chore: bumps version for v1.4.6 release

.github/workflows/chart.yaml

@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
         with:
           submodules: true
           fetch-depth: 0

.github/workflows/codecov.yaml

@@ -14,16 +14,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
-      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: "^1.20"
       - name: Run tests
         run: make go-test
-      - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
+      - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673
         with:
           files: ./cover.out

.github/workflows/codeql.yaml

@@ -21,20 +21,20 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6

.github/workflows/create-release.yaml

@@ -12,18 +12,18 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
         with:
           fetch-depth: 0
       - name: Goreleaser
         uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
         with:
-          version: latest
-          args: release --rm-dist --timeout 60m --debug
+          version: "~> v2"
+          args: release --clean --fail-fast --timeout 60m --verbose
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dependency-review.yaml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/e2e.yaml

@@ -29,14 +29,14 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        KUBERNETES_VERSION: ["v1.24.12", "v1.25.8", "v1.26.3", "v1.27.1"]
+        KUBERNETES_VERSION: ["v1.28.9", "v1.29.4", "v1.30.2"]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
         with:
           submodules: true
           fetch-depth: 0
@@ -47,7 +47,7 @@ jobs:
       - name: Setup Kind
         uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
-          version: "v0.18.0"
+          version: "v0.23.0"
           image: "kindest/node:${{ matrix.KUBERNETES_VERSION }}"
       - name: Test
         run: |

.github/workflows/markdown-link-check.yaml

@@ -22,10 +22,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
     - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15
       with:
         # this will only show errors in the output

.github/workflows/scan-vulns.yaml

@@ -0,0 +1,30 @@
+name: scan_vulns
+
+on:
+  push:
+    paths-ignore:
+    - "docs/**"
+    - "**.md"
+  pull_request:
+    paths-ignore:
+    - "docs/**"
+    - "**.md"
+
+permissions: read-all
+
+jobs:
+  govulncheck:
+    name: "Run govulncheck"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: "1.21"
+          check-latest: true
+      - uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # v1.0.3

.github/workflows/scorecards.yaml

@@ -31,17 +31,17 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -63,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           sarif_file: results.sarif

.goreleaser.yml

@@ -1,14 +1,15 @@
 # refer to https://goreleaser.com for more options
-build:
-  skip: true
+version: 2
+builds:
+- skip: true
 release:
   prerelease: auto
   header: |
     ## {{.Tag}} - {{ time "2006-01-02" }}
   extra_files:
     - glob: deploy/*.yaml
 changelog:
-  skip: false
+  disable: false
   groups:
     - title: Bug Fixes 🐞
       regexp: ^.*fix[(\\w)]*:+.*$

.local/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21-alpine@sha256:eeaab088668869c65a2ee0c2c4df7f8c9920140ede7fba3b777cf5b7e9fdbb69
+FROM golang:1.21-alpine@sha256:2523a6f68a0f515fe251aad40b18545155135ca6a5b2e61da8254df9153e3648
 
 ENV CGO_ENABLED=0
 ENV GOROOT=/usr/local/go

Makefile

@@ -29,12 +29,12 @@ E2E_PROVIDER_IMAGE_NAME ?= e2e-provider
 
 # Release version is the current supported release for the driver
 # Update this version when the helm chart is being updated for release
-RELEASE_VERSION := v1.3.4
-IMAGE_VERSION ?= v1.3.4
+RELEASE_VERSION := v1.4.6
+IMAGE_VERSION ?= v1.4.6
 
 # Use a custom version for E2E tests if we are testing in CI
 ifdef CI
-override IMAGE_VERSION := v1.3.0-e2e-$(BUILD_COMMIT)
+override IMAGE_VERSION := v1.5.0-e2e-$(BUILD_COMMIT)
 endif
 
 IMAGE_TAG=$(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION)
@@ -61,12 +61,12 @@ export GOPATH GOBIN GO111MODULE DOCKER_CLI_EXPERIMENTAL
 
