-------------------------------------------------------------------
Wed May 22 19:38:50 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.8.1:
  * Avoid panic if no external config file ref
  * Verify wolfictl scan works
  * github: Fixup melange configfile test case
  * sbom: add support for generic git-checkout urls
  * github: add SBOM external ref checks
  * sbom: add external ref ConfigFile itself
  * lint
  * externalRefs: implement github git-checkout
  * Generate fully qualified and normalized PURLs straight away
  * Style review comments
  * sbom: include external refs for fetched tarballs in SPDX

-------------------------------------------------------------------
Wed May 22 17:35:58 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.8.0:
  * Fix typo in README
  * build(deps): bump actions/checkout from 4.1.4 to 4.1.6
  * generate
  * gofmt
  * upgrade to new apko
  * Fix camel-case after review
  * kill k8s e2e test
  * delete k8s runner impl
  * copyright: allow custom license texts
  * go.mod: upgrade everything
  * build(deps): bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0
  * build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1

-------------------------------------------------------------------
Tue May 14 19:35:43 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.7.0:
  * Find shbangs to generate depends by @smoser in #1110
  * presubmit: remove gdk-pixbuf by @imjasonh in #1143
  * Revert "presubmit: remove gdk-pixbuf" by @imjasonh in #1147
  * verify SPDX SBOMs using spdx-tools-java by @imjasonh in #1146
  * Fix sca detection case for env with multiple arguments. by @dlorenc in #1148
  * Update shbang collection to ignore 'python' and support simple 'env -S'.
    by @smoser in #1159
  * ensure shbang check only checks valid shbangs by @joshrwolf in #1160
  * config: allow scriptlets in subpackages with range replacements by @xnox in #1165
  * Drop -release from pc versions by @jonjohnsonjr in #1173
  * fix(cargo): Install all built binaries if output isn't defined by @EyeCantCU in #1174
  * sbom: set supplier in addition to originator by @imjasonh in #1184
  * Add melange scan by @jonjohnsonjr in #1175
  * Bump go-apk by @jonjohnsonjr in #1185
  * add global --gcplog flag to emit GCP-compatible JSON logs by @imjasonh in #1186
  * pipelines/go: add back symbols tables by @xnox in #1142
  * Only consider that are in a PATH dir from generateCmdProviders by @smoser in #1164
  * Allow symlinks to provide cmd: by @smoser in #1188
  * Extract melange sign to a library by @tcnghia in #1198
  * Revert "Allow symlinks to provide cmd:" by @joshrwolf in #1200
  * Bump apko by @jonjohnsonjr in #1201
  * Make unit tests faster by @jonjohnsonjr in #1202
  * Add buildmode to go/build by @jonjohnsonjr in #1210
  * lots of updates for build dependencies

-------------------------------------------------------------------
Tue Apr 09 06:26:37 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.11:
  * build(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0
  * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  * build(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0
  * build(deps): bump go.opentelemetry.io/otel/sdk from 1.24.0 to 1.25.0
  * build(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1
  * build(deps): bump github.com/chainguard-dev/yam from 0.0.2 to 0.0.3
  * bump docker
  * build(deps): bump dagger.io/dagger from 0.10.2 to 0.11.0
  * build(deps): bump cloud.google.com/go/storage from 1.39.1 to 1.40.0
  * Ensure configuration file is closed
  * sca: add go-fips-bin runtime deps
  * sca: add go-fips-bin test case
  * build(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0
  * build(deps): bump google.golang.org/api from 0.171.0 to
    0.172.0

