chore: Update ko builder to use ko v0.13.0

docs-v2/content/en/docs/builders/builder-types/ko.md

@@ -6,7 +6,7 @@ featureId: build.ko
 aliases: [/docs/pipeline-stages/builders/ko]
 ---
 
-[`ko`](https://github.com/google/ko) enables fast, standardized, reproducible,
+[`ko`](https://ko.build/) enables fast, standardized, reproducible,
 configuration-less, Docker-less, and multi-platform container image builds for
 Go apps.
 
@@ -21,9 +21,8 @@ Compared to ...
   the ko builder is
   [fast](https://cloud.google.com/blog/topics/developers-practitioners/ship-your-go-applications-faster-cloud-run-ko),
   doesn't require Docker, and uses a default base image that has a small
-  attack surface
-  ([distroless](https://github.com/GoogleContainerTools/distroless)).
-
+  attack surface.
+
 - [the Docker builder]({{< relref "/docs/builders/builder-types/docker" >}}),
   the ko builder standardizes builds, avoiding artisanal
   [snowflake](https://martinfowler.com/bliki/SnowflakeServer.html)
@@ -57,20 +56,31 @@ build:
 
 ### Base image
 
-`ko` uses the [Distroless](https://github.com/GoogleContainerTools/distroless)
-image `gcr.io/distroless/static:nonroot` as the default base image. This is a
-small image that provides a
-[minimal environment for Go binaries](https://github.com/GoogleContainerTools/distroless/tree/main/base).
-The  default base image does not provide a shell, and it does not include
+`ko` uses the
+[`cgr.dev/chainguard/static`](https://github.com/chainguard-images/images/tree/main/images/static)
+image as the default base image. This is a small image that provides a
+minimal environment for Go binaries.
+The default base image does not provide a shell, and it does not include
 `glibc`.
 
 You can specify a different base image using the ko builder `fromImage` config
-field. For instance, if you want to use a base image that contains `glibc` and
-a shell, you can use this configuration:
+field. For instance, if you want to use a base image that contains `glibc`,
+you can use this configuration:
 
 ```yaml
     ko:
-      fromImage: gcr.io/distroless/base:debug-nonroot
+      fromImage: cgr.dev/chainguard/glibc-dynamic
+```
+
+If you run Skaffold in a Google Cloud VPC network with limited or no internet
+access, you can use a
+[distroless](https://github.com/GoogleContainerTools/distroless)
+base image from Google Container Registry, accessible via
+[Private Google Access](https://cloud.google.com/vpc/docs/private-google-access):
+
+```yaml
+    ko:
+      fromImage: gcr.io/distroless/static-debian11:nonroot
 ```
 
 ### Multi-platform images
@@ -197,7 +207,7 @@ e.g.:
 
 These templates are evaluated by Skaffold. Note that the syntax is slightly
 different to
-[`ko`'s template expansion](https://github.com/google/ko/blob/v0.12.0/pkg/build/gobuild.go#L632-L660),
+[`ko`'s template expansion](https://github.com/ko-build/ko/blob/v0.13.0/pkg/build/gobuild.go#L702-L769),
 specifically, there's no `.Env` prefix.
 
 ### Source file locations
@@ -243,13 +253,13 @@ Useful tips for existing `ko` users:
   [default repo]({{< relref "/docs/environment/image-registries" >}}).
 
 - The ko builder supports reading
-  [base image configuration](https://github.com/google/ko#overriding-base-images)
+  [base image configuration](https://ko.build/configuration/#overriding-base-images)
   from the `.ko.yaml` file. If you already configure your base images using
   this file, you do not need to specify the `fromImage` field for the
   artifact in `skaffold.yaml`.
 
 - The ko builder supports reading
-  [build configs](https://github.com/google/ko#overriding-go-build-settings)
+  [build configs](https://ko.build/configuration/#overriding-go-build-settings)
   from the `.ko.yaml` file if `skaffold.yaml` does not specify any of the build
   config fields (`dir`, `main`, `env`, `flags`, and `ldflags`). If you already
   specify these fields in `.ko.yaml`, you do not need to repeat them in
@@ -341,10 +351,9 @@ skaffold render --build-artifacts artifacts.json --digest-source none --offline
 Specify the location of your Kubernetes manifests in `skaffold.yaml`:
 
 ```yaml
-deploy:
-  kubectl:
-    manifests:
-    - k8s/*.yaml # this is the default
+manifests:
+  rawYaml:
+  - k8s/*.yaml
 ```
 
 To build images in parallel, consider setting the `SKAFFOLD_BUILD_CONCURRENCY`
@@ -372,7 +381,7 @@ can debug images built using `ko`.
 
 Images built using `ko` are automatically identified as Go apps by the presence
 of the
-[`KO_DATA_PATH` environment variable](https://github.com/google/ko#static-assets).
+[`KO_DATA_PATH` environment variable](https://ko.build/features/static-assets/).
 
 Skaffold configures `ko` to build with compiler optimizations and inlining
 disabled (`-gcflags='all=-N -l'`) when you run `skaffold debug` or use
@@ -395,7 +404,7 @@ The `ko` builder can
 when you run `skaffold dev`.
 
 The sync feature for the `ko` builder only works for 
-[static assets bundled with the container image](https://github.com/google/ko#static-assets).
+[static assets bundled with the container image](https://ko.build/features/static-assets/).
 