 # Generate all combination of all OS, ARCH, and OSVERSIONS for iteration
 ALL_OS = linux windows
-ALL_ARCH.linux = amd64 arm64
-ALL_OS_ARCH.linux = $(foreach arch, ${ALL_ARCH.linux}, linux-$(arch))
-ALL_ARCH.windows = amd64
-ALL_OSVERSIONS.windows := 1809 ltsc2022
-ALL_OS_ARCH.windows = $(foreach arch, $(ALL_ARCH.windows), $(foreach osversion, ${ALL_OSVERSIONS.windows}, windows-${osversion}-${arch}))
-ALL_OS_ARCH = $(foreach os, $(ALL_OS), ${ALL_OS_ARCH.${os}})
+ALL_ARCH_linux ?= amd64 arm64
+ALL_OS_ARCH_linux = $(foreach arch, ${ALL_ARCH_linux}, linux-$(arch))
+ALL_ARCH_windows = amd64
+ALL_OSVERSIONS_windows := 1809 ltsc2022
+ALL_OS_ARCH_windows = $(foreach arch, $(ALL_ARCH_windows), $(foreach osversion, ${ALL_OSVERSIONS_windows}, windows-${osversion}-${arch}))
+ALL_OS_ARCH = $(foreach os, $(ALL_OS), ${ALL_OS_ARCH_${os}})
 
 # The current context of image building
 # The architecture of the image
@@ -99,9 +99,9 @@ EKSCTL := eksctl
 YQ := yq
 
 # Test variables
-KIND_VERSION ?= 0.18.0
-KUBERNETES_VERSION ?= 1.24.0
-KUBECTL_VERSION ?= 1.25.3
+KIND_VERSION ?= 0.23.0
+KUBERNETES_VERSION ?= 1.30.2
+KUBECTL_VERSION ?= 1.30.2
 BATS_VERSION ?= 1.4.1
 TRIVY_VERSION ?= 0.39.1
 PROTOC_VERSION ?= 3.20.1
@@ -328,24 +328,24 @@ docker-buildx-builder:
 
 .PHONY: container-all
 container-all: docker-buildx-builder
-	for arch in $(ALL_ARCH.linux); do \
+	for arch in $(ALL_ARCH_linux); do \
 		ARCH=$${arch} $(MAKE) container-linux; \
 		ARCH=$${arch} $(MAKE) crd-container-linux; \
 	done
-	for osversion in $(ALL_OSVERSIONS.windows); do \
+	for osversion in $(ALL_OSVERSIONS_windows); do \
   		OSVERSION=$${osversion} $(MAKE) container-windows; \
   	done
 
 .PHONY: push-manifest
 push-manifest:
 	docker manifest create --amend $(IMAGE_TAG) $(foreach osarch, $(ALL_OS_ARCH), $(IMAGE_TAG)-${osarch})
-	docker manifest create --amend $(CRD_IMAGE_TAG) $(foreach osarch, $(ALL_OS_ARCH.linux), $(CRD_IMAGE_TAG)-${osarch})
+	docker manifest create --amend $(CRD_IMAGE_TAG) $(foreach osarch, $(ALL_OS_ARCH_linux), $(CRD_IMAGE_TAG)-${osarch})
 	# add "os.version" field to windows images (based on https://github.com/kubernetes/kubernetes/blob/master/build/pause/Makefile)
 	set -x; \
 	registry_prefix=$(shell (echo ${REGISTRY} | grep -Eq ".*[\/\.].*") && echo "" || echo "docker.io/"); \
 	manifest_image_folder=`echo "$${registry_prefix}${IMAGE_TAG}" | sed "s|/|_|g" | sed "s/:/-/"`; \
-	for arch in $(ALL_ARCH.windows); do \
-		for osversion in $(ALL_OSVERSIONS.windows); do \
+	for arch in $(ALL_ARCH_windows); do \
+		for osversion in $(ALL_OSVERSIONS_windows); do \
 			BASEIMAGE=mcr.microsoft.com/windows/nanoserver:$${osversion}; \
 			full_version=`docker manifest inspect $${BASEIMAGE} | jq -r '.manifests[0].platform["os.version"]'`; \
 			sed -i -r "s/(\"os\"\:\"windows\")/\0,\"os.version\":\"$${full_version}\"/" "${HOME}/.docker/manifests/$${manifest_image_folder}/$${manifest_image_folder}-windows-$${osversion}-$${arch}"; \
@@ -359,11 +359,12 @@ push-manifest:
 ## --------------------------------------
 ## E2E Testing
 ## --------------------------------------
+.PHONY: e2e-install-prerequisites
+e2e-install-prerequisites: $(HELM) $(BATS) $(KIND) $(KUBECTL) $(ENVSUBST) $(YQ)
+
 .PHONY: e2e-bootstrap
-e2e-bootstrap: $(HELM) $(BATS) $(KIND) $(KUBECTL) $(ENVSUBST) $(YQ) #setup all required binaries and kind cluster for testing
-ifndef TEST_WINDOWS
+e2e-bootstrap: e2e-install-prerequisites #setup all required binaries and kind cluster for testing
 	$(MAKE) setup-kind
-endif
 	docker pull $(IMAGE_TAG) || $(MAKE) e2e-container
 
