]]; then
+      warning "No macOS binaries found, skipping notarization"
+    else
+      local zip_file
+      zip_file="$(mktemp -d)/files.zip"
+      zip "$zip_file" -@ < <(printf "%s\n"  "${macos_artifacts[@]}")
+      rcodesign notary-submit "$zip_file" --api-key-path="${APPLE_NOTARY_API_KEY}" --wait
+      true > "${checksums_file}" # Clear the checksums file
+      for file in ${ARTIFACTS_TO_PUBLISH}; do
+        if echo "$file" | grep -q "checksums.txt"; then
+          continue # Don't checksum the checksums file
+        fi
+        pushd "$(dirname "$file")" >/dev/null
+        sha256sum "$(basename "$file")" >> "${checksums_file}"
+        popd >/dev/null
+      done
+      echo "🧮     Post Notarization Checksum:"
+      cat "$checksums_file"
+    fi
   fi
 
   ID_TOKEN=$(gcloud auth print-identity-token --audiences=sigstore \
     --include-email \
     --impersonate-service-account="${SIGNING_IDENTITY}")
   echo "Signing Images with the identity ${SIGNING_IDENTITY}"
   ## Sign the images with cosign
-  if [[ -f "imagerefs.txt" ]]; then
-      COSIGN_EXPERIMENTAL=1 cosign sign $(cat imagerefs.txt) --recursive --identity-token="${ID_TOKEN}"
-      if  [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate
-        provenance-generator --clone-log=/logs/clone.json \
-          --image-refs=imagerefs.txt --output=attestation.json
-        mkdir -p "${ARTIFACTS}"/attestation && cp attestation.json "${ARTIFACTS}"/attestation
-        COSIGN_EXPERIMENTAL=1 cosign attest $(cat imagerefs.txt) --recursive --identity-token="${ID_TOKEN}" \
-          --predicate=attestation.json --type=slsaprovenance
-      fi
+  if [[ -f "$IMAGES_REFS_FILE" ]]; then
+    COSIGN_EXPERIMENTAL=1 cosign sign $(cat "$IMAGES_REFS_FILE") \
+      --recursive --identity-token="${ID_TOKEN}"
+    if  [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate
+      provenance-generator --clone-log=/logs/clone.json \
+        --image-refs="$IMAGES_REFS_FILE" --output=attestation.json
+      mkdir -p "${ARTIFACTS}"/attestation && cp attestation.json "${ARTIFACTS}"/attestation
+      COSIGN_EXPERIMENTAL=1 cosign attest $(cat "$IMAGES_REFS_FILE") \
+        --recursive --identity-token="${ID_TOKEN}" \
+        --predicate=attestation.json --type=slsaprovenance
+    fi
   fi
 
-  ## Check if there is checksums.txt file. If so, sign the checksum file
-  if [[ -f "checksums.txt" ]]; then
-      echo "Signing Images with the identity ${SIGNING_IDENTITY}"
-      COSIGN_EXPERIMENTAL=1 cosign sign-blob checksums.txt --output-signature=checksums.txt.sig --output-certificate=checksums.txt.pem --identity-token="${ID_TOKEN}"
-      ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} checksums.txt.sig checksums.txt.pem"
-  fi
+  echo "Signing checksums with the identity ${SIGNING_IDENTITY}"
+  COSIGN_EXPERIMENTAL=1 cosign sign-blob "$checksums_file" \
+    --output-signature="${checksums_file}.sig" \
+    --output-certificate="${checksums_file}.pem" \
+    --identity-token="${ID_TOKEN}"
+  ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} ${checksums_file}.sig ${checksums_file}.pem"
 }
 
 # Copy tagged images from the nightly GCR to the release GCR, tagging them 'latest'.

vendor/modules.txt

@@ -1066,7 +1066,7 @@ knative.dev/client-pkg/pkg/util
 knative.dev/client-pkg/pkg/util/mock
 knative.dev/client-pkg/pkg/util/test
 knative.dev/client-pkg/pkg/wait
-# knative.dev/eventing v0.36.1
+# knative.dev/eventing v0.36.4
 ## explicit; go 1.18
 knative.dev/eventing/pkg/apis/config
 knative.dev/eventing/pkg/apis/duck
@@ -1105,7 +1105,7 @@ knative.dev/eventing/test/upgrade/prober/wathola/config
 knative.dev/eventing/test/upgrade/prober/wathola/event
 knative.dev/eventing/test/upgrade/prober/wathola/forwarder
 knative.dev/eventing/test/upgrade/prober/wathola/sender
-# knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
+# knative.dev/hack v0.0.0-20230210215449-d71d569c4308
 ## explicit; go 1.18
 knative.dev/hack
 # knative.dev/networking v0.0.0-20230123233838-db2bcbea2560