-------------------------------------------------------------------
Sat Mar 30 10:14:00 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.10:
  * chore: CRAN -> R
  * docs(cran): Add build pipeline
  * fix(cran): Support passing source dir as package
  * chore(cran): Remove (now known) redundant fetch/install pipelines
  * feat(pipelines): Add support for fetching, building, and installing R packages from CRAN
  * Change dependency for python to be python-Maj.Min-base.
  * build(deps): bump google.golang.org/api from 0.170.0 to 0.171.0
  * build(deps): bump github.com/docker/cli
  * build(deps): bump github.com/charmbracelet/log
  * skip mounting resolv.conf for the docker runner
  * build(deps): bump github.com/docker/docker
  * Propagate user from image configuration
  * build(deps): bump cloud.google.com/go/storage from 1.39.0 to 1.39.1
  * build(deps): bump github.com/google/go-containerregistry
  * build(deps): bump docker/login-action from 3.0.0 to 3.1.0
  * build(deps): bump actions/checkout from 4.1.1 to 4.1.2
  * build(deps): bump github.com/kubescape/go-git-url from 0.0.28 to 0.0.30
  * build(deps): bump google.golang.org/api from 0.169.0 to 0.170.0
  * build(deps): bump dagger.io/dagger from 0.10.1 to 0.10.2
  * Switch to new octo-sts action (#1088)
  * Move "executing:" logging to debug
  * Keep symbols tables for fips builds
  * Fix quotes
  * pipelines/go: prefer to use netgo and osusergo by default
  * pipelines/go/install: also trimpath like build
  * pipelines/go: Strip by default
  * pipelines/go: bump GOAMD64 to v2
  * pipelines/go: allow setting microarchitecture level settings
  * Update pkg/build/pipeline.go
  * open debug session in the specific workdir
  * Add Harden Runner audit configs
  * appease linter
  * build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.9.0 to 0.10.0
  * build(deps): bump google.golang.org/api from 0.168.0 to 0.169.0
  * build(deps): bump github.com/kubescape/go-git-url from 0.0.27 to 0.0.28
  * feat(pipelines): Add cargo build for rust packages
  * WIP:
    remove files from SBOM
  * Bump apko
  * document builtin substitutions
  * build(deps): bump gitlab.alpinelinux.org/alpine/go
  * fix test.environment jsonschema struct tag

-------------------------------------------------------------------
Sun Mar 17 08:04:49 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.9:
  * build(deps): bump google.golang.org/api from 0.166.0 to 0.168.0
  * build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0
  * build(deps): bump dagger.io/dagger from 0.9.10 to 0.10.1
  * Fix the bug in dropping the suffix.
  * Drop WaitDelay from bubblewrap
  * build(deps): bump actions/download-artifact from 4.1.2 to 4.1.4
  * build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0
  * build(deps): bump cloud.google.com/go/storage from 1.38.0 to 1.39.0

-------------------------------------------------------------------
Sun Mar 17 08:00:25 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.8:
  * Update pombump.yaml

-------------------------------------------------------------------
Sun Mar 17 07:51:04 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.7:
  * Rename the default bump file name.

-------------------------------------------------------------------
Sun Mar 17 07:45:18 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.6:
  * Add ${{cross.triplet.rust.[glibc,musl]}}
  * Add pombump pipeline.
-------------------------------------------------------------------
Sun Mar 17 07:35:28 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.5:
  * Fix resource usage in melange
  * Fix job control with interactive bubblewrap
  * build(deps): bump github.com/chainguard-dev/yam from 0.0.1 to 0.0.2
  * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  * build(deps): bump go.opentelemetry.io/otel/sdk from 1.23.1 to 1.24.0
  * build(deps): bump cloud.google.com/go/storage from 1.37.0 to 1.38.0
  * Bump apko
  * Fix typo in error message
  * build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1
  * build(deps): bump actions/download-artifact from 4.1.1 to 4.1.2
  * build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0

-------------------------------------------------------------------
Sat Feb 24 09:01:37 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.4:
  * Fix the yaml file so that it actually gets parsed properly.
  * Propagate SourceDateEpoch from Build

-------------------------------------------------------------------
Sat Feb 24 08:57:02 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.3:
  * Don't write APK to temp file during signing

-------------------------------------------------------------------
Tue Feb 20 20:40:47 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.2:
  * Add --package-append flag to build
  * apply package substitutions in test.environment.contents.packages
  * change docker runner labels
  * label containers created by docker runner for easier external management
  * Add a --trace flag to melange build
  * Add dagger runner

