feat(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.28.4 to 1.28.5 (#223)

Bumps
[github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2)
from 1.28.4 to 1.28.5.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d125de3792"><code>d125de3</code></a>
Release 2024-11-18</li>
<li><a
href="fec51f3fff"><code>fec51f3</code></a>
Regenerated Clients</li>
<li><a
href="fba5997045"><code>fba5997</code></a>
Update API model</li>
<li><a
href="0b8e5c842f"><code>0b8e5c8</code></a>
Bump smithy-go dependency (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2902">#2902</a>)</li>
<li><a
href="50ba45ce16"><code>50ba45c</code></a>
Release 2024-11-15.2</li>
<li><a
href="444bdffccd"><code>444bdff</code></a>
Regenerated Clients</li>
<li><a
href="55ab381b20"><code>55ab381</code></a>
Update endpoints model</li>
<li><a
href="94c083768b"><code>94c0837</code></a>
Update API model</li>
<li><a
href="2398a7903c"><code>2398a79</code></a>
Remove elastictranscoder service's integration test (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2901">#2901</a>)</li>
<li><a
href="93e0f294f6"><code>93e0f29</code></a>
Release 2024-11-15</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/config/v1.28.4...config/v1.28.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/aws/aws-sdk-go-v2/config&package-manager=go_modules&previous-version=1.28.4&new-version=1.28.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,19 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ""
+labels: bug
+assignees: ""
+---
+
+**What steps did you take and what happened:**
+[A clear and concise description of what the bug is.]
+
+**What did you expect to happen:**
+
+**Anything else you would like to add:**
+[Miscellaneous information that will assist in solving the issue.]
+
+**Environment:**
+
+- Attest version:

.github/ISSUE_TEMPLATE/feature-request.md

@@ -0,0 +1,13 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ""
+labels: enhancement
+assignees: ""
+---
+
+**Describe the solution you'd like**
+[A clear and concise description of what you want to happen.]
+
+**Anything else you would like to add:**
+[Miscellaneous information that will assist in solving the issue.]

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,11 @@
+## Summary
+
+<!-- Description of why the pull request is needed and what it changes -->
+
+### Tests
+
+<!-- Provide evidence of testing -->
+
+### Issue
+
+<!-- Link to issue that this is part of -->

.github/dco.yml

@@ -0,0 +1,2 @@
+require:
+  members: false

.github/release-drafter-config.yml

@@ -14,6 +14,9 @@ categories:
   - title: "🧰 Maintenance"
     labels:
       - "chore"
+  - title: "💥 Breaking Changes"
+    labels:
+      - "breaking"
 
 change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
 change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
@@ -21,6 +24,7 @@ version-resolver:
   major:
     labels:
       - "major"
+      - "breaking"
   minor:
     labels:
       - "minor"
@@ -37,26 +41,19 @@ autolabeler:
   - label: "chore"
     files:
       - "*.md"
-    branch:
-      - '/docs{0,1}\/.+/'
-      - '/tests{0,1}\/.+/'
-      - '/chore{0,1}\/.+/'
     title:
-      - "/docs/i"
-      - "/test/i"
-      - "/chore/i"
+      - "/^docs!?:/i"
+      - "/^test!?:/i"
+      - "/^chore!?:/i"
+      - "/^refactor!?:/i"
   - label: "bug"
-    branch:
-      - '/fix\/.+/'
-      - '/revert\/.+/'
     title:
-      - "/fix/i"
-      - "/revert/i"
+      - "/^fix!?:/i"
+      - "/^revert!?:/i"
   - label: "feature"
-    branch:
-      - '/feature\/.+/'
-      - '/feat\/.+/'
-      - '/add\/.+/'
     title:
-      - "/feat/i"
-      - "/add/i"
+      - "/^feat!?:/i"
+      - "/^add!?:/i"
+  - label: "breaking"
+    title:
+      - "/^[a-zA-Z]+!:/i"

.github/workflows/release.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Generate GitHub App Token
         id: app-token
-        uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         with:
             app-id: ${{ vars.ATTEST_RELEASE_APP_ID }}
             private-key: ${{ secrets.ATTEST_RELEASE_APP_PRIVATE_KEY }}

.github/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
       id-token: write
     strategy:
       matrix:
-        go-version: [1.22.x]
+        go-version: [1.22.x, 1.23.x]
         # temp disable windows tests see https://github.com/docker/image-signer-verifier/pull/154
         # os: [ubuntu-latest, macos-latest, windows-latest]
         os: [ubuntu-latest, macos-latest]
@@ -56,7 +56,7 @@ jobs:
         run: go test -v ./...
       - name: Upload coverage to Codecov
         if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           file: ./coverage.out
           flags: unittests

.gitignore

@@ -19,3 +19,4 @@
 
 # Go workspace file
 go.work
+.aider*

CODE-OF-CONDUCT.md

@@ -0,0 +1,131 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official email address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by submitting an [incident report](https://docs.google.com/forms/d/e/1FAIpQLScezna1ZXRPzC_phSDoPEF4c5nvw8yQW-vvtI8xHjv-BB9MOg/viewform?c=0&w=1).
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+[https://www.contributor-covenant.org/version/2/0/code_of_conduct.html][v2.0].
+
+Community Impact Guidelines were inspired by 
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available 
+at [https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.0]: https://www.contributor-covenant.org/version/2/0/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

NOTICE

@@ -0,0 +1,15 @@
+Docker attest
+Copyright Docker attest authors
+
+This product includes software developed at Docker, Inc. (https://www.docker.com).
+
+The following is courtesy of our legal counsel:
+
+Use and transfer of Docker may be subject to certain restrictions by the
+United States and other governments.
+It is your responsibility to ensure that your use and/or transfer does not
+violate applicable laws.
+
+For more information, please see https://www.bis.doc.gov
+
+See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.

README.md

@@ -40,9 +40,6 @@ Examples of attestations include statements about the provenance and SBOM of an
 This library can be used to verify these attestations using Rego policy.
 Policy can be used to check whether an attestation is correctly signed, and that the contents of the attestation are correct.
 
-Our overall goal with this project is adoption of the ideas into other open-source projects, rather than to create another standalone tool.
-It would be a great outcome if this library was no longer needed because the functionality was built into other tools.
-
 # Features
 
 - Sign in-toto attestations
@@ -66,7 +63,7 @@ See [Policy Mapping](#policy-mapping) for more details.
 
 The `attest.Verify` function returns a `VerificationSummary` object, which contains the results of the policy evaluation.
 
-See [example_verify_test.go](./pkg/attest/example_verify_test.go) for an example of how to verify an image against a policy.
+See [example_verify_test.go](./example_verify_test.go) for an example of how to verify an image against a policy.
 
 ## Signing Attestations
 
@@ -76,7 +73,7 @@ This function takes a statement and DSSE signer, and returns a signed DSSE envel
 For the common use case of signing a statement and adding it to a manifest, e.g. for pushing to a registry as a referrer to the image being attested, the `attestation.AttestationManifest` type can be used.
 See [example_attestation_manifest_test.go](./pkg/attestation/example_attestation_manifest_test.go)
 
-See also [example_sign_test.go](./pkg/attest/example_sign_test.go) for an example of how to sign all attached in-toto statements on an image, e.g. those produced by buildkit.
+See also [example_sign_test.go](./example_sign_test.go) for an example of how to sign all attached in-toto statements on an image, e.g. those produced by buildkit.
 
