commit c7650c87c8a818789af58de86e52c6c4356d80c7dcab271ac44b64e13b3e5aed Author: Johannes Kastl Date: Wed Jul 3 16:44:46 2024 +0000 Accepting request 1185193 from home:ojkastl_buildservice:Branch_devel_tools_building update to 0.10.0 OBS-URL: https://build.opensuse.org/request/show/1185193 OBS-URL: https://build.opensuse.org/package/show/devel:tools:building/melange?expand=0&rev=53 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..04f82ac --- /dev/null +++ b/_service @@ -0,0 +1,21 @@ + + + https://github.com/chainguard-dev/melange + git + .git + v0.10.0 + @PARENT_TAG@ + enable + v(.*) + + + melange + + + + *.tar + gz + + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..0ed0ea0 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/chainguard-dev/melange + b967cbf5d7b2ae37da9a54829f51f7383e5289be \ No newline at end of file diff --git a/melange-0.10.0.obscpio b/melange-0.10.0.obscpio new file mode 100644 index 0000000..aa26673 --- /dev/null +++ b/melange-0.10.0.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:61d72808f3d3fbdc884a9233b1b0c2f0c3756d2ca9ab3bddeadec12d0dddc08f +size 4475916 diff --git a/melange.changes b/melange.changes new file mode 100644 index 0000000..72b01b0 --- /dev/null +++ b/melange.changes @@ -0,0 +1,1456 @@ +------------------------------------------------------------------- +Wed Jul 03 16:33:34 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.10.0: + * debug: Populate history file via mounts + * Add git-cherry-pick pipeline (#1278) + * convert some Infofs to Warnfs + * log it real good + * log the world-writeable file + * update docs + * enforce some more lint checks + * fix stupid bug in linter logging + * Restore signalcontext + * feat - add flag to go/build to run go mod tidy (#1303) + * prevent nil pointer + * update schema.json + * stable sorted defaults + * fix lint findings + * prevent nil pointer + * fix test + * fix tests + * review feedback + * some small improvements + * rewrite linting + * build(deps): bump github.com/chainguard-dev/yam from 0.0.8 to + 0.0.9 + * build(deps): bump ko-build/setup-ko from 0.6 to 0.7 + * fix tempdir linter + * git-checkout - do not allow both branch and tag to be + specified. + * build(deps): bump google.golang.org/api from 0.184.0 to 0.185.0 + * build(deps): bump github.com/github/go-spdx/v2 from 2.2.0 to + 2.3.1 + * build(deps): bump github.com/chainguard-dev/clog from 1.3.1 to + 1.4.0 + * lint: support linting existence of info dirs + * Make melange-test-pipelines call make test-e2e + * Make running the git-checkout via melange not emit WARN + messages. + * Clean up git-checkout-build-test.yaml, fix depth test. + * create-git-repo more standalone config, do not write to stderr + * Rename test-git-checkout and put create-git-repo in + test-fixtures. + * Add test-e2e target to Makefile + * Run make docs-repo + * compile: Fix miscompilation of subpkg tests + * Pipelines should inherit workdir from parents + * git-checkout: fix recurse='true' does nothing + * Use current user's ID when building via Docker + * Add test for PreserveBaseURI + * Add flag to preserve original PyPi URIs + +------------------------------------------------------------------- +Wed Jun 19 04:44:58 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.9.0: + * Quote issues when evaluating the depth condition by @dakaneye + in #1268 + * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.11 to + 2.5.14 in the go_modules group by @dependabot in #1271 + * test: Drop seemingly useless mkdir -p by @jonjohnsonjr in #1276 + * Remove dead tarfilter code by @jonjohnsonjr in #1279 + * Add build flag to override host libc flavor by @jonjohnsonjr in + #1270 + * Separate compilation from execution by @jonjohnsonjr in #1267 + * Remove build.PipelineBuild as a concept by @jonjohnsonjr in + #1280 + * Remove ability to set logging policy by @krishjainx in #1274 + * unbreak build at head from log policy removal by @k4leung4 in + #1288 + * build(deps): bump chainguard.dev/apko from 0.14.8 to 0.14.9 by + @dependabot in #1282 + * build(deps): bump github.com/klauspost/compress from 1.17.8 to + 1.17.9 by @dependabot in #1286 + * build(deps): bump k8s.io/apimachinery from 0.30.1 to 0.30.2 by + @dependabot in #1287 + * build(deps): bump google.golang.org/api from 0.183.0 to 0.184.0 + by @dependabot in #1285 + * build(deps): bump cloud.google.com/go/storage from 1.41.0 to + 1.42.0 by @dependabot in #1284 + * Populate history for --interactive builds by @jonjohnsonjr in + #1289 + * chore(autoconf/configure): Generate configuration with + autoreconf when configuration doesn't exist by @EyeCantCU in + #1290 + * Check for nil everywhere in Compile by @jonjohnsonjr in #1292 + * stop using deprecated flags for goreleaser by @k4leung4 in + #1269 + * git-checkout - try harder if getting hash from tag fails. by + @smoser in #1277 + * build(deps): bump actions/checkout from 4.1.6 to 4.1.7 by + @dependabot in #1293 + * build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by + @dependabot in #1294 + * build(deps): bump github.com/chainguard-dev/yam from 0.0.7 to + 0.0.8 by @dependabot in #1295 + * build(deps): bump github.com/google/go-containerregistry from + 0.19.1 to 0.19.2 by @dependabot in #1296 + * Fix missing commit in ranged subpackages by @jonjohnsonjr in + #1304 + * melange numpy test include python-3.12 by @pnasrat in #1308 + * add go/bump as a default pipeline by @willswire in #1058 + * Bump apko to v0.15.0 by @jonjohnsonjr in #1309 + +------------------------------------------------------------------- +Tue Jun 11 05:36:09 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.8.6: + * build(deps): bump step-security/harden-runner from 2.8.0 to + 2.8.1 + * Add ${{build.goarch}} substitution + * fix: error out when pipeline contains with but no uses + * Remove depth option from git clone if inputs.depth is set to -1 + +------------------------------------------------------------------- +Fri Jun 07 19:34:23 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.8.5: + * Add a new property that defaults to pom.xml and allows an + override so we can call multiple uses: maven/pombump and pass + in the somewhere-else/pom.xml + * go/build: remove subpackage input + +------------------------------------------------------------------- +Fri Jun 07 19:30:47 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.8.4: + * build(deps): bump chainguard.dev/apko + * Drop go-apk to pull in faster pkginfo access + * build(deps): bump google.golang.org/api from 0.182.0 to 0.183.0 + * build(deps): bump golang.org/x/sys from 0.20.0 to 0.21.0 + * build(deps): bump golang.org/x/text from 0.15.0 to 0.16.0 + * update schema + * support HTTP auth + * order + * fix + * doc + * ordering + * bump go and lint + * build(deps): bump chainguard.dev/apko from 0.14.3 to 0.14.7 + * build(deps): bump dagger.io/dagger from 0.11.4 to 0.11.6 + * build(deps): bump google.golang.org/api from 0.181.0 to 0.182.0 + * build(deps): bump docker/login-action from 3.1.0 to 3.2.0 + * Drop version from .PKGINFO + * Speed up presubmit + * Add --env-file to melange test + +------------------------------------------------------------------- +Thu May 30 11:00:34 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.8.3: + * Disallow duplicate subpackage names + +------------------------------------------------------------------- +Thu May 30 10:43:53 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.8.2: + * build(deps): bump chainguard.dev/apko + * build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.10.0 + to 0.10.1 + * tests: add range priority replacement tests + * build(deps): bump + go.opentelemetry.io/otel/exporters/stdout/stdouttrace + * build(deps): bump actions/checkout from 4.1.4 to 4.1.6 + * build(deps): bump step-security/harden-runner from 2.7.1 to + 2.8.0 + * schmea: validate priority integer strings, and update schema + comment + * Add ReplacesPriroity like ProviderPriority, and allow + substitutions + +------------------------------------------------------------------- +Wed May 22 19:38:50 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.8.1: + * Avoid panic if no