-------------------------------------------------------------------
Thu Feb 15 06:14:16 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.1:
  * omit arch log key when building one arch
  * Remove breakpoint labels
  * Clean up apko-temp dirs
  * Remove images even with cancelled ctx
  * Fix context.Background use
  * Allow substitutions
    in dependencies.replaces
  * doc: add diff pr
  * docs: add version-transform doc and other example to var-transform

-------------------------------------------------------------------
Sat Feb 10 07:07:57 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.6.0:
  * Split pkg/container up into smaller packages
  * Mostly fix interactive interrupt signal handling
  * Do more cleanup with --rm
  * Continue interactive execution on exit 0
  * go fmt
  * update dario/mergo
  * move runner determination to pkg/cli
  * Make debugging melange builds less terrible
  * fix go-build example
  * Make it easier to find docs-repo on ci failure

-------------------------------------------------------------------
Thu Feb 08 20:06:17 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.5.10:
  * Add --die-with-parent to bwrap flags
  * fix bug with needs
  * move some logs to debug
  * Update build.yaml
  * Update install.yaml
  * Add GOEXPERIMENT to go/build

-------------------------------------------------------------------
Wed Feb 07 07:34:17 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.5.9:
  * use apko@main
  * WIP: use charm logger
  * Add WaitDelay to bubblewrap cmd
  * Split options into separate files
  * Cancel context on interrupt signal
  * build(deps): bump github.com/docker/docker
  * build(deps): bump cloud.google.com/go/storage from 1.36.0 to 1.37.0
  * build(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0

-------------------------------------------------------------------
Tue Feb 06 17:36:29 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.5.8:
  * Add --rm flag (and options) to Build
  * Respond to cancelled context while streaming logs
  * Don't use goroutines for monitoring logs
  * If arch is not specified, test all.
  * Add Close() method to container runners
  * use slogtest
  * eliminate some more logger invocations
  * Fix race condition in log monitoring
  * Exclude "com.docker.grpcfuse.ownership" xattr

-------------------------------------------------------------------
Sat Feb 03 17:40:41 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.5.7:
  * Pass the correct env.env to the container.
  * test: skip when executing on an unsupported arch
  * melange bump: only update expected commit shas for the main git-checkout
  * stop logging tons of "detected git commit for build configuration" when parsing melange config
  * Embed melange version in .PKGINFO
  * Fix missing no-depends check
  * build(deps): bump google.golang.org/api from 0.154.0 to 0.161.0
  * build(deps): bump github.com/kubescape/go-git-url from 0.0.26 to 0.0.27
  * build(deps): bump github.com/chainguard-dev/yam
  * Bump apko to v0.14.0
  * Update CODE_OF_CONDUCT.md
  * Update CODE_OF_CONDUCT.md
  * Switch to octo-sts-action (#968)
  * build(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0
  * warn on invalid license, log SCA findings
  * unexport some methods in pkg/sbom
  * Fix aws-c-s3 SCA
  * Don't include libexec directories in SCA includes
  * tidy
  * drop the lima runner
  * Take advantage of Octo STS to publish homebrew updates. (#956)
  * Pin to digest for setup-go in melange
  * build(deps): bump actions/download-artifact from 4.1.0 to 4.1.1

-------------------------------------------------------------------
Tue Jan 23 18:00:07 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.5.6:
  * sort with key/values
  * Fail if unknown variable is used in substitution
  * revert simple-hello, keep it alpine
  * fix simple-hello again
  * fix simple-hello
  * fix wolfi e2e test
  * also test wolfi built packages
  * update examples
  * migrate examples to wolfi
  * add e2e test that packages can be installed with apk
  * Audit the permissions of workflows.
  * Add test for vendored pkgconfig
  * Make "unable to detect git commit" a debug message
  * Allow vendored pkgconfig deps
  * make docs-repo
  * update
  * use apko@main
  * drop pkg/logger and use slog
  * Allow execable shared objects if name has ".so."
  * Fix sbom loopvar issue
  * Make BuildGuest more similar for Build and Test
  * Use errgroup over github.com/korovkin/limiter
  * Replace packages in APKINDEX with same version
  * Remove some more struct mutating and shadowing
  * Drop mutable imgRef from build.Build
  * Move more mutations into parameters
  * Take an fs as an argument to RetrieveWorkspace
  * Add a test
  * Convert some sca code to early return style
  * build(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7
  * move test pipelines to where others are. Remove unnecessary test packages.
  * Add python/import test pipeline, as well as e2e tests for python test pipelines.
  * how many ways can I really screw this one up...
  * Try James suggestion.
  * Fix the filenames.
  * try with explicit false.
  * maybe missing a space?
  * Add --test-package-append that you can specify extra test packages for each test.
  * move the comment
  * meson/configure: don't download subprojects by default
  * Add a python/test pipeline.
  * Bypass warning about detached head
  * add `*_config` pattern to split/dev pipeline

-------------------------------------------------------------------
Sun Jan 07 18:08:16 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.5.5:
  * build(deps): bump github.com/google/go-containerregistry
  * bump upload/download github actions
  * build(deps): bump google.golang.org/api from 0.152.0 to 0.154.0
  * build(deps): bump github.com/lima-vm/lima from 0.18.0 to 0.19.1
  * build(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11
  * build(deps): bump github.com/go-git/go-git/v5 from 5.10.0 to 5.11.0
  * build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0
  * build(deps): bump cloud.google.com/go/storage from 1.35.1 to 1.36.0
  * convert: sort packages alphabetically
  * build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0
  * build(deps): bump actions/setup-go from 4 to 5
  * build(deps): bump github.com/kubescape/go-git-url from 0.0.25 to 0.0.26
  * Set a default env var for GOMODCACHE.
  * Pull in `go-apk` with `provider_priority` `ini` fix.
  * Mark update.manual as an optional field.
  * update release to add some clarification regarding the homebrew

-------------------------------------------------------------------
Tue Dec 05 06:06:45 UTC 2023 - kastl@b1-systems.de

- Update to version 0.5.4:
  * build(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0
  * build(deps): bump chainguard.dev/apko
  * build(deps): bump k8s.io/client-go from 0.28.3 to 0.28.4
  * schema: update for new test pipeline configuration
  * build(deps): bump github.com/klauspost/compress from 1.17.2 to 1.17.4
  * build(deps): bump google.golang.org/api from 0.150.0 to 0.152.0
  * fix issue
  * cleanup: don't use pkg/errors
  * fix bad merge.
  * Default to package.name, but allow overrides, add example docs for specifying which package, and version to test.
  * argh, fix typo.
  * Add tests, simplify code.
  * e2e tests for `test` command.
  * checkpoint.
  * Add test command / implementation.
  * alphabetize commands, add test.
  * Refactor so can be used with test and build.
  * config struct changes for test.
  * Add autogenerated 'test' docs.
  * make docs-repo
  * remove unnecessary wait for testing
  * support resource requests and timeouts
  * UTC-ify source date epoch when set
  * Fix capitalization of SBOM originators
  * Fix the lint warnings in pkg/linter
  * Fix lints, or ignore safe ones. No functional changes.
  * prefix should be /usr
  * Ensure jsonschema is kept up to date.
  * Add jsonschema generation binary.
  * build(deps): bump go.opentelemetry.io/otel from 1.20.0 to 1.21.0
  * build(deps): bump k8s.io/apimachinery from 0.28.3 to 0.28.4
  * build(deps): bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7
  * fix and continuously validate SBOMs
  * make docs-repo
  * default --use-github=true
  * fix docs
  * convert python: don't overwrite existing files
  * format manifests with yam
  * fix docs for --runner
  * improve 'melange convert python' to remove manual steps

-------------------------------------------------------------------
Thu Nov 16 14:23:15 UTC 2023 - kastl@b1-systems.de

- Update to version 0.5.3:
  * Update release.md
  * build(deps): bump golang.org/x/time from 0.3.0 to 0.4.0
  * pipelines: go/build: add support for go.mod overlay files
  * build(deps): bump cloud.google.com/go/storage from 1.33.0 to 1.35.1
  * go mod tidy
  * update go-apk dependency
  * build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0
  * build(deps): bump go.opentelemetry.io/otel from 1.19.0 to 1.20.0
  * apply substitutions to .environment.contents.packages
  * test runtime replacements
  * build(deps): bump github.com/sigstore/cosign/v2 from 2.2.0 to 2.2.1
  * build(deps): bump google.golang.org/api from 0.149.0 to 0.150.0
  * go mod tidy
  * use merged PR
  * update dep
  * use pushed PRs
  * WIP: use forked alpine-go in go-apk
  * move spammy logs to debugf

-------------------------------------------------------------------
Thu Nov 09 14:56:03 UTC 2023 - kastl@b1-systems.de

- Update to version 0.5.2:
  * Update
    pkg/config/config.go
  * GithubReleaseMonitor: add tagprefix and tagcontains to be used in github tags filtering
  * Plumb check configs through to linters
  * Delete no-op sbom code
  * remove unimplemented references to fulcio support
  * fail if 'with' is used with 'runs'
  * Error early if uses and runs are both present
  * Get rid of PackageContext and SubpackageContext
  * Remove impossible errors
  * Make loadUse test actually test something
  * Remove impossible errors
  * build: use util.Dedup instead of slices.Compact
  * util: bring back Dedup, slices.Collapse requires sorting
  * Bump go-apk
  * Filter out noise opening non-ELF files
  * Bump go-apk and use faster tarfs implementation
  * Add a test to ensure that ranges are handled properly.
  * Add linters for #805 and #804.
  * Refactor linting logic and clean things up
  * Add SBOM linter
  * build(deps): bump github.com/docker/docker
  * build(deps): bump chainguard.dev/apko
  * build(deps): bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6
  * Add GID/UID remapping to improve permissions. Fix permission issues resulting from running with the build user.
  * Separate out package and build lints
  * Add json tags to melange Configuration.
  * Add python/test linter
  * util: drop Dedup in favor of golang.org/x/exp/slices.Compact
  * sca: fix compile by moving a few things around
  * sca: move analyzer invocation into Analyze() function
  * sca: implement abstract interface between build engine and sca engine
  * sca: pass FS into dependency generators rather than creating it on demand
  * sca: move out of package.go into sca.go as a first pass
  * Rename Python linters to python/*
  * readlinkfs: ignore security.selinux xattrs
  * Add Python docs linter
  * SCA: add python dependency generator
  * linter: refactor check block generation in tests
  * Improve linter diagnostic output
  * Add GID/UID remapping to improve permissions. Fix permission issues resulting from running with the build user.
  * build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0
  * Fixups
  * Handle .so files a little smarter
  * Ignore all packages starting with _
  * build(deps): bump google.golang.org/api from 0.147.0 to 0.148.0
  * build(deps): bump k8s.io/client-go from 0.28.2 to 0.28.3
  * build(deps): bump github.com/klauspost/compress from 1.17.1 to 1.17.2
  * build(deps): bump chainguard.dev/apko
  * build(deps): bump actions/checkout from 4.1.0 to 4.1.1
  * Centralize SOURCE_DATE_EPOCH parsing.
  * Run go fmt
  * Exclude docs
  * Exclude tests
  * drop sync-issues-to-project-board.yaml not used anymore
  * Exclude more files from Python multiple package linter
  * Improve filtering and diagnostics
  * Use the correct path for Python.
  * Add multiple Python packages post-linter
  * pipelines: add npm-install pipeline
  * replace the fetch python url to more friendly URI
  * Silence the linter
  * Make empty linter work by disregarding directories and SBOM in package linting
  * Really shut up docs linter
  * Docs changes/consistency fixes
  * Document melange lint
  * Module updates
  * Resolve circular import
  * Small fix
  * Update go-apk dep
  * Remove redundant package
  * Update pkg/config/config.go
  * Add basic test for APK linting
  * Document the release steps.
  * melange bump: move the reset / bump epoch logic up and inline version
  * melange bump: only reset the epoch if version changes, else increment it
  * Add APK linting.
  * document full-version, add pointer to docs.
  * Fix Typo

-------------------------------------------------------------------
Thu Oct 19 05:46:49 UTC 2023 - kastl@b1-systems.de

- Update to version 0.5.1:
  * build(deps): bump github.com/klauspost/compress from 1.17.0 to 1.17.1
  * build(deps): bump google.golang.org/api from 0.146.0 to 0.147.0
  * build(deps): bump github.com/lima-vm/lima from 0.17.2 to 0.18.0
  * build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0
  * Fix a bug where substitutions were not done for runtime.
  * linter: fix a typo in package linting function
  * build(deps): bump google.golang.org/api from 0.143.0 to 0.146.0
  * go mod tidy to shut up linter
  * Small cleanup
  * Add function to lint APK files.
  * build(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0
  * build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0
  * Extricate config stuff from linter.
  * build(deps): bump sigs.k8s.io/release-utils
  * fix release url path
  * update deprecated fields
  * update with 0.5.0 changes
  * Track vendored deps for .PKGINFO

-------------------------------------------------------------------
Sat Oct 14 06:40:13 UTC 2023 - kastl@b1-systems.de

- Update to version 0.5.0:
  * Enable linters to warn (via callback) instead of just failing.
  * build(deps): bump github.com/package-url/packageurl-go
  * build(deps): bump go.opentelemetry.io/otel from 1.18.0 to 1.19.0
  * Add a PR checklist to melange.
  * Fix yaml typo in linter docs
  * nit: fix mistake in function docs
  * Apply suggestions from code review
  * Document disabling lints and when to do so.
  * Update linter docs
  * strip linter: properly close file
  * Make improvements/suggestions
  * Add stripped file linter
  * update alpine-go to latest git to fix indexing
  * pipelines: strip: use -g by default when stripping
  * build(deps): bump google.golang.org/api from 0.142.0 to 0.143.0
  * do not delete extensions and plugins with ruby/clean
  * build(deps): bump k8s.io/api from 0.28.1 to 0.28.2
  * build(deps): bump google.golang.org/api from 0.138.0 to 0.142.0
  * build(deps): bump k8s.io/client-go from 0.28.1 to 0.28.2
  * build(deps): bump github.com/opencontainers/image-spec
  * build(deps): bump github.com/docker/docker
  * build(deps): bump cloud.google.com/go/storage from 1.32.0 to 1.33.0
  * build(deps): bump github.com/klauspost/compress from 1.16.7 to 1.17.0
  * build(deps): bump actions/setup-go from 4.0.1 to 4.1.0
  * build(deps): bump actions/checkout from 4.0.0 to 4.1.0
  * add docs for -compat packages
  * Disable empty check on git-checkout
  * build: refactor package linter invocation
  * Refactor the linter into a submodule.
  * Remove no provides check per @kaniini
  * Respect subpackage no-provides
  * Add post-file walk linting and empty package linting
  * exa is dead, use mdbook as a rust CI test instead.
  * bump apko to e9722fc
  * build: do not run linters on skipped subpackages
  * linter: when subpackages are linted use the subpackage name as the package config name
  * Only run worldwrite linter on regular files
  * Add worldwrite linter
  * Add dev, opt, and srv linters
  * fix the arch
  * Use Warnf over WARNING
  * log and continue when .pc file can't be loaded
  * fix the dir name as we already expect dir to be set explicit
  * Disable linters on -compat packages
  * Update build.yaml
  * add goreleaser pipeline
  * Unexport linter struct and linterFunc
  * Don't export the linter map
  * Add tests
  * build(deps): bump sigstore/cosign-installer from 3.1.1 to 3.1.2
  * Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0
  * Bump docker/login-action from 2.2.0 to 3.0.0
  * chore: remove CODEOWNERS file
  * Add more linters
  * Appease golint
  * Fix tests
  * Remove debugging print statement
  * Implement subpackage linting
  * Add package (but not subpackage) linting
  * build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0
  * Update golangci-lint to 1.54
  * git-checkout: Allow tags to matched annotated tag SHAs, don't allow fuzzy matching of refs.
  * build(deps): bump actions/checkout from 3.5.3 to 4.0.0
  * Bump k8s test workflows to Go 1.21
  * Bump go to 1.21
  * pipeline: fix downward propagation to referenced external pipeline nodes
  * config: tests: add workdir propagation test
  * remove cmake. Signed-off-by: Ville Aikas
  * forgot to remove one -dev
  * Remove specifying the php-dev version.
  * Add pecl pipelines for phpize & install. Signed-off-by: Ville Aikas
  * package: only constrain library search paths for provides entries
  * Fix some python generation issues:
  * Refactor application of pipeline variables to config and add tests
  * Pipeline: make env overrides work recursively
  * Add environment var overriding to the pipeline.
  * Bump goreleaser/goreleaser-action from 4.3.0 to 4.6.0
  * Bump actions/upload-artifact from 3.1.2 to 3.1.3
  * package: constrain library SCA to library search paths only
  * Replace the elements of the subpackage
  * construct the package.full-version in higher context than just pipeline.
  * docs: fix link in pkg/build/pipelines/README.md
  * docs: add documentation for built-in pipelines
  * document / examples for ${{package.full-version}} Signed-off-by: Ville Aikas
  * add ${{package.full-version}} = ${{package.version}}-r${{package.epoch}} Signed-off-by: Ville Aikas
  * Changes from code review.
  * config: copy all subpackage variables when doing a range expansion
  * feat: add output logs for the apkbuild converter
  * Fix issue: #658 Signed-off-by: Ville Aikas
  * feat: add new Perl pipelines for install and clean
  * package: just skip symlinks for now
  * workflows: add ncurses to the presubmit test matrix
  * package: dereference symlinks for aliased pkg-config modules
  * Fix syntax in maven pipeline (and add test).
  * more debug crap. Signed-off-by: Ville Aikas
  * remove debug crap. Signed-off-by: Ville Aikas
  * Environment is required, adjust the tests.
  * Change GeneratedMelangeConfig to embed pkg/config/config instead of redefining it.
  * Change default python-version from 3.11 to 3.
  * remove extra backtick.
  * let's try again.
  * update docs
  * Bunch of lint fixes. No functional changes.
  * Add a maven/configure-mirror pipeline to redirect to GCP.
  * yikes, only 2 fatal lints... nice...
  * update docs.
  * Add flags for resolving git tags, release-monitoring
  * Update pkg/build/pipelines/python/build-wheel.yaml
  * Update pkg/build/pipelines/python/build-wheel.yaml
  * add builtin pipelines for python
  * update generated docs. Signed-off-by: Ville Aikas
  * remove unused vars. They do not have short form, so can use this variant. Signed-off-by: Ville Aikas
  * Add --wolfi-defaults flag, clean up flag handling.
  * readlinkfs: ignore some security-module specific xattrs
  * feat: support --recurse-submodules in git clone
  * Print the path to generated melange config.
  * build(deps): bump go.opentelemetry.io/otel from 1.16.0 to 1.17.0
  * build(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0
  * build(deps): bump google.golang.org/api from 0.136.0 to 0.138.0
  * build(deps): bump k8s.io/api from 0.28.0 to 0.28.1
  * build(deps): bump github.com/lima-vm/lima from 0.17.0 to 0.17.2
  * build(deps): bump k8s.io/client-go from 0.28.0 to 0.28.1
  * Bump apko and fix everything I broke
  * docs: typo in go-build example
  * run make docs
  * cli: index: add --signing-key, --source and --merge options
  * default for github actions is bubblewrap.
  * update lint rule.
  * Fix the links to commands, fix the URLs generated.
  * sign: do not rename across device boundaries
  * add --force option to recreate apk indexes with given signatures
  * pipelines: use ${{targets.contextdir}} where it makes sense
  * pipeline: add ${{targets.package.foo}} expansions
  * pipeline: add ${{targets.contextdir}}, representing the current target dir
  * Bump pkg-config again to actually pick up the openblas fix.
  * Bump pkgconfig to pick up the openblas fix.
  * feedback + verbiage from Erika.
  * Set reasonable concurrency levels for pgzip
  * appease linter
  * support substitutions in provides lists
  * Start of exhaustively documenting the build file.
  * plumb through SDE to EmitSignature
  * add melange sign command, slightly refactor and make public the signing methods
  * add test for substituting needs.packages
  * allow override go version for uses: go/build and go/install
