From 5b552bd73da252645b4e382b0d2f5b885b1c0c2e8d9195020ec6b8359fd2ed37 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 29 Dec 2025 09:52:39 +0000 Subject: [PATCH 1/5] - Update to version 1.3.2: * bump to latest cosign fork release (#481) * Bump golang.org/x/crypto in the go_modules group across 1 directory (#476) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=28 --- .gitattributes | 23 ++++ .gitignore | 1 + _service | 20 +++ _servicedata | 4 + hauler-1.3.0.tar.zst | 3 + hauler-1.3.1.tar.zst | 3 + hauler-1.3.2.tar.zst | 3 + hauler.changes | 313 +++++++++++++++++++++++++++++++++++++++++++ hauler.spec | 71 ++++++++++ vendor.tar.zst | 3 + 10 files changed, 444 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.3.0.tar.zst create mode 100644 hauler-1.3.1.tar.zst create mode 100644 hauler-1.3.2.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..de7e20d --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.3.2 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..bd4c0de --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + 15867e84ad629a8c63d1727f71f29309cada8890 \ No newline at end of file diff --git a/hauler-1.3.0.tar.zst b/hauler-1.3.0.tar.zst new file mode 100644 index 0000000..df6f9fd --- /dev/null +++ b/hauler-1.3.0.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d9c9863cece3041f0458a8c33c459d66d7441293fa9d9b52ed61b0a23a0b8a4 +size 25650444 diff --git a/hauler-1.3.1.tar.zst b/hauler-1.3.1.tar.zst new file mode 100644 index 0000000..31cc228 --- /dev/null +++ b/hauler-1.3.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29d2ba55aa1559f81cec9d929459cbe1661b84b55be47b8d3bbcfed15cdd17ae +size 25692295 diff --git a/hauler-1.3.2.tar.zst b/hauler-1.3.2.tar.zst new file mode 100644 index 0000000..f510092 --- /dev/null +++ b/hauler-1.3.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aa8ade7c7ee1adff41615d2371115685c8381f9dee1fa477fd10c0a48819bf67 +size 25652983 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..b0bd905 --- /dev/null +++ b/hauler.changes @@ -0,0 +1,313 @@ +------------------------------------------------------------------- +Mon Dec 29 09:44:54 UTC 2025 - Dirk Müller + +- Update to version 1.3.2: + * bump to latest cosign fork release (#481) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#476) + +------------------------------------------------------------------- +Mon Nov 10 15:08:12 UTC 2025 - Dirk Müller + +- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911, + bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190, + bsc#1248937, CVE-2025-58058): + * bump github.com/containerd/containerd (#474) + * another fix to tests for new tests (#472) + * fixed typo in testdata (#471) + * fixed/cleaned new tests (#470) + * trying a new way for hauler testing (#467) + * update for cosign v3 verify (#469) + * added digests view to info (#465) + * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457) + * update oras-go to v1.2.7 for security patches (#464) + * update cosign to v3.0.2+hauler.1 (#463) + * fixed homebrew directory deprecation (#462) + * add registry logout command (#460) + +------------------------------------------------------------------- +Mon Oct 27 08:34:44 UTC 2025 - Dirk Müller + +- Update to version 1.3.0: + * bump the go_modules group across 1 directory with 2 updates (#455) + * upgraded versions/dependencies/deprecations (#454) + * allow loading of docker tarballs (#452) + * bump the go_modules group across 1 directory with 2 updates (#449) + +------------------------------------------------------------------- +Mon Jul 21 12:28:01 UTC 2025 - Dirk Müller + +- update to 1.2.5 (bsc#1246722, CVE-2025-46569): + * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in + the go_modules group across 1 directory (CVE-2025-46569) + * deprecate auth from hauler store copy + * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the + go_modules group across 1 directory + * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 + in the go_modules group across 1 directory + * upgraded go and dependencies versions + +------------------------------------------------------------------- +Mon Jul 21 12:23:59 UTC 2025 - Dirk Müller + +- Update to version 1.2.5: + * upgraded go and dependencies versions (#444) + * Bump github.com/go-viper/mapstructure/v2 (#442) + * bump github.com/cloudflare/circl (#441) + * deprecate auth from hauler store copy (#440) + * Bump github.com/open-policy-agent/opa (#438) + +------------------------------------------------------------------- +Thu May 1 16:34:57 UTC 2025 - Dirk Müller + +- update to 1.2.4 (CVE-2025-22872, bsc#1241804): + * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules + group across 1 directory + * minor tests updates + +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..aec4951 --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2025 SUSE LLC and contributors +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.3.2 +%global git_commit 5edc8802eec20adc7d0b75847f77446d6f531012 +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.25 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..a207e8f --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:27d316fcf92201332c65030413f046bcbe973e7250053ab289c9e68b29dbc9d5 +size 13208826 -- 2.51.1 From 9f9eaf483cdeab8e728a55dc02a159f80049f78a8496ad93a8dda7430378b00c Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Tue, 13 Jan 2026 14:08:36 +0000 Subject: [PATCH 2/5] - Update to version 1.4.0: * added/updated logging for `serve` and `remove` (#487) * added/fixed helm chart images/dependencies features (#485) * more experimental feature updates (#486) * add experimental notes (#483) * updated tempdir flag to store persistent flags (#484) * delete artifacts from store (#473) * path rewrites (#475) * updated/fixed workflow dependency versions (#478) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=30 --- .gitattributes | 23 +++ .gitignore | 1 + _service | 20 +++ _servicedata | 4 + hauler-1.3.0.tar.zst | 3 + hauler-1.3.1.tar.zst | 3 + hauler-1.3.2.tar.zst | 3 + hauler-1.4.0.tar.zst | 3 + hauler.changes | 326 +++++++++++++++++++++++++++++++++++++++++++ hauler.spec | 71 ++++++++++ vendor.tar.zst | 3 + 11 files changed, 460 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.3.0.tar.zst create mode 100644 hauler-1.3.1.tar.zst create mode 100644 hauler-1.3.2.tar.zst create mode 100644 hauler-1.4.0.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..204d00e --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.4.0 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..07a0e9c --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + ac7d82b55fb2d2e22e8f76b06312d68815ffa109 \ No newline at end of file diff --git a/hauler-1.3.0.tar.zst b/hauler-1.3.0.tar.zst new file mode 100644 index 0000000..df6f9fd --- /dev/null +++ b/hauler-1.3.0.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d9c9863cece3041f0458a8c33c459d66d7441293fa9d9b52ed61b0a23a0b8a4 +size 25650444 diff --git a/hauler-1.3.1.tar.zst b/hauler-1.3.1.tar.zst new file mode 100644 index 0000000..31cc228 --- /dev/null +++ b/hauler-1.3.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29d2ba55aa1559f81cec9d929459cbe1661b84b55be47b8d3bbcfed15cdd17ae +size 25692295 diff --git a/hauler-1.3.2.tar.zst b/hauler-1.3.2.tar.zst new file mode 100644 index 0000000..f510092 --- /dev/null +++ b/hauler-1.3.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aa8ade7c7ee1adff41615d2371115685c8381f9dee1fa477fd10c0a48819bf67 +size 25652983 diff --git a/hauler-1.4.0.tar.zst b/hauler-1.4.0.tar.zst new file mode 100644 index 0000000..993d4d7 --- /dev/null +++ b/hauler-1.4.0.