external config file ref + * Verify wolfictl scan works + * githuib: Fixup melange configfile test case + * sbom: add support for generic git-checkout urls + * github: add SBOM external ref checks + * sbom: add external ref ConfigFile itself + * lint + * externalRefs: implement github git-checkout + * Generate fully qualified and normalized PURLs straight away + * Style review comments + * sbom: include external refs for fetched tarballs in SPDX + +------------------------------------------------------------------- +Wed May 22 17:35:58 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.8.0: + * Fix typo in README + * build(deps): bump actions/checkout from 4.1.4 to 4.1.6 + * generate + * gofmt + * upgrade to new apko + * Fix camel-case after review + * kill k8s e2e test + * delete k8s runner impl + * copyright: allow custom license texts + * go.mod: upgrade everything + * build(deps): bump goreleaser/goreleaser-action from 5.0.0 to + 5.1.0 + * build(deps): bump golangci/golangci-lint-action from 5.3.0 to + 6.0.1 + +------------------------------------------------------------------- +Tue May 14 19:35:43 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.7.0: + * Find shbangs to generate depends by @smoser in #1110 + * presubmit: remove gdk-pixbuf by @imjasonh in #1143 + * Revert "presubmit: remove gdk-pixbuf" by @imjasonh in #1147 + * verify SPDX SBOMs using spdx-tools-java by @imjasonh in #1146 + * Fix sca detection case for env with multiple arguments. by + @dlorenc in #1148 + * Update shbang collection to ignore 'python' and support simple + 'env -S'. by @smoser in #1159 + * ensure shbang check only checks valid shbangs by @joshrwolf in + #1160 + * config: allow scriplets in subpackages with range replacements + by @xnox in #1165 + * Drop -release from pc versions by @jonjohnsonjr in #1173 + * fix(cargo): Install all built binaries if output isn't defined + by @EyeCantCU in #1174 + * sbom: set supplier in addition to originator by @imjasonh in + #1184 + * Add melange scan by @jonjohnsonjr in #1175 + * Bump go-apk by @jonjohnsonjr in #1185 + * add global --gcplog flag to emit GCP-compatible JSON logs by + @imjasonh in #1186 + * pipelines/go: add back symbols tables by @xnox in #1142 + * Only consider that are in a PATH dir from generateCmdProviders + by @smoser in #1164 + * Allow symlinks to provide cmd: by @smoser in #1188 + * Extract melange sign to a library by @tcnghia in #1198 + * Revert "Allow symlinks to provide cmd:" by @joshrwolf in #1200 + * Bump apko by @jonjohnsonjr in #1201 + * Make unit tests faster by @jonjohnsonjr in #1202 + * Add buildmode to go/build by @jonjohnsonjr in #1210 + * lots of updates for build dependencies + +------------------------------------------------------------------- +Tue Apr 09 06:26:37 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.11: + * build(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 + * build(deps): bump + go.opentelemetry.io/otel/exporters/stdout/stdouttrace + * build(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0 + * build(deps): bump go.opentelemetry.io/otel/sdk from 1.24.0 to + 1.25.0 + * build(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1 + * build(deps): bump github.com/chainguard-dev/yam from 0.0.2 to + 0.0.3 + * bump docker + * build(deps): bump dagger.io/dagger from 0.10.2 to 0.11.0 + * build(deps): bump cloud.google.com/go/storage from 1.39.1 to + 1.40.0 + * Ensure configuration file is closed + * sca: add go-fips-bin runtime deps + * sca: add go-fips-bin test case + * build(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to + 5.12.0 + * build(deps): bump google.golang.org/api from 0.171.0 to 0.172.0 + +------------------------------------------------------------------- +Sat Mar 30 10:14:00 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.10: + * chore: CRAN -> R + * docs(cran): Add build pipeline + * fix(cran): Support passing source dir as package + * chore(cran): Remove (now known) redundant fetch/install + pipelines + * feat(pipelines): Add support for fetching, building, and + installing R packages from CRAN + * Change dependency for python to be python-Maj.Min-base. + * build(deps): bump google.golang.org/api from 0.170.0 to 0.171.0 + * build(deps): bump github.com/docker/cli + * build(deps): bump github.com/charmbracelet/log + * skip mounting resolv.conf for the docker runner + * build(deps): bump github.com/docker/docker + * Propagate user from image configuration + * build(deps): bump cloud.google.com/go/storage from 1.39.0 to + 1.39.1 + * build(deps): bump github.com/google/go-containerregistry + * build(deps): bump docker/login-action from 3.0.0 to 3.1.0 + * build(deps): bump actions/checkout from 4.1.1 to 4.1.2 + * build(deps): bump github.com/kubescape/go-git-url from 0.0.28 + to 0.0.30 + * build(deps): bump google.golang.org/api from 0.169.0 to 0.170.0 + * build(deps): bump dagger.io/dagger from 0.10.1 to 0.10.2 + * Switch to new octo-sts action (#1088) + * Move "executing:" logging to debug + * Keep symbols tables for fips builds + * Fix quotes + * pipelines/go: prefer to use netgo and osusergo by default + * pipelines/go/install: also trimpath like build + * pipelines/go: Strip by default + * pipelines/go: bump GOAMD64 to v2 + * pipelines/go: allow setting microarchitecture level settings + * Update pkg/build/pipeline.go + * open debug session in the specific workdir + * Add Harden Runner audit configs + * appease linter + * build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.9.0 + to 0.10.0 + * build(deps): bump google.golang.org/api from 0.168.0 to 0.169.0 + * build(deps): bump github.com/kubescape/go-git-url from 0.0.27 + to 0.0.28 + * feat(pipelines): Add cargo build for rust packages + * WIP: remove files from SBOM + * Bump apko + * document builtin substitutions + * build(deps): bump gitlab.alpinelinux.org/alpine/go + * fix test.environment jsonschema struct tag + +------------------------------------------------------------------- +Sun Mar 17 08:04:49 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.9: + * build(deps): bump google.golang.org/api from 0.166.0 to 0.168.0 + * build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0 + * build(deps): bump dagger.io/dagger from 0.9.10 to 0.10.1 + * Fix the bug in dropping the suffix. + * Drop WaitDelay from bubblewrap + * build(deps): bump actions/download-artifact from 4.1.2 to 4.1.4 + * build(deps): bump github.com/stretchr/testify from 1.8.4 to + 1.9.0 + * build(deps): bump cloud.google.com/go/storage from 1.38.0 to + 1.39.0 + +------------------------------------------------------------------- +Sun Mar 17 08:00:25 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.8: + * Update pombump.yaml + +------------------------------------------------------------------- +Sun Mar 17 07:51:04 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.7: + * Rename the default bump file name. + +------------------------------------------------------------------- +Sun Mar 17 07:45:18 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.6: + * Add ${{cross.triplet.rust.