Consider all SHA's of a manifest

.github/workflows/build-test.yaml

@@ -19,10 +19,12 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: Setup Golang
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
         with:
@@ -34,6 +36,10 @@ jobs:
     runs-on: ubuntu-latest
     name: Run govulncheck
     steps:
+      # We only need to checkout as govuln does the go setup...
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - id: govulncheck
         uses: golang/govulncheck-action@v1
         with:
@@ -45,8 +51,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4 # v3.5.3
-      - name: Setup Go
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Golang
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
@@ -88,6 +95,7 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -106,6 +114,9 @@ jobs:
           tags: quay.io/jetstack/version-checker:${{github.sha}}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          attests: |-
+            type=sbom,generator=image
+            type=provenance,mode=max
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@0.30.0

.github/workflows/helm-docs.yaml

@@ -4,8 +4,8 @@ on:
   workflow_call:
   push:
     paths:
-      - '!*.md'
-      - 'deploy/charts/version-checker/**'
+      - "!*.md"
+      - "deploy/charts/version-checker/**"
     branches:
       - main
 

.github/workflows/helm-test.yaml

@@ -2,10 +2,10 @@ name: Test Helm Chart
 on:
   pull_request:
     paths:
-      - '!*.md'
-      - 'deploy/charts/version-checker/**'
+      - "!*.md"
+      - "deploy/charts/version-checker/**"
     branches:
-      - 'main'
+      - "main"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,14 +14,19 @@ concurrency:
 jobs:
   lint:
     permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Helm Chart
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
+      - name: Setup Golang
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
       - uses: azure/setup-helm@v4
 
       - run: helm lint deploy/charts/version-checker
@@ -33,9 +38,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: azure/setup-helm@v4
+      - name: Setup Golang
+        uses: actions/setup-go@v5
         with:
-          token: ${{ github.token }}
+          go-version-file: go.mod
+
+      - uses: azure/setup-helm@v4
 
       - name: Install helm Plugins
         run: |
@@ -57,7 +65,9 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: Install Kyverno CLI
         uses: kyverno/action-install-cli@v0.2.0
-      - uses: azure/setup-helm@v4
-      - run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)
+
+      - run: |-
+          kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)

.github/workflows/release.yaml

@@ -15,15 +15,19 @@ jobs:
   prepare-release:
     # Don't push back to a tag!
     if: ${{ !startsWith(github.ref, 'refs/tags/') }}
-    name: Prepair release
+    name: Prepare release
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Setup Golang
+        uses: actions/setup-go@v5
         with:
-          fetch-depth: 0
+          go-version-file: go.mod
+
       - uses: bhowell2/github-substring-action@1.0.2
         id: release_number
         with:
@@ -113,10 +117,8 @@ jobs:
   helm-release:
     runs-on: ubuntu-latest
     steps:
-      # Checkout our Repo
-      - uses: actions/checkout@v4
-        with:
-          path: version-checker
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: checkout jetstack-charts
         uses: actions/checkout@v4
@@ -134,6 +136,9 @@ jobs:
         run: |
           helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/
 
+      - name: Login to Quay.io
+        run: echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
+
       - name: Creating PR
         if: startsWith(github.ref, 'refs/tags/')
         uses: peter-evans/create-pull-request@v7
@@ -149,10 +154,16 @@ jobs:
           base: main
           draft: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
+      - name: Push to Quay
+        run: |-
+          helm push jetstack-charts/charts/version-checker-${{ github.ref_name }}.tgz oci://quay.io/quay.io/jetstack/version-checker/chart
+
   docker-release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -185,8 +196,6 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-
       - name: Create Release / Change Logs
         uses: softprops/action-gh-release@v2
         with:

cmd/app/app.go

@@ -59,7 +59,7 @@ func NewCommand(ctx context.Context) *cobra.Command {
 				return fmt.Errorf("failed to build kubernetes rest config: %s", err)
 			}
 
-			log.Infof("flag --test-all-containers=%t %s", opts.DefaultTestAll, defaultTestAllInfoMsg)
+			log.Warnf("flag --test-all-containers=%t %s", opts.DefaultTestAll, defaultTestAllInfoMsg)
 
 			mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
 				LeaderElection: false,
@@ -115,6 +115,7 @@ func NewCommand(ctx context.Context) *cobra.Command {
 				client,
 				mgr.GetClient(),
 				log,
+				opts.RequeueDuration,
 				opts.DefaultTestAll,
 			)
 

cmd/app/options.go

@@ -64,19 +64,26 @@ var (
 
 // Options is a struct to hold options for the version-checker.
 type Options struct {
+	kubeConfigFlags *genericclioptions.ConfigFlags
+
+	Client                client.Options
 	MetricsServingAddress string
-	DefaultTestAll        bool
-	CacheTimeout          time.Duration
 	LogLevel              string
 