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0a361f74710ffb6753dd2eaaff8d8375e4606d57a0cfdc59491b8677985617ef +size 25658546 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..2579f5d --- /dev/null +++ b/hauler.changes @@ -0,0 +1,326 @@ +------------------------------------------------------------------- +Tue Jan 13 13:57:02 UTC 2026 - Dirk Müller + +- Update to version 1.4.0: + * added/updated logging for `serve` and `remove` (#487) + * added/fixed helm chart images/dependencies features (#485) + * more experimental feature updates (#486) + * add experimental notes (#483) + * updated tempdir flag to store persistent flags (#484) + * delete artifacts from store (#473) + * path rewrites (#475) + * updated/fixed workflow dependency versions (#478) + +------------------------------------------------------------------- +Mon Dec 29 09:44:54 UTC 2025 - Dirk Müller + +- Update to version 1.3.2: + * bump to latest cosign fork release (#481) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#476) + +------------------------------------------------------------------- +Mon Nov 10 15:08:12 UTC 2025 - Dirk Müller + +- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911, + bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190, + bsc#1248937, CVE-2025-58058): + * bump github.com/containerd/containerd (#474) + * another fix to tests for new tests (#472) + * fixed typo in testdata (#471) + * fixed/cleaned new tests (#470) + * trying a new way for hauler testing (#467) + * update for cosign v3 verify (#469) + * added digests view to info (#465) + * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457) + * update oras-go to v1.2.7 for security patches (#464) + * update cosign to v3.0.2+hauler.1 (#463) + * fixed homebrew directory deprecation (#462) + * add registry logout command (#460) + +------------------------------------------------------------------- +Mon Oct 27 08:34:44 UTC 2025 - Dirk Müller + +- Update to version 1.3.0: + * bump the go_modules group across 1 directory with 2 updates (#455) + * upgraded versions/dependencies/deprecations (#454) + * allow loading of docker tarballs (#452) + * bump the go_modules group across 1 directory with 2 updates (#449) + +------------------------------------------------------------------- +Mon Jul 21 12:28:01 UTC 2025 - Dirk Müller + +- update to 1.2.5 (bsc#1246722, CVE-2025-46569): + * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in + the go_modules group across 1 directory (CVE-2025-46569) + * deprecate auth from hauler store copy + * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the + go_modules group across 1 directory + * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 + in the go_modules group across 1 directory + * upgraded go and dependencies versions + +------------------------------------------------------------------- +Mon Jul 21 12:23:59 UTC 2025 - Dirk Müller + +- Update to version 1.2.5: + * upgraded go and dependencies versions (#444) + * Bump github.com/go-viper/mapstructure/v2 (#442) + * bump github.com/cloudflare/circl (#441) + * deprecate auth from hauler store copy (#440) + * Bump github.com/open-policy-agent/opa (#438) + +------------------------------------------------------------------- +Thu May 1 16:34:57 UTC 2025 - Dirk Müller + +- update to 1.2.4 (CVE-2025-22872, bsc#1241804): + * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules + group across 1 directory + * minor tests updates + +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..89ce9f4 --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2026 SUSE LLC and contributors +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.4.0 +%global git_commit 5edc8802eec20adc7d0b75847f77446d6f531012 +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.25 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..498c813 --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c3b4d993ca1811a137222d919f0076df5ed9e9d48bcf349bf5d874278f6af0dc +size 13206649 -- 2.51.1 From 35acbb4360c064c16292929c8863d045d2e9fc3e1c7e11cbf49e1b050c20dfaa Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 19 Jan 2026 12:39:11 +0000 Subject: [PATCH 3/5] - Update to version 1.4.1: * fixed typos for containerd imports (#493) * fix and support containerd imports of `hauls` (#492) * bump github.com/sigstore/fulcio (#489) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=32 --- .gitattributes | 23 +++ .gitignore | 1 + _service | 20 +++ _servicedata | 4 + hauler-1.3.0.tar.zst | 3 + hauler-1.3.1.tar.zst | 3 + hauler-1.3.2.tar.zst | 3 + hauler-1.4.0.tar.zst | 3 + hauler-1.4.1.tar.zst | 3 + hauler.changes | 334 +++++++++++++++++++++++++++++++++++++++++++ hauler.spec | 71 +++++++++ vendor.tar.zst | 3 + 12 files changed, 471 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 hauler-1.3.0.tar.zst create mode 100644 hauler-1.3.1.tar.zst create mode 100644 hauler-1.3.2.tar.zst create mode 100644 hauler-1.4.0.tar.zst create mode 100644 hauler-1.4.1.tar.zst create mode 100644 hauler.changes create mode 100644 hauler.spec create mode 100644 vendor.tar.zst diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..807336e --- /dev/null +++ b/_service @@ -0,0 +1,20 @@ + + + https://github.com/rancherfederal/hauler + git + v1.4.1 + @PARENT_TAG@ + v(.*) + enable + + + hauler-*.tar + zst + + + hauler + + + zst + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..6ed6795 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/rancherfederal/hauler + 4a2b7b13a7a3e3dab926893c0be1a67dea6d8457 \ No newline at end of file diff --git a/hauler-1.3.0.tar.zst b/hauler-1.3.0.tar.zst new file mode 100644 index 0000000..df6f9fd --- /dev/null +++ b/hauler-1.3.0.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d9c9863cece3041f0458a8c33c459d66d7441293fa9d9b52ed61b0a23a0b8a4 +size 25650444 diff --git a/hauler-1.3.1.tar.zst b/hauler-1.3.1.tar.zst new file mode 100644 index 0000000..31cc228 --- /dev/null +++ b/hauler-1.3.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29d2ba55aa1559f81cec9d929459cbe1661b84b55be47b8d3bbcfed15cdd17ae +size 25692295 diff --git a/hauler-1.3.2.tar.zst b/hauler-1.3.2.tar.zst new file mode 100644 index 0000000..f510092 --- /dev/null +++ b/hauler-1.3.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aa8ade7c7ee1adff41615d2371115685c8381f9dee1fa477fd10c0a48819bf67 +size 25652983 diff --git a/hauler-1.4.0.tar.zst b/hauler-1.4.0.tar.zst new file mode 100644 index 0000000..993d4d7 --- /dev/null +++ b/hauler-1.4.0.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0a361f74710ffb6753dd2eaaff8d8375e4606d57a0cfdc59491b8677985617ef +size 25658546 diff --git a/hauler-1.4.1.tar.zst b/hauler-1.4.1.tar.zst new file mode 100644 index 0000000..2bddefc --- /dev/null +++ b/hauler-1.4.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b46056b6a9777cf944a513a10efecca8f6737a103f41126abca8828a798b3bf2 +size 25658690 diff --git a/hauler.changes b/hauler.changes new file mode 100644 index 0000000..6719c22 --- /dev/null +++ b/hauler.changes @@ -0,0 +1,334 @@ +------------------------------------------------------------------- +Mon Jan 19 12:38:03 UTC 2026 - Dirk Müller + +- Update to version 1.4.1: + * fixed typos for containerd imports (#493) + * fix and support containerd imports of `hauls` (#492) + * bump github.com/sigstore/fulcio (#489) + +------------------------------------------------------------------- +Tue Jan 13 13:57:02 UTC 2026 - Dirk Müller + +- Update to version 1.4.0: + * added/updated logging for `serve` and `remove` (#487) + * added/fixed helm chart images/dependencies features (#485) + * more experimental feature updates (#486) + * add experimental notes (#483) + * updated tempdir flag to store persistent flags (#484) + * delete artifacts from store (#473) + * path rewrites (#475) + * updated/fixed workflow dependency versions (#478) + +------------------------------------------------------------------- +Mon Dec 29 09:44:54 UTC 2025 - Dirk Müller + +- Update to version 1.3.2: + * bump to latest cosign fork release (#481) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#476) + +------------------------------------------------------------------- +Mon Nov 10 15:08:12 UTC 2025 - Dirk Müller + +- Update to version 1.3.1 (bsc#1251516, CVE-2025-47911, + bsc#1251891, CVE-2025-11579, bsc#1251651, CVE-2025-58190, + bsc#1248937, CVE-2025-58058): + * bump github.com/containerd/containerd (#474) + * another fix to tests for new tests (#472) + * fixed typo in testdata (#471) + * fixed/cleaned new tests (#470) + * trying a new way for hauler testing (#467) + * update for cosign v3 verify (#469) + * added digests view to info (#465) + * bump github.com/nwaples/rardecode/v2 from 2.1.1 to 2.2.0 in