[glibc,musl]}} + * Add pombump pipeline. + +------------------------------------------------------------------- +Sun Mar 17 07:35:28 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.5: + * Fix resource usage in melange + * Fix job control with interactive bubblewrap + * build(deps): bump github.com/chainguard-dev/yam from 0.0.1 to + 0.0.2 + * build(deps): bump + go.opentelemetry.io/otel/exporters/stdout/stdouttrace + * build(deps): bump go.opentelemetry.io/otel/sdk from 1.23.1 to + 1.24.0 + * build(deps): bump cloud.google.com/go/storage from 1.37.0 to + 1.38.0 + * Bump apko + * Fix typo in error message + * build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 + * build(deps): bump actions/download-artifact from 4.1.1 to 4.1.2 + * build(deps): bump golangci/golangci-lint-action from 3.7.0 to + 4.0.0 + +------------------------------------------------------------------- +Sat Feb 24 09:01:37 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.4: + * Fix the yaml file so that it actually gets parsed properly. + * Propagate SourceDateEpoch from Build + +------------------------------------------------------------------- +Sat Feb 24 08:57:02 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.3: + * Don't write APK to temp file during signing + +------------------------------------------------------------------- +Tue Feb 20 20:40:47 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.2: + * Add --package-append flag to build + * apply package substitutions in + test.emvironment.contents.packages + * change docker runner labels + * label containers created by docker runner for easier external + management + * Add a --trace flag to melange build + * Add dagger runner + +------------------------------------------------------------------- +Thu Feb 15 06:14:16 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.1: + * omit arch log key when building one arch + * Remove breakpoint labels + * Clean up apko-temp dirs + * Remove images even with cancelled ctx + * Fix context.Background use + * Allow substitutions in dependencies.replaces + * doc: add diff pr + * docs: add version-transform doc and other example to + var-transform + +------------------------------------------------------------------- +Sat Feb 10 07:07:57 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.6.0: + * Split pkg/container up into smaller packages + * Mostly fix interactive interrupt signal handling + * Do more cleanup with --rm + * Continue interactive execution on exit 0 + * go fmt + * update dario/mergo + * move runner determination to pkg/cli + * Make debugging melange builds less terrible + * fix go-build example + * Make it easier to find docs-repo on ci failure + +------------------------------------------------------------------- +Thu Feb 08 20:06:17 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.5.10: + * Add --die-with-parent to bwrap flags + * fix bug with needs + * move some logs to debug + * Update build.yaml + * Update install.yaml + * Add GOEXPERIMENT to go/build + +------------------------------------------------------------------- +Wed Feb 07 07:34:17 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.5.9: + * use apko@main + * WIP: use charm logger + * Add WaitDelay to bubblewrap cmd + * Split options into separate files + * Cancel context on interrupt signal + * build(deps): bump github.com/docker/docker + * build(deps): bump cloud.google.com/go/storage from 1.36.0 to + 1.37.0 + * build(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 + +------------------------------------------------------------------- +Tue Feb 06 17:36:29 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.5.8: + * Add --rm flag (and options) to Build + * Respond to cancelled context while streaming logs + * Don't use goroutines for monitoring logs + * If arch is not specified, test all. + * Add Close() method to container runners + * use slogtest + * eliminate some more logger invocations + * Fix race condition in log monitoring + * Exclude "com.docker.grpcfuse.ownership" xattr + +------------------------------------------------------------------- +Sat Feb 03 17:40:41 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.5.7: + * Pass the correct env.env to the container. + * test: skip when executing on an unsupported arch + * melamge bump: only update expected commit shas for the main + git-checkout + * stop logging tons of "detected git commit for build + configuration" when parsing melage config + * Embed melange version in .PKGINFO + * Fix missing no-depends check + * build(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 + * build(deps): bump github.com/kubescape/go-git-url from 0.0.26 + to 0.0.27 + * build(deps): bump github.com/chainguard-dev/yam + * Bump apko to v0.14.0 + * Update CODE_OF_CONDUCT.md + * Update CODE_OF_CONDUCT.md + * Switch to octo-sts-action (#968) + * build(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 + * warn on invalid license, log SCA findings + * unexport some methods in pkg/sbom + * Fix aws-c-s3 SCA + * Don't include libexec directories in SCA includes + * tidy + * drop the lima runner + * Take advantage of Octo STS to publish homebrew updates. (#956) + * Pin to digest for setup-go in melange + * build(deps): bump actions/download-artifact from 4.1.0 to 4.1.1 + +------------------------------------------------------------------- +Tue Jan 23 18:00:07 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.5.6: + * sort with key/values + * Fail if unknown variable is used in substitution + * revert simple-hello, keep it alpine + * fix simple-hello again + * fix simple-hello + * fix wolfi e2e test + * also test wolfi built packages + * update examples + * migrate examples to wolfi + * add e2e test that packages can be installed with apk + * Audit the permissions of workflows. + * Add test for vendored pkgconfig + * Make "unable to detect git commit" a debug message + * Allow vendored pkgconfig deps + * make docs-repo + * update + * use apko@main + * drop pkg/logger and use slog + * Allow execable shared objects if name has ".so." + * Fix sbom loopvar issue + * Make BuildGuest more similar for Build and Test + * Use errgroup over github.com/korovkin/limiter + * Replace packages in APKINDEX with same version + * Remove some more struct mutating and shadowing + * Drop mutable imgRef from build.Build + * Move more mutations into parameters + * Take an fs as an argument to RetrieveWorkspace + * Add a test + * Convert some sca code to early return style + * build(deps): bump github.com/cloudflare/circl from 1.3.6 to + 1.3.7 + * move test pipelines to where others are. Remove unnecessary + test packages. + * Add python/import test pipeline, as well as e2e tests for + python test pipelines. + * how many ways can I really screw this one up... + * Try James suggestion. + * Fix the filenames. + * try with explicit false. + * maybe missing a space? + * Add --test-package-append that you can specify extra test + packages for each test. + * move the comment + * meson/configure: don't download subprojects by default + * Add a python/test pipeline. + * Bypass warning about detached head + * add `*_config` pattern to split/dev pipeline + +------------------------------------------------------------------- +Sun Jan 07 18:08:16 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.5.5: + * build(deps): bump github.com/google/go-containerregistry + * bump upload/download github actions + * build(deps): bump google.golang.org/api from 0.152.0 to 0.154.0 + * build(deps): bump github.com/lima-vm/lima from 0.18.0 to 0.19.1 + * build(deps): bump github.com/containerd/containerd from 1.7.7 + to 1.7.11 + * build(deps): bump github.com/go-git/go-git/v5 from 5.10.0 to + 5.11.0 + * build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 + * build(deps): bump cloud.google.com/go/storage from 1.35.1 to + 1.36.0 + * convert: sort packages alphabetically + * build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 + * build(deps): bump actions/setup-go from 4 to 5 + * build(deps): bump github.com/kubescape/go-git-url from 0.0.25 + to 0.0.26 + * Set a default env var for GOMODCACHE. + * Pull in `go-apk` with `provider_priority` `ini` fix. + * Mark update.manual as an optional field. + * update release to add some clarification regarding the homebrew + +------------------------------------------------------------------- +Tue Dec 05 06:06:45 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.5.4: + * build(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0 + * build(deps): bump chainguard.dev/apko + * build(deps): bump k8s.io/client-go from 0.28.3 to 0.28.4 + * schema: update for new test pipeline configuration + * build(deps): bump github.com/klauspost/compress from 1.17.2 to + 1.17.4 + * build(deps): bump google.golang.org/api from 0.150.0 to 0.152.0 + * fix issue + * cleanup: don't use pkg/errors + * fix bad merge. + * Default to package.name, but allow overrides, add example docs + for specifying which package, and version to test. + * argh, fix typo. + * Add tests, simplify code. + * e2e tests for `test` command. + * checkpoint. + * Add test command / implementation. + * alphabetize commands, add test. + * Refactor so can be used with test and build. + * config struct changes for test. + * Add autogenerated 'test' docs. + * make docs-repo + * remove unnecessary wait for testing + * support resource requests and timeouts + * UTC-ify source date epoch when set + * Fix capitalization of SBOM originators + * Fix the lint warnings in pkg/linter + * Fix lints, or ignore safe ones. No functional changes. + * prefix should be /usr + * Ensure jsonschema is kept up to date. + * Add jsonschema generation binary. + * build(deps): bump go.opentelemetry.io/otel from 1.20.0 to + 1.21.0 + * build(deps): bump k8s.io/apimachinery from 0.28.3 to 0.28.4 + * build(deps): bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7 + * fix and continuously validate SBOMs + * make docs-repo + * default --use-github=true + * fix docs + * convert python: don't overwrite existing files + * format manifests with yam + * fix docs for --runner + * improve 'melange convert python' to remove manual steps + +------------------------------------------------------------------- +Thu Nov 16 14:23:15 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.5.3: + * Update release.md + * build(deps): bump golang.org/x/time from 0.3.0 to 0.4.0 + * pipelines: go/build: add support for go.mod overlay files + * build(deps): bump cloud.google.com/go/storage from 1.33.0 to + 1.35.1 + * go mod tidy + * update go-apk dependency + * build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 + * build(deps): bump go.opentelemetry.io/otel from 1.19.0 to + 1.20.0 + * apply substitutions to .environment.contents.packages + * test runtime replacements + * build(deps): bump github.com/sigstore/cosign/v2 from 2.2.0 to + 2.2.1 + * build(deps): bump google.golang.org/api from 0.149.0 to 0.150.0 + * go mod tidy + * use merged PR + * update dep + * use pushed PRs + * WIP: use forked alpine-go in go-apk + * move spammy logs to debugf + +------------------------------------------------------------------- +Thu Nov 09 14:56:03 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.5.2: + * Update pkg/config/config.go + * GithubReleaseMonitor: add tagprefix and tagcontains to be used + in github tags filtering + * Plumb check configs through to linters + * Delete no-op sbom code + * remove unimplemented references to fulcio support + * fail if 'with' is used with 'runs' + * Error early if uses and runs are both present + * Get rid of PackageContext and SubpackageContext + * Remove impossible errors + * Make loadUse test actually test something + * Remove impossible errors + * build: use util.Dedup instead of slices.Compact + * util: bring back Dedup, slices.Collapse requires sorting + * Bump go-apk + * Filter out noise opening non-ELF files + * Bump go-apk and use faster tarfs implementation + * Add a test to ensure that ranges are handled properly. + * Add linters for #805 and #804. + * Refactor linting logic and clean things up + * Add SBOM linter + * build(deps): bump github.com/docker/docker + * build(deps): bump chainguard.dev/apko + * build(deps): bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6 + * Add GID/UID remapping to improve permissions. Fix permission + issues resulting from running with the build user. + * Separate out package and build lints + * Add json tags to melange Configuration. + * Add python/test linter + * util: drop Dedup in favor of golang.org/x/exp/slices.Compact + * sca: fix compile by moving a few things around + * sca: move analyzer invocation into Analyze() function + * sca: implement abstract interface between build engine and sca + engine + * sca: pass FS into dependency generators rather than creating it + on demand + * sca: move out of package.go into sca.go as a first pass + * Rename Python linters to python/* + * readlinkfs: ignore security.selinux xattrs + * Add Python docs linter + * SCA: add python dependency generator + * linter: refactor check block generation in tests + * Improve linter diagnostic output + * Add GID/UID remapping to improve permissions. Fix permission + issues resulting from running with the build user. + * build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 + * Fixups + * Handle .so files a little smarter + * Ignore all packages starting with _ + * build(deps): bump google.golang.org/api from 0.147.0 to 0.148.0 + * build(deps): bump k8s.io/client-go from 0.28.2 to 0.28.3 + * build(deps): bump github.com/klauspost/compress from 1.17.1 to + 1.17.2 + * build(deps): bump chainguard.dev/apko + * build(deps): bump actions/checkout from 4.1.0 to 4.1.1 + * Centralize SOURCE_DATE_EPOCH parsing. + * Run go fmt + * Exclude docs + * Exclude tests + * drop sync-issues-to-project-board.yaml not used anymore + * Exclude more files from Python multiple package linter + * Improve filtering and diagnostics + * Use the correct path for Python. + * Add multiple Python packages post-linter + * pipelines: add npm-install pipeline + * replace the fetch python url to more friendly URI + * Silence the linter + * Make empty linter work by disregarding directories and SBOM in + package linting + * Really shut up docs linter + * Docs changes/consistency fixes + * Document melange lint + * Module updates + * Resolve circular import + * Small fix + * Update go-apk dep + * Remove redundant package + * Update pkg/config/config.go + * Add basic test for APK linting + * Document the release steps. + * melange bump: move the reset / bump epoch logic up and inline + version + * melange bump: only reset the epoch if version changes, else + increment it + * Add APK linting. + * document full-version, add pointer to docs. + * Fix Typo + +------------------------------------------------------------------- +Thu Oct 19 05:46:49 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.5.1: + * build(deps): bump github.com/klauspost/compress from 1.17.0 to + 1.17.1 + * build(deps): bump google.golang.org/api from 0.146.0 to 0.147.0 + * build(deps): bump github.com/lima-vm/lima from 0.17.2 to 0.18.0 + * build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 + * Fix a bug where substitutions were not done for runtime. + * linter: fix a typo in package linting function + * build(deps): bump google.golang.org/api from 0.143.0 to 0.146.0 + * go mod tidy to shut up linter + * Small cleanup + * Add function to lint APK files. + * build(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0 + * build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 + * Extricate config stuff from linter. + * build(deps): bump sigs.k8s.io/release-utils + * fix release url path + * update deprecated fields + * update with 0.5.0 changes + * Track vendored deps for .PKGINFO + +------------------------------------------------------------------- +Sat Oct 14 06:40:13 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.5.0: + * Enable linters to warn (via callback) instead of just failing. + * build(deps): bump github.com/package-url/packageurl-go + * build(deps): bump go.opentelemetry.io/otel from 1.18.0 to + 1.19.0 + * Add a PR checklist to melange. + * Fix yaml typo in linter docs + * nit: fix mistake in function docs + * Apply suggestions from code review + * Document disabling lints and when to do so. + * Update linter docs + * strip linter: properly close file + * Make improvements/suggestions + * Add stripped file linter + * update alpine-go to latest git to fix indexing + * pipelines: strip: use -g by default when stripping + * build(deps): bump google.golang.org/api from 0.142.0 to 0.143.0 + * do not delete extensions and plugins with ruby/clean + * build(deps): bump k8s.io/api from 0.28.1 to 0.28.2 + * build(deps): bump google.golang.org/api from 0.138.0 to 0.142.0 + * build(deps): bump k8s.io/client-go from 0.28.1 to 0.28.2 + * build(deps): bump github.com/opencontainers/image-spec + * build(deps): bump github.com/docker/docker + * build(deps): bump cloud.google.com/go/storage from 1.32.0 to + 1.33.0 + * build(deps): bump github.com/klauspost/compress from 1.16.7 to + 1.17.0 + * build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 + * build(deps): bump actions/checkout from 4.0.0 to 4.1.0 + * add docs for -compat packages + * Disable empty check on git-checkout + * build: refactor package linter invocation + * Refactor the linter into a submodule. + * Remove no provides check per @kaniini + * Respect subpackage no-provides + * Add post-file walk linting and empty package linting + * exa is dead, use mdbook as a rust CI test instead. + * bump apko to e9722fc + * build: do not run linters on skipped subpackages + * linter: when subpackages are linted use the subpackage name as + the package config name + * Only run worldwrite linter on regular files + * Add worldwrite linter + * Add dev, opt, and srv linters + * fix the arch + * Use Warnf over WARNING + * log and continue when .pc file can't be loaded + * fix the dir name as we already expect dir to be set explicit + * Disable linters on -compat packages + * Update build.yaml + * add goreleaser pipeline + * Unexport linter struct and linterFunc + * Don't export the linter map + * Add tests + * build(deps): bump sigstore/cosign-installer from 3.1.1 to 3.1.2 + * Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 + * Bump docker/login-action from 2.2.0 to 3.0.0 + * chore: remove CODEOWNERS file + * Add more linters + * Appease golint + * Fix tests + * Remove debugging print statement + * Implement subpackage linting + * Add package (but not subpackage) linting + * build(deps): bump golangci/golangci-lint-action from 3.6.0 to + 3.7.0 + * Update golangci-lint to 1.54 + * git-checkout: Allow tags to matched annotated tag SHAs, don't + allow fuzzy matching of refs. + * build(deps): bump actions/checkout from 3.5.3 to 4.0.0 + * Bump k8s test workflows to Go 1.21 + * Bump go to 1.21 + * pipeline: fix downward propagation to referenced external + pipeline nodes + * config: tests: add workdir propagation test + * remove cmake. Signed-off-by: Ville Aikas + + * forgot to remove one -dev + * Remove specifying the php-dev version. + * Add pecl pipelines for phpize & install. Signed-off-by: Ville + Aikas + * package: only constrain library search paths for provides + entries + * Fix some python generation issues: + * Refactor application of pipeline variables to config and add + tests + * Pipeline: make env overrides work recursively + * Add environment var overriding to the pipeline. + * Bump goreleaser/goreleaser-action from 4.3.0 to 4.6.0 + * Bump actions/upload-artifact from 3.1.2 to 3.1.3 + * package: constrain library SCA to library search paths only + * Replace the elements of the subpackage + * construct the package.full-version in higher context than just + pipeline. + * docs: fix link in pkg/build/pipelines/README.md + * docs: add documentation for built-in pipelines + * document / examples for ${{package.full-version}} + Signed-off-by: Ville Aikas + * add ${{package.full-version}} = + ${{package.version}}-r${{package.epoch}} Signed-off-by: Ville + Aikas + * Changes from code review. + * config: copy all subpackage variables when doing a range + expansion + * feat: add output logs for the apkbuild converter + * Fix issue: #658 Signed-off-by: Ville Aikas + + * feat: add new Perl pipelines for install and clean + * package: just skip symlinks for now + * workflows: add ncurses to the presubmit test matrix + * package: dereference symlinks for aliased pkg-config modules + * Fix syntax in maven pipeline (and add test). + * more debug crap. Signed-off-by: Ville Aikas + + * remove debug crap. Signed-off-by: Ville Aikas + + * Environment is required, adjust the tests. + * Change GeneratedMelangeConfig to embed pkg/config/config + instead of redefining it. + * Change default python-version from 3.11 to 3. + * remove extra backtick. + * let's try again. + * update docs + * Bunch of lint fixes. No functional changes. + * Add a maven/configure-mirror pipeline to redirect to GCP. + * yikes, only 2 fatal lints... nice... + * update docs. + * Add flags for resolving git tags, release-monitoring + * Update pkg/build/pipelines/python/build-wheel.yaml + * Update pkg/build/pipelines/python/build-wheel.yaml + * add builtin pipelines for python + * update generated docs. Signed-off-by: Ville Aikas + + * remove unused vars. They do not have short form, so can use + this variant. Signed-off-by: Ville Aikas + + * Add --wolfi-defaults flag, clean up flag handling. + * readlinkfs: ignore some security-module specific xattrs + * feat: support --recurse-submodules in git clone + * Print the path to generated melange config. + * build(deps): bump go.opentelemetry.io/otel from 1.16.0 to + 1.17.0 + * build(deps): bump cloud.google.com/go/storage from 1.31.0 to + 1.32.0 + * build(deps): bump google.golang.org/api from 0.136.0 to 0.138.0 + * build(deps): bump k8s.io/api from 0.28.0 to 0.28.1 + * build(deps): bump github.com/lima-vm/lima from 0.17.0 to 0.17.2 + * build(deps): bump k8s.io/client-go from 0.28.0 to 0.28.1 + * Bump apko and fix everything I broke + * docs: typo in go-build example + * run make docs + * cli: index: add --signing-key, --source and --merge options + * default for github actions is bubblewwrap. + * update lint rule. + * Fix the links to commands, fix the URLs generated. + * sign: do not rename across device boundaries + * add --force option to recreate apk indexes with given + signatures + * pipelines: use ${{targets.contextdir}} where it makes sense + * pipeline: add ${{targets.package.foo}} expansions + * pipeline: add ${{targets.contextdir}}, representing the current + target dir + * Bump pkg-config again to actually pick up the openblas fix. + * Bump pkgconfig to pick up the openblas fix. + * feedback + verbiage from Erika. + * Set reasonable concurrency levels for pgzip + * appease linter + * support substitutions in provides lists + * Start of exhaustively documenting the build filele. + * plumb through SDE to EmitSignature + * add melange sign command, slightly refactor and make public the + signing methods + * add test for substituting needs.packages + * allow override go version for uses: go/build and go/install + * Support for setting context in .melange.k8s.yaml + * Add docs about custom pipelines, defining and using. + * build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 + * Teach melange about the forthcoming version-transform block + * doc and lint revisions (#598) + * build(deps): bump google.golang.org/api from 0.134.0 to 0.136.0 + * container: bubblewrap: do not defer closing files + * build(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0 + * build(deps): bump github.com/lima-vm/lima from 0.16.0 to 0.17.0 + * build(deps): bump github.com/google/go-containerregistry + * build: package: add pkgconf-based SCA to catalog SDKs which use + it + * Docstring typo fixes + * Docstring fixes + * Appease the go fmt Gods + * Test two var transforms at once + * Test var transforms on a basic level + * Add ${{build.arch}} as a possible variable in bump + * Make var transforms work in bump + * remove paralell test for TestKubernetesRunnerConfig + * add fail-fast to false + * update code running goimports + * add goimports + * publish brew formula during release + * update actions to use git hashes + * update golangci-lint to v1.53 series + * Adjust the var substitution stuff a bit + * Move var substitution stuff into config + * config: Change root to a pointer in the config struct, and add + an accessor + * renovate: update to use new config infrastructure + * build: Add root node to the config + * Appease the golangci-lint Gods + * build_test: fix tests in a better way + * Make all tests pass + * build: add parameter where one was missing + * build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to + 5.8.1 + * pipelines: meson/configure: explicitly invoke meson setup + action + * build(deps): bump github.com/docker/docker + * Refactor the config/logging stuff out of build + * build(deps): bump google.golang.org/api from 0.133.0 to 0.134.0 + * build(deps): bump github.com/docker/docker + * Several fixes to k8s runner. + * build(deps): bump github.com/klauspost/pgzip from 1.2.5 to + 1.2.6 + * build(deps): bump google.golang.org/api from 0.129.0 to 0.133.0 + * Remove `wget -q` from `fetch` + * add k8s runner config loading from envvars + * Log errors bundling, enable GGCR Warn/Progress logs + * Tweak the strip pipeline so that it never fails for deleted + files + * convert/python: check if release is found + * Make sure we log errors. + * Fix subpackage SBOM generation + * define constants for runners destination mount paths + * skip the cache mount for kubernetes runner builds + * Add more otel spans to k8s runner + * build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to + 5.8.0 + * build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4 + * Avoid using pargzip for compression + * add a retryable (tgz) fetcher for the k8s runner + * Pod names must be RFC1123 compliant + * Correct the variable name in the patch pipeline + * pipelines: git-checkout: harden variable expansions + * pipelines: patch: refactor series/patches handling + * pipelines: fetch: harden variable expansions + * add retries to a subset of k8s runner exec failures + * delete builder pod post build by default + * properly pass workspace env/volumes to k8s builder pods + * use go-apk.FullFS for retrieving builder workspaces + * Finally fix python convert tests. + * Comment python test. + * add dir option to ruby pipelines as not all gemspecs live in + the root folder + * fix containerID for lima when tarring up + * lima startup issues fixed + * pull in apko with fix for blank SOURCE_DATE_EPOCH + * Change git-checkout depth default to 1 + * workflows: wolfi-presubmit: use package/ instead of packages/ + for package names + * build: package: forcibly treat libc as a shared library + * docs: explain how build cache works practically + * Bump apko dep to pick up otel spans + * Fix failing test for env var wipeout + * Add failing test for env var wipeout + * add otel spans + * build(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 + * Remove use of deprecated WaitImmediate + * Add ! char to ignore. + * Add missing context propagation + * Rename index.Context to index.Index + * Rename Contexts to Builds + +------------------------------------------------------------------- +Sat Oct 14 06:38:30 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.4.0: + * build(deps): bump github.com/opencontainers/image-spec + * add release notes for Melange 0.4.0 + * build(deps): bump cloud.google.com/go/storage from 1.30.1 to + 1.31.0 + * build(deps): bump google.golang.org/api from 0.128.0 to 0.129.0 + * appease linter for now + * update apko to 0.9.0 + * build(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 + * some small UX improvements for k8s runner + * build(deps): bump github.com/package-url/packageurl-go + * update apko and go-apk to use pinned deps correctly + * build: scan subpackage pipelines for dependencies + * add a split/debug pipeline + * ensure bundles are rooted correctly + * build(deps): bump google.golang.org/api from 0.125.0 to 0.127.0 + * build(deps): bump actions/checkout from 3.5.2 to 3.5.3 + * add a kubernetes pod runner + * build(deps): bump docker/login-action from 2.1.0 to 2.2.0 + * build(deps): bump golangci/golangci-lint-action from 3.4.0 to + 3.6.0 + * build(deps): bump goreleaser/goreleaser-action from 4.2.0 to + 4.3.0 + * add strip prefix and suffix update config for release monitor + * import apko and go-apk with better debug logging + * Switch from calling Glob to two Stats + * workflows: add wolfi-presubmit + * cli: build: fix destination variable for --apk-cache-dir + * build: PopulateCache: do not populate the cache dir when it is + empty + * fix apk caching directory + * import apko and go-apk with package caching + * Change the default for delete to false. + * pipeline: fetch: optionally delete fetched artifacts after + unpacking + * cond: allow underscores and capitalization in variable + expressions + * run tests with race detector + * warn and fallback to SOURCE_DATE_EPOCH=0 when specified but + empty + * index: use deep copy when loading pre-existing index data + * build(deps): bump github.com/lima-vm/lima from 0.14.2 to 0.16.0 + * build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 + * index: appease linter by moving the deferred close to after the + error check + * build(deps): bump github.com/containerd/containerd from 1.6.15 + to 1.6.18 + * build: generate APKINDEX.json when writing packages index + * index: add WriteJSONIndex function + * index: split out the indexing logic itself to UpdateIndex + * index: WriteArchiveIndex: use destination file path as primary + input + * index: use SourceIndexFile for loading index data rather than + IndexFile + * index: factor out loading of pre-existent indices and index + state management + * index: factor out index writing into WriteArchiveIndex + * Bump apko and fix what that breaks + * add wolfictl + * upgrade alpine-lima to 3.18 + * Allow uppercase and plus, allow numbers as first char + * Validate configuration at the end of parsing + * Remove secfixes and advisories altogether + * include filename when parsing fails + * Require that build config YAML has only known fields + * Refactor tests for configuration load method + * build(deps): bump google.golang.org/api from 0.119.0 to 0.123.0 + * readlinkfs: implement go-apk fs.XattrFS interfaces + * Pull in the latest go-apk for xattrs support + * build(deps): bump github.com/docker/docker + * Pull in index builddate support. + * Install should first build melange binary... + * Make makefile work on Mac and Linux. + * build(deps): bump sigstore/cosign-installer from 3.0.2 to 3.0.5 + * add a boolean so built in melange pipelines can be used in + subpackages as they need to write to a different target folder + * ensure range data replaces `with` options during a pipeline + * Update README.md + * Update distroless references + * default for mac is docker, not bwrap + * add extra logging when runner fails to TestUsability + * Add go vendor support to the go build pipeline. + * add multiple runner options + * use latest version of melange in lima configuration file + * Set `builddate` in our `.PKGINFO` control data. + * add field docs + * build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 + * pipelines: patch: add support for quilt patch-series files + * Add an optional "deps" paramter to the go/build pipeline. + * chore: signing issues + * chore: corrections in mac instructions + * chore: corrections in mac instructions + * build: package: skip SONAME analysis when ELF interpreter + setting is present + * Add trimpath to the go pipeline. + * update docs + * build: add support for configurable logging policies + * Add name method to build config + * build(deps): bump gitlab.alpinelinux.org/alpine/go + * move signing funcs to rely on external go-apk library + * use go-apk library instead of apko + * update alpine-go to include replaces hotfix + * simplify DataItems to use the builtin marshallable map type + * add `ignore-regex-patterns` update config to indicate you want + to ignore string patterns that match an upstream version + * add a strip-suffix: key to melange update struct to indicate + stripping a suffix from an upstream GitHub version + * bump to latest apko which handles file overwrites + * cli: build: warn when no work to do instead of throwing an + error + * build(deps): bump github.com/docker/docker + * upgrade apko to 20230421 snapshot + * build(deps): bump google.golang.org/api from 0.116.0 to 0.119.0 + * build: update tests to use apko log.Logger + * build: use apko_log.Logger everywhere + * build: logger: conform to apko_log.Logger shape + * adapt to new apko logging framework + * update apko dependency to 20230420 snapshot + * update apko dependency to 20230419 snapshot + * config parsing: fix handling of filesystems + * bump test: fix panic by requiring no error + * Stop repeating errors on build command + * build(deps): bump actions/checkout from 3.5.0 to 3.5.2 + * fix 403 error when melange bumping some packages, + https://www.netfilter.org for example needs it + * update apko to 20230413 snapshot + * Print full uri to debug file download errors + * Do not depend on concrete logger + * pipelines: autoconf/make-install: delete all GNU libtool + metadata files + * remove flawed test + * build: package: append subpackages to build log + * Use formatted YAML encoder from yam + * build: readlinkfs: chase apko ReadlinkFS API break + * upgrade apko snapshot to 20230411 + * build(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 + * build(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.2 + * go mod tidy again + * index: convert to using logrus + * build: package: use logrus.Entry for logging + * update apko for formatting fixes + * build: remove actualArchs variable, no longer used + * fix tests + * container: use warning level for stderr output + * pipeline: downgrade dumpWith() to use debug level + * switch to using logrus + * update to apko git + * feat: send useragent in HTTP requests + * export mutate functions as these are very useful to be called + outside of the build package + * warn if target-architecture:['all'], remove from examples + * feat: respect target-architecture to filter archs + * index: rework architecture filtering + * update docs + * build(deps): bump actions/add-to-project from 0.4.1 to 0.5.0 + * cli: index: add --arch flag + * index: print warning and skip packages which do not match the + expected architecture + * index: add ExpectedArch to index.Context + * add a `update.manual:` key to indicate a package should be + manually updated + * fix: log package new names+versions when regenerating index + * make original test commit sha different from the new expected + sha to ensure test works + * melange bump: optional flag to modify git-checkout pipeline + expected-commit value + * Bump apko to pick up busybox detection fix. + * Fix goreleaser cosign flags + * package: allow any library which has a SONAME to be a provider + * build: fix SBOM language gathering for subpackage pipelines + * package: ensure the package output directories always exist for + scanning + * build: introduce Context.IsBuildLess and skip a lot of + setup/teardown for buildless packages + * build: allow a package to be defined without a pipeline + * Add darwin goreleaser target (macOS) + * fix build + * release image after the binary + * update makefile + * cleanup goreleaser and ko config + * clean up, update version comments for ci jobs + * upgrade to use go1.20 + * upgrade alpine pkgs lima + +------------------------------------------------------------------- +Mon Apr 03 12:43:01 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.3.2: + * Fix goreleaser cosign flags, add NEWS for melange 0.3.2 + * add NEWS for melange 0.3.1 + * package: allow any library which has a SONAME to be a provider + * Add darwin goreleaser target (macOS) + * update NEWS for melange 0.3.0. + * update to apko 0.7.3 release + * pipelines: fetch: use wget quiet mode + * build: check for signing key existence before using it + * build: package: do not add interpreter dependency when + no-depends option is enabled + * docs: fix baseurl for melange reference in generated docs + * directly parse configuration for query + * add query and package-version commands + * build: use realpath to determine cache dir bindmount source + * refresh docs for --cache-source + * cli: add --cache-source option + * build: use CacheSource to define the bucket to pull cached + sources from + * build: change default cache directory to ./melange-cache + * build: add CacheSource option to context + * Hookup user and accounts in the environment. + * build(deps): bump cloud.google.com/go/storage from 1.30.0 to + 1.30.1 + * build(deps): bump google.golang.org/api from 0.113.0 to 0.114.0 + * build(deps): bump actions/checkout from 3.3.0 to 3.5.0 + * refresh docs + * cli: build: add --debug flag + * build: pipeline: if Context.Debug is enabled, add set -x to all + pipelines + * build: add Debug option to Context + * build: use cond.Subst instead of replacers + * cond: subst: variable names can have dashes + * cond: subst: add goparsify-based variable substitution + implementation + * cond: parser: test: add variable lookup with whitespace test + * parser: use newer fork of goparsify + * add codeowners + * add Update struct for identifying how a melange package can be + updated + * add `var-transforms` for manipulation of variables using + regular expressions + * pipelines: git-checkout: use tempdir for doing the initial + clone + * pipelines: git-checkout: mark clone directory as a safe + directory for git + * update ruby pipelines with usability features + * add an optional flag to generate a packages.log containing list + of packages + subpackages that were actuall built by `melange + build` + * Try to fix a strange index generation bug. + * build(deps): bump actions/setup-go from 3.5.0 to 4.0.0 + * container: fixes to handle /sbin/ldconfig not being present, + e.g. on musl + * container: run ldconfig when bringing up a build environment + * update to latest apko git + * build(deps): bump google.golang.org/api from 0.111.0 to 0.113.0 + * build(deps): bump cloud.google.com/go/storage from 1.29.0 to + 1.30.0 + * update apko to latest git + * pipeline: only run mkdir -p if absolutely needed + * build(deps): bump github.com/go-git/go-git/v5 from 5.6.0 to + 5.6.1 + * update docs + * run go mod tidy + * pkg: convert: fix tests to use upstream ImageContents type + * build: package: use internal readlinkFS, old apko fs package + was deprecated + * build: add minimal internal readlinkfs implementation + * convert: use upstream ImageContents type, added in apko 0.7.0 + * build: use normal os.DirFS for filesystem walking + * upgrade to apko 0.7.2 git + * build: remove --use-proot option + * lint + * move convert related packages under convert as subpackages + * container: bubblewrap runner: use --new-session to mitigate + CVE-2017-5226 + * autoconf: always define the GNU host and build triplets in + configure step + * update docs + * add more context for the experimental commands + * add shell completion and move common flags to top level + * move wolfios to its own package + * add same convert options to higher leve + * fix lint and tests + * fix tests + * add convert subcommand + * docs: ensure docs are up to date in CI + * add melange docs + * change --out-dir to not depend on cwd + * accept dependabot's GPG key for commit signing CI check + * package: only use base soname when generating runtime + dependencies across symlinks + * build(deps): bump github.com/stretchr/testify from 1.8.1 to + 1.8.2 + * add omitempty to some fields + * build(deps): bump google.golang.org/api from 0.110.0 to 0.111.0 + * build(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to + 5.6.0 + * build(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 + * remove self-provided dependencies from the runtime dependency + set + * build(deps): bump github.com/openvex/go-vex + * build: package: dereference symlinks across packages and read + the real DT_SONAME instead of guessing + * build: configuration: add support for variable substitution in + more places + * apply refactoring suggestions from go linter + * build: also apply if-conditionals when generating the package + index + * build: also apply subpkg if-conditionals when emitting packages + and SBOMs + * examples: add example outlining the new option-related features + * build: implement if-conditionals for subpackages + * build: pipeline: add option enabled variables + * build: build option: patch the variables and environment + configuration + * build: use BuildOption.Apply to apply configuration patches + from build options + * build: build_option: add Apply stub + * cli: build: add --build-option to configure the enabled build + options + * build: add WithEnabledBuildOptions context option + * build: add BuildOptions map to Configuration + * build: add BuildOption types + * package: ensure we are operating only on a basename when + generating symlink deps + * package: detect shared library dependencies for .so symlinks + * build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 + * build(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 + * Add ruby pipelines for gem install, build and clean + * build: package: add support for