 # Rego Policy
 
@@ -203,8 +200,14 @@ rules:
   - pattern: "^docker[.]io/library/(.*)$"
     policy-id: docker-official-images
   - pattern: "^public[.]ecr[.]aws/docker/library/(.*)$"
+    platforms: ["linux/amd64"] # optional: restrict image platforms for matching policies (default: all)
     rewrite: docker.io/library/$1
 ```
+`platforms` in the second rule above is optional and can be used to restrict the platforms for which the policy
+ is evaluated. If the `platforms` field is not present, the policy will be applied to all platforms.
+ It's important to note that the `platforms` field is a filter, and is applied before the `pattern`
+ field is processed, so both `platforms` and `pattern` need to match in order for the policy to be selected
+ (or the rewrite to be processed if present).
 
 As before, any repository in the `docker.io/library` namespace will be evaluated against the policy in `doi/policy.rego`.
 The second rule will rewrite any repository in the `public.ecr.aws/docker/library` namespace to `docker.io/library`.

attestation/attestation.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation
 
 import (
@@ -8,7 +24,7 @@ import (
 	"maps"
 	"strings"
 
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
@@ -96,8 +112,9 @@ func layersFromImage(image v1.Image) ([]*Layer, error) {
 		// copy original annotations
 		ann := maps.Clone(layerDesc.Annotations)
 		// only decode intoto statements
-		stmt := new(intoto.Statement)
+		var stmt *intoto.Statement
 		if mt == types.MediaType(intoto.PayloadType) {
+			stmt = new(intoto.Statement)
 			err = json.NewDecoder(r).Decode(&stmt)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode statement layer contents: %w", err)
@@ -315,8 +332,8 @@ func buildImageFromLayers(layers []*Layer, manifest *v1.Descriptor, subject *v1.
 	return newImg, nil
 }
 
-func ExtractEnvelopes(manifest *Manifest, predicateType string) ([]*Envelope, error) {
-	var envs []*Envelope
+func ExtractEnvelopes(manifest *Manifest, predicateType string) ([]*EnvelopeReference, error) {
+	var envs []*EnvelopeReference
 	dsseMediaType, err := DSSEMediaType(predicateType)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
@@ -332,11 +349,20 @@ func ExtractEnvelopes(manifest *Manifest, predicateType string) ([]*Envelope, er
 				return nil, fmt.Errorf("failed to get layer contents: %w", err)
 			}
 			defer reader.Close()
-			env := new(Envelope)
+			env := new(EnvelopeReference)
 			err = json.NewDecoder(reader).Decode(&env)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode envelope: %w", err)
 			}
+			var uri string
+			if len(manifest.OriginalDescriptor.URLs) > 0 {
+				uri = manifest.OriginalDescriptor.URLs[0]
+			}
+			env.ResourceDescriptor = &ResourceDescriptor{
+				MediaType: string(mt),
+				Digest:    map[string]string{manifest.OriginalDescriptor.Digest.Algorithm: manifest.OriginalDescriptor.Digest.Hex},
+				URI:       uri,
+			}
 			envs = append(envs, env)
 		}
 	}

attestation/attestation_test.go

@@ -0,0 +1,34 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation_test
+
+import (
+	"testing"
+
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/internal/test"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/stretchr/testify/assert"
+)
+
+const ExpectedStatements = 4
+
+func TestExtractAnnotatedStatements(t *testing.T) {
+	statements, err := attestation.ExtractAnnotatedStatements(test.UnsignedTestIndex(".."), intoto.PayloadType)
+	assert.NoError(t, err)
+	assert.Equalf(t, len(statements), ExpectedStatements, "expected %d statement, got %d", ExpectedStatements, len(statements))
+}

attestation/example_attestation_manifest_test.go

@@ -1,12 +1,28 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation_test
 
 import (
 	"context"
 	"time"
 
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/signerverifier"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
@@ -26,12 +42,12 @@ func ExampleManifest() {
 
 	// configure signing options
 	opts := &attestation.SigningOptions{
-		SkipTL: true, // skip trust logging to a transparency log
+		TransparencyLog: nil, // set this to log to a transparency log
 	}
 
 	ref := "docker/image-signer-verifier:latest"
 
-	digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+	digest, err := v1.NewHash("sha256:7ae6b41655929ad8e1848064874a98ac3f68884996c79907f6525e3045f75390")
 	if err != nil {
 		panic(err)
 	}
@@ -82,7 +98,8 @@ func ExampleManifest() {
 	if err != nil {
 		panic(err)
 	}
-	err = oci.SaveImagesNoTag(artifacts, output)
+	ctx := context.Background()
+	err = oci.SaveImagesNoTag(ctx, artifacts, output)
 	if err != nil {
 		panic(err)
 	}

attestation/layout.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation
 
 import (
@@ -5,12 +21,18 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/docker/attest/pkg/oci"
+	containerd "github.com/containerd/containerd/v2/core/images"
+	"github.com/distribution/reference"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // implementation of Resolver that closes over attestations from an oci layout.
+
+var _ Resolver = (*LayoutResolver)(nil)
+
 type LayoutResolver struct {
 	*Manifest
 	*oci.ImageSpec
@@ -39,8 +61,8 @@ func (r *LayoutResolver) fetchManifest() (*Manifest, error) {
 	return r.Manifest, nil
 }
 
-func (r *LayoutResolver) Attestations(_ context.Context, predicateType string) ([]*Envelope, error) {
-	var envs []*Envelope
+func (r *LayoutResolver) Attestations(_ context.Context, predicateType string) ([]*EnvelopeReference, error) {
+	var envs []*EnvelopeReference
 	dsseMediaType, err := DSSEMediaType(predicateType)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)
@@ -54,17 +76,26 @@ func (r *LayoutResolver) Attestations(_ context.Context, predicateType string) (
 		if mts != dsseMediaType {
 			continue
 		}
-		env := new(Envelope)
+		env := new(EnvelopeReference)
 		// parse layer blob as json
-		r, err := attestationLayer.Layer.Uncompressed()
+		layer, err := attestationLayer.Layer.Uncompressed()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get layer contents: %w", err)
 		}
-		defer r.Close()
-		err = json.NewDecoder(r).Decode(env)
+		defer layer.Close()
+		err = json.NewDecoder(layer).Decode(env)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decode envelope: %w", err)
 		}
+		var uri string
+		if len(r.Manifest.OriginalDescriptor.URLs) > 0 {
+			uri = r.Manifest.OriginalDescriptor.URLs[0]
+		}
+		env.ResourceDescriptor = &ResourceDescriptor{
+			MediaType: string(mt),
+			Digest:    map[string]string{r.Manifest.OriginalDescriptor.Digest.Algorithm: r.Manifest.OriginalDescriptor.Digest.Hex},
+			URI:       uri,
+		}
 		envs = append(envs, env)
 	}
 	return envs, nil
@@ -83,30 +114,49 @@ func (r *LayoutResolver) ImagePlatform(_ context.Context) (*v1.Platform, error)
 }
 
 func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error) {
-	idx, err := layout.ImageIndexFromPath(path)
+	layoutIndex, err := layout.ImageIndexFromPath(path)
 	if err != nil {
 		return nil, err
 	}
 
-	idxm, err := idx.IndexManifest()
+	layoutIndexManifest, err := layoutIndex.IndexManifest()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get digest: %w", err)
 	}
 
-	idxDescriptor := idxm.Manifests[0]
-	idxDigest := idxDescriptor.Digest
-
-	mfs, err := idx.ImageIndex(idxDigest)
-	if err != nil {
-		return nil, fmt.Errorf("failed to extract ImageIndex for digest %s: %w", idxDigest.String(), err)
+	layoutDescriptor := layoutIndexManifest.Manifests[0]
+	layoutDescriptorDigest := layoutDescriptor.Digest
+	subjectName := layoutDescriptor.Annotations[ocispec.AnnotationRefName]
+	if _, err := reference.ParseNamed(subjectName); err != nil {
+		// try the containerd annotation if the org.opencontainers.image.ref.name is not a full name
+		subjectName = layoutDescriptor.Annotations[containerd.AnnotationImageName]
+		if _, err := reference.ParseNamed(subjectName); err != nil {
+			return nil, fmt.Errorf("failed to find subject name in annotations")
+		}
 	}
-	mfs2, err := mfs.IndexManifest()
+
+	// check if digest refers to an image or an index
+	_, err = layoutIndex.Image(layoutDescriptorDigest)
+	if err == nil {
+		return &Manifest{
+			OriginalLayers:     nil,
+			OriginalDescriptor: nil,
+			SubjectName:        subjectName,
+			SubjectDescriptor:  &layoutDescriptor,
+		}, nil
+	}
+
+	subjectIndex, err := layoutIndex.ImageIndex(layoutDescriptorDigest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract ImageIndex for digest %s: %w", layoutDescriptorDigest.String(), err)
+	}
+	subjectIndexManifest, err := subjectIndex.IndexManifest()
 	if err != nil {
 		return nil, fmt.Errorf("failed to extract IndexManifest from ImageIndex: %w", err)
 	}
 	var subjectDescriptor *v1.Descriptor
-	for i := range mfs2.Manifests {
-		manifest := &mfs2.Manifests[i]
+	for i := range subjectIndexManifest.Manifests {
+		manifest := &subjectIndexManifest.Manifests[i]
 		if manifest.Platform != nil {
 			if manifest.Platform.Equals(*platform) {
 				subjectDescriptor = manifest
@@ -117,8 +167,8 @@ func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error
 	if subjectDescriptor == nil {
 		return nil, fmt.Errorf("platform not found in index")
 	}
-	for i := range mfs2.Manifests {
-		mf := &mfs2.Manifests[i]
+	for i := range subjectIndexManifest.Manifests {
+		mf := &subjectIndexManifest.Manifests[i]
 		if mf.Annotations[DockerReferenceType] != AttestationManifestType {
 			continue
 		}
@@ -127,7 +177,7 @@ func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error
 			continue
 		}
 
-		attestationImage, err := mfs.Image(mf.Digest)
+		attestationImage, err := subjectIndex.Image(mf.Digest)
 		if err != nil {
 			return nil, fmt.Errorf("failed to extract attestation image with digest %s: %w", mf.Digest.String(), err)
 		}
@@ -138,7 +188,7 @@ func manifestFromOCILayout(path string, platform *v1.Platform) (*Manifest, error
 		attest := &Manifest{
 			OriginalLayers:     layers,
 			OriginalDescriptor: mf,
-			SubjectName:        idxDescriptor.Annotations["org.opencontainers.image.ref.name"],
+			SubjectName:        subjectName,
 			SubjectDescriptor:  subjectDescriptor,
 		}
 		return attest, nil

attestation/layout_test.go

@@ -0,0 +1,123 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation_test
+
+import (
+	"context"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/docker/attest"
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAttestationFromOCILayout(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	outputLayout := test.CreateTempDir(t, "", "attest-oci-layout")
+
+	invalidPlatform := &v1.Platform{
+		Architecture: "invalid",
+		OS:           "invalid",
+	}
+
+	opts := &attestation.SigningOptions{}
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
+	require.NoError(t, err)
+	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+	require.NoError(t, err)
+	signedIndex := attIdx.Index
+	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
+	require.NoError(t, err)
+	spec, err := oci.ParseImageSpec(oci.LocalPrefix + outputLayout)
+	require.NoError(t, err)
+	err = oci.SaveIndex(ctx, []*oci.ImageSpec{spec}, signedIndex, "docker.io/library/test-image:test")
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name     string
+		platform *v1.Platform
+		errorStr string
+	}{
+		{name: "nominal", platform: spec.Platform},
+		{name: "invalid platform", platform: invalidPlatform, errorStr: "platform not found in index"},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			spec := &oci.ImageSpec{
+				Type:       oci.OCI,
+				Identifier: outputLayout,
+				Platform:   tc.platform,
+			}
+			resolver, err := policy.CreateImageDetailsResolver(spec)
+			if tc.errorStr != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.errorStr)
+				return
+			}
+			require.NoError(t, err)
+			desc, err := resolver.ImageDescriptor(ctx)
+			require.NoError(t, err)
+			digest := desc.Digest.String()
+			assert.True(t, strings.Contains(digest, "sha256:"))
+		})
+	}
+}
+
+func TestSubjectNameAnnotations(t *testing.T) {
+	testCases := []struct {
+		name          string
+		ociLayoutPath string
+		errorStr      string
+	}{
+		{name: "oci annotation", ociLayoutPath: test.UnsignedTestIndex("..")},
+		{name: "containerd annotation", ociLayoutPath: filepath.Join("..", "test", "testdata", "containerd-subject-layout")},
+		{name: "missing subject name", ociLayoutPath: filepath.Join("..", "test", "testdata", "missing-subject-layout"), errorStr: "failed to find subject name in annotations"},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			spec, err := oci.ParseImageSpec(oci.LocalPrefix+tc.ociLayoutPath, oci.WithPlatform("linux/arm64"))
+			require.NoError(t, err)
+			_, err = policy.CreateImageDetailsResolver(spec)
+			if tc.errorStr != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.errorStr)
+				return
+			}
+			require.NoError(t, err)
+		})
+	}
+}
+
+func TestImageDetailsFromImageLayout(t *testing.T) {
+	spec, err := oci.ParseImageSpec(oci.LocalPrefix+test.UnsignedTestImage(".."), oci.WithPlatform("linux/arm64"))
+	require.NoError(t, err)
+	resolver, err := policy.CreateImageDetailsResolver(spec)
+	require.NoError(t, err)
+	desc, err := resolver.ImageDescriptor(context.Background())
+	require.NoError(t, err)
+	digest := desc.Digest.String()
+	assert.Equal(t, "sha256:7ae6b41655929ad8e1848064874a98ac3f68884996c79907f6525e3045f75390", digest)
+}

attestation/mock.go

@@ -0,0 +1,86 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation
+
+import (
+	"context"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/oci"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+// ensure MockResolver implements Resolver.
+var _ oci.ImageDetailsResolver = MockResolver{}
+
+type MockResolver struct {
+	Envs         []*EnvelopeReference
+	Image        string
+	PlatformFn   func() (*v1.Platform, error)
+	DescriptorFn func() (*v1.Descriptor, error)
+	ImangeNameFn func() (string, error)
+}
+
+func (r MockResolver) Attestations(_ context.Context, _ string) ([]*EnvelopeReference, error) {
+	return r.Envs, nil
+}
+
+func (r MockResolver) ImageName(_ context.Context) (string, error) {
+	if r.Image != "" {
+		return r.Image, nil
+	}
+	if r.ImangeNameFn != nil {
+		return r.ImangeNameFn()
+	}
+	return "library/alpine:latest", nil
+}
+
+func (r MockResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error) {
+	if r.DescriptorFn != nil {
+		return r.DescriptorFn()
+	}
+	digest, err := v1.NewHash(test.UnsignedLinuxAMD64ImageDigest)
+	if err != nil {
+		return nil, err
+	}
+	return &v1.Descriptor{
+		Digest:    digest,
+		Size:      1234,
+		MediaType: "application/vnd.oci.image.manifest.v1+json",
+	}, nil
+}
+
+func (r MockResolver) ImagePlatform(_ context.Context) (*v1.Platform, error) {
+	if r.PlatformFn != nil {
+		return r.PlatformFn()
+	}
+	return oci.ParsePlatform("linux/amd64")
+}
+
+type MockRegistryResolver struct {
+	Subject      *v1.Descriptor
+	ImageNameStr string
+	*MockResolver
+}
+
+func (r *MockRegistryResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error) {
+	return r.Subject, nil
+}
+
+func (r *MockRegistryResolver) ImageName(_ context.Context) (string, error) {
+	return r.ImageNameStr, nil
+}

attestation/referrers.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation
 
 import (
@@ -5,11 +21,14 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 )
 
+// ensure ReferrersResolver implements Resolver.
+var _ Resolver = &ReferrersResolver{}
+
 type ReferrersResolver struct {
 	referrersRepo string
 	oci.ImageDetailsResolver
@@ -106,12 +125,12 @@ func (r *ReferrersResolver) resolveAttestations(ctx context.Context, predicateTy
 	return aManifests, nil
 }
 
-func (r *ReferrersResolver) Attestations(ctx context.Context, predicateType string) ([]*Envelope, error) {
+func (r *ReferrersResolver) Attestations(ctx context.Context, predicateType string) ([]*EnvelopeReference, error) {
 	manifests, err := r.resolveAttestations(ctx, predicateType)
 	if err != nil {
 		return nil, fmt.Errorf("failed to resolve attestations: %w", err)
 	}
-	var envs []*Envelope
+	var envs []*EnvelopeReference
 	for _, attest := range manifests {
 		es, err := ExtractEnvelopes(attest, predicateType)
 		if err != nil {

attestation/referrers_test.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation_test
 
 import (
@@ -7,12 +23,12 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/docker/attest"
+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/mapping"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/registry"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -21,18 +37,17 @@ import (
 )
 
 var (
-	NoProvenanceImage   = filepath.Join("..", "..", "test", "testdata", "no-provenance-image")
-	PassPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-pass")
-	LocalPolicy         = filepath.Join("..", "..", "test", "testdata", "local-policy")
-	LocalPolicyAttached = filepath.Join("..", "..", "test", "testdata", "local-policy-attached")
-	PassNoTLPolicyDir   = filepath.Join("..", "..", "test", "testdata", "local-policy-no-tl")
-	FailPolicyDir       = filepath.Join("..", "..", "test", "testdata", "local-policy-fail")
+	NoProvenanceImage   = filepath.Join("..", "test", "testdata", "no-provenance-image")
+	PassPolicyDir       = filepath.Join("..", "test", "testdata", "local-policy-pass")
+	LocalPolicy         = filepath.Join("..", "test", "testdata", "local-policy")
+	LocalPolicyAttached = filepath.Join("..", "test", "testdata", "local-policy-attached")
+	PassNoTLPolicyDir   = filepath.Join("..", "test", "testdata", "local-policy-no-tl")
+	FailPolicyDir       = filepath.Join("..", "test", "testdata", "local-policy-fail")
 	TestTempDir         = "attest-sign-test"
 )
 
 func TestAttestationReferenceTypes(t *testing.T) {
 	ctx, signer := test.Setup(t)
-	ctx = policy.WithPolicyEvaluator(ctx, policy.NewRegoEvaluator(true))
 	platforms := []string{"linux/amd64", "linux/arm64"}
 	for _, tc := range []struct {
 		name              string
@@ -40,42 +55,43 @@ func TestAttestationReferenceTypes(t *testing.T) {
 		referrersServer   *httptest.Server
 		useDigest         bool
 		referrersRepo     string
-		attestationSource config.AttestationStyle
+		attestationSource mapping.AttestationStyle
 		expectFailure     bool
 	}{
 		{
 			name:   "referrers support, defaults",
-			server: httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
 		},
 		{
 			name:      "use digest",
-			server:    httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			server:    test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
 			useDigest: true,
 		},
 		{
 			name:              "attached attestations, referrers repo (mismatched args)",
-			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			server:            test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
 			expectFailure:     true, // mismatched args
-			attestationSource: config.AttestationStyleAttached,
+			attestationSource: mapping.AttestationStyleAttached,
 			referrersRepo:     "referrers",
 		},
 		{
 			name:              "referrers attestations, referrers repo (no policy)",
-			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			server:            test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
 			expectFailure:     true, // no policy
-			attestationSource: config.AttestationStyleReferrers,
+			attestationSource: mapping.AttestationStyleReferrers,
 			referrersRepo:     "referrers",
 		},
 		{
 			name:              "referrers attestations",
-			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
-			attestationSource: config.AttestationStyleReferrers,
+			server:            test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
+			attestationSource: mapping.AttestationStyleReferrers,
 		},
 		{
-			name:              "referrers attestations, no referrers support on server",
-			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(false))),
-			attestationSource: config.AttestationStyleReferrers,
-			referrersServer:   httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			name:   "referrers attestations, no referrers support on server",
+			server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(false)),
+
+			attestationSource: mapping.AttestationStyleReferrers,
+			referrersServer:   test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
@@ -88,10 +104,8 @@ func TestAttestationReferenceTypes(t *testing.T) {
 			u, err := url.Parse(s.URL)
 			require.NoError(t, err)
 
-			opts := &attestation.SigningOptions{
-				SkipTL: true,
-			}
-			attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+			opts := &attestation.SigningOptions{}
+			attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 			require.NoError(t, err)
 
 			indexName := fmt.Sprintf("%s/repo:root", u.Host)
@@ -110,7 +124,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
 
 			// push subject image so that it can be resolved
 			require.NoError(t, err)
-			err = oci.PushIndexToRegistry(attIdx.Index, indexName)
+			err = oci.PushIndexToRegistry(ctx, attIdx.Index, indexName)
 			require.NoError(t, err)
 
 			// upload referrers
@@ -119,7 +133,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
 			for _, attIdx := range signedManifests {
 				images, err := attIdx.BuildReferringArtifacts()
 				require.NoError(t, err)
-				err = oci.SaveImagesNoTag(images, []*oci.ImageSpec{output})
+				err = oci.SaveImagesNoTag(ctx, images, []*oci.ImageSpec{output})
 				require.NoError(t, err)
 			}
 
@@ -191,13 +205,13 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 	}{
 		{
 			name:      "referrers support",
-			server:    httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
-			refServer: httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			server:    test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
+			refServer: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
 		},
 		{
 			name:      "no referrers support",
-			server:    httptest.NewServer(registry.New()),
-			refServer: httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
+			server:    test.NewLocalRegistry(ctx, registry.WithReferrersSupport(false)),
+			refServer: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
 		},
 	} {
 		server := tc.server
@@ -210,14 +224,12 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 		refServerURL, err := url.Parse(refServer.URL)
 		require.NoError(t, err)
 
-		opts := &attestation.SigningOptions{
-			SkipTL: true,
-		}
-		attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+		opts := &attestation.SigningOptions{}
+		attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 		require.NoError(t, err)
 
 		indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)
-		err = oci.PushIndexToRegistry(attIdx.Index, indexName)
+		err = oci.PushIndexToRegistry(ctx, attIdx.Index, indexName)
 		require.NoError(t, err)
 
 		signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
@@ -228,7 +240,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 			// push references using subject-digest.att convention
 			image, err := signedManifest.BuildImage()
 			require.NoError(t, err)
-			err = oci.PushImageToRegistry(image, fmt.Sprintf("%s/%s:tag-does-not-matter", refServerURL.Host, repoName))
+			err = oci.PushImageToRegistry(ctx, image, fmt.Sprintf("%s/%s:tag-does-not-matter", refServerURL.Host, repoName))
 			require.NoError(t, err)
 
 			refServer := tc.refServer
@@ -236,14 +248,12 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 			refServerURL, err := url.Parse(refServer.URL)
 			require.NoError(t, err)
 
-			opts := &attestation.SigningOptions{
-				SkipTL: true,
-			}
-			attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+			opts := &attestation.SigningOptions{}
+			attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 			require.NoError(t, err)
 
 			indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)
-			err = oci.PushIndexToRegistry(attIdx.Index, indexName)
+			err = oci.PushIndexToRegistry(ctx, attIdx.Index, indexName)
 			require.NoError(t, err)
 
 			signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
@@ -255,7 +265,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 				imgs, err := mf.BuildReferringArtifacts()
 				require.NoError(t, err)
 				for _, img := range imgs {
-					err = oci.PushImageToRegistry(img, fmt.Sprintf("%s/%s:tag-does-not-matter", refServerURL.Host, repoName))
+					err = oci.PushImageToRegistry(ctx, img, fmt.Sprintf("%s/%s:tag-does-not-matter", refServerURL.Host, repoName))
 					require.NoError(t, err)
 				}
 			}
@@ -284,22 +294,19 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 
 func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
 	ctx, signer := test.Setup(t)
-	server := httptest.NewServer(registry.New())
-
-	defer server.Close()
-	serverURL, err := url.Parse(server.URL)
+	regServer := test.NewLocalRegistry(ctx, registry.WithReferrersSupport(false))
+	defer regServer.Close()
+	serverURL, err := url.Parse(regServer.URL)
 	require.NoError(t, err)
 
 	repoName := "repo"
 
-	opts := &attestation.SigningOptions{
-		SkipTL: true,
-	}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+	opts := &attestation.SigningOptions{}
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 	require.NoError(t, err)
 
 	indexName := fmt.Sprintf("%s/%s:latest", serverURL.Host, repoName)
-	err = oci.PushIndexToRegistry(attIdx.Index, indexName)
+	err = oci.PushIndexToRegistry(ctx, attIdx.Index, indexName)
 	require.NoError(t, err)
 
 	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
@@ -310,14 +317,14 @@ func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
 		imgs, err := mf.BuildReferringArtifacts()
 		require.NoError(t, err)
 		for _, img := range imgs {
-			err = oci.PushImageToRegistry(img, fmt.Sprintf("%s/%s:tag-does-not-matter", serverURL.Host, repoName))
+			err = oci.PushImageToRegistry(ctx, img, fmt.Sprintf("%s/%s:tag-does-not-matter", serverURL.Host, repoName))
 			require.NoError(t, err)
 			mf, err := img.Manifest()
 			require.NoError(t, err)
 			subject := mf.Subject
 			subjectRef, err := name.ParseReference(fmt.Sprintf("%s/%s:sha256-%s", serverURL.Host, repoName, subject.Digest.Hex))
 			require.NoError(t, err)
-			idx, err := remote.Index(subjectRef)
+			idx, err := remote.Index(subjectRef, oci.WithOptions(ctx, nil)...)
 			require.NoError(t, err)
 			imf, err := idx.IndexManifest()
 			require.NoError(t, err)

attestation/registry.go

@@ -1,15 +1,34 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation
 
 import (
 	"context"
 	"fmt"
 
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 )
 
+// ensure RegistryResolver implements Resolver.
+var _ Resolver = &RegistryResolver{}
+
 type RegistryResolver struct {
 	*oci.RegistryImageDetailsResolver
 	*Manifest
@@ -21,7 +40,7 @@ func NewRegistryResolver(src *oci.RegistryImageDetailsResolver) (*RegistryResolv
 	}, nil
 }
 
-func (r *RegistryResolver) Attestations(ctx context.Context, predicateType string) ([]*Envelope, error) {
+func (r *RegistryResolver) Attestations(ctx context.Context, predicateType string) ([]*EnvelopeReference, error) {
 	if r.Manifest == nil {
 		attest, err := FetchManifest(ctx, r.Identifier, r.ImageSpec.Platform)
 		if err != nil {

attestation/registry_test.go

@@ -0,0 +1,75 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation_test
+
+import (
+	"fmt"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/docker/attest"
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
+	"github.com/google/go-containerregistry/pkg/registry"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRegistry(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	regServer := test.NewLocalRegistry(ctx, registry.WithReferrersSupport(false))
+	defer regServer.Close()
+	u, err := url.Parse(regServer.URL)
+	require.NoError(t, err)
+
+	opts := &attestation.SigningOptions{}
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
+	require.NoError(t, err)
+	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+	require.NoError(t, err)
+	signedIndex := attIdx.Index
+	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
+	require.NoError(t, err)
+
+	indexName := fmt.Sprintf("%s/repo:root", u.Host)
+	require.NoError(t, err)
+	err = oci.PushIndexToRegistry(ctx, signedIndex, indexName)
+	require.NoError(t, err)
+
+	spec, err := oci.ParseImageSpec(indexName)
+	require.NoError(t, err)
+
+	resolver, err := policy.CreateImageDetailsResolver(spec)
+	require.NoError(t, err)
+	desc, err := resolver.ImageDescriptor(ctx)
+	require.NoError(t, err)
+	digest := desc.Digest.String()
+	assert.True(t, strings.Contains(digest, "sha256:"))
+
+	// resolver also works with platform specific digest
+	spec, err = oci.ParseImageSpec(fmt.Sprintf("%s@%s", indexName, digest))
+	require.NoError(t, err)
+
+	resolver, err = policy.CreateImageDetailsResolver(spec)
+	require.NoError(t, err)
+	desc, err = resolver.ImageDescriptor(ctx)
+	require.NoError(t, err)
+	assert.Equal(t, desc.Digest.String(), digest)
+}

attestation/resolver.go

@@ -0,0 +1,28 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation
+
+import (
+	"context"
+
+	"github.com/docker/attest/oci"
+)
+
+type Resolver interface {
+	oci.ImageDetailsResolver
+	Attestations(ctx context.Context, mediaType string) ([]*EnvelopeReference, error)
+}

attestation/sign.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation
 
 import (
@@ -5,7 +21,7 @@ import (
 	"fmt"
 
 	"github.com/docker/attest/internal/util"
-	"github.com/docker/attest/pkg/tlog"
+	"github.com/docker/attest/tlog"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )
@@ -37,10 +53,10 @@ func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, o
 		KeyID: keyID,
 		Sig:   base64Encoding.EncodeToString(sig),
 	}
-	if !opts.SkipTL {
-		ext, err := logSignature(ctx, tlog.GetTL(ctx), &sig, &encPayload, signer)
+	if opts.TransparencyLog != nil {
+		ext, err := logSignature(ctx, opts.TransparencyLog, sig, encPayload, signer)
 		if err != nil {
-			return nil, fmt.Errorf("failed to log to rekor: %w", err)
+			return nil, fmt.Errorf("failed to log signature: %w", err)
 		}
 		dsseSig.Extension = ext
 	}
@@ -51,27 +67,21 @@ func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, o
 }
 
 // returns a new envelope with the transparency log entry added to the signature extension.
-func logSignature(ctx context.Context, t tlog.TL, sig *[]byte, encPayload *[]byte, signer dsse.SignerVerifier) (*Extension, error) {
+func logSignature(ctx context.Context, t tlog.TransparencyLog, sig []byte, encPayload []byte, signer dsse.SignerVerifier) (*Extension, error) {
 	// get Key ID from signer
 	keyID, err := signer.KeyID()
 	if err != nil {
 		return nil, fmt.Errorf("error getting public key ID: %w", err)
 	}
-	entry, err := t.UploadLogEntry(ctx, keyID, *encPayload, *sig, signer)
+	entry, err := t.UploadEntry(ctx, keyID, encPayload, sig, signer)
 	if err != nil {
 		return nil, fmt.Errorf("error uploading TL entry: %w", err)
 	}
-	entryObj, err := t.UnmarshalEntry(entry)
-	if err != nil {
-		return nil, fmt.Errorf("error unmarshaling tl entry: %w", err)
-	}
+
 	return &Extension{
 		Kind: DockerDSSEExtKind,
 		Ext: &DockerDSSEExtension{
-			TL: &DockerTLExtension{
-				Kind: RekorTLExtKind,
-				Data: entryObj, // transparency log entry metadata
-			},
+			TL: entry,
 		},
 	}, nil
 }

attestation/sign_test.go

@@ -1,20 +1,37 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation_test
 
 import (
+	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"encoding/json"
 	"fmt"
-	"net/http/httptest"
 	"net/url"
 	"testing"
 	"time"
 
+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/signerverifier"
+	"github.com/docker/attest/tlog"
 	"github.com/google/go-containerregistry/pkg/registry"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/static"
@@ -36,7 +53,10 @@ func TestSignVerifyAttestation(t *testing.T) {
 
 	payload, err := json.Marshal(stmt)
 	require.NoError(t, err)
-	opts := &attestation.SigningOptions{}
+	tl := tlog.GetMockTL()
+	opts := &attestation.SigningOptions{
+		TransparencyLog: tl,
+	}
 	env, err := attestation.SignDSSE(ctx, payload, signer, opts)
 	require.NoError(t, err)
 
@@ -147,8 +167,17 @@ func TestSignVerifyAttestation(t *testing.T) {
 			opts := &attestation.VerifyOptions{
 				Keys: attestation.Keys{keyMeta},
 			}
-			_, err = attestation.VerifyDSSE(ctx, deserializedEnv, opts)
+			getTL := func(_ context.Context, opts *attestation.VerifyOptions) (tlog.TransparencyLog, error) {
+				if opts.SkipTL {
+					return nil, nil
+				}
+				return tl, nil
+			}
+			verifier, err := attestation.NewVerfier(attestation.WithLogVerifierFactory(getTL))
+			require.NoError(t, err)
+			_, err = attestation.VerifyDSSE(ctx, verifier, deserializedEnv, opts)
 			if tc.expectedError != "" {
+				require.Error(t, err)
 				assert.Contains(t, err.Error(), tc.expectedError)
 			} else {
 				assert.NoError(t, err)
@@ -223,7 +252,6 @@ func TestSimpleStatementSigning(t *testing.T) {
 		{"replaced", true},
 		{"not replaced", false},
 	}
-
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			opts := &attestation.SigningOptions{}
@@ -237,7 +265,7 @@ func TestSimpleStatementSigning(t *testing.T) {
 					PredicateType: attestation.VSAPredicateType,
 				},
 			}
-			digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+			digest, err := v1.NewHash(test.UnsignedLinuxAMD64ImageDigest)
 			require.NoError(t, err)
 			subject := &v1.Descriptor{
 				MediaType: "application/vnd.oci.image.manifest.v1+json",
@@ -283,10 +311,10 @@ func TestSimpleStatementSigning(t *testing.T) {
 				require.NoError(t, err)
 				assert.Len(t, layers, 1)
 			}
-			server := httptest.NewServer(registry.New(registry.WithReferrersSupport(true)))
-			defer server.Close()
+			regServer := test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true))
+			defer regServer.Close()
 
-			u, err := url.Parse(server.URL)
+			u, err := url.Parse(regServer.URL)
 			require.NoError(t, err)
 
 			indexName := fmt.Sprintf("%s/repo:root", u.Host)
@@ -294,7 +322,7 @@ func TestSimpleStatementSigning(t *testing.T) {
 			require.NoError(t, err)
 			artifacts, err := manifest.BuildReferringArtifacts()
 			require.NoError(t, err)
-			err = oci.SaveImagesNoTag(artifacts, output)
+			err = oci.SaveImagesNoTag(ctx, artifacts, output)
 			require.NoError(t, err)
 		})
 	}

attestation/types.go

@@ -1,12 +1,32 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation
 
 import (
+	"crypto"
 	"encoding/base64"
 	"fmt"
+	"time"
 
+	"github.com/docker/attest/tlog"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsav1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
 	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
@@ -16,7 +36,6 @@ const (
 	InTotoPredicateType           = "in-toto.io/predicate-type"
 	DockerReferenceDigest         = "vnd.docker.reference.digest"
 	DockerDSSEExtKind             = "application/vnd.docker.attestation-verification.v1+json"
-	RekorTLExtKind                = "Rekor"
 	OCIDescriptorDSSEMediaType    = ociv1.MediaTypeDescriptor + "+dsse"
 	InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
 	LifecycleStageExperimental    = "experimental"
@@ -64,6 +83,17 @@ type Extension struct {
 	Ext  *DockerDSSEExtension `json:"ext"`
 }
 
+type EnvelopeReference struct {
+	*Envelope
+	ResourceDescriptor *ResourceDescriptor `json:"resourceDescriptor"`
+}
+
+type ResourceDescriptor struct {
+	MediaType string            `json:"mediaType"`
+	Digest    map[string]string `json:"digest"`
+	URI       string            `json:"uri,omitempty"`
+}
+
 type AnnotatedStatement struct {
 	OCIDescriptor   *v1.Descriptor
 	InTotoStatement *intoto.Statement
@@ -71,22 +101,40 @@ type AnnotatedStatement struct {
 }
 
 type DockerDSSEExtension struct {
-	TL *DockerTLExtension `json:"tl"`
+	TL *tlog.DockerTLExtension `json:"tl"`
 }
 
-type DockerTLExtension struct {
-	Kind string `json:"kind"`
-	Data any    `json:"data"`
-}
+type TransparencyLogKind string
+
+const (
+	RekorTransparencyLogKind = "rekor"
+)
 
 type VerifyOptions struct {
-	Keys   []*KeyMetadata `json:"keys"`
-	SkipTL bool           `json:"skip_tl"`
+	Keys            []*KeyMetadata      `json:"keys"`
+	SkipTL          bool                `json:"skip_tl"`
+	TransparencyLog TransparencyLogKind `json:"tl"`
 }
 
+type KeyMetadata struct {
+	ID            string     `json:"id"`
+	PEM           string     `json:"key"`
+	From          time.Time  `json:"from"`
+	To            *time.Time `json:"to"`
+	Status        string     `json:"status"`
+	SigningFormat string     `json:"signing-format"`
+	Distrust      bool       `json:"distrust,omitempty"`
+	publicKey     crypto.PublicKey
+}
+
+type (
+	Keys    []*KeyMetadata
+	KeysMap map[string]*KeyMetadata
+)
+
 type SigningOptions struct {
-	// don't log to the configured transparency log
-	SkipTL bool
+	// set this in order to log to a transparency log
+	TransparencyLog tlog.TransparencyLog
 }
 
 type Options struct {
@@ -98,6 +146,8 @@ type Options struct {
 func DSSEMediaType(predicateType string) (string, error) {
 	var predicateName string
 	switch predicateType {
+	case slsav1.PredicateSLSAProvenance:
+		predicateName = "provenance"
 	case v02.PredicateSLSAProvenance:
 		predicateName = "provenance"
 	case intoto.PredicateSPDX:

attestation/types_test.go

@@ -0,0 +1,60 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation
+
+import (
+	"fmt"
+	"testing"
+
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsav1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDSSEMediaType(t *testing.T) {
+	testcases := []struct {
+		name     string
+		expected string
+	}{
+		{
+			name:     slsav1.PredicateSLSAProvenance,
+			expected: "provenance",
+		},
+		{
+			name:     v02.PredicateSLSAProvenance,
+			expected: "provenance",
+		},
+		{
+			name:     intoto.PredicateSPDX,
+			expected: "spdx",
+		},
+		{
+			name:     VSAPredicateType,
+			expected: "verification_summary",
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			mt, err := DSSEMediaType(tc.name)
+			require.NoError(t, err)
+			assert.Equal(t, fmt.Sprintf("application/vnd.in-toto.%s+dsse", tc.expected), mt)
+		})
+	}
+}

attestation/verifier.go

@@ -0,0 +1,159 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation
+
+import (
+	"context"
+	"crypto"
+	"crypto/x509"
+	"fmt"
+
+	"github.com/docker/attest/signerverifier"
+	"github.com/docker/attest/tlog"
+	"github.com/docker/attest/tuf"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+func WithTUFDownloader(tufDownloader tuf.Downloader) func(*verifier) {
+	return func(r *verifier) {
+		r.tufDownloader = tufDownloader
+	}
+}
+
+type SignatureVerifierFactory func(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error)
+
+func WithSignatureVerifierFactory(factory SignatureVerifierFactory) func(*verifier) {
+	return func(r *verifier) {
+		r.signatureVerifierFactory = factory
+	}
+}
+
+func WithLogVerifierFactory(factory LogVerifierFactory) func(*verifier) {
+	return func(r *verifier) {
+		r.logVerifierFactory = factory
+	}
+}
+
+type LogVerifierFactory func(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error)
+
+func NewVerfier(options ...func(*verifier)) (Verifier, error) {
+	verifier := &verifier{}
+	for _, opt := range options {
+		opt(verifier)
+	}
+	return verifier, nil
+}
+
+type Verifier interface {
+	GetSignatureVerifier(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error)
+	GetLogVerifier(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error)
+	VerifySignature(ctx context.Context, publicKey crypto.PublicKey, data []byte, signature []byte, opts *VerifyOptions) error
+	VerifyLog(ctx context.Context, keyMeta *KeyMetadata, data []byte, sig *Signature, opts *VerifyOptions) error
+}
+
+// ensure it has all the necessary methods.
+var _ Verifier = (*verifier)(nil)
+
+type verifier struct {
+	tufDownloader            tuf.Downloader
+	signatureVerifierFactory SignatureVerifierFactory
+	logVerifierFactory       LogVerifierFactory
+}
+
+// GetLogVerifier implements Verifier.
+func (v *verifier) GetLogVerifier(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error) {
+	if v.logVerifierFactory != nil {
+		return v.logVerifierFactory(ctx, opts)
+	}
+	if opts.SkipTL {
+		return nil, nil
+	}
+	// TODO support other transparency logs
+	var transparencyLog tlog.TransparencyLog
+	switch opts.TransparencyLog {
+	case "", RekorTransparencyLogKind:
+		var err error
+		transparencyLog, err = tlog.NewRekorLog(tlog.WithTUFDownloader(v.tufDownloader))
+		if err != nil {
+			return nil, fmt.Errorf("error failed to create rekor verifier: %w", err)
+		}
+	default:
+		return nil, fmt.Errorf("unsupported transparency log: %s", opts.TransparencyLog)
+	}
+	return transparencyLog, nil
+}
+
+// GetSignatureVerifier implements Verifier.
+func (v *verifier) GetSignatureVerifier(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error) {
+	if v.signatureVerifierFactory != nil {
+		return v.signatureVerifierFactory(ctx, publicKey, opts)
+	}
+	// TODO: use details from opts to decide which algorithm to use here
+	ecdsaVerifier, err := signerverifier.NewECDSAVerifier(publicKey)
+	if err != nil {
+		return nil, fmt.Errorf("error failed to create ecdsa verifier: %w", err)
+	}
+	return ecdsaVerifier, nil
+}
+
+func (v *verifier) VerifySignature(ctx context.Context, publicKey crypto.PublicKey, data []byte, signature []byte, opts *VerifyOptions) error {
+	sigVerifier, err := v.GetSignatureVerifier(ctx, publicKey, opts)
+	if err != nil {
+		return fmt.Errorf("error failed to get verifier: %w", err)
+	}
+	return sigVerifier.Verify(ctx, data, signature)
+}
+
+func (v *verifier) VerifyLog(ctx context.Context, keyMeta *KeyMetadata, encPayload []byte, sig *Signature, opts *VerifyOptions) error {
+	if opts.SkipTL {
+		return nil
+	}
+	if sig.Extension == nil || sig.Extension.Kind == "" {
+		return fmt.Errorf("error missing signature extension")
+	}
+	if sig.Extension.Kind != DockerDSSEExtKind {
+		return fmt.Errorf("error unsupported signature extension kind: %s", sig.Extension.Kind)
+	}
+	transparencyLog, err := v.GetLogVerifier(ctx, opts)
+	if err != nil {
+		return fmt.Errorf("error failed to get transparency log verifier: %w", err)
+	}
+	if transparencyLog == nil {
+		return fmt.Errorf("error missing transparency log verifier")
+	}
+
+	// verify TL entry payload
+	publicKey, err := keyMeta.ParsedKey()
+	if err != nil {
+		return fmt.Errorf("error failed to parse public key: %w", err)
+	}
+	encodedPub, err := x509.MarshalPKIXPublicKey(publicKey)
+	if err != nil {
+		return fmt.Errorf("error failed to marshal public key: %w", err)
+	}
+	integratedTime, err := transparencyLog.VerifyEntry(ctx, sig.Extension.Ext.TL, encPayload, encodedPub)
+	if err != nil {
+		return fmt.Errorf("TL entry failed verification: %w", err)
+	}
+	if integratedTime.Before(keyMeta.From) {
+		return fmt.Errorf("key %s was not yet valid at TL log time %s (key valid from %s)", keyMeta.ID, integratedTime, keyMeta.From)
+	}
+	if keyMeta.To != nil && !integratedTime.Before(*keyMeta.To) {
+		return fmt.Errorf("key %s was already %s at TL log time %s (key %s at %s)", keyMeta.ID, keyMeta.Status, integratedTime, keyMeta.Status, *keyMeta.To)
+	}
+	return nil
+}

attestation/verifier_test.go

@@ -0,0 +1,71 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"github.com/docker/attest/tlog"
+	"github.com/docker/attest/tuf"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_verifier_GetLogVerifier(t *testing.T) {
+	type fields struct {
+		tufDownloader            tuf.Downloader
+		signatureVerifierFactory SignatureVerifierFactory
+		logVerifierFactory       LogVerifierFactory
+	}
+	type args struct {
+		ctx  context.Context
+		opts *VerifyOptions
+	}
+	rekor, err := tlog.NewRekorLog()
+	require.NoError(t, err)
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    tlog.TransparencyLog
+		wantErr bool
+	}{
+		{name: "skip_tl true", fields: fields{}, args: args{ctx: context.Background(), opts: &VerifyOptions{SkipTL: true}}},
+		{name: "skip_tl false", fields: fields{}, args: args{ctx: context.Background(), opts: &VerifyOptions{SkipTL: false}}, want: rekor},
+		{name: "tl: rekor", fields: fields{logVerifierFactory: func(_ context.Context, _ *VerifyOptions) (tlog.TransparencyLog, error) {
+			return &tlog.Rekor{}, nil
+		}}, args: args{ctx: context.Background(), opts: &VerifyOptions{}}, want: &tlog.Rekor{}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			v := &verifier{
+				tufDownloader:            tt.fields.tufDownloader,
+				signatureVerifierFactory: tt.fields.signatureVerifierFactory,
+				logVerifierFactory:       tt.fields.logVerifierFactory,
+			}
+			got, err := v.GetLogVerifier(tt.args.ctx, tt.args.opts)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("verifier.GetLogVerifier() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("verifier.GetLogVerifier() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

attestation/verify.go

@@ -0,0 +1,99 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation
+
+import (
+	"context"
+	"crypto"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/docker/attest/signerverifier"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+func VerifyDSSE(ctx context.Context, verifier Verifier, env *Envelope, opts *VerifyOptions) ([]byte, error) {
+	// enforce payload type
+	if !ValidPayloadType(env.PayloadType) {
+		return nil, fmt.Errorf("unsupported payload type %s", env.PayloadType)
+	}
+
+	if len(env.Signatures) == 0 {
+		return nil, fmt.Errorf("no signatures found")
+	}
+
+	keys := make(map[string]*KeyMetadata, len(opts.Keys))
+	for _, key := range opts.Keys {
+		keys[key.ID] = key
+	}
+
+	payload, err := base64Encoding.DecodeString(env.Payload)
+	if err != nil {
+		return nil, fmt.Errorf("error failed to decode payload: %w", err)
+	}
+
+	encPayload := dsse.PAE(env.PayloadType, payload)
+	// verify signatures and transparency log entry
+	for _, sig := range env.Signatures {
+		// resolve public key used to sign
+		keyMeta, ok := keys[sig.KeyID]
+		if !ok {
+			return nil, fmt.Errorf("error key not found: %s", sig.KeyID)
+		}
+
+		if keyMeta.Distrust {
+			return nil, fmt.Errorf("key %s is distrusted", keyMeta.ID)
+		}
+		publicKey, err := keyMeta.ParsedKey()
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse public key: %w", err)
+		}
+		// decode signature
+		signature, err := base64.StdEncoding.Strict().DecodeString(sig.Sig)
+		if err != nil {
+			return nil, fmt.Errorf("error failed to decode signature: %w", err)
+		}
+
+		err = verifier.VerifySignature(ctx, publicKey, encPayload, signature, opts)
+		if err != nil {
+			return nil, fmt.Errorf("error failed to verify signature: %w", err)
+		}
+		if err := verifier.VerifyLog(ctx, keyMeta, encPayload, sig, opts); err != nil {
+			return nil, fmt.Errorf("error failed to verify transparency log entry: %w", err)
+		}
+	}
+
+	return payload, nil
+}
+
+func ValidPayloadType(payloadType string) bool {
+	return payloadType == intoto.PayloadType || payloadType == ociv1.MediaTypeDescriptor
+}
+
+func (km *KeyMetadata) ParsedKey() (crypto.PublicKey, error) {
+	if km.publicKey != nil {
+		return km.publicKey, nil
+	}
+	publicKey, err := signerverifier.ParsePublicKey([]byte(km.PEM))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse public key: %w", err)
+	}
+	km.publicKey = publicKey
+	return publicKey, nil
+}

attestation/verify_test.go

@@ -1,11 +1,27 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attestation_test
 
 import (
 	"encoding/base64"
 	"testing"
 
+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/stretchr/testify/assert"
@@ -42,8 +58,7 @@ func TestVerifyUnsignedAttestation(t *testing.T) {
 	opts := &attestation.VerifyOptions{
 		Keys: attestation.Keys{},
 	}
-
-	_, err := attestation.VerifyDSSE(ctx, env, opts)
+	_, err := attestation.VerifyDSSE(ctx, nil, env, opts)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "no signatures")
 }

attestation/vsa.go

@@ -0,0 +1,79 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package attestation
+
+import (
+	"fmt"
+
+	"github.com/docker/attest/version"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/package-url/packageurl-go"
+)
+
+const (
+	VSAPredicateType = "https://slsa.dev/verification_summary/v1"
+)
+
+type VSAPredicate struct {
+	Verifier           VSAVerifier          `json:"verifier"`
+	TimeVerified       string               `json:"timeVerified"`
+	ResourceURI        string               `json:"resourceUri"`
+	Policy             VSAPolicy            `json:"policy"`
+	InputAttestations  []ResourceDescriptor `json:"inputAttestations,omitempty"`
+	VerificationResult string               `json:"verificationResult"`
+	VerifiedLevels     []string             `json:"verifiedLevels"`
+}
+
+type VSAVerifier struct {
+	ID      string          `json:"id"`
+	Version VerifierVersion `json:"version"`
+}
+
+type VerifierVersion map[string]string
+
+type VSAPolicy struct {
+	URI              string            `json:"uri,omitempty"`
+	Digest           map[string]string `json:"digest"`
+	DownloadLocation string            `json:"downloadLocation,omitempty"`
+}
+
+func ToVSAResourceURI(sub intoto.Subject) (string, error) {
+	// parse purl
+	purl, err := packageurl.FromString(sub.Name)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse package url: %w", err)
+	}
+	quals := purl.Qualifiers.Map()
+	if quals["digest"] == "" {
+		quals["digest"] = "sha256:" + sub.Digest["sha256"]
+	}
+	purl.Qualifiers = packageurl.QualifiersFromMap(quals)
+	return purl.String(), nil
+}
+
+func GetVerifierVersion(fetcher version.Fetcher) (VerifierVersion, error) {
+	attestVersion, err := fetcher.Get()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get attest version: %w", err)
+	}
+	if attestVersion == nil {
+		return nil, nil
+	}
+	return VerifierVersion{
+		version.ThisModulePath: attestVersion.String(),
+	}, nil
+}

example_sign_test.go

@@ -1,12 +1,29 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attest_test
 