the go_modules group across 1 directory (#457) + * update oras-go to v1.2.7 for security patches (#464) + * update cosign to v3.0.2+hauler.1 (#463) + * fixed homebrew directory deprecation (#462) + * add registry logout command (#460) + +------------------------------------------------------------------- +Mon Oct 27 08:34:44 UTC 2025 - Dirk Müller + +- Update to version 1.3.0: + * bump the go_modules group across 1 directory with 2 updates (#455) + * upgraded versions/dependencies/deprecations (#454) + * allow loading of docker tarballs (#452) + * bump the go_modules group across 1 directory with 2 updates (#449) + +------------------------------------------------------------------- +Mon Jul 21 12:28:01 UTC 2025 - Dirk Müller + +- update to 1.2.5 (bsc#1246722, CVE-2025-46569): + * Bump github.com/open-policy-agent/opa from 1.1.0 to 1.4.0 in + the go_modules group across 1 directory (CVE-2025-46569) + * deprecate auth from hauler store copy + * Bump github.com/cloudflare/circl from 1.3.7 to 1.6.1 in the + go_modules group across 1 directory + * Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 + in the go_modules group across 1 directory + * upgraded go and dependencies versions + +------------------------------------------------------------------- +Mon Jul 21 12:23:59 UTC 2025 - Dirk Müller + +- Update to version 1.2.5: + * upgraded go and dependencies versions (#444) + * Bump github.com/go-viper/mapstructure/v2 (#442) + * bump github.com/cloudflare/circl (#441) + * deprecate auth from hauler store copy (#440) + * Bump github.com/open-policy-agent/opa (#438) + +------------------------------------------------------------------- +Thu May 1 16:34:57 UTC 2025 - Dirk Müller + +- update to 1.2.4 (CVE-2025-22872, bsc#1241804): + * Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules + group across 1 directory + * minor tests updates + +------------------------------------------------------------------- +Mon Apr 28 09:58:05 UTC 2025 - Dirk Müller + +- Update to version 1.2.3: + * formatting and flag text updates + * add keyless signature verification (#434) + * bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430) + * add --only flag to hauler store copy (for images) (#429) + * fix tlog verification error/warning output (#428) + +------------------------------------------------------------------- +Tue Apr 15 08:10:25 UTC 2025 - dmueller@suse.com + +- Update to version 1.2.2 (bsc#1241184, CVE-2024-0406): + * cleanup new tlog flag typos and add shorthand (#426) + * default public transparency log verification to false to be airgap friendly but allow override (#425) + * bump github.com/golang-jwt/jwt/v4 (#423) + * bump the go_modules group across 1 directory with 2 updates (#422) + * bump github.com/go-jose/go-jose/v3 (#417) + * bump github.com/go-jose/go-jose/v4 (#415) + * clear default manifest name if product flag used with sync (#412) + * updates for v1.2.0 (#408) + * fixed remote code (#407) + * added remote file fetch to load (#406) + * added remote and multiple file fetch to sync (#405) + * updated save flag and related logs (#404) + * updated load flag and related logs [breaking change] (#403) + * updated sync flag and related logs [breaking change] (#402) + * upgraded api update to v1/updated dependencies (#400) + * fixed consts for oci declarations (#398) + * fix for correctly grabbing platform post cosign 2.4 updates (#393) + * use cosign v2.4.1+carbide.2 to address containerd annotation in index.json (#390) + * Bump the go_modules group across 1 directory with 2 updates (#385) + * replace mholt/archiver with mholt/archives (#384) + * forked cosign bump to 2.4.1 and use as a library vs embedded binary (#383) + * cleaned up registry and improved logging (#378) + * Bump golang.org/x/crypto in the go_modules group across 1 directory (#377) +- drop + 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + (upstream) + +------------------------------------------------------------------- +Wed Jan 29 10:25:57 UTC 2025 - Dirk Müller + +- add 0001-Bump-the-go_modules-group-across-1-directory-with-2-.patch + to bump net/html dependencies (bsc#1235332, CVE-2024-45338) + +------------------------------------------------------------------- +Mon Jan 27 19:30:58 UTC 2025 - dmueller@suse.com + +- Update to version 1.1.1: + * fixed cli desc for store env var (#374) + * updated versions for go/k8s/helm (#373) + * updated version flag to internal/flags (#369) + * renamed incorrectly named consts (#371) + * added store env var (#370) + * adding ignore errors and retries for continue on error/fail on error (#368) + * updated/fixed hauler directory (#354) + * standardize consts (#353) + * removed cachedir code (#355) + * removed k3s code (#352) + * updated dependencies for go, helm, and k8s (#351) + * [feature] build with boring crypto where available (#344) + * updated workflow to goreleaser builds (#341) + * added timeout to goreleaser workflow (#340) + * trying new workflow build processes (#337) + * improved workflow performance (#336) + * have extract use proper ref (#335) + * yet another workflow goreleaser fix (#334) + * even more workflow fixes (#333) + * added more fixes to github workflow (#332) + * fixed typo in hauler store save (#331) + * updates to fix build processes (#330) + * added integration tests for non hauler tarballs (#325) + * bump: golang >= 1.23.1 (#328) + * add platform flag to store save (#329) + * Update feature_request.md + * updated/standardize command descriptions (#313) + * use new annotation for 'store save' manifest.json (#324) + * enable docker load for hauler tarballs (#320) + * bump to cosign v2.2.3-carbide.3 for new annotation (#322) + * continue on error when adding images to store (#317) + * Update README.md (#318) + * fixed completion commands (#312) + * github.com/rancherfederal/hauler => hauler.dev/go/hauler (#311) + * pages: enable go install hauler.dev/go/hauler (#310) + * Create CNAME + * pages: initial workflow (#309) + * testing and linting updates (#305) + * feat-273: TLS Flags (#303) + * added list-repos flag (#298) + * fixed hauler login typo (#299) + * updated cobra function for shell completion (#304) + * updated install.sh to remove github api (#293) + * fix image ref keys getting squashed when containing sigs/atts (#291) + * fix missing versin info in release build (#283) + * bump github.com/docker/docker in the go_modules group across 1 directory (#281) + * updated install script (`install.sh`) (#280) + * fix digest images being lost on load of hauls (Signed). (#259) + * feat: add readonly flag (#277) + * fixed makefile for goreleaser v2 changes (#278) + * updated goreleaser versioning defaults (#279) + * update feature_request.md (#274) + * updated old references + * updated actions workflow user + * added dockerhub to github actions workflow + * removed helm chart + * added debug container and workflow + * updated products flag description + * updated chart for release + * fixed workflow errors/warnings + * fixed permissions on testdata + * updated chart versions (will need to update again) + * last bit of fixes to workflow + * updated unit test workflow + * updated goreleaser deprecations + * added helm chart release job + * updated github template names + * updated imports (and go fmt) + * formatted gitignore to match dockerignore + * formatted all code (go fmt) + * updated chart tests for new features + * Adding the timeout flag for fileserver command + * Configure chart commands to use helm clients for OCI and private registry support + * Added some documentation text to sync command + * Bump golang.org/x/net from 0.17.0 to 0.23.0 + * fix for dup digest smashing in cosign + * removed vagrant scripts + * last bit of updates and formatting of chart + * updated hauler testdata + * adding functionality and cleaning up + * added initial helm chart + * removed tag in release workflow + * updated/fixed image ref in release workflow + * updated/fixed platforms in release workflow + * updated/cleaned github actions (#222) + * Make Product Registry configurable (#194) + * updated fileserver directory name (#219) + * fix logging for files + * add extra info for the tempdir override flag + * tempdir override flag for load + * deprecate the cache flag instead of remove + * switch to using bci-golang as builder image + * fix: ensure /tmp for hauler store load + * added the copy back for now + * remove copy at the image sync not needed with cosign update + * removed misleading cache flag + * better logging when adding to store + * update to v2.2.3 of our cosign fork + * add: dockerignore + * add: Dockerfile + * Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 + * Bump github.com/docker/docker + * updated and added new logos + * updated github files + +------------------------------------------------------------------- +Tue Apr 2 14:55:42 UTC 2024 - Dirk Müller + +- update to 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * fix exit code on error @amartin120 + * add registry flag to cli for sync @amartin120 +- update to 1.0.0: + * adding graphics @bgulla + * updated readme and removed roadmap @zackbradys + * updated/cleaned up install.sh @zackbradys + * remove deprecated commands @amartin120 + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names @amartin120 + * add login command @amartin120 + * update to add size totals and cosign bits to the info +- update to 0.4.4: + * add annotations for registry @amartin120 + * add annotations for key and platform @amartin120 + * Flags passed from the CLI have a global effect on any image + UNLESS it has a (key/platform) specified on the individual + image. Individual image key/platform takes precedence. + * If you have `hauler.dev/key` and/or `hauler.dev/platform` at + the annotation level, it would work just like the CLI flag + and globally apply for everything except individual images + specifying otherwise. Just like above. + * If you just so happen to provide both an annotation AND the + CLI flag for the same thing, the CLI flag wins. + * As for the `hauler.dev/registry` annotation, it will apply + globally unless the provided image reference already has a + registry specified in its name. +- update to 0.4.3: + * dep bumps for security vuln fixes @amartin120 + * check tag to determine pre-release @amartin120 + * Update install.sh for file cleaning @clemenko + * add platform flag for image add and sync @amartin120 + * bump cosign version to v2.2.2+carbide.2 @amartin120 + * improve cosign setup @amartin120 + * updated archive default name @zackbradys + * add license file @amartin120 + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` @amartin120 + +------------------------------------------------------------------- +Tue Apr 02 13:41:54 UTC 2024 - dmueller@suse.com + +- Update to version 1.0.1: + * Fix --name option in "store add file" command + * Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 + * Exit with status code 1 if cosign is not configured + * reverting changes for logos (#189) + * adding graphics + * fix exit code on error + * add registry flag to cli for sync + * updated readme and removed roadmap + * updated/cleaned up install.sh + * remove deprecated commands + * Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 + * bug-fix: handle complex file names + * add login command + * update to add size totals and cosign bits to the info command + * switch the 'apply the registry override first in a image sync + * switch the 'not a multi-arch image' log message to be debug + * fix whitspace issue + * add better logging for save + * add annotations for registry + * add annotations for key and platform + * dep bumps for security vuln fixes + * check tag to determine pre-release + * Update install.sh + * Update install.sh for file cleaning + * clean up makefile + * remove extra debug statement + * another fix for the unit test gh action + * add platform flag for image add and sync + * adjust unit test gh action for latest updates + * bump cosign version to v2.2.2+carbide.2 + * improve cosign setup + * updated archive default name + * add license file + * adjust to make registry and fileserver subcommands + * add fileserver option for `store serve` + * added homebrew install