 Use `infer` mode to specify patterns for the files you want to sync. The
 infer patterns are relative to the `context` directory.
@@ -414,7 +423,7 @@ Note that the file sync feature requires the `tar` command to be available in
 the container. The default `ko` builder base image does not include the `tar`
 command. Use the `fromImage` field in the `ko` builder configuration in your
 `skaffold.yaml` file to specify a base image that contains the `tar` command,
-such as `gcr.io/distroless/base:debug`.
+such as `gcr.io/distroless/base-debian11:debug`.
 
 You can use [profiles]({{< relref "/docs/environment/profiles" >}}) with
 activation by command to override the `fromImage` value only when running
@@ -428,7 +437,7 @@ profiles:
   patches:
   - op: add
     path: /build/artifacts/0/ko/fromImage
-    value: gcr.io/distroless/base:debug
+    value: gcr.io/distroless/base-debian11:debug
 ```
 
 ### Remote builds
@@ -447,16 +456,24 @@ See the `custom` builder
 ```yaml
 build:
   artifacts:
-  - image: ko://github.com/GoogleContainerTools/skaffold/examples/custom
+  - image: ko://github.com/googlecontainertools/skaffold/examples/custom
     custom:
       buildCommand: ./build.sh
       dependencies:
         paths:
         - "**/*.go"
-        - go.mod
+        - go.*
+        - .ko.yaml
 ```
 
 If you need to use `ko` via the custom builder rather than the ko builder,
 please consider filing an
 [issue](https://github.com/GoogleContainerTools/skaffold/issues/new)
 that describes your use case.
+
+### SBOM synthesis and upload
+
+The `ko` CLI by default generates a software bill of materials (SBOM) and
+uploads it to the image registry. The Skaffold ko builder does not generate
+or upload SBOMs. If you need this feature, please
+[raise an issue](https://github.com/GoogleContainerTools/skaffold/issues).

docs-v2/data/maturity.json

@@ -88,7 +88,7 @@
     "debug": "x",
     "area": "Build",
     "feature": "ko builder",
-    "maturity": "alpha",
+    "maturity": "beta",
     "description": "Build Go apps using ko",
     "examples": [
       {

go.mod

@@ -63,11 +63,11 @@ require (
 	github.com/go-git/go-git/v5 v5.5.2
 	github.com/golang/glog v1.0.0
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
-	github.com/golang/protobuf v1.5.2
+	github.com/golang/protobuf v1.5.3
 	github.com/google/go-cmp v0.5.9
-	github.com/google/go-containerregistry v0.11.0
+	github.com/google/go-containerregistry v0.13.1-0.20230310164735-e94d40893b2d
 	github.com/google/go-github v17.0.0+incompatible
-	github.com/google/ko v0.12.0
+	github.com/google/ko v0.13.0
 	github.com/google/uuid v1.3.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3
 	github.com/heroku/color v0.0.6
@@ -103,19 +103,19 @@ require (
 	go.opentelemetry.io/otel/sdk v1.13.0
 	go.opentelemetry.io/otel/sdk/metric v0.36.0
 	go.opentelemetry.io/otel/trace v1.13.0
-	golang.org/x/oauth2 v0.5.0
+	golang.org/x/oauth2 v0.6.0
 	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.5.0
-	golang.org/x/term v0.5.0
-	golang.org/x/tools v0.6.0
-	google.golang.org/api v0.109.0
+	golang.org/x/sys v0.6.0
+	golang.org/x/term v0.6.0
+	golang.org/x/tools v0.7.0
+	google.golang.org/api v0.110.0
 	google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc
 	google.golang.org/grpc v1.53.0
-	google.golang.org/protobuf v1.28.1
+	google.golang.org/protobuf v1.29.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.25.4
-	k8s.io/apimachinery v0.26.1
+	k8s.io/api v0.26.1
+	k8s.io/apimachinery v0.26.2
 	k8s.io/client-go v0.25.4
 	k8s.io/kubectl v0.21.6
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491
@@ -174,7 +174,7 @@ require (
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20221129204813-6a4d6ed5d396 // indirect
 	github.com/cloudflare/circl v1.1.0 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.1 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/containerd/ttrpc v1.1.0 // indirect
 	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -214,7 +214,7 @@ require (
 	github.com/google/pprof v0.0.0-20210804190019-f964ff605595 // indirect
 	github.com/google/safetext v0.0.0-20230106111101-7156a760e523 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
 	github.com/googleapis/gax-go/v2 v2.7.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
@@ -224,7 +224,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.15.15 // indirect
+	github.com/klauspost/compress v1.16.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20230210162316-595a9511edd0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
@@ -257,15 +257,15 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/prometheus/common v0.39.0 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/rivo/tview v0.0.0-20210624165335-29d673af0ce2 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20201211074657-223ce5d391b0 // indirect
 	github.com/segmentio/encoding v0.2.7 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
-	github.com/sigstore/cosign v1.13.1 // indirect
+	github.com/sigstore/cosign/v2 v2.0.0 // indirect
 	github.com/sigstore/rekor v1.0.1 // indirect
 	github.com/sigstore/sigstore v1.5.1 // indirect
 	github.com/skeema/knownhosts v1.1.0 // indirect
@@ -290,10 +290,10 @@ require (
 	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/crypto v0.6.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
-	golang.org/x/time v0.2.0 // indirect
+	golang.org/x/mod v0.9.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
@@ -302,9 +302,10 @@ require (
 	gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gotest.tools/v3 v3.1.0 // indirect
 	k8s.io/klog/v2 v2.90.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kind v0.17.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )