kyverno
diff --git a/‎.chainsaw.yaml‎
Lines changed: 1 addition & 0 deletions b/‎.chainsaw.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/actions/run-tests/action.yaml‎
Lines changed: 5 additions & 1 deletion b/‎.github/actions/run-tests/action.yaml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎.github/dependabot.yml‎
Lines changed: 3 additions & 1 deletion b/‎.github/dependabot.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/cel-test.yml‎
Lines changed: 11 additions & 10 deletions b/‎.github/workflows/cel-test.yml‎
Lines changed: 11 additions & 10 deletions
diff --git a/‎.github/workflows/check-actions.yaml‎
Lines changed: 3 additions & 6 deletions b/‎.github/workflows/check-actions.yaml‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎.github/workflows/check-codegen.yml‎
Lines changed: 34 additions & 0 deletions b/‎.github/workflows/check-codegen.yml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 2 additions & 4 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 2 additions & 4 deletions
@@ -16,3 +16,4 @@ spec:
   fullName: true
   forceTerminationGracePeriod: 5s
   delayBeforeCleanup: 3s
+
@@ -7,8 +7,12 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
     - name: Install Chainsaw
-      uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
+      uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10
+      with:
+        verify: true
     - name: Test with Chainsaw
       shell: bash
       run: |
 
@@ -1,6 +1,8 @@
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /
+    directories:
+      - /
+      - /.github/actions/*/
     schedule:
       interval: daily
@@ -3,10 +3,10 @@ name: E2E Tests - CEL
 permissions: {}
 
 on:
-  workflow_dispatch: {}
   pull_request:
     branches:
-      - 'main'
+      - main
+      - release-*
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,16 +18,14 @@ jobs:
       fail-fast: false
       matrix:
         k8s-version:
-          - name: v1.25
-            version: v1.25.16
-          - name: v1.26
-            version: v1.26.14
-          - name: v1.27
-            version: v1.27.11
           - name: v1.28
-            version: v1.28.7
+            version: v1.28.13
           - name: v1.29
-            version: v1.29.2
+            version: v1.29.8
+          - name: v1.30
+            version: v1.30.4
+          - name: v1.31
+            version: v1.31.0
         tests:
           - ^argo-cel$
           - ^aws-cel$
@@ -49,7 +47,10 @@ jobs:
           - ^other-cel$/^[s-z]
           - ^pod-security-cel$
           - ^psa-cel$
+          - ^psp-migration-cel$
           - ^traefik-cel$
+          - ^tekton-cel$
+          - ^velero-cel$
     runs-on: ubuntu-latest
     name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
     steps:
 
@@ -3,13 +3,10 @@ name: Check actions
 permissions: {}
 
 on:
-  push:
-    branches:
-      - '*'
   pull_request:
     branches:
-      - 'main'
-      - 'release*'
+      - main
+      - release-*
 
 jobs:
   check:
@@ -18,7 +15,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b8f9a25a51fe633d9215ac7734854dc11cd299cb # v3.0.13
         with:
           allowlist: |
             kyverno/chainsaw
@@ -0,0 +1,34 @@
+name: Verify codegen
+
+permissions: {}
+
+on:
+  pull_request:
+    branches:
+      - main
+      - release-*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify-e2e-workflow:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Set up Go 
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: .hack/chainsaw-matrix/go.mod
+          cache-dependency-path: .hack/chainsaw-matrix/go.sum
+      - name: Generate workflow
+        run: |
+          set -e
+          (cd .hack/chainsaw-matrix && go run . > ../../.github/workflows/test.yml)
+      - name: Check diff
+        run: |
+          set -e
+          git --no-pager diff .
+          git diff --quiet --exit-code .
@@ -3,13 +3,10 @@ name: Policy Test
 permissions: {}
 
 on:
-  push:
-    branches:
-      - '*'
   pull_request:
     branches:
       - main
-      - release*
+      - release-*
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,6 +26,7 @@ jobs:
       - name: Run ah lint
         working-directory: .
         run: ah lint -k kyverno
+
   test:
     runs-on: ubuntu-latest
     steps: