Bump sigs.k8s.io/promo-tools/v4 from 4.1.0 to 4.4.0#4309

Merged
k8s-ci-robot merged 2 commits into master from dependabot/go_modules/sigs.k8s.io/promo-tools/v4-4.4.0
Mar 5, 2026
Conversation

@dependabot dependabot bot commented on behalf of github Mar 5, 2026

Bumps sigs.k8s.io/promo-tools/v4 from 4.1.0 to 4.4.0.

Release notes

Sourced from sigs.k8s.io/promo-tools/v4's releases.

v4.4.0

Changes by Kind

Feature

  • Add progress logging and bound goroutine concurrency in signature replication phase (#1748, @saschagrunert) [SIG Release]
  • Give full rate limit budget to the active pipeline phase, increasing promotion throughput from 35 to 50 req/sec. (#1735, @saschagrunert) [SIG Release]
  • Improve standalone signature replication throughput by using the full rate budget and skipping unsigned images early (#1727, @saschagrunert) [SIG Release]
  • Optimize standalone signature replication by batch-listing tags and copying only missing signatures, reducing API calls significantly. (#1749, @saschagrunert) [SIG Release]
  • Parallelize signature replication, increase default threads to 20 (#1737, @saschagrunert) [SIG Release]
  • Parallelize registry reads, reducing the plan phase from ~19 minutes to ~2 minutes for large promotions. (#1736, @saschagrunert) [SIG Release]
  • Provenance attestations are now always generated and verified using verify-if-present semantics. (#1754, @saschagrunert) [SIG Release]
  • Provenance attestations use cosign OCI APIs with predicate-type-aware idempotency. SBOM promotion is removed. (#1764, @saschagrunert) [SIG Release]

Documentation

  • Fix outdated documentation including missing sigcheck command, incorrect install paths, and stale version examples (#1747, @saschagrunert) [SIG Release]

Bug or Regression

  • Add retry logic for all pipeline network operations including registry reads, signature copies, and attestation writes (#1742, @saschagrunert) [SIG Release]
  • Fix FixMissingSignatures panic on empty check results and mirrorsList race condition (#1738, @saschagrunert) [SIG Release]
  • Fix default promotion threads being zero, which caused image promotion to hang indefinitely. (#1733, @saschagrunert) [SIG Release]
  • Fix empty version fields in pipeline log output (#1743, @saschagrunert) [SIG Release]
  • Fix regression where image promotion marked all source images as LOST due to registry inventory key mismatch. (#1731, @saschagrunert) [SIG Release]
  • Fix signature replication failing on images without signatures (#1726, @saschagrunert) [SIG Release]
  • Fixed intermittent hangs in signature replication by adding per-request timeouts and automatic retry on deadline exceeded errors. (#1763, @saschagrunert) [SIG Release]
  • Recognize Docker manifest v1 media types to eliminate ~15k spurious error log lines per promotion run. (#1734, @saschagrunert) [SIG Release]
  • Retry image promotion on transient registry errors (429, 5xx) instead of aborting (#1740, @saschagrunert) [SIG Release]
  • Retry transient registry errors (429, 5xx) in signature replication instead of failing the job (#1730, @saschagrunert) [SIG Release]

Other (Cleanup or Flake)

  • Give the full rate limit budget to all pipeline phases instead of splitting between promotion and signing (#1741, @saschagrunert) [SIG Release]
  • Improve promotion logging with per-image progress counters and copy timing (#1732, @saschagrunert) [SIG Release]
  • Reduce rate limiter log spam by removing per-request backoff warnings (#1745, @saschagrunert) [SIG Release]
  • Remove deprecated --key-files, --use-service-account, --json-log-summary, and --snapshot-service-account flags from kpromo; use Application Default Credentials instead (#1758, @saschagrunert) [SIG Release]
  • Remove inline signature replication from the promotion pipeline in favor of the dedicated periodic ci-k8sio-image-signature-replication Prow job. (#1750, @saschagrunert) [SIG Release]
  • The promotion record attestation is no longer wrapped in a slsa build predicate. It is its own predicate type. (#1767, @puerco) [SIG Release]

Dependencies

Added

  • golang.org/x/tools/go/expect: v0.1.0-deprecated
  • golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated

Changed

... (truncated)

Changelog

Sourced from sigs.k8s.io/promo-tools/v4's changelog.

Releasing the artifact promoter tools

This is a draft document to describe the release process for artifact promotion tooling.

(If there are improvements you'd like to see, please comment on the tracking issue.)

Tracking

As the first task, a Release Manager should open a tracking issue for the release.

We don't currently have a template for releasing, but the following issue is a good example to draw inspiration from.

We're not striving for perfection with the template, but the tracking issue will serve as a reference point to aggregate feedback, so try your best to be as descriptive as possible.

Validation

TODO: Talk about canaries

Tagging

There are two tags that we care about:

  • git tags
  • image tags

We use SemVer-compliant versions for git tags and GitHub releases, prefixed with v. SemVer is described in detail here.

Example:

v4.3.0

Image tags are derived from the git tag, with the addition of a revision.

... (truncated)

Commits
  • 0205bd8 Merge pull request #1757 from saschagrunert/release-prep-v4.4.0
  • 6c92f8a Merge pull request #1770 from saschagrunert/fix/grouping-performance
  • 632ac29 Fix groupEdgesByIdentityDigest performance with large edge sets
  • ee3d826 Merge pull request #1769 from saschagrunert/fix/provenance-review-nits
  • 1f6001d Fix stale SLSA references and add Generate unit test
  • cfa3131 Merge pull request #1767 from puerco/attestation
  • 505fed1 Update mocks
  • 3d7ba66 Update tests to use proto message
  • a68b80d Generate attestation from proto
  • d56594c Add temp promo record proto
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added area/dependency Issues or PRs related to dependency changes ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. labels Mar 5, 2026
@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. area/release-eng Issues or PRs related to the Release Engineering subproject labels Mar 5, 2026
@k8s-ci-robot k8s-ci-robot requested a review from jimangel March 5, 2026 01:53
@k8s-ci-robot k8s-ci-robot requested a review from salaxander March 5, 2026 01:53
@k8s-ci-robot k8s-ci-robot added the sig/release Categorizes an issue or PR as relevant to SIG Release. label Mar 5, 2026
@k8s-ci-robot
Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 5, 2026
Bumps [sigs.k8s.io/promo-tools/v4](https://github.com/kubernetes-sigs/promo-tools) from 4.1.0 to 4.4.0.
- [Release notes](https://github.com/kubernetes-sigs/promo-tools/releases)
- [Changelog](https://github.com/kubernetes-sigs/promo-tools/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/promo-tools@v4.1.0...v4.4.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/promo-tools/v4
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/sigs.k8s.io/promo-tools/v4-4.4.0 branch from 2bb237a to afb9262 March 5, 2026 02:18
Passing an empty string to option.WithCredentialsFile is a no-op.
Use Application Default Credentials implicitly instead, which fixes
the SA1019 staticcheck lint failure.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Mar 5, 2026
@k8s-ci-robot
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dependabot[bot], puerco, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [puerco,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit a9afcf8 into master Mar 5, 2026
11 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/sigs.k8s.io/promo-tools/v4-4.4.0 branch March 5, 2026 08:22