defining "replaces" + relationships + * package: findInterpreter: chop trailing nul from interpBuf + * package: deal with musl interpreter being a symlink back to + itself + * package: ensure PT_INTERP is always added as an explicit + dependency + * build(deps): bump github.com/docker/docker + * build(deps): bump github.com/joho/godotenv from 1.4.0 to 1.5.1 + * build(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 + * build(deps): bump github.com/docker/docker + * git-checkout: fix tags + * use merge option to speed up apkindex generation when build + * just warn if no branch or tag specified + * build(deps): bump goreleaser/goreleaser-action from 4.1.0 to + 4.2.0 + * build(deps): bump github.com/google/go-containerregistry + * Revert "Generate build environment SBOM" + * add expected-commit to git-checkout + * Update README to mention wolfi. + * cli: add --vars-file option to support loading build variables + from an external source + * build: add WithVarsFile and WithVarsFileForParsing options + * examples: add variable substitution example + * pipeline: handle ${{vars}} block as expected + * build: add variables block to build configuration struct + * build(deps): bump cloud.google.com/go/storage from 1.28.1 to + 1.29.0 + * examples: add working-directory example + * pipeline: ensure the working-directory is created before using + it + * pipeline: propagate WorkDir to subpipelines + * pipeline: set working directory when evaluating pipeline "runs" + entries + * build: add Pipeline.WorkDir definition + * build(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 + * build(deps): bump github.com/docker/docker + * build(deps): bump golangci/golangci-lint-action from 3.3.1 to + 3.4.0 + * go mod tidy to drop chainguard/vex + * Switch VEX dependency to openvex + * allow provider priority to be configured + * build(deps): bump google.golang.org/api from 0.106.0 to 0.107.0 + * Wire logger from SBOM generator to impl + * Escape invalid identifier chars + * Fix build sbom name in subpackages + * Fix bug where package verification was wrong + * build sbom: Add relationships to produced SBOMs + * Update protobom to support dl location + * Build SBOM: Generate package with apks + * Trigger build SBOM generation, reuse write + * Passs guest directory to sbom spec + * Refactor SBOM spec for reuse + * Add ReadPackageIndex to gen implementation + * Add GenerateBuildEnvSBOM fn to SBOM generator + * Update Lima link + * update apko dependency to latest + * bump apko dependency + * pipelines: autoconf/configure: fix sysconfdir + * upgrade apko dependency to latest git + * build(deps): bump github.com/go-git/go-git/v5 from 5.5.1 to + 5.5.2 + * build(deps): bump google.golang.org/api from 0.105.0 to 0.106.0 + * build(deps): bump actions/checkout from 3.2.0 to 3.3.0 + * bump apko to latest git again for keyring fix + * fix typo + * index gen: Add loop throttle, mutex + * close lingering file descriptor + * sbom: handle spdxPkg.VerificationCode being a pointer in apko + git + * chase PublishImageFromLayer API change in apko + * update apko dependency to latest git for armv6/armv7 triplet + fixes + * go/install: also require git (#239) + * use lima to use melange on mac + * Advisories: Require pkg version for fixed status (#237) + * Parallel processing of packages. + * Make packageurl-go import direct + * add --namespace option to build subcommand + * SBOM: Generate purls for built packages + * Add namespace and arch fields to SBOM spec + * Drop distro qualifier from purls + * Add Go pipelines documentation + * Revamp go examples to use both pipleines + * New go/install pipeline + * go/build: Support changing module root + * Bump vex (#231) + * Remove extra field + * Add advisories and purls + * Export functionality for config parsing (#229) + * Apko devenv README + * Melange development environment + +------------------------------------------------------------------- +Sun Mar 19 14:09:23 UTC 2023 - Johannes Kastl + +- new package melange: Build APKs from source code diff --git a/melange.obsinfo b/melange.obsinfo new file mode 100644 index 0000000..b07d3b7 --- /dev/null +++ b/melange.obsinfo @@ -0,0 +1,4 @@ +name: melange +version: 0.10.0 +mtime: 1719424159 +commit: b967cbf5d7b2ae37da9a54829f51f7383e5289be diff --git a/melange.spec b/melange.spec new file mode 100644 index 0000000..8374509 --- /dev/null +++ b/melange.spec @@ -0,0 +1,121 @@ +# +# spec file for package melange +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define __arch_install_post export NO_BRP_STRIP_DEBUG=true + +Name: melange +Version: 0.10.0 +Release: 0 +Summary: Build APKs from source code +License: Apache-2.0 +URL: https://github.com/chainguard-dev/melange +Source: melange-%{version}.tar.gz +Source1: vendor.tar.gz +BuildRequires: go >= 1.22 + +%description +Build apk packages using declarative pipelines. + +Commonly used to provide custom packages for container images built with apko. The majority of apks are built for use with either the Wolfi or Alpine Linux ecosystems. + +Key features: + +* Pipeline-oriented builds. Every step of the build pipeline is defined and controlled by you, unlike traditional package managers which have distinct phases. +* Multi-architecture by default. QEMU is used to emulate various architectures, avoiding the need for cross-compilation steps. + +%package -n %{name}-bash-completion +Summary: Bash Completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Supplements: (%{name} and bash-completion) +BuildArch: noarch + +%description -n %{name}-bash-completion +Bash command line completion support for %{name}. + +%package -n %{name}-fish-completion +Summary: Fish Completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Supplements: (%{name} and fish) +BuildArch: noarch + +%description -n %{name}-fish-completion +Fish command line completion support for %{name}. + +%package -n %{name}-zsh-completion +Summary: Zsh Completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Supplements: (%{name} and zsh) +BuildArch: noarch + +%description -n %{name}-zsh-completion +zsh command line completion support for %{name}. + +%prep +%autosetup -p 1 -a 1 + +%build +DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ" +BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u "${DATE_FMT}") +go build \ + -mod=vendor \ + -buildmode=pie \ + -ldflags="-X sigs.k8s.io/release-utils/version.gitVersion=%{version} \ + -X sigs.k8s.io/release-utils/version.gitCommit=v%{version} \ + -X sigs.k8s.io/release-utils/version.gitTreeState=clean \ + -X sigs.k8s.io/release-utils/version.buildDate=$BUILD_DATE" \ + -o bin/melange ./ + +%install +# Install the binary. +install -D -m 0755 bin/%{name} "%{buildroot}/%{_bindir}/%{name}" + +# create the bash completion file +mkdir -p %{buildroot}%{_datarootdir}/bash-completion/completions/ +%{buildroot}/%{_bindir}/%{name} completion bash > %{buildroot}%{_datarootdir}/bash-completion/completions/%{name} + +# create the fish completion file +mkdir -p %{buildroot}%{_datarootdir}/fish/vendor_completions.d/ +%{buildroot}/%{_bindir}/%{name} completion fish > %{buildroot}%{_datarootdir}/fish/vendor_completions.d/%{name}.fish + +# create the zsh completion file +mkdir -p %{buildroot}%{_datarootdir}/zsh_completion.d/ +%{buildroot}/%{_bindir}/%{name} completion zsh > %{buildroot}%{_datarootdir}/zsh_completion.d/_%{name} + +%files +%doc README.md +%license LICENSE +%{_bindir}/%{name} + +%files -n %{name}-bash-completion +%dir %{_datarootdir}/bash-completion/completions/ +%{_datarootdir}/bash-completion/completions/%{name} + +%files -n %{name}-fish-completion +%dir %{_datarootdir}/fish +%dir %{_datarootdir}/fish/vendor_completions.d +%{_datarootdir}/fish/vendor_completions.d/%{name}.fish + +%files -n %{name}-zsh-completion +%defattr(-,root,root) +%dir %{_datarootdir}/zsh_completion.d/ +%{_datarootdir}/zsh_completion.d/_%{name} + +%changelog diff --git a/vendor.tar.gz b/vendor.tar.gz new file mode 100644 index 0000000..d359bbf --- /dev/null +++ b/vendor.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:39a26d38ce4b575b4dc53b52e7acb7e34a20b33fd667474d336361b3c1a8dbad +size 9688627