 import (
 	"context"
 
-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest"
+	"github.com/docker/attest/attestation"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/signerverifier"
+	"github.com/docker/attest/tlog"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
@@ -25,13 +42,19 @@ func ExampleSignStatements_remote() {
 	// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)
 
 	// configure signing options
+
+	// use rekor transparency log wit static rekor public key (see options to use dynamic rekor public key)
+	rekor, err := tlog.NewRekorLog()
+	if err != nil {
+		panic(err)
+	}
 	opts := &attestation.SigningOptions{
-		SkipTL: true, // skip trust logging to a transparency log
+		TransparencyLog: rekor, // unset this to disable signature transparency logging
 	}
 
 	// load image index with unsigned attestation-manifests
 	ref := "docker/image-signer-verifier:latest"
-	attIdx, err := oci.IndexFromRemote(ref)
+	attIdx, err := oci.IndexFromRemote(context.Background(), ref)
 	if err != nil {
 		panic(err)
 	}
@@ -54,7 +77,7 @@ func ExampleSignStatements_remote() {
 	}
 
 	// push image index with signed attestation-manifests
-	err = oci.PushIndexToRegistry(signedIndex, ref)
+	err = oci.PushIndexToRegistry(context.Background(), signedIndex, ref)
 	if err != nil {
 		panic(err)
 	}

example_verify_test.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package attest_test
 
 import (
@@ -6,10 +22,10 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/policy"
+	"github.com/docker/attest/tuf"
 )
 
 func ExampleVerify_remote() {

go.mod

@@ -1,30 +1,32 @@
 module github.com/docker/attest
 
-go 1.22.5
+go 1.22.8
 
 require (
 	github.com/Masterminds/semver/v3 v3.3.0
-	github.com/aws/aws-sdk-go-v2/config v1.27.31
+	github.com/aws/aws-sdk-go-v2/config v1.28.5
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
-	github.com/containerd/platforms v0.2.1
+	github.com/containerd/containerd/v2 v2.0.0
+	github.com/containerd/platforms v1.0.0-rc.0
 	github.com/distribution/reference v0.6.0
+	github.com/docker-library/bashbrew v0.1.12
+	github.com/go-git/go-git/v5 v5.12.0
 	github.com/go-openapi/runtime v0.28.0
 	github.com/go-openapi/strfmt v0.23.0
-	github.com/google/go-containerregistry v0.20.1
-	github.com/hashicorp/go-cleanhttp v0.5.2
+	github.com/google/go-containerregistry v0.20.2
 	github.com/in-toto/in-toto-golang v0.9.0
-	github.com/open-policy-agent/opa v0.67.1
+	github.com/open-policy-agent/opa v0.70.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0
-	github.com/sigstore/cosign/v2 v2.4.0
+	github.com/sigstore/cosign/v2 v2.4.1
 	github.com/sigstore/rekor v1.3.6
-	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8
-	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8
+	github.com/sigstore/sigstore v1.8.10
+	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10
+	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10
 	github.com/stretchr/testify v1.9.0
-	github.com/testcontainers/testcontainers-go/modules/registry v0.33.0
-	github.com/theupdateframework/go-tuf/v2 v2.0.0
-	google.golang.org/api v0.194.0
+	github.com/theupdateframework/go-tuf/v2 v2.0.2
+	google.golang.org/api v0.205.0
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -32,63 +34,62 @@ require (
 replace github.com/google/go-containerregistry => github.com/docker/go-containerregistry v0.0.0-20240808132857-c8bfc44af7c8
 
 require (
-	cloud.google.com/go v0.115.1 // indirect
-	cloud.google.com/go/auth v0.9.1 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
-	cloud.google.com/go/compute/metadata v0.5.0 // indirect
-	cloud.google.com/go/iam v1.1.12 // indirect
-	cloud.google.com/go/kms v1.18.4 // indirect
-	cloud.google.com/go/longrunning v0.5.11 // indirect
-	dario.cat/mergo v1.0.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	cloud.google.com/go v0.116.0 // indirect
+	cloud.google.com/go/auth v0.10.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
+	cloud.google.com/go/compute/metadata v0.5.2 // indirect
+	cloud.google.com/go/iam v1.2.1 // indirect
+	cloud.google.com/go/kms v1.20.0 // indirect
+	cloud.google.com/go/longrunning v0.6.1 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.12.9 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
-	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/agnivade/levenshtein v1.2.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.30.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.30 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.32.5 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.46 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.35.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.30.5 // indirect
-	github.com/aws/smithy-go v1.20.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.37.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 // indirect
+	github.com/aws/smithy-go v1.22.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
-	github.com/containerd/containerd v1.7.20 // indirect
+	github.com/containerd/containerd v1.7.23 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
-	github.com/cpuguy83/dockercfg v0.3.1 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/docker/cli v27.1.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v27.1.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -98,59 +99,54 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/certificate-transparency-go v1.2.1 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
-	github.com/jellydator/ttlcache/v3 v3.2.0 // indirect
+	github.com/jellydator/ttlcache/v3 v3.3.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.17.8 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
-	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/shirou/gopsutil/v3 v3.24.4 // indirect
-	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sigstore/protobuf-specs v0.3.2 // indirect
-	github.com/sigstore/sigstore v1.8.8 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
@@ -160,44 +156,44 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
-	github.com/testcontainers/testcontainers-go v0.33.0 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
-	github.com/tklauser/go-sysconf v0.3.14 // indirect
-	github.com/tklauser/numcpus v0.8.0 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.mongodb.org/mongo-driver v1.15.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
+	go.opentelemetry.io/otel v1.31.0 // indirect
+	go.opentelemetry.io/otel/metric v1.31.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.31.0 // indirect
+	go.opentelemetry.io/otel/trace v1.31.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.26.0 // indirect
-	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.28.0 // indirect
-	golang.org/x/oauth2 v0.22.0 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
-	golang.org/x/term v0.23.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
-	google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
-	google.golang.org/grpc v1.65.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/term v0.25.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
+	gotest.tools/v3 v3.5.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	pault.ag/go/debian v0.12.0 // indirect
+	pault.ag/go/topsort v0.1.1 // indirect
 )

go.sum

@@ -1,36 +1,34 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.115.1 h1:Jo0SM9cQnSkYfp44+v+NQXHpcHqlnRJk2qxh6yvxxxQ=
-cloud.google.com/go v0.115.1/go.mod h1:DuujITeaufu3gL68/lOFIirVNJwQeyf5UXyi+Wbgknc=
-cloud.google.com/go/auth v0.9.1 h1:+pMtLEV2k0AXKvs/tGZojuj6QaioxfUjOpMsG5Gtx+w=
-cloud.google.com/go/auth v0.9.1/go.mod h1:Sw8ocT5mhhXxFklyhT12Eiy0ed6tTrPMCJjSI8KhYLk=
-cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY=
-cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc=
-cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
-cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
-cloud.google.com/go/iam v1.1.12 h1:JixGLimRrNGcxvJEQ8+clfLxPlbeZA6MuRJ+qJNQ5Xw=
-cloud.google.com/go/iam v1.1.12/go.mod h1:9LDX8J7dN5YRyzVHxwQzrQs9opFFqn0Mxs9nAeB+Hhg=
-cloud.google.com/go/kms v1.18.4 h1:dYN3OCsQ6wJLLtOnI8DGUwQ5shMusXsWCCC+s09ATsk=
-cloud.google.com/go/kms v1.18.4/go.mod h1:SG1bgQ3UWW6/KdPo9uuJnzELXY5YTTMJtDYvajiQ22g=
-cloud.google.com/go/longrunning v0.5.11 h1:Havn1kGjz3whCfoD8dxMLP73Ph5w+ODyZB9RUsDxtGk=
-cloud.google.com/go/longrunning v0.5.11/go.mod h1:rDn7//lmlfWV1Dx6IB4RatCPenTwwmqXuiP0/RgoEO4=
+cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE=
+cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U=
+cloud.google.com/go/auth v0.10.1 h1:TnK46qldSfHWt2a0b/hciaiVJsmDXWy9FqyUan0uYiI=
+cloud.google.com/go/auth v0.10.1/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI=
+cloud.google.com/go/auth/oauth2adapt v0.2.5 h1:2p29+dePqsCHPP1bqDJcKj4qxRyYCcbzKpFyKGt3MTk=
+cloud.google.com/go/auth/oauth2adapt v0.2.5/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8=
+cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo=
+cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
+cloud.google.com/go/iam v1.2.1 h1:QFct02HRb7H12J/3utj0qf5tobFh9V4vR6h9eX5EBRU=
+cloud.google.com/go/iam v1.2.1/go.mod h1:3VUIJDPpwT6p/amXRC5GY8fCCh70lxPygguVtI0Z4/g=
+cloud.google.com/go/kms v1.20.0 h1:uKUvjGqbBlI96xGE669hcVnEMw1Px/Mvfa62dhM5UrY=
+cloud.google.com/go/kms v1.20.0/go.mod h1:/dMbFF1tLLFnQV44AoI2GlotbjowyUfgVwezxW291fM=
+cloud.google.com/go/longrunning v0.6.1 h1:lOLTFxYpr8hcRtcwWir5ITh1PAKUD/sG2lKrTSYjyMc=
+cloud.google.com/go/longrunning v0.6.1/go.mod h1:nHISoOZpBcmlwbJmiVk5oDRz0qG/ZxPynEGs1iZ79s0=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 h1:BnG6pr9TTr6CYlrJznYUDj6V7xldD1W+1iXPum0wT/w=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2/go.mod h1:pK23AUVXuNzzTpfMCA06sxZGeVQ/75FdVtW249de9Uo=
 cuelang.org/go v0.9.2 h1:pfNiry2PdRBr02G/aKm5k2vhzmqbAOoaB4WurmEbWvs=
 cuelang.org/go v0.9.2/go.mod h1:qpAYsLOf7gTM1YdEg6cxh553uZ4q9ZDWlPbtZr9q1Wk=
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg=
 github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM=
-github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw=
-github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs=
+github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 h1:kcnfY4vljxXliXDBrA9K9lwF8IoEZ4Up6Eg9kWTIm28=
+github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0/go.mod h1:tlqp9mUGbsP+0z3Q+c0Q5MgSdq/OMwQhm5bffR3Q3ss=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 h1:GJHeeA2N7xrG3q30L2UXDyuWRzDM900/65j70wcM4Ww=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
@@ -39,8 +37,6 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJ
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=
@@ -60,18 +56,22 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/DataDog/zstd v1.4.8/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
 github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
 github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6lLg=
+github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
 github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
 github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E=
 github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
-github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
-github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
+github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrtYH3SY=
+github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
 github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
 github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo=
@@ -94,56 +94,60 @@ github.com/alibabacloud-go/tea-utils v1.4.5 h1:h0/6Xd2f3bPE4XHTvkpjwxowIwRCJAJOq
 github.com/alibabacloud-go/tea-utils v1.4.5/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw=
 github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0=
 github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
-github.com/aliyun/credentials-go v1.3.1 h1:uq/0v7kWrxmoLGpqjx7vtQ/s03f0zR//0br/xWDTE28=
-github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0=
+github.com/aliyun/credentials-go v1.3.2 h1:L4WppI9rctC8PdlMgyTkF8bBsy9pyKQEzBD1bHMRl+g=
+github.com/aliyun/credentials-go v1.3.2/go.mod h1:tlpz4uys4Rn7Ik4/piGRrTbXy2uLKvePgQJJduE+Y5c=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
 github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8=
-github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0=
-github.com/aws/aws-sdk-go-v2/config v1.27.31 h1:kxBoRsjhT3pq0cKthgj6RU6bXTm/2SgdoUMyrVw0rAI=
-github.com/aws/aws-sdk-go-v2/config v1.27.31/go.mod h1:z04nZdSWFPaDwK3DdJOG2r+scLQzMYuJeW0CujEm9FM=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.30 h1:aau/oYFtibVovr2rDt8FHlU17BTicFEMAi29V1U+L5Q=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.30/go.mod h1:BPJ/yXV92ZVq6G8uYvbU0gSl8q94UB63nMT5ctNO38g=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 h1:yjwoSyDZF8Jth+mUk5lSPJCkMC0lMy6FaCD51jm6ayE=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12/go.mod h1:fuR57fAgMk7ot3WcNQfb6rSEn+SUffl7ri+aa8uKysI=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 h1:TNyt/+X43KJ9IJJMjKfa3bNTiZbUP7DeCxfbTROESwY=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16/go.mod h1:2DwJF39FlNAUiX5pAc0UNeiz16lK2t7IaFcm0LFHEgc=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 h1:jYfy8UPmd+6kJW5YhY0L1/KftReOGxI/4NtVSTh9O/I=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16/go.mod h1:7ZfEPZxkW42Afq4uQB8H2E2e6ebh6mXTueEpYzjCzcs=
+github.com/aws/aws-sdk-go-v2 v1.32.5 h1:U8vdWJuY7ruAkzaOdD7guwJjD06YSKmnKCJs7s3IkIo=
+github.com/aws/aws-sdk-go-v2 v1.32.5/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
+github.com/aws/aws-sdk-go-v2/config v1.28.5 h1:Za41twdCXbuyyWv9LndXxZZv3QhTG1DinqlFsSuvtI0=
+github.com/aws/aws-sdk-go-v2/config v1.28.5/go.mod h1:4VsPbHP8JdcdUDmbTVgNL/8w9SqOkM5jyY8ljIxLO3o=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.46 h1:AU7RcriIo2lXjUfHFnFKYsLCwgbz1E7Mm95ieIRDNUg=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.46/go.mod h1:1FmYyLGL08KQXQ6mcTlifyFXfJVCNJTVGuQP4m0d/UA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 h1:sDSXIrlsFSFJtWKLQS4PUWRvrT580rrnuLydJrCQ/yA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20/go.mod h1:WZ/c+w0ofps+/OUqMwWgnfrgzZH1DZO1RIkktICsqnY=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 h1:4usbeaes3yJnCFC7kfeyhkdkPtoRYPa/hTmCqMpKpLI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24/go.mod h1:5CI1JemjVwde8m2WG3cz23qHKPOxbpkq0HaoreEgLIY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 h1:N1zsICrQglfzaBnrfM0Ys00860C+QFwu6u/5+LomP+o=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24/go.mod h1:dCn9HbJ8+K31i8IQ8EWmWj0EiIk0+vKiHNMxTTYveAg=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1 h1:ywNLJrn/Qn4enDsz/XnKlvpnLqvJxFGQV2BltWltbis=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.29.1/go.mod h1:WadVIk+UrTvWuAsCp6BKGX4i2snurpz8mPWhJQnS7Dg=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1 h1:Eq9i/mvOlGghiKe9NtsmeD9Wlwg8p4fbsqrMb3nWirM=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.24.1/go.mod h1:VtOgEoLEPV1YADuq+Z2XOK6/wKkGW2YK6DjChZ/GvDs=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbLPPHEmf9DgMGw51jMj77VfGPAN2Kv4cfhlfgI=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 h1:tJ5RnkHCiSH0jyd6gROjlJtNwov0eGYNz8s8nFcR0jQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18/go.mod h1:++NHzT+nAF7ZPrHPsA+ENvsXkOO8wEu+C6RXltAG4/c=
-github.com/aws/aws-sdk-go-v2/service/kms v1.35.3 h1:UPTdlTOwWUX49fVi7cymEN6hDqCwe3LNv1vi7TXUutk=
-github.com/aws/aws-sdk-go-v2/service/kms v1.35.3/go.mod h1:gjDP16zn+WWalyaUqwCCioQ8gU8lzttCCc9jYsiQI/8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 h1:zCsFCKvbj25i7p1u94imVoO447I/sFv8qq+lGJhRN0c=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.5/go.mod h1:ZeDX1SnKsVlejeuz41GiajjZpRSWR7/42q/EyA/QEiM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 h1:SKvPgvdvmiTWoi0GAJ7AsJfOz3ngVkD/ERbs5pUnHNI=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5/go.mod h1:20sz31hv/WsPa3HhU3hfrIet2kxM4Pe0r20eBZ20Tac=
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.5 h1:OMsEmCyz2i89XwRwPouAJvhj81wINh+4UK+k/0Yo/q8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.5/go.mod h1:vmSqFK+BVIwVpDAGZB3CoCXHzurt4qBE8lf+I/kRTh0=
-github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4=
-github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 h1:wtpJ4zcwrSbwhECWQoI/g6WM9zqCcSpHDJIWSbMLOu4=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5/go.mod h1:qu/W9HXQbbQ4+1+JcZp0ZNPV31ym537ZJN+fiS7Ti8E=
+github.com/aws/aws-sdk-go-v2/service/kms v1.37.2 h1:tfBABi5R6aSZlhgTWHxL+opYUDOnIGoNcJLwVYv0jLM=
+github.com/aws/aws-sdk-go-v2/service/kms v1.37.2/go.mod h1:dZYFcQwuoh+cLOlFnZItijZptmyDhRIkOKWFO1CfzV8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 h1:3zu537oLmsPfDMyjnUS2g+F2vITgy5pB74tHI+JBNoM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.6/go.mod h1:WJSZH2ZvepM6t6jwu4w/Z45Eoi75lPN7DcydSRtJg6Y=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 h1:K0OQAsDywb0ltlFrZm0JHPY3yZp/S9OaoLU33S7vPS8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5/go.mod h1:ORITg+fyuMoeiQFiVGoqB3OydVTLkClw/ljbblMq6Cc=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 h1:6SZUVRQNvExYlMLbHdlKB48x0fLbc2iVROyaNEwBHbU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.1/go.mod h1:GqWyYCwLXnlUB1lOAXQyNSPqPLQJvmo8J0DWBzp9mtg=
+github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
+github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/buildkite/agent/v3 v3.76.2 h1:SweFq3e0N20RikWsVeOXzTjfr0AoOskxm9c0bcNyI0E=
-github.com/buildkite/agent/v3 v3.76.2/go.mod h1:9ffbmJD7d7C/nOcElj6Qm+uIj1QoYh3NNvka4rkKkss=
-github.com/buildkite/go-pipeline v0.10.0 h1:EDffu+LfMY2k5u+iEdo6Jn3obGKsrL5wicc1O/yFeRs=
-github.com/buildkite/go-pipeline v0.10.0/go.mod h1:eMH1kiav5VeiTiu0Mk2/M7nZhKyFeL4iGj7Y7rj4f3w=
+github.com/buildkite/agent/v3 v3.81.0 h1:JVfkng2XnsXesFXwiFwLJFkuzVu4zvoJCvedfoIXD6E=
+github.com/buildkite/agent/v3 v3.81.0/go.mod h1:edJeyycODRxaFvpT22rDGwaQ5oa4eB8GjtbjgX5VpFw=
+github.com/buildkite/go-pipeline v0.13.1 h1:Y9p8pQIwPtauVwNrcmTDH6+XK7jE1nLuvWVaK8oymA8=
+github.com/buildkite/go-pipeline v0.13.1/go.mod h1:2HHqlSFTYgHFhzedJu0LhLs9n5c9XkYnHiQFVN5HE4U=
 github.com/buildkite/interpolate v0.1.3 h1:OFEhqji1rNTRg0u9DsSodg63sjJQEb1uWbENq9fUOBM=
 github.com/buildkite/interpolate v0.1.3/go.mod h1:UNVe6A+UfiBNKbhAySrBbZFZFxQ+DXr9nWen6WVt/A8=
 github.com/buildkite/roko v1.2.0 h1:hbNURz//dQqNl6Eo9awjQOVOZwSDJ8VEbBDxSfT9rGQ=
@@ -178,23 +182,25 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUo
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
-github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ=
-github.com/containerd/containerd v1.7.20/go.mod h1:52GsS5CwquuqPuLncsXwG0t2CiUce+KsNHJZQJvAgR0=
+github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ=
+github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
+github.com/containerd/containerd/v2 v2.0.0 h1:qLDdFaAykQrIyLiqwQrNLLz95wiC36bAZVwioUwqShM=
+github.com/containerd/containerd/v2 v2.0.0/go.mod h1:j25kDy9P48/ngb1sxWIFfK6GsnqOHoSqo1EpAod20VQ=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
-github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
+github.com/containerd/platforms v1.0.0-rc.0 h1:GuHWSKgVVO3POn6nRBB4sH63uPOLa87yuuhsGLWaXAA=
+github.com/containerd/platforms v1.0.0-rc.0/go.mod h1:T1XAzzOdYs3it7l073MNXyxRwQofJfqwi/8cRjufIk4=
 github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=
 github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
 github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
 github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
-github.com/cpuguy83/dockercfg v0.3.1 h1:/FpZ+JaygUR/lZP2NlFI2DVfrOEMAIKP5wWEJdoYe9E=
-github.com/cpuguy83/dockercfg v0.3.1/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=
 github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -205,8 +211,8 @@ github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0
 github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw=
 github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8=
 github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
+github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo=
+github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE=
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
@@ -216,26 +222,26 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker-library/bashbrew v0.1.12 h1:qykd2fxTMiudN/70XItEQqgk/7LeVoDiBTEnKTpkst8=
+github.com/docker-library/bashbrew v0.1.12/go.mod h1:6fyRRSm4vgBAgTw87EsfOT7wXKsc4JA9I5cdQJmwOm8=
 github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
 github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY=
-github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-containerregistry v0.0.0-20240808132857-c8bfc44af7c8 h1:T/wutVfQ1Oj4H5tbP5IZL5l6PZqzvapVJ5cB4Wy4Ucc=
 github.com/docker/go-containerregistry v0.0.0-20240808132857-c8bfc44af7c8/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emicklei/proto v1.12.1 h1:6n/Z2pZAnBwuhU66Gs8160B8rrrYKo7h2F2sCOnNceE=
 github.com/emicklei/proto v1.12.1/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -255,22 +261,31 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE=
+github.com/gliderlabs/ssh v0.3.7/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=
 github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
+github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
-github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
-github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
-github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
 github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
 github.com/go-openapi/errors v0.22.0 h1:c4xY/OLxUBSTiepAg3j/MHuAv5mJhnf53LLMWFB+u/w=
@@ -307,8 +322,8 @@ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
-github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
+github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -342,7 +357,6 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -362,15 +376,15 @@ github.com/google/trillian v1.6.0/go.mod h1:Yu3nIMITzNhhMJEHjAtp6xKiu+H/iHu2Oq5F
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
+github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw=
+github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA=
 github.com/googleapis/gax-go/v2 v2.13.0 h1:yitjD5f7jQHhyDsnhKEBU52NdvvdSeGzlAnDPT0hH1s=
 github.com/googleapis/gax-go/v2 v2.13.0/go.mod h1:Z/fvTZXF8/uw7Xu5GuslPw+bplx6SS338j1Is2S+B7A=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
@@ -399,14 +413,18 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/in-toto/attestation v1.1.0 h1:oRWzfmZPDSctChD0VaQV7MJrywKOzyNrtpENQFq//2Q=
+github.com/in-toto/attestation v1.1.0/go.mod h1:DB59ytd3z7cIHgXxwpSX2SABrU6WJUKg/grpdgHVgVs=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY=
 github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E=
-github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE=
-github.com/jellydator/ttlcache/v3 v3.2.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4=
+github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
+github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -417,21 +435,22 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
-github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/kjk/lzma v0.0.0-20161016003348-3fd93898850d/go.mod h1:phT/jsRPBAEqjAibu1BurrabCBNTYiVI+zbmyCZJY6Q=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ=
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk=
-github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tAFlj1FYZl8ztUZ13bdq+PLY+NOfbyI=
-github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
@@ -450,24 +469,12 @@ github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQ
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
-github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
-github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
-github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/mozillazg/docker-credential-acr-helper v0.3.0 h1:DVWFZ3/O8BP6Ue3iS/Olw+G07u1hCq1EOVCDZZjCIBI=
-github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523ujmLuiNUb6JsjtHcNA70u1jitrrdnuyA=
+github.com/mozillazg/docker-credential-acr-helper v0.4.0 h1:Uoh3Z9CcpEDnLiozDx+D7oDgRq7X+R296vAqAumnOcw=
+github.com/mozillazg/docker-credential-acr-helper v0.4.0/go.mod h1:2kiicb3OlPytmlNC9XGkLvVC+f0qTiJw3f/mhmeeQBg=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
@@ -478,8 +485,8 @@ github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
 github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM=
-github.com/oleiade/reflections v1.0.1/go.mod h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
+github.com/oleiade/reflections v1.1.0 h1:D+I/UsXQB4esMathlt0kkZRJZdUDmhv5zGi/HOwYTWo=
+github.com/oleiade/reflections v1.1.0/go.mod h1:mCxx0QseeVCHs5Um5HhJeCKVC7AwS8kO67tky4rdisA=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