instructions + * updated hauler version and automated default version + +------------------------------------------------------------------- +Mon Jan 22 12:19:32 UTC 2024 - Dirk Müller + +- Initial package (0.4.2) diff --git a/hauler.spec b/hauler.spec new file mode 100644 index 0000000..bf2b84e --- /dev/null +++ b/hauler.spec @@ -0,0 +1,71 @@ +# +# spec file for package hauler +# +# Copyright (c) 2026 SUSE LLC and contributors +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: hauler +Version: 1.4.1 +%global git_commit 5edc8802eec20adc7d0b75847f77446d6f531012 +Release: 0 +Summary: Airgap Swiss Army Knife +License: Apache-2.0 +Group: System/Management +URL: https://github.com/rancherfederal/hauler +Source: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst +ExclusiveArch: x86_64 aarch64 +BuildRequires: cosign +BuildRequires: golang-packaging +BuildRequires: zstd +BuildRequires: golang(API) = 1.25 + +%description +Rancher Government Hauler simplifies the airgap experience without requiring +users to adopt a specific workflow. Hauler simplifies the airgapping process, +by representing assets (images, charts, files, etc...) as content and +collections to allow users to easily fetch, store, package, and distribute +these assets with declarative manifests or through the command line. + +Hauler does this by storing contents and collections as OCI Artifacts and +allows users to serve contents and collections with an embedded registry and +fileserver. Additionally, Hauler has the ability to store and inspect various +non-image OCI Artifacts. + +%prep +%autosetup -p1 -a1 + +%build +export CGO_ENABLED=1 +mkdir -p cmd/hauler/binaries/ +%ifarch aarch64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-arm64 +%endif +%ifarch x86_64 +cp -p %{_bindir}/cosign cmd/hauler/binaries/cosign-linux-amd64 +%endif +# s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }} +go build -o hauler -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X github.com/rancherfederal/hauler/internal/version.gitVersion=%{version} \ + -X github.com/rancherfederal/hauler/internal/version.gitCommit=%{git_commit} \ + -X github.com/rancherfederal/hauler/internal/version.gitTreeState=clean" cmd/hauler/main.go + +%install +install -D -m 755 hauler %{buildroot}/%{_bindir}/%{name} + +%files +%doc README.md +%{_bindir}/%{name} + +%changelog diff --git a/vendor.tar.zst b/vendor.tar.zst new file mode 100644 index 0000000..47949d2 --- /dev/null +++ b/vendor.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:65d6784cd1b742c9fae72adcf8827ee4c27f52fddce4991366d11d8f901b1dc4 +size 13217912 -- 2.51.1 From 9d147b5a9b223854da850fa5dc30fcbdf6b684b937eac35fdbed200587750231 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 19 Jan 2026 12:46:14 +0000 Subject: [PATCH 4/5] - Update to version 1.4.1 (bsc#1256546, CVE-2026-22772): OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=33 --- hauler.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hauler.changes b/hauler.changes index 6719c22..38aea74 100644 --- a/hauler.changes +++ b/hauler.changes @@ -1,7 +1,7 @@ ------------------------------------------------------------------- Mon Jan 19 12:38:03 UTC 2026 - Dirk Müller -- Update to version 1.4.1: +- Update to version 1.4.1 (bsc#1256546, CVE-2026-22772): * fixed typos for containerd imports (#493) * fix and support containerd imports of `hauls` (#492) * bump github.com/sigstore/fulcio (#489) -- 2.51.1 From d3effbbab4c440cd009bc1d8fe800aa1f2a7b0cee49931d385bf39aec9bc7d86 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Mon, 19 Jan 2026 13:38:12 +0000 Subject: [PATCH 5/5] OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/hauler?expand=0&rev=34 --- hauler.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hauler.spec b/hauler.spec index bf2b84e..5e6695a 100644 --- a/hauler.spec +++ b/hauler.spec @@ -18,7 +18,7 @@ Name: hauler Version: 1.4.1 -%global git_commit 5edc8802eec20adc7d0b75847f77446d6f531012 +%global git_commit 4a2b7b13a7a3e3dab926893c0be1a67dea6d8457 Release: 0 Summary: Airgap Swiss Army Knife License: Apache-2.0 -- 2.51.1