 .PHONY: setup-kind
@@ -378,12 +379,8 @@ setup-eks-cluster: $(HELM) $(EKSCTL) $(BATS) $(ENVSUBST) $(YQ)
 
 .PHONY: e2e-container
 e2e-container:
-ifdef TEST_WINDOWS
-	$(MAKE) container-all push-manifest
-else
 	$(MAKE) container
 	kind load docker-image --name kind $(IMAGE_TAG) $(CRD_IMAGE_TAG)
-endif
 
 .PHONY: e2e-mock-provider-container
 e2e-mock-provider-container:
@@ -437,7 +434,9 @@ e2e-helm-deploy:
 		--set enableSecretRotation=true \
 		--set rotationPollInterval=30s \
 		--set tokenRequests[0].audience="aud1" \
-		--set tokenRequests[1].audience="aud2"
+		--set tokenRequests[1].audience="aud2" \
+		--set tokenRequests[2].audience="conjur" \
+		--set tokenRequests[3].audience="api://AzureADTokenExchange"
 
 .PHONY: e2e-helm-upgrade
 e2e-helm-upgrade:
@@ -460,7 +459,8 @@ e2e-helm-deploy-release:
 		--set linux.enabled=true \
 		--set syncSecret.enabled=true \
 		--set enableSecretRotation=true \
-		--set rotationPollInterval=30s
+		--set rotationPollInterval=30s \
+		--set tokenRequests[0].audience="api://AzureADTokenExchange"
 
 .PHONY: e2e-kind-cleanup
 e2e-kind-cleanup:
@@ -494,6 +494,10 @@ e2e-gcp:
 e2e-aws:
 	bats -t test/bats/aws.bats
 
+.PHONY: e2e-conjur
+e2e-conjur:
+	bats -t test/bats/conjur.bats
+
 ## --------------------------------------
 ## Generate
 ## --------------------------------------

README.md

@@ -15,7 +15,7 @@ The Secrets Store CSI Driver `secrets-store.csi.k8s.io` allows Kubernetes to mou
 | Test                   | Status                                                                                                                                                                                                                                                                                                                                                                   |
 | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | periodic/image-scan    | [![sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-image-scan](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-image-scan/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-periodic#secrets-store-csi-driver-image-scan)                                     |
-| periodic/azure-upgrade | [![sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-upgrade-test-azure](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-upgrade-test-azure/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-periodic#secrets-store-csi-driver-upgrade-test-azure)             |
+| periodic/e2e-provider-upgrade | [![sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-upgrade-test-e2e-provider](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-upgrade-test-e2e-provider/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-periodic#secrets-store-csi-driver-upgrade-test-e2e-provider)             |
 | postsubmit/aws         | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-aws-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-aws-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-aws-postsubmit)       |
 | postsubmit/azure       | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-azure-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-azure-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-azure-postsubmit) |
 | postsubmit/gcp         | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-gcp-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-gcp-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-gcp-postsubmit)       |

charts/secrets-store-csi-driver/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: secrets-store-csi-driver
-version: 1.3.4
-appVersion: 1.3.4
+version: 1.4.5
+appVersion: 1.4.5
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png