Accepting request 1327801 from devel:tools:scm

OBS-URL: https://build.opensuse.org/request/show/1327801
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/act?expand=0&rev=14

_service

@@ -3,7 +3,7 @@
     <param name="url">https://github.com/nektos/act.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v0.2.82</param>
+    <param name="revision">v0.2.84</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

_servicedata

@@ -1,6 +1,6 @@
 <servicedata>
  <service name="tar_scm">
     <param name="url">https://github.com/nektos/act.git</param>
-    <param name="changesrevision">3d71542867d7cbdac6a75e540be6f64362e94de2</param>
+    <param name="changesrevision">d93106d194bba273d70d2ba604ea633c3f396b59</param>
  </service>
 </servicedata>

act-0.2.82.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d20710720b054e161cda3fce3bc5fb95e66f9982f0591d5d39623c5099bfd788
-size 5785576

act-0.2.84.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:749e84877366ed91fe5fae947f0ddaff41d246d524421191efd4ce0f94b375a7
+size 5787636

act.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Jan 16 12:06:02 UTC 2026 - Alice Brooks <alice.brooks@suse.com>
+
+- Remove update-crypto-cve-2025-47913.patch: This was fixed upstream in v0.2.84
+- Update to version 0.2.84:
+  * chore: bump VERSION to 0.2.84
+  * fix: explode yaml anchors (#5987)
+  * chore(deps): Security update December 2025 (#5984)
+  * chore: bump VERSION to 0.2.83
+  * chore(mergify) Add merge queue configuration to .mergify.yml (#5944)
+
 -------------------------------------------------------------------
 Sun Nov 16 20:31:41 UTC 2025 - Matthias Eliasson <elimat@opensuse.org>
 

act.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package act
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2021 Orville Q. Song <orville@anislet.dev>
 #
 # All modifications and additions to the file contributed by third parties
@@ -24,7 +24,7 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}
 %global import_path     %{provider_prefix}/%{repo}
 Name:           act
-Version:        0.2.82
+Version:        0.2.84
 Release:        0
 Summary:        Run your GitHub Actions locally
 License:        MIT
@@ -32,8 +32,6 @@ Group:          Development/Tools/Other
 URL:            https://github.com/nektos/act
 Source0:        %{name}-%{version}.tar.xz
 Source1:        vendor.tar.gz
-# PATCH-FIX-UPSTREAM update-crypto-cve-2025-47913.patch bsc#1253608 elimat@opensuse.org -- Update golang.org/x/crypto to v0.43.0 to fix CVE-2025-47913 (GO-2025-4116)
-Patch0:         update-crypto-cve-2025-47913.patch
 BuildRequires:  golang-packaging
 BuildRequires:  golang(API) >= 1.16
 Requires:       (docker or podman)
@@ -46,7 +44,6 @@ act helps you run your Github Actions locally.
 %prep
 %setup -q
 %setup -q -a1 %{SOURCE1}
-%patch -P 0 -p0
 sed -i 's_var version = \"v0.2.27-dev\"_var version = "%{version}"_g' main.go
 
 %build

update-crypto-cve-2025-47913.patch

@@ -1,58 +0,0 @@
-From: Matthias Eliasson <elimat@opensuse.org>
-Date: Sat Nov 16 21:00:00 UTC 2025
-Subject: Update golang.org/x/crypto to fix SSH agent DoS vulnerability
-References: bsc#1253608
-Upstream: no (dependency version update)
-
-Update golang.org/x/crypto from v0.37.0 to v0.43.0 to fix CVE-2025-47913
-(GO-2025-4116). SSH clients receiving SSH_AGENT_SUCCESS when expecting a
-typed response will panic and cause early termination of the client process.
-
-The vulnerability affects pkg/runner/action_cache.go which uses SSH agent
-functions via go-git. The fix was introduced in golang.org/x/crypto v0.43.0.
-
-See:
-- https://pkg.go.dev/vuln/GO-2025-4116
-- https://go.dev/issue/75178
-- https://go.dev/cl/700295
-
-This also updates related golang.org/x dependencies to maintain compatibility:
-- golang.org/x/term: v0.35.0 -> v0.36.0
-- golang.org/x/net: v0.39.0 -> v0.45.0
-- golang.org/x/sync: v0.13.0 -> v0.17.0
-- golang.org/x/sys: v0.36.0 -> v0.37.0
-- golang.org/x/text: v0.24.0 -> v0.30.0
-
----
- go.mod | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
---- go.mod.orig
-+++ go.mod
-@@ -29,7 +29,7 @@ require (
- 	github.com/stretchr/testify v1.11.1
- 	github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928
- 	go.etcd.io/bbolt v1.4.3
--	golang.org/x/term v0.35.0
-+	golang.org/x/term v0.36.0
- 	gopkg.in/yaml.v3 v3.0.1
- 	gotest.tools/v3 v3.5.2
- )
-@@ -100,12 +100,12 @@ require (
- 	go.opentelemetry.io/otel/metric v1.33.0 // indirect
- 	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
- 	go.opentelemetry.io/otel/trace v1.33.0 // indirect
--	golang.org/x/crypto v0.37.0 // indirect
-+	golang.org/x/crypto v0.43.0 // indirect
- 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
--	golang.org/x/net v0.39.0 // indirect
--	golang.org/x/sync v0.13.0 // indirect
--	golang.org/x/sys v0.36.0 // indirect
--	golang.org/x/text v0.24.0 // indirect
-+	golang.org/x/net v0.45.0 // indirect
-+	golang.org/x/sync v0.17.0 // indirect
-+	golang.org/x/sys v0.37.0 // indirect
-+	golang.org/x/text v0.30.0 // indirect
- 	golang.org/x/time v0.6.0 // indirect
- 	google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
- 	gopkg.in/warnings.v0 v0.1.2 // indirect

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:9818b6371a61afadeb922e797a3ef9cc7d75abd17d1645d013c7295859238cb2
-size 5769128
+oid sha256:018d2eab552ab0a42a6b84d9a5421872c2197b89718c7e4dc14304a582947f3e
+size 5509702