@@ -489,10 +496,11 @@ github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw=
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
-github.com/open-policy-agent/opa v0.67.1 h1:rzy26J6g1X+CKknAcx0Vfbt41KqjuSzx4E0A8DAZf3E=
-github.com/open-policy-agent/opa v0.67.1/go.mod h1:aqKlHc8E2VAAylYE9x09zJYr/fYzGX+JKne89UGqFzk=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
+github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -503,8 +511,10 @@ github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoX
 github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
+github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -512,11 +522,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
-github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
-github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
+github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
@@ -528,8 +535,8 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62
 github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
@@ -545,38 +552,37 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
-github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRBtXeU=
-github.com/shirou/gopsutil/v3 v3.24.4/go.mod h1:lTd2mdiOspcqLgAnr9/nGi71NkeMpWKdmhuxm9GusH8=
-github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
-github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
-github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
-github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
-github.com/sigstore/cosign/v2 v2.4.0 h1:2NdidNgClg+oXr/fDIr37E/BE6j00gqgUhSiBK2kjSQ=
-github.com/sigstore/cosign/v2 v2.4.0/go.mod h1:j+fH1DCUkcn92qp6ezDj4JbGMri6eG1nLJC+hs64rvc=
-github.com/sigstore/fulcio v1.5.1 h1:Iasy1zfNjaq8BV4S8o6pXspLDU28PQC2z07GmOu9zpM=
-github.com/sigstore/fulcio v1.5.1/go.mod h1:W1A/UHrTopy1IBZPMtHmxg7GPYAu+vt5dRXM3W6yjPo=
+github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU=
+github.com/sigstore/cosign/v2 v2.4.1/go.mod h1:GvzjBeUKigI+XYnsoVQDmMAsMMc6engxztRSuxE+x9I=
+github.com/sigstore/fulcio v1.6.3 h1:Mvm/bP6ELHgazqZehL8TANS1maAkRoM23CRAdkM4xQI=
+github.com/sigstore/fulcio v1.6.3/go.mod h1:5SDgLn7BOUVLKe1DwOEX3wkWFu5qEmhUlWm+SFf0GH8=
 github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWwQvORuRQo=
 github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA=
 github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
-github.com/sigstore/sigstore v1.8.8 h1:B6ZQPBKK7Z7tO3bjLNnlCMG+H66tO4E/+qAphX8T/hg=
-github.com/sigstore/sigstore v1.8.8/go.mod h1:GW0GgJSCTBJY3fUOuGDHeFWcD++c4G8Y9K015pwcpDI=
-github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
-github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8 h1:2zHmUvaYCwV6LVeTo+OAkTm8ykOGzA9uFlAjwDPAUWM=
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8/go.mod h1:OEhheBplZinUsm7W9BupafztVZV3ldkAxEHbpAeC0Pk=
+github.com/sigstore/sigstore v1.8.10 h1:r4t+TYzJlG9JdFxMy+um9GZhZ2N1hBTyTex0AHEZxFs=
+github.com/sigstore/sigstore v1.8.10/go.mod h1:BekjqxS5ZtHNJC4u3Q3Stvfx2eyisbW/lUZzmPU2u4A=
+github.com/sigstore/sigstore-go v0.6.1 h1:tGkkv1oDIER+QYU5MrjqlttQOVDWfSkmYwMqkJhB/cg=
+github.com/sigstore/sigstore-go v0.6.1/go.mod h1:Xe5GHmUeACRFbomUWzVkf/xYCn8xVifb9DgqJrV2dIw=
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10 h1:e5GfVngPjGap/N3ODefayt7vKIPS1/v3hWLZ9+4MrN4=
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10/go.mod h1:HOr3AdFPKdND2FNl/sUD5ZifPl1OMJvrbf9xIaaWcus=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8 h1:RKk4Z+qMaLORUdT7zntwMqKiYAej1VQlCswg0S7xNSY=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8/go.mod h1:dMJdlBWKHMu2xf0wIKpbo7+QfG+RzVkBB3nHP8EMM5o=
-github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8 h1:89Xtxj8oqZt3UlSpCP4wApFvnQ2Z/dgowW5QOVhQigI=
-github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8/go.mod h1:Wa4xn/H3pU/yW/6tHiMXTpObBtBSGC5q29KYFEPKN6o=
+github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10 h1:Xre51HdjIIaVo5ox5zyL+6h0tkrx7Ke9Neh7fLmmZK0=
+github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10/go.mod h1:VNfdklQDbyGJog8S7apdxiEfmYmCkKyxrsCL9xprkTY=
 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8 h1:Zte3Oogkd8m+nu2oK3yHtGmN++TZWh2Lm6q2iSprT1M=
 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8/go.mod h1:j00crVw6ki4/WViXflw0zWgNALrAzZT+GbIK8v7Xlz4=
 github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE=
 github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
+github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
@@ -596,15 +602,15 @@ github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
@@ -613,43 +619,35 @@ github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDd
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=
 github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
 github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
-github.com/testcontainers/testcontainers-go v0.33.0 h1:zJS9PfXYT5O0ZFXM2xxXfk4J5UMw/kRiISng037Gxdw=
-github.com/testcontainers/testcontainers-go v0.33.0/go.mod h1:W80YpTa8D5C3Yy16icheD01UTDu+LmXIA2Keo+jWtT8=
-github.com/testcontainers/testcontainers-go/modules/registry v0.33.0 h1:rpQS5KcFpyRPM3xVKERuXDqUcE5xjwE8MQUgmKVkL0o=
-github.com/testcontainers/testcontainers-go/modules/registry v0.33.0/go.mod h1:qr3nJgBZ2ovQva6vadXchwi786/mBBDzhBPbrmWkYIE=
 github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.0.0 h1:rD8d9RotYBprZVgC+9oyTZ5MmawepnTSTqoDuxjWgbs=
-github.com/theupdateframework/go-tuf/v2 v2.0.0/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
+github.com/theupdateframework/go-tuf/v2 v2.0.2 h1:PyNnjV9BJNzN1ZE6BcWK+5JbF+if370jjzO84SS+Ebo=
+github.com/theupdateframework/go-tuf/v2 v2.0.2/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
 github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
-github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
-github.com/tklauser/go-sysconf v0.3.14 h1:g5vzr9iPFFz24v2KZXs/pvpvh8/V9Fw6vQK5ZZb78yU=
-github.com/tklauser/go-sysconf v0.3.14/go.mod h1:1ym4lWMLUOhuBOPGtRcJm7tEGX4SCYNEEEtghGG/8uY=
-github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
-github.com/tklauser/numcpus v0.8.0 h1:Mx4Wwe/FjZLeQsK/6kt2EOepwwSl7SmJrK5bV/dXYgY=
-github.com/tklauser/numcpus v0.8.0/go.mod h1:ZJZlAY+dmR4eut8epnzf0u/VwodKmryxR8txiloSqBE=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
 github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
 github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
-github.com/xanzy/go-gitlab v0.107.0 h1:P2CT9Uy9yN9lJo3FLxpMZ4xj6uWcpnigXsjvqJ6nd2Y=
-github.com/xanzy/go-gitlab v0.107.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/xanzy/go-gitlab v0.109.0 h1:RcRme5w8VpLXTSTTMZdVoQWY37qTJWg+gwdQl4aAttE=
+github.com/xanzy/go-gitlab v0.109.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
 github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
-github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms=
 github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
 github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
@@ -658,28 +656,26 @@ go.mongodb.org/mongo-driver v1.15.0 h1:rJCKC8eEliewXjZGf0ddURtl7tTVy1TK3bfl0gkUS
 go.mongodb.org/mongo-driver v1.15.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
-go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 h1:yMkBS9yViCc7U7yeLzJPM2XizlfdVvBRSmsQDWu6qc0=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0/go.mod h1:n8MR6/liuGB5EmTETUBeU5ZgqMOlqKRxUaqPQBOANZ8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM=
+go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
+go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 h1:K0XaT3DwHAcV4nKLzcQvwAgSyisUghWoY20I7huthMk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0/go.mod h1:B5Ki776z/MBnVha1Nzwp5arlzBbE3+1jk+pGmaP5HME=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 h1:FFeLy03iVTXP6ffeN2iXrxfGsZGCjVx0/4KlizjyBwU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0/go.mod h1:TMu73/k1CP8nBUpDLc71Wj/Kf7ZS9FK5b53VapRsP9o=
+go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE=
+go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY=
+go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
+go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
+go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys=
+go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
 go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
 go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
-go.step.sm/crypto v0.51.1 h1:ktUg/2hetEMiBAqgz502ktZDGoDoGrcHFg3XpkmkvvA=
-go.step.sm/crypto v0.51.1/go.mod h1:PdrhttNU/tG9/YsVd4fdlysBN+UV503p0o2irFZQlAw=
+go.step.sm/crypto v0.51.2 h1:5EiCGIMg7IvQTGmJrwRosbXeprtT80OhoS/PJarg60o=
+go.step.sm/crypto v0.51.2/go.mod h1:QK7czLjN2k+uqVp5CHXxJbhc70kVRSP+0CQF3zsR5M0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -689,23 +685,24 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY=
+golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -713,27 +710,26 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
-golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -744,40 +740,35 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
-golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
+golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
+golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -785,19 +776,17 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
@@ -807,26 +796,26 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-google.golang.org/api v0.194.0 h1:dztZKG9HgtIpbI35FhfuSNR/zmaMVdxNlntHj1sIS4s=
-google.golang.org/api v0.194.0/go.mod h1:AgvUFdojGANh3vI+P7EVnxj3AISHllxGCJSFmggmnd0=
+google.golang.org/api v0.205.0 h1:LFaxkAIpDb/GsrWV20dMMo5MR0h8UARTbn24LmD+0Pg=
+google.golang.org/api v0.205.0/go.mod h1:NrK1EMqO8Xk6l6QwRAmrXXg2v6dzukhlOyvkYtnvUuc=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142 h1:oLiyxGgE+rt22duwci1+TG7bg2/L1LQsXwfjPlmuJA0=
-google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142/go.mod h1:G11eXq53iI5Q+kyNOmCvnzBaxEA2Q/Ik5Tj7nqBE8j4=
-google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf h1:GillM0Ef0pkZPIB+5iO6SDK+4T9pf6TpaYR6ICD5rVE=
-google.golang.org/genproto/googleapis/api v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:OFMYQFHJ4TM3JRlWDZhJbZfra2uqc3WLBZiaaqP4DtU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
+google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38/go.mod h1:xBI+tzfqGGN2JBeSebfKXFSdBpWVQ7sLW40PTupVRm4=
+google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 h1:fVoAXEKA4+yufmbdVYv+SE73+cPZbbbe8paLsHfkK+U=
+google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53/go.mod h1:riSXTwQ4+nqmPGtobMFyW5FqVAmIs0St6VPp4Ug7CE4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -838,9 +827,10 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
+google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
@@ -850,6 +840,8 @@ gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
+gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -863,24 +855,29 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM=
-k8s.io/api v0.28.3/go.mod h1:MRCV/jr1dW87/qJnZ57U5Pak65LGmQVkKTzf3AtKFHc=
-k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A=
-k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8=
-k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4=
-k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo=
-k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
-k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
+k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
+k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
+k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
+k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak=
-k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+pault.ag/go/debian v0.12.0 h1:b8ctSdBSGJ98NE1VLn06aSx70EUpczlP2qqSHEiYYJA=
+pault.ag/go/debian v0.12.0/go.mod h1:UbnMr3z/KZepjq7VzbYgBEfz8j4+Pyrm2L5X1fzhy/k=
+pault.ag/go/topsort v0.0.0-20160530003732-f98d2ad46e1a/go.mod h1:INqx0ClF7kmPAMk2zVTX8DRnhZ/yaA/Mg52g8KFKE7k=
+pault.ag/go/topsort v0.1.1 h1:L0QnhUly6LmTv0e3DEzbN2q6/FGgAcQvaEw65S53Bg4=
+pault.ag/go/topsort v0.1.1/go.mod h1:r1kc/L0/FZ3HhjezBIPaNVhkqv8L0UJ9bxRuHRVZ0q4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw=
 sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0=
-sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=
-sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=

internal/embed/root.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package embed
 
 import (

internal/git/git.go

@@ -0,0 +1,176 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package git
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"os/exec"
+
+	"github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/plumbing"
+)
+
+// GitCommand is the path to the git binary, overridden in tests to check behavior when git is not installed.
+var GitCommand = "git"
+
+func Clone(ctx context.Context, gitRepo string, gitCommit string, targetDir string) error {
+	const localBranch = "FETCH_HEAD"
+
+	repo, err := git.PlainInit(targetDir, false)
+	if err != nil {
+		return fmt.Errorf("failed to init: %w", err)
+	}
+
+	remote, err := repo.CreateRemote(&config.RemoteConfig{
+		Name: "origin",
+		URLs: []string{gitRepo},
+		Fetch: []config.RefSpec{
+			config.RefSpec(fmt.Sprintf("%s:%s", gitCommit, localBranch)),
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("failed to add remote: %w", err)
+	}
+
+	err = remote.FetchContext(ctx, &git.FetchOptions{
+		Depth: 1,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to fetch: %w", err)
+	}
+
+	wt, err := repo.Worktree()
+	if err != nil {
+		return fmt.Errorf("failed to get worktree: %w", err)
+	}
+	err = wt.Checkout(&git.CheckoutOptions{
+		Hash: plumbing.NewHash(gitCommit),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to checkout: %w", err)
+	}
+
+	return nil
+}
+
+type execError struct {
+	*exec.ExitError
+	stderr []byte
+}
+
+func (e *execError) Error() string {
+	trimmed := bytes.TrimSpace(e.stderr)
+	if len(trimmed) == 0 {
+		return e.ExitError.Error()
+	}
+	return fmt.Sprintf("%s, %q", e.ExitError.Error(), string(bytes.TrimSpace(e.stderr)))
+}
+
+func (e *execError) Unwrap() error {
+	return e.ExitError
+}
+
+// Archive creates a tar archive of the files in the subdirectory given by subdir of the git repository at gitRepoDir.
+// This is accomplished by running `git archive --format=tar HEAD:subdir` in the git repository directory.
+//
+// The archive is written to the returned io.Reader. It is not necessary to close the returned reader.
+// Any error encountered while starting the command will be returned immediately.
+// Any error encountered after the command is running will be returned on the next read from the returned io.Reader.
+func Archive(ctx context.Context, gitRepoDir string, subdir string) (io.Reader, error) {
+	readPipe, writePipe := io.Pipe()
+
+	treeish := fmt.Sprintf("HEAD:%s", subdir)
+	cmd := exec.CommandContext(ctx, GitCommand, "archive", "--format=tar", treeish)
+	// run the command inside the git repo directory
+	cmd.Dir = gitRepoDir
+
+	// set the standard output to the write end of the pipe
+	cmd.Stdout = writePipe
+
+	// capture standard error so we can include it in the error message if the command fails
+	stderr := new(bytes.Buffer)
+	cmd.Stderr = stderr
+
+	err := cmd.Start()
+	if err != nil {
+		return nil, fmt.Errorf("failed to start command: %w", err)
+	}
+
+	// spawn a goroutine to wait for the command to finish and close the write pipe
+	go func() {
+		var err error // variable to hold any error
+
+		defer func() {
+			if p := recover(); p != nil {
+				// if we panic, set err to a new error wrapping the panic value
+				err = fmt.Errorf("panic: %v", p)
+			}
+
+			// send any error from the command (or the panic above) to the write pipe
+			// or nil if there was no error
+			// this will cause the error to be returned on the next read from the read pipe
+			writePipe.CloseWithError(err)
+		}()
+
+		// wait for the command to finish and capture any error
+		err = cmd.Wait()
+		if err != nil {
+			if ee, ok := err.(*exec.ExitError); ok {
+				err = &execError{ExitError: ee, stderr: stderr.Bytes()}
+			}
+		}
+	}()
+
+	return readPipe, nil
+}
+
+func TarScrub(in io.Reader, out io.Writer) error {
+	tr := tar.NewReader(in)
+	tw := tar.NewWriter(out)
+	defer tw.Flush() // note: flush instead of close to avoid the empty block at EOF
+
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			return nil
+		}
+		if err != nil {
+			return err
+		}
+		newHdr := &tar.Header{
+			Typeflag: hdr.Typeflag,
+			Name:     hdr.Name,
+			Linkname: hdr.Linkname,
+			Size:     hdr.Size,
+			Mode:     hdr.Mode,
+			Devmajor: hdr.Devmajor,
+			Devminor: hdr.Devminor,
+		}
+		if err := tw.WriteHeader(newHdr); err != nil {
+			return err
+		}
+		_, err = io.CopyN(tw, tr, hdr.Size)
+		if err != nil {
+			return err
+		}
+	}
+}

internal/git/git_test.go

@@ -0,0 +1,42 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package git
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestArchiveWithInvalidGitCommand(t *testing.T) {
+	originalGitCommand := GitCommand
+	GitCommand = "invalid-git-command"
+	defer func() { GitCommand = originalGitCommand }()
+
+	tempDir, err := os.MkdirTemp("", "gitrepo")
+	if err != nil {
+		t.Fatalf("failed to create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	ctx := context.Background()
+	_, err = Archive(ctx, tempDir, "")
+	require.ErrorIs(t, err, exec.ErrNotFound)
+}

internal/test/test.go

@@ -1,27 +1,60 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package test
 
 import (
 	"context"
+	"crypto"
+	"crypto/x509"
+	_ "embed"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/http/httptest"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
-	"github.com/docker/attest/pkg/policy"
-	"github.com/docker/attest/pkg/signerverifier"
-	"github.com/docker/attest/pkg/tlog"
+	"github.com/docker/attest/signerverifier"
+	"github.com/docker/attest/useragent"
+	"github.com/google/go-containerregistry/pkg/registry"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )
 
 const (
-	UseMockTL     = true
-	UseMockKMS    = true
-	UseMockPolicy = true
-
-	AWSRegion    = "us-east-1"
-	AWSKMSKeyARN = "arn:aws:kms:us-east-1:175142243308:alias/doi-signing" // sandbox
+	UseMockKMS                    = true
+	AWSRegion                     = "us-east-1"
+	AWSKMSKeyARN                  = "arn:aws:kms:us-east-1:175142243308:alias/doi-signing" // sandbox
+	UnsignedLinuxAMD64ImageDigest = "sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620"
+	UnsignedLinuxArm64ImageDigest = "sha256:7a76cec943853f9f7105b1976afa1bf7cd5bb6afc4e9d5852dd8da7cf81ae86e"
 )
 
-var UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
+func UnsignedTestIndex(rel ...string) string {
+	rel = append(rel, "test", "testdata", "unsigned-index")
+	return filepath.Join(rel...)
+}
+
+func UnsignedTestImage(rel ...string) string {
+	rel = append(rel, "test", "testdata", "unsigned-image")
+	return filepath.Join(rel...)
+}
 
 func CreateTempDir(t *testing.T, dir, pattern string) string {
 	// Create a temporary directory for output oci layout
@@ -39,33 +72,15 @@ func CreateTempDir(t *testing.T, dir, pattern string) string {
 	return tempDir
 }
 
+//go:embed test-signing-key.pem
+var signingKey []byte
+
 func GetMockSigner(_ context.Context) (dsse.SignerVerifier, error) {
-	priv, err := os.ReadFile(filepath.Join("..", "..", "test", "testdata", "test-signing-key.pem"))
-	if err != nil {
-		return nil, err
-	}
-	return signerverifier.LoadKeyPair(priv)
+	return signerverifier.LoadKeyPair(signingKey)
 }
 
 func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) {
-	var tl tlog.TL
-	if UseMockTL {
-		tl = tlog.GetMockTL()
-	} else {
-		tl = &tlog.RekorTL{}
-	}
-
-	ctx := tlog.WithTL(context.Background(), tl)
-
-	var policyEvaluator policy.Evaluator
-	if UseMockPolicy {
-		policyEvaluator = policy.GetMockPolicy()
-	} else {
-		policyEvaluator = policy.NewRegoEvaluator(true)
-	}
-
-	ctx = policy.WithPolicyEvaluator(ctx, policyEvaluator)
-
+	ctx := context.Background()
 	var signer dsse.SignerVerifier
 	var err error
 	if UseMockKMS {
@@ -82,3 +97,31 @@ func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) {
 
 	return ctx, signer
 }
+
+func NewLocalRegistry(ctx context.Context, options ...registry.Option) *httptest.Server {
+	options = append(options, registry.Logger(log.New(io.Discard, "", log.LstdFlags)))
+	regHandler := registry.New(options...)
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Check the user agent
+		ua := r.Header.Get("User-Agent")
+		userAgent := useragent.Get(ctx)
+		if !strings.HasPrefix(ua, userAgent) {
+			http.Error(w, fmt.Sprintf("expected user agent to contain %q, got %q", userAgent, ua), http.StatusForbidden)
+		}
+		regHandler.ServeHTTP(w, r)
+	}))
+}
+
+func PublicKeyToPEM(pubKey crypto.PublicKey) (string, error) {
+	derBytes, err := x509.MarshalPKIXPublicKey(pubKey)
+	if err != nil {
+		return "", err
+	}
+
+	pemBlock := &pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: derBytes,
+	}
+
+	return string(pem.EncodeToMemory(pemBlock)), nil
+}

internal/util/crypto.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package util
 
 import (

mapping/mapping.go

@@ -0,0 +1,154 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package mapping
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+
+	"github.com/docker/attest/tuf"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	MappingFilename = "mapping.yaml"
+)
+
+func validateMappingsFile(mappings *policyMappingsFile) error {
+	var validationErrors []error
+	if mappings.Kind != "policy-mapping" {
+		validationErrors = append(validationErrors, fmt.Errorf("file is not of kind policy-mapping: %s", mappings.Kind))
+	}
+	if mappings.Version != "v1" {
+		validationErrors = append(validationErrors, fmt.Errorf("unsupported policy mapping file version: %s", mappings.Version))
+	}
+	for _, rule := range mappings.Rules {
+		if rule.Pattern == "" {
+			validationErrors = append(validationErrors, fmt.Errorf("rule missing pattern: %s", rule))
+		}
+		if rule.PolicyID == "" && rule.Replacement == "" {
+			validationErrors = append(validationErrors, fmt.Errorf("rule must have policy-id or replacement: %s", rule))
+		}
+		if rule.PolicyID != "" && rule.Replacement != "" {
+			validationErrors = append(validationErrors, fmt.Errorf("rule cannot have both policy-id and replacement: %s", rule))
+		}
+		if rule.Platforms != nil {
+			for _, platform := range rule.Platforms {
+				if platform == "" {
+					validationErrors = append(validationErrors, fmt.Errorf("rule has empty platform: %s", rule))
+				}
+			}
+		}
+	}
+	for _, policy := range mappings.Policies {
+		if policy.ID == "" {
+			validationErrors = append(validationErrors, fmt.Errorf("policy missing id: %s", policy.ID))
+		}
+		if len(policy.Files) == 0 {
+			validationErrors = append(validationErrors, fmt.Errorf("policy missing files: %v", policy))
+		}
+		for _, file := range policy.Files {
+			if file.Path == "" {
+				validationErrors = append(validationErrors, fmt.Errorf("file missing path: %s", file))
+			}
+		}
+	}
+
+	if len(validationErrors) > 0 {
+		return errors.Join(validationErrors...)
+	}
+
+	return nil
+}
+
+func parsePolicyMappingsFile(data []byte) (*PolicyMappings, error) {
+	mappings := &policyMappingsFile{}
+	err := yaml.Unmarshal(data, mappings)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal policy mapping file: %w", err)
+	}
+	err = validateMappingsFile(mappings)
+	if err != nil {
+		return nil, fmt.Errorf("invalid policy mapping file: %w", err)
+	}
+	return expandMappingFile(mappings)
+}
+
+func LoadLocalMappings(configDir string) (*PolicyMappings, error) {
+	if configDir == "" {
+		return nil, nil
+	}
+	path := filepath.Join(configDir, MappingFilename)
+	mappingFile, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read local policy mapping file %s: %w", path, err)
+	}
+	return parsePolicyMappingsFile(mappingFile)
+}
+
+func LoadTUFMappings(tufClient tuf.Downloader, localTargetsDir string) (*PolicyMappings, error) {
+	if tufClient == nil {
+		return nil, fmt.Errorf("tuf client not set")
+	}
+	filename := MappingFilename
+	file, err := tufClient.DownloadTarget(filename, filepath.Join(localTargetsDir, filename))
+	if err != nil {
+		return nil, fmt.Errorf("failed to download policy mapping file %s: %w", filename, err)
+	}
+	return parsePolicyMappingsFile(file.Data)
+}
+
+func expandMappingFile(mappingFile *policyMappingsFile) (*PolicyMappings, error) {
+	policies := make(map[string]*PolicyMapping)
+	for _, policy := range mappingFile.Policies {
+		policies[policy.ID] = policy
+	}
+
+	var rules []*PolicyRule
+	for _, rule := range mappingFile.Rules {
+		patternRegex, err := regexp.Compile(rule.Pattern)
+		if err != nil {
+			return nil, err
+		}
+		platforms := make([]*v1.Platform, 0, len(rule.Platforms))
+		for _, platform := range rule.Platforms {
