notaryproject
diff --git a/‎.github/licenserc.yml
Lines changed: 1 addition & 1 deletion b/‎.github/licenserc.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/codeql.yml
Lines changed: 0 additions & 4 deletions b/‎.github/workflows/codeql.yml
Lines changed: 0 additions & 4 deletions
diff --git a/‎Dockerfile
Lines changed: 1 addition & 1 deletion b/‎Dockerfile
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/ratify-gatekeeper-provider/main.go
Lines changed: 22 additions & 9 deletions b/‎cmd/ratify-gatekeeper-provider/main.go
Lines changed: 22 additions & 9 deletions
diff --git a/‎cmd/ratify-gatekeeper-provider/main_test.go
Lines changed: 7 additions & 5 deletions b/‎cmd/ratify-gatekeeper-provider/main_test.go
Lines changed: 7 additions & 5 deletions
diff --git a/‎cmd/ratify/cmd/discover.go
Lines changed: 0 additions & 180 deletions b/‎cmd/ratify/cmd/discover.go
Lines changed: 0 additions & 180 deletions
@@ -29,7 +29,7 @@ header:
       limitations under the License.
 
   paths-ignore:
-    - "**/*.{md,svg,yaml,crt,cer,json,pub,yml,pb.go,proto,gotmpl}"
+    - "**/*.{md,svg,yaml,crt,cer,json,pub,yml,pb.go,proto,gotmpl,tpl}"
     - "CODEOWNERS"
     - "PROJECT"
     - "NOTICE"
 
@@ -42,9 +42,5 @@ jobs:
         uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # tag=v3.28.17
         with:
           languages: go
-      - name: Run tidy
-        run: go mod tidy
-      - name: Build CLI
-        run: make build
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # tag=v3.28.17
@@ -11,7 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.24-alpine@sha256:7772cb5322baa875edd74705556d08f0eeca7b9c4b5367754ce3f2f00041ccee AS builder
+FROM golang:1.24-alpine@sha256:ef18ee7117463ac1055f5a370ed18b8750f01589f13ea0b48642f5792b234044 AS builder
 
 WORKDIR /app
 
 
@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/ratify-project/ratify/v2/internal/httpserver"
+	"github.com/ratify-project/ratify/v2/internal/manager"
 	"github.com/sirupsen/logrus"
 )
 
@@ -33,11 +34,13 @@ func main() {
 }
 
 type options struct {
-	configFilePath    string
-	httpServerAddress string
-	certFile          string
-	keyFile           string
-	verifyTimeout     time.Duration
+	configFilePath       string
+	httpServerAddress    string
+	certFile             string
+	keyFile              string
+	gatekeeperCACertFile string
+	disableCertRotation  bool
+	verifyTimeout        time.Duration
 }
 
 func parse() *options {
@@ -46,7 +49,9 @@ func parse() *options {
 	flag.StringVar(&opts.httpServerAddress, "address", "", "HTTP server address")
 	flag.StringVar(&opts.certFile, "cert-file", "", "Path to the TLS certificate file")
 	flag.StringVar(&opts.keyFile, "key-file", "", "Path to the TLS key file")
+	flag.StringVar(&opts.gatekeeperCACertFile, "gatekeeper-ca-cert-file", "", "Path to the Gatekeeper CA certificate file")
 	flag.DurationVar(&opts.verifyTimeout, "verify-timeout", 5*time.Second, "Verification timeout duration (e.g. 5s, 1m), default is 5 seconds")
+	flag.BoolVar(&opts.disableCertRotation, "disable-cert-rotation", false, "Disable certificate rotation")
 
 	flag.Parse()
 	logrus.Infof("Starting Ratify with options: %+v", opts)
@@ -57,11 +62,19 @@ func startRatify(opts *options) error {
 	if len(opts.httpServerAddress) == 0 {
 		return errors.New("HTTP server address is required")
 	}
+	var certRotatorReady chan struct{}
+	if !opts.disableCertRotation {
+		certRotatorReady = make(chan struct{})
+	}
 	serverOpts := &httpserver.ServerOptions{
-		HTTPServerAddress: opts.httpServerAddress,
-		CertFile:          opts.certFile,
-		KeyFile:           opts.keyFile,
-		VerifyTimeout:     opts.verifyTimeout,
+		HTTPServerAddress:    opts.httpServerAddress,
+		CertFile:             opts.certFile,
+		KeyFile:              opts.keyFile,
+		GatekeeperCACertFile: opts.gatekeeperCACertFile,
+		VerifyTimeout:        opts.verifyTimeout,
+		CertRotatorReady:     certRotatorReady,
 	}
+
+	go manager.StartManager(certRotatorReady)
 	return httpserver.StartServer(serverOpts, opts.configFilePath)
 }
@@ -112,17 +112,19 @@ func TestStartRatify(t *testing.T) {
 		{
 			name: "missing http server address",
 			opts: &options{
-				configFilePath: "config.yaml",
-				verifyTimeout:  5 * time.Second,
+				configFilePath:      "config.yaml",
+				verifyTimeout:       5 * time.Second,
+				disableCertRotation: true,
 			},
 			expectError: true,
 		},
 		{
 			name: "failed to start the server",
 			opts: &options{
-				httpServerAddress: ":8080",
-				configFilePath:    "config.yaml",
-				certFile:          "cert.pem",
+				httpServerAddress:   ":8080",
+				configFilePath:      "config.yaml",
+				certFile:            "cert.pem",
+				disableCertRotation: true,
 			},
 			expectError: true,
 		},