-	PprofBindAddress        string
+	PprofBindAddress string
+	selfhosted       selfhosted.Options
+
+	CacheTimeout            time.Duration
+	RequeueDuration         time.Duration
 	GracefulShutdownTimeout time.Duration
 	CacheSyncPeriod         time.Duration
 
-	kubeConfigFlags *genericclioptions.ConfigFlags
-	selfhosted      selfhosted.Options
+	DefaultTestAll bool
+}
 
-	Client client.Options
+type envMatcher struct {
+	re     *regexp.Regexp
+	action func(matches []string, value string)
 }
 
 func (o *Options) addFlags(cmd *cobra.Command) {
@@ -124,6 +131,10 @@ func (o *Options) addAppFlags(fs *pflag.FlagSet) {
 		"The time for an image version in the cache to be considered fresh. Images "+
 			"will be rechecked after this interval.")
 
+	fs.DurationVarP(&o.RequeueDuration,
+		"requeue-duration", "r", time.Hour,
+		"The time a pod will be re-checked for new versions/tags")
+
 	fs.StringVarP(&o.LogLevel,
 		"log-level", "v", "info",
 		"Log level (debug, info, warn, error, fatal, panic).")
@@ -358,56 +369,81 @@ func (o *Options) assignSelfhosted(envs []string) {
 	}
 
 	initOptions := func(name string) {
+		if name == "" {
+			panic("Not meant to be empty!")
+		}
 		if o.Client.Selfhosted[name] == nil {
 			o.Client.Selfhosted[name] = new(selfhosted.Options)
 		}
 	}
 
-	regexActions := map[*regexp.Regexp]func(matches []string, value string){
-		selfhostedHostReg: func(matches []string, value string) {
-			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].Host = value
+	// Go maps iterate in random order - Using a slice to consistency
+	regexActions := []envMatcher{
+		{
+			re: selfhostedTokenPath,
+			action: func(matches []string, value string) {
+				initOptions(matches[1])
+				o.Client.Selfhosted[matches[1]].TokenPath = value
+			},
 		},
-		selfhostedUsernameReg: func(matches []string, value string) {
-			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].Username = value
+		{
+			re: selfhostedTokenReg,
+			action: func(matches []string, value string) {
+				initOptions(matches[1])
+				o.Client.Selfhosted[matches[1]].Bearer = value
+			},
 		},
-		selfhostedPasswordReg: func(matches []string, value string) {
-			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].Password = value
+		// All your other patterns (host, username, password, insecure, capath...)
+		{
+			re: selfhostedHostReg,
+			action: func(matches []string, value string) {
+				initOptions(matches[1])
+				o.Client.Selfhosted[matches[1]].Host = value
+			},
 		},
-		selfhostedTokenPath: func(matches []string, value string) {
-			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].TokenPath = value
+		{
+			re: selfhostedUsernameReg,
+			action: func(matches []string, value string) {
+				initOptions(matches[1])
+				o.Client.Selfhosted[matches[1]].Username = value
+			},
 		},
-		selfhostedTokenReg: func(matches []string, value string) {
-			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].Bearer = value
+		{
+			re: selfhostedPasswordReg,
+			action: func(matches []string, value string) {
+				initOptions(matches[1])
+				o.Client.Selfhosted[matches[1]].Password = value
+			},
 		},
-		selfhostedInsecureReg: func(matches []string, value string) {
-			initOptions(matches[1])
-			if val, err := strconv.ParseBool(value); err == nil {
-				o.Client.Selfhosted[matches[1]].Insecure = val
-			}
+		{
+			re: selfhostedInsecureReg,
+			action: func(matches []string, value string) {
+				initOptions(matches[1])
+				if b, err := strconv.ParseBool(value); err == nil {
+					o.Client.Selfhosted[matches[1]].Insecure = b
+				}
+			},
 		},
-		selfhostedCAPath: func(matches []string, value string) {
-			initOptions(matches[1])
-			o.Client.Selfhosted[matches[1]].CAPath = value
+		{
+			re: selfhostedCAPath,
+			action: func(matches []string, value string) {
+				initOptions(matches[1])
+				o.Client.Selfhosted[matches[1]].CAPath = value
+			},
 		},
 	}
 
 	for _, env := range envs {
-		pair := strings.SplitN(env, "=", 2)
-		if len(pair) != 2 || len(pair[1]) == 0 {
+		parts := strings.SplitN(env, "=", 2)
+		if len(parts) != 2 || parts[1] == "" {
 			continue
 		}
+		key := strings.ToUpper(parts[0])
+		val := parts[1]
 
-		key := strings.ToUpper(pair[0])
-		value := pair[1]
-
-		for regex, action := range regexActions {
-			if matches := regex.FindStringSubmatch(key); len(matches) == 2 {
-				action(matches, value)
+		for _, p := range regexActions {
+			if match := p.re.FindStringSubmatch(key); len(match) == 2 {
+				p.action(match, val)
 				break
 			}
 		}