+			parsedPlatform, err := v1.ParsePlatform(platform)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse platform %s: %w", platform, err)
+			}
+			platforms = append(platforms, parsedPlatform)
+		}
+
+		rules = append(rules, &PolicyRule{
+			Pattern:     patternRegex,
+			PolicyID:    rule.PolicyID,
+			Replacement: rule.Replacement,
+			Platforms:   platforms,
+		})
+	}
+
+	return &PolicyMappings{
+		Version:  mappingFile.Version,
+		Kind:     mappingFile.Kind,
+		Policies: policies,
+		Rules:    rules,
+	}, nil
+}

mapping/mapping_test.go

@@ -0,0 +1,98 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package mapping
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func newMapping() *policyMappingsFile {
+	return &policyMappingsFile{
+		Version: "v1",
+		Kind:    "policy-mapping",
+		Policies: []*PolicyMapping{
+			{
+				ID: "docker-official-images",
+				Files: []PolicyMappingFile{
+					{
+						Path: "docker.io/library/alpine",
+					},
+				},
+			},
+		},
+		Rules: []*policyRuleFile{
+			{
+				Pattern:  "docker.io/library/alpine",
+				PolicyID: "docker-official-images",
+			},
+		},
+	}
+}
+
+func TestMappingsFileValidation(t *testing.T) {
+	mappings := newMapping()
+	err := validateMappingsFile(mappings)
+	require.NoError(t, err)
+
+	mappings = newMapping()
+	mappings.Kind = "not-policy-mapping"
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "file is not of kind policy-mapping: not-policy-mapping")
+
+	mappings = newMapping()
+	mappings.Version = "v2"
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "unsupported policy mapping file version: v2")
+
+	mappings = newMapping()
+	mappings.Rules[0].Pattern = ""
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "rule missing pattern")
+
+	mappings = newMapping()
+	mappings.Rules[0].PolicyID = ""
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "rule must have policy-id or replacement")
+
+	mappings = newMapping()
+	mappings.Rules[0].PolicyID = "docker-official-images"
+	mappings.Rules[0].Replacement = "docker.io/library/alpine"
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "rule cannot have both policy-id and replacement")
+
+	mappings = newMapping()
+	mappings.Policies[0].ID = ""
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "policy missing id")
+
+	mappings = newMapping()
+	mappings.Policies[0].Files = nil
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "policy missing files")
+
+	mappings = newMapping()
+	mappings.Policies[0].Files[0].Path = ""
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "file missing path")
+
+	// multiple errors
+	mappings.Policies[0].ID = ""
+	err = validateMappingsFile(mappings)
+	require.ErrorContains(t, err, "policy missing id: \nfile missing path: {}")
+}

mapping/match.go

@@ -0,0 +1,96 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package mapping
+
+import (
+	"fmt"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+type matchType string
+
+const (
+	MatchTypePolicy        matchType = "policy"
+	MatchTypeMatchNoPolicy matchType = "match_no_policy"
+	MatchTypeNoMatch       matchType = "no_match"
+)
+
+type PolicyMatch struct {
+	MatchType   matchType
+	Policy      *PolicyMapping
+	Rule        *PolicyRule
+	MatchedName string
+}
+
+func (mappings *PolicyMappings) FindPolicyMatch(imageName string, platform *v1.Platform) (*PolicyMatch, error) {
+	if mappings == nil {
+		return &PolicyMatch{MatchType: MatchTypeNoMatch, MatchedName: imageName}, nil
+	}
+	return mappings.findPolicyMatchImpl(imageName, platform, make(map[*PolicyRule]bool))
+}
+
+func (mappings *PolicyMappings) findPolicyMatchImpl(imageName string, platform *v1.Platform, matched map[*PolicyRule]bool) (*PolicyMatch, error) {
+	for _, rule := range mappings.Rules {
+		if !rule.matchesPlatform(platform) {
+			continue
+		}
+		if rule.Pattern.MatchString(imageName) {
+			switch {
+			case rule.PolicyID == "" && rule.Replacement == "":
+				return nil, fmt.Errorf("rule %s has neither policy-id nor rewrite", rule.Pattern)
+			case rule.PolicyID != "" && rule.Replacement != "":
+				return nil, fmt.Errorf("rule %s has both policy-id and rewrite", rule.Pattern)
+			case rule.PolicyID != "":
+				policy := mappings.Policies[rule.PolicyID]
+				if policy != nil {
+					return &PolicyMatch{
+						MatchType:   MatchTypePolicy,
+						Policy:      policy,
+						Rule:        rule,
+						MatchedName: imageName,
+					}, nil
+				}
+				return &PolicyMatch{
+					MatchType:   MatchTypeMatchNoPolicy,
+					Rule:        rule,
+					MatchedName: imageName,
+				}, nil
+			case rule.Replacement != "":
+				if matched[rule] {
+					return nil, fmt.Errorf("rewrite loop detected")
+				}
+				matched[rule] = true
+				imageName = rule.Pattern.ReplaceAllString(imageName, rule.Replacement)
+				return mappings.findPolicyMatchImpl(imageName, platform, matched)
+			}
+		}
+	}
+	return &PolicyMatch{MatchType: MatchTypeNoMatch}, nil
+}
+
+func (rule *PolicyRule) matchesPlatform(platform *v1.Platform) bool {
+	if len(rule.Platforms) == 0 {
+		return true
+	}
+	for i := range rule.Platforms {
+		if rule.Platforms[i].Equals(*platform) {
+			return true
+		}
+	}
+	return false
+}

mapping/match_test.go

@@ -0,0 +1,216 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package mapping
+
+import (
+	"path/filepath"
+	"testing"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFindPolicyMatch(t *testing.T) {
+	defaultPlatform, err := v1.ParsePlatform("linux/amd64")
+	require.NoError(t, err)
+	testCases := []struct {
+		name               string
+		imageName          string
+		mappingDir         string
+		expectError        bool
+		expectLoadingError bool
+		expectedMatchType  matchType
+		expectedPolicyID   string
+		expectedImageName  string
+		platform           string
+	}{
+		{
+			name:       "alpine",
+			mappingDir: "doi",
+			imageName:  "docker.io/library/alpine",
+
+			expectedMatchType: MatchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "no match",
+			mappingDir: "doi",
+			imageName:  "docker.io/something/else",
+
+			expectedMatchType: MatchTypeNoMatch,
+		},
+		{
+			name:       "match, no policy",
+			mappingDir: "local",
+			imageName:  "docker.io/library/alpine",
+
+			expectedMatchType: MatchTypeMatchNoPolicy,
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "simple rewrite",
+			mappingDir: "simple-rewrite",
+			imageName:  "mycoolmirror.org/library/alpine",
+
+			expectedMatchType: MatchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "rewrite no match",
+			mappingDir: "rewrite-to-no-match",
+			imageName:  "mycoolmirror.org/library/alpine",
+
+			expectedMatchType: MatchTypeNoMatch,
+		},
+		{
+			name:       "rewrite to match, no policy",
+			mappingDir: "rewrite-to-local",
+			imageName:  "mycoolmirror.org/library/alpine",
+
+			expectedMatchType: MatchTypeMatchNoPolicy,
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "multiple rewrites",
+			mappingDir: "rewrite-multiple",
+			imageName:  "myevencoolermirror.org/library/alpine",
+
+			expectedMatchType: MatchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:       "rewrite loop",
+			mappingDir: "rewrite-loop",
+			imageName:  "yin/alpine",
+
+			expectError: true,
+		},
+		{
+			name:              "alpine with platform",
+			mappingDir:        "doi",
+			imageName:         "docker.io/library/alpine",
+			platform:          "linux/amd64",
+			expectedMatchType: MatchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:              "alpine with platform",
+			mappingDir:        "doi-platform",
+			imageName:         "docker.io/library/alpine",
+			platform:          "linux/amd64",
+			expectedMatchType: MatchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:              "alpine with no matching platform",
+			mappingDir:        "doi-platform",
+			imageName:         "docker.io/library/alpine",
+			platform:          "linux/arm64",
+			expectedMatchType: MatchTypeNoMatch,
+			expectedPolicyID:  "docker-official-images",
+		},
+		{
+			name:              "alpine with platform",
+			mappingDir:        "doi-platform",
+			imageName:         "docker.io/library/alpine",
+			platform:          "linux/amd64",
+			expectedMatchType: MatchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:               "alpine with invalid platform in mapping",
+			mappingDir:         "doi-platform-broken",
+			imageName:          "docker.io/library/alpine",
+			platform:           "linux/amd64",
+			expectLoadingError: true,
+		},
+		{
+			name:              "firefox with > 1 platforms in policy",
+			mappingDir:        "doi-platform",
+			imageName:         "docker.io/mozilla/firefox",
+			platform:          "linux/arm64",
+			expectedMatchType: MatchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/mozilla/firefox",
+		},
+		{
+			name:              "firefox with > 1 platforms in policy (no match)",
+			mappingDir:        "doi-platform",
+			imageName:         "docker.io/mozilla/firefox",
+			platform:          "macOs/arm64",
+			expectedMatchType: MatchTypeNoMatch,
+			expectedPolicyID:  "docker-official-images",
+		},
+		{
+			name:              "rewrite and platform",
+			mappingDir:        "doi-platform",
+			imageName:         "mycoolmirror.org/library/alpine",
+			platform:          "linux/amd64",
+			expectedMatchType: MatchTypePolicy,
+			expectedPolicyID:  "docker-official-images",
+			expectedImageName: "docker.io/library/alpine",
+		},
+		{
+			name:              "rewrite and platform mismatch",
+			mappingDir:        "doi-platform",
+			imageName:         "mycoolmirror.org/library/alpine",
+			platform:          "macOs/amd64",
+			expectedMatchType: MatchTypeNoMatch,
+			expectedPolicyID:  "docker-official-images",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mappings, err := LoadLocalMappings(filepath.Join("testdata", "mappings", tc.mappingDir))
+			if tc.expectLoadingError {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			platform := defaultPlatform
+			if tc.platform != "" {
+				platform, err = v1.ParsePlatform(tc.platform)
+				require.NoError(t, err)
+			}
+			match, err := mappings.FindPolicyMatch(tc.imageName, platform)
+			if tc.expectError {
+				require.Error(t, err)
+				// TODO: check error matches expected error message
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tc.expectedMatchType, match.MatchType)
+			if match.MatchType == MatchTypePolicy {
+				if assert.NotNil(t, match.Policy) {
+					assert.Equal(t, tc.expectedPolicyID, match.Policy.ID)
+				}
+			}
+			if match.MatchType == MatchTypeMatchNoPolicy || match.MatchType == MatchTypePolicy {
+				assert.Equal(t, tc.expectedImageName, match.MatchedName)
+			}
+		})
+	}
+}

mapping/testdata/mappings/doi-platform-broken/mapping.yaml

@@ -0,0 +1,11 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    platforms: ["linux/amd64/broken/platform/spec/1.0:foobar"]
+    policy-id: docker-official-images

mapping/testdata/mappings/doi-platform/mapping.yaml

@@ -0,0 +1,17 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: docker-official-images
+    description: Docker Official Images
+    files:
+      - path: doi/policy.rego
+rules:
+  - pattern: "^docker[.]io/library/(.*)$"
+    platforms: ["linux/amd64"]
+    policy-id: docker-official-images
+  - pattern: "^docker.io/mozilla/(.*)$"
+    platforms: ["linux/amd64", "linux/arm64"]
+    policy-id: docker-official-images
+  - pattern: "^mycoolmirror[.]org/library/(.*)$"
+    platforms: ["linux/amd64"]
+    rewrite: "docker.io/library/$1"

mapping/types.go

@@ -1,7 +1,25 @@
-package config
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package mapping
 
 import (
 	"regexp"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 )
 
 type policyMappingsFile struct {
@@ -12,9 +30,10 @@ type policyMappingsFile struct {
 }
 
 type policyRuleFile struct {
-	Pattern     string `json:"pattern"`
-	PolicyID    string `json:"policy-id"`
-	Replacement string `json:"rewrite"`
+	Pattern     string   `json:"pattern"`
+	Platforms   []string `json:"platforms"`
+	PolicyID    string   `json:"policy-id"`
+	Replacement string   `json:"rewrite"`
 }
 
 type PolicyMappings struct {
@@ -51,4 +70,5 @@ type PolicyRule struct {
 	Pattern     *regexp.Regexp
 	PolicyID    string
 	Replacement string
+	Platforms   []*v1.Platform
 }

mirror/example_mirror_test.go

@@ -1,14 +1,31 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package mirror_test
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 
-	"github.com/docker/attest/pkg/mirror"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/mirror"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/tuf"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 )
 
@@ -29,7 +46,8 @@ func ExampleNewTUFMirror() {
 	// configure TUF mirror
 	metadataURI := "https://docker.github.io/tuf-staging/metadata"
 	targetsURI := "https://docker.github.io/tuf-staging/targets"
-	m, err := mirror.NewTUFMirror(tuf.DockerTUFRootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
+	ctx := context.Background()
+	m, err := mirror.NewTUFMirror(ctx, tuf.DockerTUFRootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
 	if err != nil {
 		panic(err)
 	}
@@ -64,7 +82,7 @@ func ExampleNewTUFMirror() {
 	}
 
 	// push metadata and targets to registry (optional)
-	err = mirrorToRegistry(mirrorOutput)
+	err = mirrorToRegistry(ctx, mirrorOutput)
 	if err != nil {
 		panic(err)
 	}
@@ -77,10 +95,10 @@ func ExampleNewTUFMirror() {
 	}
 }
 
-func mirrorToRegistry(o *TufMirrorOutput) error {
+func mirrorToRegistry(ctx context.Context, o *TufMirrorOutput) error {
 	// push metadata to registry
 	metadataRepo := "registry-1.docker.io/docker/tuf-metadata:latest"
-	err := oci.PushImageToRegistry(o.metadata, metadataRepo)
+	err := oci.PushImageToRegistry(ctx, o.metadata, metadataRepo)
 	if err != nil {
 		return err
 	}
@@ -91,7 +109,7 @@ func mirrorToRegistry(o *TufMirrorOutput) error {
 			return fmt.Errorf("failed to get repo without tag: %s", metadataRepo)
 		}
 		imageName := fmt.Sprintf("%s:%s", repo, metadata.Tag)
-		err = oci.PushImageToRegistry(metadata.Image, imageName)
+		err = oci.PushImageToRegistry(ctx, metadata.Image, imageName)
 		if err != nil {
 			return err
 		}
@@ -101,7 +119,7 @@ func mirrorToRegistry(o *TufMirrorOutput) error {
 	targetsRepo := "registry-1.docker.io/docker/tuf-targets"
 	for _, target := range o.targets {
 		imageName := fmt.Sprintf("%s:%s", targetsRepo, target.Tag)
-		err = oci.PushImageToRegistry(target.Image, imageName)
+		err = oci.PushImageToRegistry(ctx, target.Image, imageName)
 		if err != nil {
 			return err
 		}
@@ -109,7 +127,7 @@ func mirrorToRegistry(o *TufMirrorOutput) error {
 	// push delegated targets to registry
 	for _, target := range o.delegatedTargets {
 		imageName := fmt.Sprintf("%s:%s", targetsRepo, target.Tag)
-		err = oci.PushIndexToRegistry(target.Index, imageName)
+		err = oci.PushIndexToRegistry(ctx, target.Index, imageName)
 		if err != nil {
 			return err
 		}

mirror/metadata.go

@@ -1,10 +1,26 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package mirror
 
 import (
 	"fmt"
 	"strconv"
 
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"

mirror/metadata_test.go

@@ -1,6 +1,23 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package mirror
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -10,7 +27,7 @@ import (
 	"testing"
 
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/tuf"
 	"github.com/stretchr/testify/assert"
 	"github.com/theupdateframework/go-tuf/v2/metadata"
 )
@@ -21,11 +38,11 @@ const (
 )
 
 func TestGetTufMetadataMirror(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTUFMirror(tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
+	m, err := NewTUFMirror(context.Background(), tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
 	assert.NoError(t, err)
 
 	tufMetadata, err := m.getMetadataMirror(server.URL + metadataPath)
@@ -39,11 +56,11 @@ func TestGetTufMetadataMirror(t *testing.T) {
 }
 
 func TestGetMetadataManifest(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTUFMirror(tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
+	m, err := NewTUFMirror(context.Background(), tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
 	assert.NoError(t, err)
 
 	img, err := m.GetMetadataManifest(server.URL + metadataPath)
@@ -78,11 +95,11 @@ func TestGetMetadataManifest(t *testing.T) {
 }
 
 func TestGetDelegatedMetadataMirrors(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTUFMirror(tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
+	m, err := NewTUFMirror(context.Background(), tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
 	assert.NoError(t, err)
 
 	delegations, err := m.GetDelegatedMetadataMirrors()

mirror/mirror.go

@@ -0,0 +1,35 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package mirror
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/attest/tuf"
+)
+
+func NewTUFMirror(ctx context.Context, root []byte, tufPath, metadataURL, targetsURL string, versionChecker tuf.VersionChecker) (*TUFMirror, error) {
+	if root == nil {
+		root = tuf.DockerTUFRootDefault.Data
+	}
+	tufClient, err := tuf.NewClient(ctx, &tuf.ClientOptions{InitialRoot: root, LocalStorageDir: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create TUF client: %w", err)
+	}
+	return &TUFMirror{TUFClient: tufClient, tufPath: tufPath, metadataURL: metadataURL, targetsURL: targetsURL}, nil
+}

mirror/targets.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package mirror
 
 import (
@@ -5,7 +21,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"

mirror/targets_test.go

@@ -1,6 +1,23 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package mirror
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -9,7 +26,7 @@ import (
 	"testing"
 
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/tuf"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -22,11 +39,11 @@ type Layers struct {
 }
 
 func TestGetTufTargetsMirror(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTUFMirror(tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
+	m, err := NewTUFMirror(context.Background(), tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
 	assert.NoError(t, err)
 
 	targets, err := m.GetTUFTargetMirrors()
@@ -56,11 +73,11 @@ func TestGetTufTargetsMirror(t *testing.T) {
 }
 
 func TestTargetDelegationMetadata(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
-	tm, err := NewTUFMirror(tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
+	tm, err := NewTUFMirror(context.Background(), tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
 	assert.NoError(t, err)
 
 	targets, err := tm.TUFClient.LoadDelegatedTargets("test-role", "targets")
@@ -69,11 +86,11 @@ func TestTargetDelegationMetadata(t *testing.T) {
 }
 
 func TestGetDelegatedTargetMirrors(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
-	m, err := NewTUFMirror(tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
+	m, err := NewTUFMirror(context.Background(), tuf.DockerTUFRootDev.Data, path, server.URL+metadataPath, server.URL+targetsPath, tuf.NewMockVersionChecker())
 	assert.NoError(t, err)
 
 	mirrors, err := m.GetDelegatedTargetMirrors()

mirror/types.go

@@ -1,8 +1,24 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package mirror
 
 import (
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/tuf"
+	"github.com/docker/attest/oci"
+	"github.com/docker/attest/tuf"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/theupdateframework/go-tuf/v2/metadata"
 )

oci/authn.go

@@ -0,0 +1,39 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package oci
+
+import (
+	"io"
+
+	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/v1/google"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
+
+func MultiKeychainOption() remote.Option {
+	return remote.WithAuthFromKeychain(MultiKeychainAll())
+}
+
+func MultiKeychainAll() authn.Keychain {
+	// Create a multi-keychain that will use the default Docker, Google, or ECR keychain
+	return authn.NewMultiKeychain(
+		authn.DefaultKeychain,
+		google.Keychain,
+		authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))),
+	)
+}

oci/authn_test.go

@@ -0,0 +1,49 @@
+//go:build e2e
+
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package oci_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/oci"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRegistryAuth(t *testing.T) {
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
+	require.NoError(t, err)
+	// test cases for ecr, gcr and dockerhub
+	testCases := []struct {
+		Image string
+	}{
+		{Image: "175142243308.dkr.ecr.us-east-1.amazonaws.com/e2e-test-image:latest"},
+		{Image: "docker/image-signer-verifier-test:latest"},
+	}
+	ctx := context.Background()
+	for _, tc := range testCases {
+		t.Run(tc.Image, func(t *testing.T) {
+			err := oci.PushIndexToRegistry(ctx, attIdx.Index, tc.Image)
+			require.NoError(t, err)
+			_, err = oci.IndexFromRemote(ctx, tc.Image)
+			require.NoError(t, err)
+		})
+	}
+}

oci/oci.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package oci
 
 import (
@@ -7,6 +23,7 @@ import (
 
 	"github.com/containerd/platforms"
 	"github.com/distribution/reference"
+	"github.com/docker/attest/useragent"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
@@ -33,7 +50,11 @@ func ParsePlatform(platformStr string) (*v1.Platform, error) {
 
 func WithOptions(ctx context.Context, platform *v1.Platform) []remote.Option {
 	// prepare options
-	options := []remote.Option{MultiKeychainOption(), remote.WithTransport(HTTPTransport()), remote.WithContext(ctx)}
+	options := []remote.Option{
+		MultiKeychainOption(),
+		remote.WithContext(ctx),
+		remote.WithUserAgent(useragent.Get(ctx)),
+	}
 
 	// add in platform into remote Get operation; this might conflict with an explicit digest, but we are trying anyway
 	if platform != nil {
@@ -87,7 +108,7 @@ func RefToPURL(named reference.Named, platform *v1.Platform) (string, bool, erro
 		})
 	}
 
-	p := packageurl.NewPackageURL("docker", ns, name, version, qualifiers, "")
+	p := packageurl.NewPackageURL(packageurl.TypeDocker, ns, name, version, qualifiers, "")
 	return p.ToString(), isCanonical, nil
 }
 

oci/oci_test.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package oci_test
 
 import (
@@ -5,7 +21,7 @@ import (
 
 	"github.com/distribution/reference"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
 	"github.com/stretchr/testify/assert"
@@ -67,7 +83,7 @@ func TestRefToPurl(t *testing.T) {
 
 // Test fix for https://github.com/docker/secure-artifacts-team-issues/issues/202
 func TestImageDigestForPlatform(t *testing.T) {
-	idx, err := layout.ImageIndexFromPath(test.UnsignedTestImage)
+	idx, err := layout.ImageIndexFromPath(test.UnsignedTestIndex(".."))
 	assert.NoError(t, err)
 
 	idxm, err := idx.IndexManifest()
@@ -86,14 +102,14 @@ func TestImageDigestForPlatform(t *testing.T) {
 	desc, err := oci.ImageDescriptor(mfs2, p)
 	assert.NoError(t, err)
 	digest := desc.Digest.String()
-	assert.Equal(t, "sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620", digest)
+	assert.Equal(t, test.UnsignedLinuxAMD64ImageDigest, digest)
 
 	p, err = oci.ParsePlatform("linux/arm64")
 	assert.NoError(t, err)
 	desc, err = oci.ImageDescriptor(mfs2, p)
 	assert.NoError(t, err)
 	digest = desc.Digest.String()
-	assert.Equal(t, "sha256:7a76cec943853f9f7105b1976afa1bf7cd5bb6afc4e9d5852dd8da7cf81ae86e", digest)
+	assert.Equal(t, test.UnsignedLinuxArm64ImageDigest, digest)
 }
 
 func TestWithoutTag(t *testing.T) {

oci/output.go

@@ -1,6 +1,23 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package oci
 
 import (
+	"context"
 	"fmt"
 	"os"
 
@@ -13,18 +30,18 @@ import (
 )
 
 // PushImageToRegistry pushes an image to the registry with the specified name.
-func PushImageToRegistry(image v1.Image, imageName string) error {
+func PushImageToRegistry(ctx context.Context, image v1.Image, imageName string) error {
 	ref, err := name.ParseReference(imageName)
 	if err != nil {
 		return fmt.Errorf("Failed to parse image name '%s': %w", imageName, err)
 	}
 
 	// Push the image to the registry
-	return remote.Write(ref, image, MultiKeychainOption())
+	return remote.Write(ref, image, WithOptions(ctx, nil)...)
 }
 
 // PushIndexToRegistry pushes an index to the registry with the specified name.
-func PushIndexToRegistry(index v1.ImageIndex, imageName string) error {
+func PushIndexToRegistry(ctx context.Context, index v1.ImageIndex, imageName string) error {
 	// Parse the index name
 	ref, err := name.ParseReference(imageName)
 	if err != nil {
@@ -32,7 +49,7 @@ func PushIndexToRegistry(index v1.ImageIndex, imageName string) error {
 	}
 
 	// Push the index to the registry
-	return remote.WriteIndex(ref, index, MultiKeychainOption())
+	return remote.WriteIndex(ref, index, WithOptions(ctx, nil)...)
 }
 
 // SaveIndexAsOCILayout saves an image as an OCI layout to the specified path.
@@ -66,7 +83,7 @@ func SaveIndexAsOCILayout(image v1.ImageIndex, path string) error {
 }
 
 // SaveIndex saves an index to the specified outputs.
-func SaveIndex(outputs []*ImageSpec, index v1.ImageIndex, indexName string) error {
+func SaveIndex(ctx context.Context, outputs []*ImageSpec, index v1.ImageIndex, indexName string) error {
 	// split output by comma and write or push each one
 	for _, output := range outputs {
 		if output.Type == OCI {
@@ -84,7 +101,7 @@ func SaveIndex(outputs []*ImageSpec, index v1.ImageIndex, indexName string) erro
 				return fmt.Errorf("failed to write signed image: %w", err)
 			}
 		} else {
-			err := PushIndexToRegistry(index, output.Identifier)
+			err := PushIndexToRegistry(ctx, index, output.Identifier)
 			if err != nil {
 				return fmt.Errorf("failed to push signed image: %w", err)
 			}
@@ -94,7 +111,7 @@ func SaveIndex(outputs []*ImageSpec, index v1.ImageIndex, indexName string) erro
 }
 
 // SaveImage saves an image to the specified output.
-func SaveImage(output *ImageSpec, image v1.Image, imageName string) error {
+func SaveImage(ctx context.Context, output *ImageSpec, image v1.Image, imageName string) error {
 	if output.Type == OCI {
 		idx := v1.ImageIndex(empty.Index)
 		idx = mutate.AppendManifests(idx, mutate.IndexAddendum{
@@ -110,7 +127,7 @@ func SaveImage(output *ImageSpec, image v1.Image, imageName string) error {
 			return fmt.Errorf("failed to write signed image: %w", err)
 		}
 	} else {
-		err := PushImageToRegistry(image, output.Identifier)
+		err := PushImageToRegistry(ctx, image, output.Identifier)
 		if err != nil {
 			return fmt.Errorf("failed to push signed image: %w", err)
 		}
@@ -119,7 +136,7 @@ func SaveImage(output *ImageSpec, image v1.Image, imageName string) error {
 }
 
 // SaveImagesNoTag saves a list of images by digest to the specified outputs.
-func SaveImagesNoTag(images []v1.Image, outputs []*ImageSpec) error {
+func SaveImagesNoTag(ctx context.Context, images []v1.Image, outputs []*ImageSpec) error {
 	for _, output := range outputs {
 		// OCI layout output not supported
 		if output.Type == OCI {
@@ -134,7 +151,7 @@ func SaveImagesNoTag(images []v1.Image, outputs []*ImageSpec) error {
 			if err != nil {
 				return fmt.Errorf("failed to create image spec: %w", err)
 			}
-			err = PushImageToRegistry(image, spec.Identifier)
+			err = PushImageToRegistry(ctx, image, spec.Identifier)
 			if err != nil {
 				return fmt.Errorf("failed to push image: %w", err)
 			}

oci/output_test.go

@@ -1,14 +1,30 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package oci_test
 
 import (
+	"context"
 	"fmt"
-	"net/http/httptest"
 	"net/url"
 	"testing"
 
+	"github.com/docker/attest/attestation"
 	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
+	"github.com/docker/attest/oci"
 	"github.com/google/go-containerregistry/pkg/registry"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
@@ -18,24 +34,25 @@ import (
 
 func TestSavingIndex(t *testing.T) {
 	outputLayout := test.CreateTempDir(t, "", "mirror-test")
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
+	attIdx, err := oci.IndexFromPath(test.UnsignedTestIndex(".."))
 	require.NoError(t, err)
 
-	server := httptest.NewServer(registry.New())
-	defer server.Close()
+	ctx := context.Background()
+	regServer := test.NewLocalRegistry(ctx)
+	defer regServer.Close()
 
-	u, err := url.Parse(server.URL)
+	u, err := url.Parse(regServer.URL)
 	require.NoError(t, err)
 
 	indexName := fmt.Sprintf("%s/repo:root", u.Host)
 	output, err := oci.ParseImageSpecs(indexName)
 	require.NoError(t, err)
-	err = oci.SaveIndex(output, attIdx.Index, indexName)
+	err = oci.SaveIndex(ctx, output, attIdx.Index, indexName)
 	require.NoError(t, err)
 
 	ociOutput, err := oci.ParseImageSpecs(oci.LocalPrefix + outputLayout)
 	require.NoError(t, err)
-	err = oci.SaveIndex(ociOutput, attIdx.Index, indexName)
+	err = oci.SaveIndex(ctx, ociOutput, attIdx.Index, indexName)
 	require.NoError(t, err)
 }
 
@@ -44,21 +61,22 @@ func TestSavingImage(t *testing.T) {
 
 	img := empty.Image
 
-	server := httptest.NewServer(registry.New())
-	defer server.Close()
+	ctx := context.Background()
+	regServer := test.NewLocalRegistry(ctx)
+	defer regServer.Close()
 
-	u, err := url.Parse(server.URL)
+	u, err := url.Parse(regServer.URL)
 	require.NoError(t, err)
 
 	indexName := fmt.Sprintf("%s/repo:root", u.Host)
 	output, err := oci.ParseImageSpec(indexName)
 	require.NoError(t, err)
-	err = oci.SaveImage(output, img, indexName)
+	err = oci.SaveImage(ctx, output, img, indexName)
 	require.NoError(t, err)
 
 	ociOutput, err := oci.ParseImageSpec(oci.LocalPrefix + outputLayout)
 	require.NoError(t, err)
-	err = oci.SaveImage(ociOutput, img, indexName)
+	err = oci.SaveImage(ctx, ociOutput, img, indexName)
 	require.NoError(t, err)
 }
 
@@ -71,7 +89,7 @@ func TestSavingReferrers(t *testing.T) {
 		},
 	}
 
-	digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
+	digest, err := v1.NewHash(test.UnsignedLinuxAMD64ImageDigest)
 	require.NoError(t, err)
 	subject := &v1.Descriptor{
 		MediaType: "application/vnd.oci.image.manifest.v1+json",
@@ -81,10 +99,10 @@ func TestSavingReferrers(t *testing.T) {
 	require.NoError(t, err)
 	err = manifest.Add(ctx, signer, statement, opts)
 	require.NoError(t, err)
-	server := httptest.NewServer(registry.New(registry.WithReferrersSupport(true)))
-	defer server.Close()
+	regServer := test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true))
+	defer regServer.Close()
 
-	u, err := url.Parse(server.URL)
+	u, err := url.Parse(regServer.URL)
 	require.NoError(t, err)
 
 	indexName := fmt.Sprintf("%s/repo:root", u.Host)
@@ -92,7 +110,7 @@ func TestSavingReferrers(t *testing.T) {
 	require.NoError(t, err)
 	artifacts, err := manifest.BuildReferringArtifacts()
 	require.NoError(t, err)
-	err = oci.SaveImagesNoTag(artifacts, output)
+	err = oci.SaveImagesNoTag(ctx, artifacts, output)
 	require.NoError(t, err)
 
 	reg := &attestation.MockRegistryResolver{

oci/registry.go

@@ -1,3 +1,19 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package oci
 
 import (
@@ -9,6 +25,9 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 )
 
+// ensure RegistryImageDetailsResolver implements ImageDetailsResolver.
+var _ ImageDetailsResolver = &RegistryImageDetailsResolver{}
+
 type RegistryImageDetailsResolver struct {
 	*ImageSpec
 	descriptor *v1.Descriptor

oci/resolver.go

@@ -0,0 +1,29 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package oci
+
+import (
+	"context"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+type ImageDetailsResolver interface {
+	ImageName(ctx context.Context) (string, error)
+	ImagePlatform(ctx context.Context) (*v1.Platform, error)
+	ImageDescriptor(ctx context.Context) (*v1.Descriptor, error)
+}

oci/types.go

@@ -1,7 +1,24 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
 package oci
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"strings"
@@ -61,14 +78,14 @@ func IndexFromPath(path string) (*NamedIndex, error) {
 	}, nil
 }
 
-func IndexFromRemote(image string) (*NamedIndex, error) {
+func IndexFromRemote(ctx context.Context, image string) (*NamedIndex, error) {
 	ref, err := name.ParseReference(image)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse image reference %s: %w", image, err)
 	}
 
 	// Pull the image from the registry
-	idx, err := remote.Index(ref, MultiKeychainOption())
+	idx, err := remote.Index(ref, WithOptions(ctx, nil)...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to pull image %s: %w", image, err)
 	}
@@ -78,11 +95,11 @@ func IndexFromRemote(image string) (*NamedIndex, error) {
 	}, nil
 }
 
-func LoadIndex(input *ImageSpec) (*NamedIndex, error) {
+func LoadIndex(ctx context.Context, input *ImageSpec) (*NamedIndex, error) {
 	if input.Type == OCI {
 		return IndexFromPath(input.Identifier)
 	}
-	return IndexFromRemote(input.Identifier)
+	return IndexFromRemote(ctx, input.Identifier)
 }
 
 func (i *ImageSpec) ForPlatforms(platform string) ([]*ImageSpec, error) {

oci/types_test.go

@@ -0,0 +1,37 @@
+/*
+   Copyright Docker attest authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package oci
+
+import (
+	"testing"
+
+	"github.com/docker/attest/internal/util"
+	"github.com/google/go-containerregistry/pkg/v1/empty"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEmptyConfigImageDigest(t *testing.T) {
+	empty := empty.Image
+	img := EmptyConfigImage{Image: empty}
+	mf, err := img.RawManifest()
+	require.NoError(t, err)
+	hash := util.SHA256Hex(mf)
+	digest, err := img.Digest()
+	require.NoError(t, err)
+	assert.Equal(t, digest.Hex, hash)
+}

pkg/attest/README.md

@@ -1,2 +0,0 @@
-## attest
-This package implements the top-level signing and verification methods.

pkg/attest/sign.go

@@ -1,29 +0,0 @@
-package attest
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/docker/attest/pkg/attestation"
-	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"github.com/secure-systems-lab/go-securesystemslib/dsse"
-)
-
-// this is only relevant if there are (unsigned) in-toto statements.
-func SignStatements(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVerifier, opts *attestation.SigningOptions) ([]*attestation.Manifest, error) {
-	// extract attestation manifests from index
-	attestationManifests, err := attestation.ManifestsFromIndex(idx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load attestation manifests from index: %w", err)
-	}
-	// sign every attestation layer in each manifest
-	for _, manifest := range attestationManifests {
-		for _, layer := range manifest.OriginalLayers {
-			err = manifest.Add(ctx, signer, layer.Statement, opts)
-			if err != nil {
-				return nil, fmt.Errorf("failed to sign attestation layer %w", err)
-			}
-		}
-	}
-	return attestationManifests, nil
-}

pkg/attest/types.go

@@ -1,37 +0,0 @@
-package attest
-
-import (
-	"fmt"
-
-	"github.com/docker/attest/pkg/policy"
-	v1 "github.com/google/go-containerregistry/pkg/v1"
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
-)
-
-type Outcome string
-
-const (
-	OutcomeSuccess  Outcome = "success"
-	OutcomeFailure  Outcome = "failure"
-	OutcomeNoPolicy Outcome = "no_policy"
-)
-
-func (o Outcome) StringForVSA() (string, error) {
-	switch o {
-	case OutcomeSuccess:
-		return "PASSED", nil
-	case OutcomeFailure:
-		return "FAILED", nil
-	default:
-		return "", fmt.Errorf("unknown outcome: %s", o)
-	}
-}
-
-type VerificationResult struct {
-	Outcome           Outcome
-	Policy            *policy.Policy
-	Input             *policy.Input
-	VSA               *intoto.Statement
-	Violations        []policy.Violation
-	SubjectDescriptor *v1.Descriptor
-}

pkg/attestation/attestation_test.go

@@ -1,18 +0,0 @@
-package attestation_test
-
-import (
-	"testing"
-
-	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/stretchr/testify/assert"
-)
-
-const ExpectedStatements = 4
-
-func TestExtractAnnotatedStatements(t *testing.T) {
-	statements, err := attestation.ExtractAnnotatedStatements(test.UnsignedTestImage, intoto.PayloadType)
-	assert.NoError(t, err)
-	assert.Equalf(t, len(statements), ExpectedStatements, "expected %d statement, got %d", ExpectedStatements, len(statements))
-}

pkg/attestation/layout_test.go

@@ -1,68 +0,0 @@
-package attestation_test
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
-	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestAttestationFromOCILayout(t *testing.T) {
-	ctx, signer := test.Setup(t)
-	outputLayout := test.CreateTempDir(t, "", "attest-oci-layout")
-
-	invalidPlatform := &v1.Platform{
-		Architecture: "invalid",
-		OS:           "invalid",
-	}
-
-	opts := &attestation.SigningOptions{}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
-	require.NoError(t, err)
-	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
-	require.NoError(t, err)
-	signedIndex := attIdx.Index
-	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
-	require.NoError(t, err)
-	spec, err := oci.ParseImageSpec(oci.LocalPrefix + outputLayout)
-	require.NoError(t, err)
-	err = oci.SaveIndex([]*oci.ImageSpec{spec}, signedIndex, outputLayout)
-	require.NoError(t, err)
-
-	testCases := []struct {
-		name     string
-		platform *v1.Platform
-		errorStr string
-	}{
-		{name: "nominal", platform: spec.Platform},
-		{name: "invalid platform", platform: invalidPlatform, errorStr: "platform not found in index"},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			spec := &oci.ImageSpec{
-				Type:       oci.OCI,
-				Identifier: outputLayout,
-				Platform:   tc.platform,
-			}
-			resolver, err := policy.CreateImageDetailsResolver(spec)
-			if tc.errorStr != "" {
-				require.Error(t, err)
-				assert.Contains(t, err.Error(), tc.errorStr)
-				return
-			}
-			require.NoError(t, err)
-			desc, err := resolver.ImageDescriptor(ctx)
-			require.NoError(t, err)
-			digest := desc.Digest.String()
-			assert.True(t, strings.Contains(digest, "sha256:"))
-		})
-	}
-}

pkg/attestation/mock.go

@@ -1,50 +0,0 @@
-package attestation
-
-import (
-	"context"
-
-	"github.com/docker/attest/pkg/oci"
-	v1 "github.com/google/go-containerregistry/pkg/v1"
-)
-
-type MockResolver struct {
-	Envs []*Envelope
-}
-
-func (r MockResolver) Attestations(_ context.Context, _ string) ([]*Envelope, error) {
-	return r.Envs, nil
-}
-
-func (r MockResolver) ImageName(_ context.Context) (string, error) {
-	return "library/alpine:latest", nil
-}
-
-func (r MockResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error) {
-	digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
-	if err != nil {
-		return nil, err
-	}
-	return &v1.Descriptor{
-		Digest:    digest,
-		Size:      1234,
-		MediaType: "application/vnd.oci.image.manifest.v1+json",
-	}, nil
-}
-
-func (r MockResolver) ImagePlatform(_ context.Context) (*v1.Platform, error) {
-	return oci.ParsePlatform("linux/amd64")
-}
-
-type MockRegistryResolver struct {
-	Subject      *v1.Descriptor
-	ImageNameStr string
-	*MockResolver
-}
-
-func (r *MockRegistryResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error) {
-	return r.Subject, nil
-}
-
-func (r *MockRegistryResolver) ImageName(_ context.Context) (string, error) {
-	return r.ImageNameStr, nil
-}

pkg/attestation/registry_test.go

@@ -1,50 +0,0 @@
-package attestation_test
-
-import (
-	"fmt"
-	"net/http/httptest"
-	"net/url"
-	"strings"
-	"testing"
-
-	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attest"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
-	"github.com/google/go-containerregistry/pkg/registry"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestRegistry(t *testing.T) {
-	ctx, signer := test.Setup(t)
-	server := httptest.NewServer(registry.New(registry.WithReferrersSupport(false)))
-	defer server.Close()
-	u, err := url.Parse(server.URL)
-	require.NoError(t, err)
-
-	opts := &attestation.SigningOptions{}
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
-	require.NoError(t, err)
-	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
-	require.NoError(t, err)
-	signedIndex := attIdx.Index
-	signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
-	require.NoError(t, err)
-
-	indexName := fmt.Sprintf("%s/repo:root", u.Host)
-	require.NoError(t, err)
-	err = oci.PushIndexToRegistry(signedIndex, indexName)
-	require.NoError(t, err)
-
-	spec, err := oci.ParseImageSpec(indexName)
-	require.NoError(t, err)
-
-	resolver, err := policy.CreateImageDetailsResolver(spec)
-	require.NoError(t, err)
-	desc, err := resolver.ImageDescriptor(ctx)
-	require.NoError(t, err)
-	digest := desc.Digest.String()
-	assert.True(t, strings.Contains(digest, "sha256:"))
-}

pkg/attestation/resolver.go

@@ -1,12 +0,0 @@
-package attestation
-
-import (
-	"context"
-
-	"github.com/docker/attest/pkg/oci"
-)
-
-type Resolver interface {
-	oci.ImageDetailsResolver
-	Attestations(ctx context.Context, mediaType string) ([]*Envelope, error)
-}

pkg/attestation/verify.go

@@ -1,138 +0,0 @@
-package attestation
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"time"
-
-	"github.com/docker/attest/internal/util"
-	"github.com/docker/attest/pkg/signerverifier"
-	"github.com/docker/attest/pkg/tlog"
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/secure-systems-lab/go-securesystemslib/dsse"
-)
-
-type KeyMetadata struct {
-	ID            string     `json:"id"`
-	PEM           string     `json:"key"`
-	From          time.Time  `json:"from"`
-	To            *time.Time `json:"to"`
-	Status        string     `json:"status"`
-	SigningFormat string     `json:"signing-format"`
-	Distrust      bool       `json:"distrust,omitempty"`
-}
-
-type (
-	Keys    []*KeyMetadata
-	KeysMap map[string]*KeyMetadata
-)
-
-func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error) {
-	// enforce payload type
-	if !ValidPayloadType(env.PayloadType) {
-		return nil, fmt.Errorf("unsupported payload type %s", env.PayloadType)
-	}
-
-	if len(env.Signatures) == 0 {
-		return nil, fmt.Errorf("no signatures found")
-	}
-
-	payload, err := base64Encoding.DecodeString(env.Payload)
-	if err != nil {
-		return nil, fmt.Errorf("error failed to decode payload: %w", err)
-	}
-
-	encPayload := dsse.PAE(env.PayloadType, payload)
-
-	// verify signatures and transparency log entry
-	for _, sig := range env.Signatures {
-		err := verifySignature(ctx, sig, encPayload, opts)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return payload, nil
-}
-
-func verifySignature(ctx context.Context, sig *Signature, payload []byte, opts *VerifyOptions) error {
-	keys := make(map[string]*KeyMetadata, len(opts.Keys))
-	for _, key := range opts.Keys {
-		keys[key.ID] = key
-	}
-	keyMeta, ok := keys[sig.KeyID]
-	if !ok {
-		return fmt.Errorf("error key not found: %s", sig.KeyID)
-	}
-
-	if keyMeta.Distrust {
-		return fmt.Errorf("key %s is distrusted", keyMeta.ID)
-	}
-	// TODO: this is unmarshalling with MarshalPKIXPublicKey only for us to marshal it again
-	publicKey, err := signerverifier.ParsePublicKey([]byte(keyMeta.PEM))
-	if err != nil {
-		return fmt.Errorf("failed to parse public key: %w", err)
-	}
-
-	if !opts.SkipTL {
-		t := tlog.GetTL(ctx)
-		if sig.Extension == nil || sig.Extension.Kind == "" {
-			return fmt.Errorf("error missing signature extension")
-		}
-		if sig.Extension.Kind != DockerDSSEExtKind {
-			return fmt.Errorf("error unsupported signature extension kind: %s", sig.Extension.Kind)
-		}
-
-		// verify TL entry
-		if sig.Extension.Ext.TL.Kind != RekorTLExtKind {
-			return fmt.Errorf("error unsupported TL extension kind: %s", sig.Extension.Ext.TL.Kind)
-		}
-		entry := sig.Extension.Ext.TL.Data
-		entryBytes, err := json.Marshal(entry)
-		if err != nil {
-			return fmt.Errorf("failed to marshal TL entry: %w", err)
-		}
-
-		integratedTime, err := t.VerifyLogEntry(ctx, entryBytes)
-		if err != nil {
-			return fmt.Errorf("TL entry failed verification: %w", err)
-		}
-		if integratedTime.Before(keyMeta.From) {
-			return fmt.Errorf("key %s was not yet valid at TL log time %s (key valid from %s)", keyMeta.ID, integratedTime, keyMeta.From)
-		}
-		if keyMeta.To != nil && !integratedTime.Before(*keyMeta.To) {
-			return fmt.Errorf("key %s was already %s at TL log time %s (key %s at %s)", keyMeta.ID, keyMeta.Status, integratedTime, keyMeta.Status, *keyMeta.To)
-		}
-		// verify TL entry payload
-		encodedPub, err := x509.MarshalPKIXPublicKey(publicKey)
-		if err != nil {
-			return fmt.Errorf("error failed to marshal public key: %w", err)
-		}
-		err = t.VerifyEntryPayload(entryBytes, payload, encodedPub)
-		if err != nil {
-			return fmt.Errorf("TL entry failed payload verification: %w", err)
-		}
-	}
-
-	// decode signature
-	signature, err := base64.StdEncoding.Strict().DecodeString(sig.Sig)
-	if err != nil {
-		return fmt.Errorf("error failed to decode signature: %w", err)
-	}
-	// verify payload ecdsa signature
-	ok = ecdsa.VerifyASN1(publicKey, util.SHA256(payload), signature)
-	if !ok {
-		return fmt.Errorf("payload signature is not valid")
-	}
-
-	return nil
-}
-
-func ValidPayloadType(payloadType string) bool {
-	return payloadType == intoto.PayloadType || payloadType == ociv1.MediaTypeDescriptor
-}

pkg/attestation/vsa.go

@@ -1,51 +0,0 @@
-package attestation
-
-import (
-	"fmt"
-
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/package-url/packageurl-go"
-)
-
-const (
-	VSAPredicateType = "https://slsa.dev/verification_summary/v1"
-)
-
-type VSAPredicate struct {
-	Verifier           VSAVerifier           `json:"verifier"`
-	TimeVerified       string                `json:"timeVerified"`
-	ResourceURI        string                `json:"resourceUri"`
-	Policy             VSAPolicy             `json:"policy"`
-	InputAttestations  []VSAInputAttestation `json:"inputAttestations,omitempty"`
-	VerificationResult string                `json:"verificationResult"`
-	VerifiedLevels     []string              `json:"verifiedLevels"`
-}
-
-type VSAVerifier struct {
-	ID string `json:"id"`
-}
-
-type VSAPolicy struct {
-	URI              string            `json:"uri,omitempty"`
-	Digest           map[string]string `json:"digest"`
-	DownloadLocation string            `json:"downloadLocation,omitempty"`
-}
-
-type VSAInputAttestation struct {
-	Digest    map[string]string `json:"digest"`
-	MediaType string            `json:"mediaType"`
-}
-
-func ToVSAResourceURI(sub intoto.Subject) (string, error) {
-	// parse purl
-	purl, err := packageurl.FromString(sub.Name)
-	if err != nil {
-		return "", fmt.Errorf("failed to parse package url: %w", err)
-	}
-	quals := purl.Qualifiers.Map()
-	if quals["digest"] == "" {
-		quals["digest"] = "sha256:" + sub.Digest["sha256"]
-	}
-	purl.Qualifiers = packageurl.QualifiersFromMap(quals)
-	return purl.String(), nil
-}

pkg/config/config.go

@@ -1,77 +0,0 @@
-package config
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"regexp"
-
-	"github.com/docker/attest/pkg/tuf"
-	"sigs.k8s.io/yaml"
-)
-
-const (
-	MappingFilename = "mapping.yaml"
-)
-
-func LoadLocalMappings(configDir string) (*PolicyMappings, error) {
-	if configDir == "" {
-		return nil, nil
-	}
-	mappings := &policyMappingsFile{}
-	path := filepath.Join(configDir, MappingFilename)
-	mappingFile, err := os.ReadFile(path)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read local policy mapping file %s: %w", path, err)
-	}
-	err = yaml.Unmarshal(mappingFile, mappings)
-	if err != nil {
-		return nil, fmt.Errorf("failed to unmarshal policy mapping file %s: %w", path, err)
-	}
-	return expandMappingFile(mappings)
-}
-
-func LoadTUFMappings(tufClient tuf.Downloader, localTargetsDir string) (*PolicyMappings, error) {
-	if tufClient == nil {
-		return nil, fmt.Errorf("tuf client not set")
-	}
-	filename := MappingFilename
-	file, err := tufClient.DownloadTarget(filename, filepath.Join(localTargetsDir, filename))
-	if err != nil {
-		return nil, fmt.Errorf("failed to download policy mapping file %s: %w", filename, err)
-	}
-	mappings := &policyMappingsFile{}
-
-	err = yaml.Unmarshal(file.Data, mappings)
-	if err != nil {
-		return nil, fmt.Errorf("failed to unmarshal policy mapping file %s: %w", filename, err)
-	}
-	return expandMappingFile(mappings)
-}
-
-func expandMappingFile(mappingFile *policyMappingsFile) (*PolicyMappings, error) {
-	policies := make(map[string]*PolicyMapping)
-	for _, policy := range mappingFile.Policies {
-		policies[policy.ID] = policy
-	}
-
-	var rules []*PolicyRule
-	for _, rule := range mappingFile.Rules {
-		r, err := regexp.Compile(rule.Pattern)
-		if err != nil {
-			return nil, err
-		}
-		rules = append(rules, &PolicyRule{
-			Pattern:     r,
-			PolicyID:    rule.PolicyID,
-			Replacement: rule.Replacement,
-		})
-	}
-
-	return &PolicyMappings{
-		Version:  mappingFile.Version,
-		Kind:     mappingFile.Kind,
-		Policies: policies,
-		Rules:    rules,
-	}, nil
-}

pkg/mirror/mirror.go

@@ -1,18 +0,0 @@
-package mirror
-
-import (
-	"fmt"
-
-	"github.com/docker/attest/pkg/tuf"
-)
-
-func NewTUFMirror(root []byte, tufPath, metadataURL, targetsURL string, versionChecker tuf.VersionChecker) (*TUFMirror, error) {
-	if root == nil {
-		root = tuf.DockerTUFRootDefault.Data
-	}
-	tufClient, err := tuf.NewClient(&tuf.ClientOptions{InitialRoot: root, Path: tufPath, MetadataSource: metadataURL, TargetsSource: targetsURL, VersionChecker: versionChecker})
-	if err != nil {
-		return nil, fmt.Errorf("failed to create TUF client: %w", err)
-	}
-	return &TUFMirror{TUFClient: tufClient, tufPath: tufPath, metadataURL: metadataURL, targetsURL: targetsURL}, nil
-}

pkg/oci/authn.go

@@ -1,21 +0,0 @@
-package oci
-
-import (
-	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
-	"github.com/google/go-containerregistry/pkg/authn"
-	"github.com/google/go-containerregistry/pkg/v1/google"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
-)
-
-func MultiKeychainOption() remote.Option {
-	return remote.WithAuthFromKeychain(MultiKeychainAll())
-}
-
-func MultiKeychainAll() authn.Keychain {
-	// Create a multi-keychain that will use the default Docker, Google, or ECR keychain
-	return authn.NewMultiKeychain(
-		authn.DefaultKeychain,
-		google.Keychain,
-		authn.NewKeychainFromHelper(ecr.NewECRHelper()),
-	)
-}

pkg/oci/authn_test.go

@@ -1,31 +0,0 @@
-//go:build e2e
-
-package oci_test
-
-import (
-	"testing"
-
-	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/stretchr/testify/require"
-)
-
-func TestRegistryAuth(t *testing.T) {
-	attIdx, err := oci.IndexFromPath(test.UnsignedTestImage)
-	require.NoError(t, err)
-	// test cases for ecr, gcr and dockerhub
-	testCases := []struct {
-		Image string
-	}{
-		{Image: "175142243308.dkr.ecr.us-east-1.amazonaws.com/e2e-test-image:latest"},
-		{Image: "docker/image-signer-verifier-test:latest"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.Image, func(t *testing.T) {
-			err := oci.PushIndexToRegistry(attIdx.Index, tc.Image)
-			require.NoError(t, err)
-			_, err = oci.IndexFromRemote(tc.Image)
-			require.NoError(t, err)
-		})
-	}
-}

pkg/oci/http.go

@@ -1,27 +0,0 @@
-package oci
-
-import (
-	"net/http"
-
-	"github.com/hashicorp/go-cleanhttp"
-)
-
-type userAgentTransporter struct {
-	userAgent    string
-	roundTripper http.RoundTripper
-}
-
-type Option = func(*http.Client)
-
-func (u *userAgentTransporter) RoundTrip(req *http.Request) (*http.Response, error) {
-	req.Header.Set("User-Agent", u.userAgent)
-
-	return u.roundTripper.RoundTrip(req)
-}
-
-func HTTPTransport() http.RoundTripper {
-	return &userAgentTransporter{
-		userAgent:    "Docker-Client",
-		roundTripper: cleanhttp.DefaultTransport(),
-	}
-}

pkg/oci/resolver.go

@@ -1,13 +0,0 @@
-package oci
-
-import (
-	"context"
-
-	v1 "github.com/google/go-containerregistry/pkg/v1"
-)
-
-type ImageDetailsResolver interface {
-	ImageName(ctx context.Context) (string, error)
-	ImagePlatform(ctx context.Context) (*v1.Platform, error)
-	ImageDescriptor(ctx context.Context) (*v1.Descriptor, error)
-}

pkg/oci/types_test.go

@@ -1,21 +0,0 @@
-package oci
-
-import (
-	"testing"
-
-	"github.com/docker/attest/internal/util"
-	"github.com/google/go-containerregistry/pkg/v1/empty"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestEmptyConfigImageDigest(t *testing.T) {
-	empty := empty.Image
-	img := EmptyConfigImage{Image: empty}
-	mf, err := img.RawManifest()
-	require.NoError(t, err)
-	hash := util.SHA256Hex(mf)
-	digest, err := img.Digest()
-	require.NoError(t, err)
-	assert.Equal(t, digest.Hex, hash)
-}

pkg/policy/evaluator.go

@@ -1,30 +0,0 @@
-package policy
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/docker/attest/pkg/attestation"
-)
-
-type policyEvaluatorCtxKeyType struct{}
-
-var PolicyEvaluatorCtxKey policyEvaluatorCtxKeyType
-
-// sets PolicyEvaluator in context.
-func WithPolicyEvaluator(ctx context.Context, pe Evaluator) context.Context {
-	return context.WithValue(ctx, PolicyEvaluatorCtxKey, pe)
-}
-
-// gets PolicyEvaluator from context, defaults to Rego PolicyEvaluator if not set.
-func GetPolicyEvaluator(ctx context.Context) (Evaluator, error) {
-	t, ok := ctx.Value(PolicyEvaluatorCtxKey).(Evaluator)
-	if !ok {
-		return nil, fmt.Errorf("no policy evaluator client set on context (set one with policy.WithPolicyEvaluator)")
-	}
-	return t, nil
-}
-
-type Evaluator interface {
-	Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error)
-}

pkg/policy/match.go

@@ -1,65 +0,0 @@
-package policy
-
-import (
-	"fmt"
-
-	"github.com/docker/attest/pkg/config"
-)
-
-type matchType string
-
-const (
-	matchTypePolicy        matchType = "policy"
-	matchTypeMatchNoPolicy matchType = "match_no_policy"
-	matchTypeNoMatch       matchType = "no_match"
-)
-
-type policyMatch struct {
-	matchType   matchType
-	policy      *config.PolicyMapping
-	rule        *config.PolicyRule
-	matchedName string
-}
-
-func findPolicyMatch(imageName string, mappings *config.PolicyMappings) (*policyMatch, error) {
-	if mappings == nil {
-		return &policyMatch{matchType: matchTypeNoMatch, matchedName: imageName}, nil
-	}
-	return findPolicyMatchImpl(imageName, mappings, make(map[*config.PolicyRule]bool))
-}
-
-func findPolicyMatchImpl(imageName string, mappings *config.PolicyMappings, matched map[*config.PolicyRule]bool) (*policyMatch, error) {
-	for _, rule := range mappings.Rules {
-		if rule.Pattern.MatchString(imageName) {
-			switch {
-			case rule.PolicyID == "" && rule.Replacement == "":
-				return nil, fmt.Errorf("rule %s has neither policy-id nor rewrite", rule.Pattern)
-			case rule.PolicyID != "" && rule.Replacement != "":
-				return nil, fmt.Errorf("rule %s has both policy-id and rewrite", rule.Pattern)
-			case rule.PolicyID != "":
-				policy := mappings.Policies[rule.PolicyID]
-				if policy != nil {
-					return &policyMatch{
-						matchType:   matchTypePolicy,
-						policy:      policy,
-						rule:        rule,
-						matchedName: imageName,
-					}, nil
-				}
-				return &policyMatch{
-					matchType:   matchTypeMatchNoPolicy,
-					rule:        rule,
-					matchedName: imageName,
-				}, nil
-			case rule.Replacement != "":
-				if matched[rule] {
-					return nil, fmt.Errorf("rewrite loop detected")
-				}
-				matched[rule] = true
-				imageName = rule.Pattern.ReplaceAllString(imageName, rule.Replacement)
-				return findPolicyMatchImpl(imageName, mappings, matched)
-			}
-		}
-	}
-	return &policyMatch{matchType: matchTypeNoMatch, matchedName: imageName}, nil
-}

pkg/policy/match_test.go

@@ -1,121 +0,0 @@
-package policy
-
-import (
-	"path/filepath"
-	"testing"
-
-	"github.com/docker/attest/pkg/config"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestFindPolicyMatch(t *testing.T) {
-	testCases := []struct {
-		name       string
-		imageName  string
-		mappingDir string
-
-		expectError       bool
-		expectedMatchType matchType
-		expectedPolicyID  string
-		expectedImageName string
-	}{
-		{
-			name:       "alpine",
-			mappingDir: "doi",
-			imageName:  "docker.io/library/alpine",
-
-			expectedMatchType: matchTypePolicy,
-			expectedPolicyID:  "docker-official-images",
-			expectedImageName: "docker.io/library/alpine",
-		},
-		{
-			name:       "no match",
-			mappingDir: "doi",
-			imageName:  "docker.io/something/else",
-
-			expectedMatchType: matchTypeNoMatch,
-			expectedImageName: "docker.io/something/else",
-		},
-		{
-			name:       "match, no policy",
-			mappingDir: "local",
-			imageName:  "docker.io/library/alpine",
-
-			expectedMatchType: matchTypeMatchNoPolicy,
-			expectedImageName: "docker.io/library/alpine",
-		},
-		{
-			name:       "simple rewrite",
-			mappingDir: "simple-rewrite",
-			imageName:  "mycoolmirror.org/library/alpine",
-
-			expectedMatchType: matchTypePolicy,
-			expectedPolicyID:  "docker-official-images",
-			expectedImageName: "docker.io/library/alpine",
-		},
-		{
-			name:       "rewrite no match",
-			mappingDir: "rewrite-to-no-match",
-			imageName:  "mycoolmirror.org/library/alpine",
-
-			expectedMatchType: matchTypeNoMatch,
-			expectedImageName: "badredirect.org/alpine",
-		},
-		{
-			name:       "rewrite to match, no policy",
-			mappingDir: "rewrite-to-local",
-			imageName:  "mycoolmirror.org/library/alpine",
-
-			expectedMatchType: matchTypeMatchNoPolicy,
-			expectedImageName: "docker.io/library/alpine",
-		},
-		{
-			name:       "multiple rewrites",
-			mappingDir: "rewrite-multiple",
-			imageName:  "myevencoolermirror.org/library/alpine",
-
-			expectedMatchType: matchTypePolicy,
-			expectedPolicyID:  "docker-official-images",
-			expectedImageName: "docker.io/library/alpine",
-		},
-		{
-			name:       "invalid rewrites",
-			mappingDir: "rewrite-invalid",
-			imageName:  "mycoolmirror.org/library/alpine",
-
-			expectError:       true,
-			expectedMatchType: matchTypePolicy,
-			expectedPolicyID:  "docker-official-images",
-			expectedImageName: "docker.io/library/alpine",
-		},
-		{
-			name:       "rewrite loop",
-			mappingDir: "rewrite-loop",
-			imageName:  "yin/alpine",
-
-			expectError: true,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			mappings, err := config.LoadLocalMappings(filepath.Join("testdata", "mappings", tc.mappingDir))
-			require.NoError(t, err)
-			match, err := findPolicyMatch(tc.imageName, mappings)
-			if tc.expectError {
-				require.Error(t, err)
-				// TODO: check error matches expected error message
-				return
-			}
-			require.NoError(t, err)
-			assert.Equal(t, tc.expectedMatchType, match.matchType)
-			if match.matchType == matchTypePolicy {
-				if assert.NotNil(t, match.policy) {
-					assert.Equal(t, tc.expectedPolicyID, match.policy.ID)
-				}
-			}
-			assert.Equal(t, tc.expectedImageName, match.matchedName)
-		})
-	}
-}

pkg/policy/policy.go

@@ -1,38 +0,0 @@
-package policy
-
-import (
-	"fmt"
-
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/oci"
-)
-
-func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsResolver, error) {
-	switch imageSource.Type {
-	case oci.OCI:
-		return attestation.NewOCILayoutResolver(imageSource)
-	case oci.Docker:
-		return oci.NewRegistryImageDetailsResolver(imageSource)
-	}
-	return nil, fmt.Errorf("unsupported image source type: %s", imageSource.Type)
-}
-
-func CreateAttestationResolver(resolver oci.ImageDetailsResolver, mapping *config.PolicyMapping) (attestation.Resolver, error) {
-	if mapping.Attestations != nil {
-		if mapping.Attestations.Style == config.AttestationStyleAttached {
-			switch resolver := resolver.(type) {
-			case *oci.RegistryImageDetailsResolver:
-				return attestation.NewRegistryResolver(resolver)
-			case *attestation.LayoutResolver:
-				return resolver, nil
-			default:
-				return nil, fmt.Errorf("unsupported image details resolver type: %T", resolver)
-			}
-		}
-		if mapping.Attestations.Repo != "" {
-			return attestation.NewReferrersResolver(resolver, attestation.WithReferrersRepo(mapping.Attestations.Repo))
-		}
-	}
-	return attestation.NewReferrersResolver(resolver)
-}

pkg/policy/policy_test.go

@@ -1,175 +0,0 @@
-package policy_test
-
-import (
-	"encoding/json"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/docker/attest/internal/test"
-	"github.com/docker/attest/pkg/attestation"
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/oci"
-	"github.com/docker/attest/pkg/policy"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func loadAttestation(t *testing.T, path string) *attestation.Envelope {
-	ex, err := os.ReadFile(path)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	env := new(attestation.Envelope)
-	err = json.Unmarshal(ex, env)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return env
-}
-
-func TestRegoEvaluator_Evaluate(t *testing.T) {
-	ctx, _ := test.Setup(t)
-	resolveErrorStr := "failed to resolve policy by id: policy with id non-existent-policy-id not found"
-	TestDataPath := filepath.Join("..", "..", "test", "testdata")
-	ExampleAttestation := filepath.Join(TestDataPath, "example_attestation.json")
-
-	re := policy.NewRegoEvaluator(true)
-
-	defaultResolver := attestation.MockResolver{
-		Envs: []*attestation.Envelope{loadAttestation(t, ExampleAttestation)},
-	}
-
-	testCases := []struct {
-		repo            string
-		expectSuccess   bool
-		isCanonical     bool
-		resolver        attestation.Resolver
-		opts            *policy.Options
-		policyID        string
-		resolveErrorStr string
-	}{
-		{repo: "testdata/policies/allow", expectSuccess: true, resolver: defaultResolver},
-		{repo: "testdata/policies/allow", expectSuccess: true, resolver: defaultResolver, policyID: "docker-official-images"},
-		{repo: "testdata/policies/allow", resolver: defaultResolver, policyID: "non-existent-policy-id", resolveErrorStr: resolveErrorStr},
-		{repo: "testdata/policies/deny", resolver: defaultResolver},
-		{repo: "testdata/policies/verify-sig", expectSuccess: true, resolver: defaultResolver},
-		{repo: "testdata/policies/wrong-key", resolver: defaultResolver},
-		{repo: "testdata/policies/allow-canonical", expectSuccess: true, isCanonical: true, resolver: defaultResolver},
-		{repo: "testdata/policies/allow-canonical", resolver: defaultResolver},
-		{repo: "testdata/policies/no-rego", resolver: defaultResolver, resolveErrorStr: "no policy file found in policy mapping"},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.repo, func(t *testing.T) {
-			input := &policy.Input{
-				Digest: "sha256:test-digest",
-				PURL:   "test-purl",
-			}
-			if !tc.isCanonical {
-				input.Tag = "test"
-			}
-
-			if tc.opts == nil {
-				tc.opts = &policy.Options{
-					LocalTargetsDir: test.CreateTempDir(t, "", "tuf-targets"),
-					PolicyID:        tc.policyID,
-					LocalPolicyDir:  tc.repo,
-					DisableTUF:      true,
-				}
-			}
-			imageName, err := tc.resolver.ImageName(ctx)
-			require.NoError(t, err)
-			resolver := policy.NewResolver(nil, tc.opts)
-			policy, err := resolver.ResolvePolicy(ctx, imageName)
-			if tc.resolveErrorStr != "" {
-				require.Error(t, err)
-				assert.Contains(t, err.Error(), tc.resolveErrorStr)
-				return
-			}
-			require.NoErrorf(t, err, "failed to resolve policy")
-			require.NotNil(t, policy, "policy should not be nil")
-			result, err := re.Evaluate(ctx, tc.resolver, policy, input)
-			require.NoErrorf(t, err, "Evaluate failed")
-
-			if tc.expectSuccess {
-				assert.True(t, result.Success, "Evaluate should have succeeded")
-			} else {
-				assert.False(t, result.Success, "Evaluate should have failed")
-			}
-		})
-	}
-}
-
-func TestLoadingMappings(t *testing.T) {
-	policyMappings, err := config.LoadLocalMappings(filepath.Join("testdata", "policies", "allow"))
-	require.NoError(t, err)
-	assert.Equal(t, len(policyMappings.Rules), 3)
-	for _, mirror := range policyMappings.Rules {
-		if mirror.PolicyID != "" {
-			assert.Equal(t, "docker-official-images", mirror.PolicyID)
-		}
-	}
-}
-
-func TestCreateAttestationResolver(t *testing.T) {
-	mockResolver := attestation.MockResolver{
-		Envs: []*attestation.Envelope{},
-	}
-	layoutResolver := &attestation.LayoutResolver{}
-	registryResolver := &oci.RegistryImageDetailsResolver{}
-
-	nilRepoReferrers := &config.PolicyMapping{
-		Attestations: &config.AttestationConfig{
-			Style: config.AttestationStyleReferrers,
-		},
-	}
-	referrers := &config.PolicyMapping{
-		Attestations: &config.AttestationConfig{
-			Repo:  "localhost:5000/repo",
-			Style: config.AttestationStyleReferrers,
-		},
-	}
-	attached := &config.PolicyMapping{
-		Attestations: &config.AttestationConfig{
-			Style: config.AttestationStyleAttached,
-		},
-	}
-
-	testCases := []struct {
-		name     string
-		resolver oci.ImageDetailsResolver
-		mapping  *config.PolicyMapping
-		errorStr string
-	}{
-		{name: "referrers", resolver: layoutResolver, mapping: referrers},
-		{name: "referrers (no mapped repo)", resolver: layoutResolver, mapping: nilRepoReferrers},
-		{name: "referrers (no mapping)", resolver: layoutResolver, mapping: &config.PolicyMapping{Attestations: nil}},
-		{name: "attached (registry)", resolver: registryResolver, mapping: attached},
-		{name: "attached (layout)", resolver: layoutResolver, mapping: attached},
-		{name: "attached (unsupported)", resolver: mockResolver, mapping: attached, errorStr: "unsupported image details resolver type"},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			resolver, err := policy.CreateAttestationResolver(tc.resolver, tc.mapping)
-			if tc.errorStr == "" {
-				require.NoError(t, err)
-			} else {
-				assert.Contains(t, err.Error(), tc.errorStr)
-			}
-			if tc.mapping.Attestations == nil {
-				return
-			}
-			switch resolver.(type) {
-			case *attestation.ReferrersResolver:
-				assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleReferrers)
-			case *attestation.RegistryResolver:
-				assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleAttached)
-			case *attestation.LayoutResolver:
-				assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleAttached)
-			}
-		})
-	}
-}

pkg/policy/rego.go

@@ -1,277 +0,0 @@
-package policy
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"github.com/docker/attest/pkg/attestation"
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/open-policy-agent/opa/ast"
-	"github.com/open-policy-agent/opa/rego"
-	"github.com/open-policy-agent/opa/storage"
-	"github.com/open-policy-agent/opa/storage/inmem"
-	"github.com/open-policy-agent/opa/tester"
-	"github.com/open-policy-agent/opa/topdown"
-	"github.com/open-policy-agent/opa/types"
-	opa "github.com/open-policy-agent/opa/util"
-	"sigs.k8s.io/yaml"
-)
-
-type regoEvaluator struct {
-	debug bool
-}
-
-const (
-	DefaultQuery  = "result := data.attest.result"
-	resultBinding = "result"
-)
-
-func NewRegoEvaluator(debug bool) Evaluator {
-	return &regoEvaluator{
-		debug: debug,
-	}
-}
-
-func (re *regoEvaluator) Evaluate(ctx context.Context, resolver attestation.Resolver, pctx *Policy, input *Input) (*Result, error) {
-	var regoOpts []func(*rego.Rego)
-
-	// Create a new in-memory store
-	store := inmem.New()
-	params := storage.TransactionParams{}
-	params.Write = true
-	txn, err := store.NewTransaction(ctx, params)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, target := range pctx.InputFiles {
-		// load yaml as data (no rego opt for this!?)
-		if filepath.Ext(target.Path) == ".yaml" {
-			yamlData, err := loadYAML(target.Path, target.Content)
-			if err != nil {
-				return nil, err
-			}
-			err = store.Write(ctx, txn, storage.AddOp, storage.Path{}, yamlData)
-			if err != nil {
-				return nil, err
-			}
-		} else {
-			regoOpts = append(regoOpts, rego.Module(target.Path, string(target.Content)))
-		}
-	}
-
-	err = store.Commit(ctx, txn)
-	if err != nil {
-		store.Abort(ctx, txn)
-		return nil, err
-	}
-
-	if re.debug {
-		regoOpts = append(regoOpts,
-			rego.EnablePrintStatements(true),
-			rego.PrintHook(topdown.NewPrintHook(os.Stderr)),
-			rego.Dump(os.Stderr),
-		)
-	}
-	query := DefaultQuery
-	if pctx.Query != "" {
-		query = pctx.Query
-	}
-	regoOpts = append(regoOpts,
-		rego.Query(query),
-		rego.Input(input),
-		rego.Store(store),
-		rego.GenerateJSON(jsonGenerator[Result]()),
-	)
-	for _, custom := range RegoFunctions(resolver) {
-		regoOpts = append(regoOpts, custom.Func)
-	}
-
-	r := rego.New(regoOpts...)
-	rs, err := r.Eval(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(rs) == 0 {
-		return nil, fmt.Errorf("no policy evaluation result")
-	}
-	binding, ok := rs[0].Bindings[resultBinding]
-	if !ok {
-		return nil, fmt.Errorf("failed to extract verification result")
-	}
-	result, ok := binding.(Result)
-	if !ok {
-		return nil, fmt.Errorf("failed to extract verification result")
-	}
-
-	return &result, nil
-}
-
-func jsonGenerator[T any]() func(t *ast.Term, ec *rego.EvalContext) (any, error) {
-	return func(t *ast.Term, _ *rego.EvalContext) (any, error) {
-		// TODO: this is horrible - we're converting the AST to JSON and then back to AST, then using ast.As to convert it to a struct
-		// We can't use ast.As directly because it fails if the AST contains a set
-		json, err := ast.JSON(t.Value)
-		if err != nil {
-			return nil, err
-		}
-		v, err := ast.InterfaceToValue(json)
-		if err != nil {
-			return nil, err
-		}
-		var result T
-		err = ast.As(v, &result)
-		if err != nil {
-			return nil, err
-		}
-		return result, nil
-	}
-}
-
-var dynamicObj = types.NewObject(nil, types.NewDynamicProperty(types.A, types.A))
-
-var verifyDecl = &ast.Builtin{
-	Name:             "attest.verify",
-	Decl:             types.NewFunction(types.Args(dynamicObj, dynamicObj), dynamicObj),
-	Nondeterministic: true,
-}
-
-var attestDecl = &ast.Builtin{
-	Name:             "attest.fetch",
-	Decl:             types.NewFunction(types.Args(types.S), dynamicObj),
-	Nondeterministic: true,
-}
-
-func wrapFunctionResult(value *ast.Term, err error) (*ast.Term, error) {
-	var terms [][2]*ast.Term
-	if err != nil {
-		terms = append(terms, [2]*ast.Term{ast.StringTerm("error"), ast.StringTerm(err.Error())})
-	}
-	if value != nil {
-		terms = append(terms, [2]*ast.Term{ast.StringTerm("value"), value})
-	}
-	return ast.ObjectTerm(terms...), nil
-}
-
-func handleErrors1(f func(rCtx rego.BuiltinContext, a *ast.Term) (*ast.Term, error)) rego.Builtin1 {
-	return func(rCtx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
-		return wrapFunctionResult(f(rCtx, a))
-	}
-}
-
-func handleErrors2(f func(rCtx *rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error)) rego.Builtin2 {
-	return func(rCtx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {
-		return wrapFunctionResult(f(&rCtx, a, b))
-	}
-}
-
-func RegoFunctions(resolver attestation.Resolver) []*tester.Builtin {
-	return []*tester.Builtin{
-		{
-			Decl: verifyDecl,
-			Func: rego.Function2(
-				&rego.Function{
-					Name:             verifyDecl.Name,
-					Decl:             verifyDecl.Decl,
-					Memoize:          true,
-					Nondeterministic: verifyDecl.Nondeterministic,
-				},
-				handleErrors2(verifyInTotoEnvelope)),
-		},
-		{
-			Decl: attestDecl,
-			Func: rego.Function1(
-				&rego.Function{
-					Name:             attestDecl.Name,
-					Decl:             attestDecl.Decl,
-					Memoize:          true,
-					Nondeterministic: attestDecl.Nondeterministic,
-				},
-				handleErrors1(fetchInTotoAttestations(resolver))),
-		},
-	}
-}
-
-func fetchInTotoAttestations(resolver attestation.Resolver) rego.Builtin1 {
-	return func(rCtx rego.BuiltinContext, predicateTypeTerm *ast.Term) (*ast.Term, error) {
-		predicateTypeStr, ok := predicateTypeTerm.Value.(ast.String)
-		if !ok {
-			return nil, fmt.Errorf("predicateTypeTerm is not a string")
-		}
-		predicateType := string(predicateTypeStr)
-
-		envelopes, err := resolver.Attestations(rCtx.Context, predicateType)
-		if err != nil {
-			return nil, err
-		}
-
-		// Convert each envelope to an ast.Value.
-		values := make([]*ast.Term, len(envelopes))
-		for i, envelope := range envelopes {
-			value, err := ast.InterfaceToValue(envelope)
-			if err != nil {
-				return nil, err
-			}
-			values[i] = ast.NewTerm(value)
-		}
-
-		// Wrap the values in an ast.Set and convert it to an ast.Term.
-		set := ast.NewTerm(ast.NewSet(values...))
-
-		return set, nil
-	}
-}
-
-func verifyInTotoEnvelope(rCtx *rego.BuiltinContext, envTerm, optsTerm *ast.Term) (*ast.Term, error) {
-	env := new(attestation.Envelope)
-	opts := new(attestation.VerifyOptions)
-	err := ast.As(envTerm.Value, env)
-	if err != nil {
-		return nil, fmt.Errorf("failed to cast envelope: %w", err)
-	}
-	err = ast.As(optsTerm.Value, &opts)
-	if err != nil {
-		return nil, fmt.Errorf("failed to cast verifier options: %w", err)
-	}
-
-	payload, err := attestation.VerifyDSSE(rCtx.Context, env, opts)
-	if err != nil {
-		return nil, err
-	}
-
-	statement := new(intoto.Statement)
-
-	switch env.PayloadType {
-	case intoto.PayloadType:
-		err = json.Unmarshal(payload, statement)
-		if err != nil {
-			return nil, fmt.Errorf("failed to unmarshal statement: %w", err)
-		}
-		// TODO: implement other types of envelope
-	default:
-		return nil, fmt.Errorf("unsupported payload type: %s", env.PayloadType)
-	}
-
-	value, err := ast.InterfaceToValue(statement)
-	if err != nil {
-		return nil, err
-	}
-	return ast.NewTerm(value), nil
-}
-
-func loadYAML(path string, bs []byte) (interface{}, error) {
-	var x interface{}
-	bs, err := yaml.YAMLToJSON(bs)
-	if err != nil {
-		return nil, fmt.Errorf("%v: error converting YAML to JSON: %v", path, err)
-	}
-	err = opa.UnmarshalJSON(bs, &x)
-	if err != nil {
-		return nil, fmt.Errorf("%s: %w", path, err)
-	}
-	return x, nil
-}

pkg/policy/types.go

@@ -1,61 +0,0 @@
-package policy
-
-import (
-	"github.com/docker/attest/pkg/config"
-	"github.com/docker/attest/pkg/tuf"
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
-)
-
-type Summary struct {
-	Subjects   []intoto.Subject `json:"subjects"`
-	SLSALevels []string         `json:"slsa_levels"`
-	Verifier   string           `json:"verifier"`
-	PolicyURI  string           `json:"policy_uri"`
-}
-
-type Violation struct {
-	Type        string            `json:"type"`
-	Description string            `json:"description"`
-	Attestation *intoto.Statement `json:"attestation"`
-	Details     map[string]any    `json:"details"`
-}
-
-type Result struct {
-	Success    bool        `json:"success"`
-	Violations []Violation `json:"violations"`
-	Summary    Summary     `json:"summary"`
-}
-
-type Options struct {
-	TUFClientOptions *tuf.ClientOptions
-	DisableTUF       bool
-	LocalTargetsDir  string
-	LocalPolicyDir   string
-	PolicyID         string
-	ReferrersRepo    string
-	AttestationStyle config.AttestationStyle
-}
-
-type Policy struct {
-	InputFiles   []*File
-	Query        string
-	Mapping      *config.PolicyMapping
-	ResolvedName string
-	URI          string
-	Digest       map[string]string
-}
-
-type Input struct {
-	Digest         string `json:"digest"`
-	PURL           string `json:"purl"`
-	Tag            string `json:"tag,omitempty"`
-	Domain         string `json:"domain"`
-	NormalizedName string `json:"normalized_name"`
-	FamiliarName   string `json:"familiar_name"`
-	Platform       string `json:"platform"`
-}
-
-type File struct {
-	Path    string
-	Content []byte
-}