Accepting request 1318918 from devel:tools:scm

OBS-URL: https://build.opensuse.org/request/show/1318918
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/act?expand=0&rev=13

_service

@@ -3,7 +3,7 @@
     <param name="url">https://github.com/nektos/act.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v0.2.64</param>
+    <param name="revision">v0.2.82</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

_servicedata

@@ -1,6 +1,6 @@
 <servicedata>
  <service name="tar_scm">
     <param name="url">https://github.com/nektos/act.git</param>
-    <param name="changesrevision">aa54ea933591a57d1179c2691a57f2017aa855e5</param>
+    <param name="changesrevision">3d71542867d7cbdac6a75e540be6f64362e94de2</param>
  </service>
 </servicedata>

act-0.2.64.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ae5acc55842f84505d6efe799c92a2728c03461c64585880489a9069dec090b9
-size 5763472

act-0.2.82.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d20710720b054e161cda3fce3bc5fb95e66f9982f0591d5d39623c5099bfd788
+size 5785576

act.changes

@@ -1,3 +1,171 @@
+-------------------------------------------------------------------
+Sun Nov 16 20:31:41 UTC 2025 - Matthias Eliasson <elimat@opensuse.org>
+
+- Security fix for bsc#1253608, CVE-2025-47913, GO-2025-4116
+- Add update-crypto-cve-2025-47913.patch: Update golang.org/x/crypto
+  from v0.37.0 to v0.43.0 to fix SSH agent DoS vulnerability where
+  SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed
+  response will panic and cause early termination of the client
+  process. Affects pkg/runner/action_cache.go which uses SSH agent
+  functions via go-git.
+- Regenerate vendor.tar.gz with updated dependencies 
+
+-------------------------------------------------------------------
+Wed Oct 15 07:14:18 UTC 2025 - Alice Brooks <alice.brooks@suse.com>
+
+- Add podman as an alternative to docker
+- Update to version 0.2.82:
+  * chore: bump VERSION to 0.2.82
+  * build(deps): bump the dependencies group across 1 directory with 10 updates (#5935)
+  * chore: bump VERSION to 0.2.81
+  * fix: matrix expansion logic (#115) (#5294)
+  * fix: step container workdir and mounts (#93) (#5295)
+  * fix: file name (#90) (#5296)
+  * refactor: simplify adding new node versions add node 24 (#5899)
+  * chore: mergify does no longer support queue_conditions != merge_conditions for require status checks to be up to date (#5891)
+  * chore: bump VERSION to 0.2.80
+  * fix: use ubuntu-latest bookworm instead of buster for tests (#5884)
+  * build(deps): bump the dependencies group with 5 updates (#5861)
+  * chore: bump VERSION to 0.2.79
+  * build(deps): bump github.com/go-viper/mapstructure/v2 (#5837)
+  * added info log when container image platform mismatched (#3225)
+  * fix: post step failure is job failure (#5297)
+  * feat: allow workflow description (#5326)
+  * feat: `--validate` and `--strict` (#2717)
+  * ci: fix goreleaser config (#5276)
+  * fix: valueMasker concurrent map write (#5026)
+  * fix: GITHUB_ENV and GITHUB_OUTPUT allow larger lines (#5028)
+  * build(deps): bump the dependencies group across 1 directory with 5 updates (#4986)
+  * feat: log parsed commands and step summary (#2761)
+  * chore: bump VERSION to 0.2.78
+  * fix: wrap subpath in '' (#2754) (#2755)
+  * ci: make codecov informational only (#2924)
+  * feat: add cli option to set concurrent jobs count (#2762)
+  * fix: add missing punctuation to error report (#2752) (#2753)
+  * feat: add models permission level for AI inference responses (#2767)
+  * docs: Remove Gitter (#2678)
+  * chore(ci): disable invalid test case (#2875)
+  * ci: disable stale bot (#2745)
+  * update-choco (#2742)
+  * chore: bump VERSION to 0.2.77
+  * build(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 (#2735)
+  * chore(ci): Only promote if possible (#2721)
+  * build(deps): bump the dependencies group with 3 updates (#2720)
+  * chore: bump VERSION to 0.2.76
+  * feat: Support graceful job step cancellation (#2714)
+  * fix: reporting fetch failure as job error and log the error (#2715)
+  * build(deps): bump the dependencies group across 1 directory with 6 updates (#2706)
+  * build(deps): bump golang.org/x/net from 0.34.0 to 0.36.0 (#2693)
+  * chore(deps): bump to go1.24 due to deps updates (#2705)
+  * build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#2703)
+  * Report the elapsed time for each workflow step (#2700)
+  * Refer to nektosact.com (#2692)
+  * fixes #2689 Make the external url of cache server configurable if necessary  (#2690)
+  * chore: bump VERSION to 0.2.75
+  * Clarify --no-skip-checkout flag (#2687)
+  * build(deps): bump the dependencies group with 6 updates (#2675)
+  * Disable "unable to get git repo" when none exists. (#2495)
+  * build(deps): bump github.com/go-git/go-billy/v5 from 5.6.1 to 5.6.2 (#2611)
+  * fix: use non strict schema to allow some undefined behavior (#2524)
+  * fix: remote docker actions new action cache and dry run mode (#2513)
+  * Add tests against reading config files (#2682)
+  * chore: mergify and codeowners do not request review (#2683)
+  * feat: GoGitActionCache shallow fetch (#2677)
+  * build(deps): bump the dependencies group with 2 updates (#2674)
+  * Update .gitleaksignore (#2676)
+  * chore: Group DependableBot Updates monthly (#2673)
+  * build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.5.0 (#2670)
+  * build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#2669)
+  * add test workflows to cmd pkg (#2665)
+  * fix: secret file reading (#45) (#2664)
+  * chore: bump VERSION to 0.2.74
+  * build(deps): bump gotest.tools/v3 from 3.5.1 to 3.5.2 (#2655)
+  * build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0 (#2656)
+  * chore: move to environment secrets (#2653)
+  * chore: remove comments from mergify on merge conflict or check failures (#2652)
+  * Use gh auth token for default GITHUB_TOKEN secret (#2651)
+  * chore: bump VERSION to 0.2.73
+  * Incorporate Debug, Warn, Error logging. (#2490)
+  * refactor logger (#2552)
+  * Detect available flags for extensions (#2557)
+  * build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.4 (#2644)
+  * parse_env_file discard utf8 bom (#2638)
+  * chore: bump VERSION to 0.2.72
+  * Added support for dereferenced map properties (#2635)
+  * build(deps): bump github.com/docker/cli (#2634)
+  * build(deps): bump github.com/rhysd/actionlint from 1.7.6 to 1.7.7 (#2624)
+  * build(deps): bump google.golang.org/protobuf from 1.36.2 to 1.36.3 (#2623)
+  * build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 (#2622)
+  * Add GitHub Local Actions to README (#2588)
+  * build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.2 (#2612)
+  * build(deps): bump github.com/go-git/go-git/v5 from 5.13.0 to 5.13.1 (#2604)
+  * build(deps): bump github.com/rhysd/actionlint from 1.7.5 to 1.7.6 (#2603)
+  * build(deps): bump golang.org/x/term from 0.27.0 to 0.28.0 (#2602)
+  * chore: bump VERSION to 0.2.71
+  * Fix typo in `--action-offline-mode` option description (#2590)
+  * build(deps): bump github.com/go-git/go-git/v5 from 5.12.0 to 5.13.0 (#2595)
+  * build(deps): bump github.com/go-git/go-billy/v5 from 5.6.0 to 5.6.1 (#2594)
+  * build(deps): bump github.com/rhysd/actionlint from 1.7.4 to 1.7.5 (#2593)
+  * fix: prevent unintended input replacement in reusable workflows with workflow_dispatch when using workflow_call (#2502)
+  * ci(mergify): upgrade configuration to current format (#2547)
+  * feat: Adding in logic to check if act needs to be downloaded (#2575)
+  * fix: short sha has at least four digits (#2540)
+  * chore: upgrade dependencies (#2589)
+  * fix: amd64 arch to X64 (#2580)
+  * chore: bump VERSION to 0.2.70
+  * build(deps): bump megalinter/megalinter from 8.2.0 to 8.3.0 (#2541)
+  * build(deps): bump github.com/creack/pty from 1.1.23 to 1.1.24 (#2533)
+  * build(deps): bump codecov/codecov-action from 4 to 5 (#2532)
+  * build(deps): bump megalinter/megalinter from 8.1.0 to 8.2.0 (#2531)
+  * build(deps): bump github.com/rhysd/actionlint from 1.7.3 to 1.7.4 (#2527)
+  * build(deps): bump github.com/adrg/xdg from 0.5.0 to 0.5.3 (#2515)
+  * chore: bump VERSION to 0.2.69
+  * add test for listartifacts v4 filter (#2507)
+  * fix: tests with validation errors were skipped (#2496)
+  * fix: merge-multiple artifacts were broken (#2505)
+  * build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#2506)
+  * build(deps): bump github.com/opencontainers/selinux (#2498)
+  * build(deps): bump megalinter/megalinter from 8.0.0 to 8.1.0 (#2485)
+  * build(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.1 (#2484)
+  * feat: improve new action cache logging (#2474)
+  * fix: if condition in composite action misbehaves (#2473)
+  * build(deps): bump golang.org/x/term from 0.24.0 to 0.25.0 (#2480)
+  * build(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.1 (#2479)
+
+-------------------------------------------------------------------
+Tue Oct 15 08:05:35 UTC 2024 - kskarthik@disroot.org
+
+- Update to version 0.2.68:
+  * chore: bump VERSION to 0.2.68
+  * build(deps): bump github.com/rhysd/actionlint from 1.7.1 to 1.7.3 (#2477)
+  * build(deps): bump github.com/creack/pty from 1.1.21 to 1.1.23 (#2468)
+  * run_context: add GITHUB_RUN_ATTEMPT (#2458)
+  * Fix install sh usage (#2454)
+  * bug/issue #2448 - manage special bash options when no shell is defined (#2449)
+  * feat: generate a manual page automatically with cobra/doc (#2352)
+  * chore: bump VERSION to 0.2.67
+  * fix: schema validation for job if functions (#2446)
+  * build(deps): bump golang.org/x/term from 0.23.0 to 0.24.0 (#2442)
+  * fix: artifact v4 upload above 8MB (#2402)
+  * chore: bump VERSION to 0.2.66
+  * build(deps): bump golang.org/x/term from 0.22.0 to 0.23.0 (#2421)
+  * build(deps): bump megalinter/megalinter from 7.13.0 to 8.0.0 (#2436)
+  * build(deps): bump dario.cat/mergo from 1.0.0 to 1.0.1 (#2430)
+  * fix GOOS parsing to match expected GHA RUNNER_OS values (#2422)
+  * feat: Validate GitHub Actions schema (#2416)
+  * chore: bump VERSION to 0.2.65
+  * remove double negation in --help (#2405)
+  * Bump mergo to v1.0.0 with new module URL (#2403)
+  * build(deps): bump github.com/timshannon/bolthold to v0.0.0-20240314194003-30aac6950928 (#2248)
+  * Fix #2363. Add /pre- and /post-entrypoint handling (#2394)
+  * build(deps): bump golang.org/x/term from 0.21.0 to 0.22.0 (#2387)
+  * build(deps): bump github.com/adrg/xdg from 0.4.0 to 0.5.0 (#2398)
+  * fix: docker stub and add a test for this (#2355)
+  * fix: changed location of actrc in info message (#2373)
+  * fix: make node tool non volatile (#2372)
+  * fix: add missing service container health check (#2354)
+  * build(deps): bump megalinter/megalinter from 7.11.1 to 7.13.0 (#2389)
+
 -------------------------------------------------------------------
 Tue Jul 02 11:23:19 UTC 2024 - kskarthik@disroot.org
 

act.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package act
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 # Copyright (c) 2021 Orville Q. Song <orville@anislet.dev>
 #
 # All modifications and additions to the file contributed by third parties
@@ -24,7 +24,7 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}
 %global import_path     %{provider_prefix}/%{repo}
 Name:           act
-Version:        0.2.64
+Version:        0.2.82
 Release:        0
 Summary:        Run your GitHub Actions locally
 License:        MIT
@@ -32,9 +32,11 @@ Group:          Development/Tools/Other
 URL:            https://github.com/nektos/act
 Source0:        %{name}-%{version}.tar.xz
 Source1:        vendor.tar.gz
+# PATCH-FIX-UPSTREAM update-crypto-cve-2025-47913.patch bsc#1253608 elimat@opensuse.org -- Update golang.org/x/crypto to v0.43.0 to fix CVE-2025-47913 (GO-2025-4116)
+Patch0:         update-crypto-cve-2025-47913.patch
 BuildRequires:  golang-packaging
 BuildRequires:  golang(API) >= 1.16
-Requires:       docker
+Requires:       (docker or podman)
 %{go_nostrip}
 %{go_provides}
 
@@ -44,6 +46,7 @@ act helps you run your Github Actions locally.
 %prep
 %setup -q
 %setup -q -a1 %{SOURCE1}
+%patch -P 0 -p0
 sed -i 's_var version = \"v0.2.27-dev\"_var version = "%{version}"_g' main.go
 
 %build

update-crypto-cve-2025-47913.patch

@@ -0,0 +1,58 @@
+From: Matthias Eliasson <elimat@opensuse.org>
+Date: Sat Nov 16 21:00:00 UTC 2025
+Subject: Update golang.org/x/crypto to fix SSH agent DoS vulnerability
+References: bsc#1253608
+Upstream: no (dependency version update)
+
+Update golang.org/x/crypto from v0.37.0 to v0.43.0 to fix CVE-2025-47913
+(GO-2025-4116). SSH clients receiving SSH_AGENT_SUCCESS when expecting a
+typed response will panic and cause early termination of the client process.
+
+The vulnerability affects pkg/runner/action_cache.go which uses SSH agent
+functions via go-git. The fix was introduced in golang.org/x/crypto v0.43.0.
+
+See:
+- https://pkg.go.dev/vuln/GO-2025-4116
+- https://go.dev/issue/75178
+- https://go.dev/cl/700295
+
+This also updates related golang.org/x dependencies to maintain compatibility:
+- golang.org/x/term: v0.35.0 -> v0.36.0
+- golang.org/x/net: v0.39.0 -> v0.45.0
+- golang.org/x/sync: v0.13.0 -> v0.17.0
+- golang.org/x/sys: v0.36.0 -> v0.37.0
+- golang.org/x/text: v0.24.0 -> v0.30.0
+
+---
+ go.mod | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- go.mod.orig
++++ go.mod
+@@ -29,7 +29,7 @@ require (
+ 	github.com/stretchr/testify v1.11.1
+ 	github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928
+ 	go.etcd.io/bbolt v1.4.3
+-	golang.org/x/term v0.35.0
++	golang.org/x/term v0.36.0
+ 	gopkg.in/yaml.v3 v3.0.1
+ 	gotest.tools/v3 v3.5.2
+ )
+@@ -100,12 +100,12 @@ require (
+ 	go.opentelemetry.io/otel/metric v1.33.0 // indirect
+ 	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+ 	go.opentelemetry.io/otel/trace v1.33.0 // indirect
+-	golang.org/x/crypto v0.37.0 // indirect
++	golang.org/x/crypto v0.43.0 // indirect
+ 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+-	golang.org/x/net v0.39.0 // indirect
+-	golang.org/x/sync v0.13.0 // indirect
+-	golang.org/x/sys v0.36.0 // indirect
+-	golang.org/x/text v0.24.0 // indirect
++	golang.org/x/net v0.45.0 // indirect
++	golang.org/x/sync v0.17.0 // indirect
++	golang.org/x/sys v0.37.0 // indirect
++	golang.org/x/text v0.30.0 // indirect
+ 	golang.org/x/time v0.6.0 // indirect
+ 	google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
+ 	gopkg.in/warnings.v0 v0.1.2 // indirect

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:494c94913da596805f88626077463c90c4a47950de466f265d6f843126569867
-size 5416191
+oid sha256:9818b6371a61afadeb922e797a3ef9cc7d75abd17d1645d013c7295859238cb2
+size 5769128