  * Support for setting context in .melange.k8s.yaml
  * Add docs about custom pipelines, defining and using.
  * build(deps): bump actions/setup-go from 4.0.1 to 4.1.0
  * Teach melange about the forthcoming version-transform block
  * doc and lint revisions (#598)
  * build(deps): bump google.golang.org/api from 0.134.0 to 0.136.0
  * container: bubblewrap: do not defer closing files
  * build(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0
  * build(deps): bump github.com/lima-vm/lima from 0.16.0 to 0.17.0
  * build(deps): bump github.com/google/go-containerregistry
  * build: package: add pkgconf-based SCA to catalog SDKs which use it
  * Docstring typo fixes
  * Docstring fixes
  * Appease the go fmt Gods
  * Test two var transforms at once
  * Test var transforms on a basic level
  * Add ${{build.arch}} as a possible variable in bump
  * Make var transforms work in bump
  * remove parallel test for TestKubernetesRunnerConfig
  * add fail-fast to false
  * update code running goimports
  * add goimports
  * publish brew formula during release
  * update actions to use git hashes
  * update golangci-lint to v1.53 series
  * Adjust the var substitution stuff a bit
  * Move var substitution stuff into config
  * config: Change root to a pointer in the config struct, and add an accessor
  * renovate: update to use new config infrastructure
  * build: Add root node to the config
  * Appease the golangci-lint Gods
  * build_test: fix tests in a better way
  * Make all tests pass
  * build: add parameter where one was missing
  * build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.1
  * pipelines: meson/configure: explicitly invoke meson setup action
  * build(deps): bump github.com/docker/docker
  * Refactor the config/logging stuff out of build
  * build(deps): bump google.golang.org/api from 0.133.0 to 0.134.0
  * build(deps): bump github.com/docker/docker
  * Several fixes to k8s runner.
  * build(deps): bump github.com/klauspost/pgzip from 1.2.5 to 1.2.6
  * build(deps): bump google.golang.org/api from 0.129.0 to 0.133.0
  * Remove `wget -q` from `fetch`
  * add k8s runner config loading from envvars
  * Log errors bundling, enable GGCR Warn/Progress logs
  * Tweak the strip pipeline so that it never fails for deleted files
  * convert/python: check if release is found
  * Make sure we log errors.
  * Fix subpackage SBOM generation
  * define constants for runners destination mount paths
  * skip the cache mount for kubernetes runner builds
  * Add more otel spans to k8s runner
  * build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0
  * build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4
  * Avoid using pargzip for compression
  * add a retryable (tgz) fetcher for the k8s runner
  * Pod names must be RFC1123 compliant
  * Correct the variable name in the patch pipeline
  * pipelines: git-checkout: harden variable expansions
  * pipelines: patch: refactor series/patches handling
  * pipelines: fetch: harden variable expansions
  * add retries to a subset of k8s runner exec failures
  * delete builder pod post build by default
  * properly pass workspace env/volumes to k8s builder pods
  * use go-apk.FullFS for retrieving builder workspaces
  * Finally fix python convert tests.
  * Comment python test.
  * add dir option to ruby pipelines as not all gemspecs live in the root folder
  * fix containerID for lima when tarring up
  * lima startup issues fixed
  * pull in apko with fix for blank SOURCE_DATE_EPOCH
  * Change git-checkout depth default to 1
  * workflows: wolfi-presubmit: use package/ instead of packages/ for package names
  * build: package: forcibly treat libc as a shared library
  * docs: explain how build cache works practically
  * Bump apko dep to pick up otel spans
  * Fix failing test for env var wipeout
  * Add failing test for env var wipeout
  * add otel spans
  * build(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1
  * Remove use of deprecated WaitImmediate
  * Add !
char to ignore. * Add missing context propagation * Rename index.Context to index.Index * Rename Contexts to Builds ------------------------------------------------------------------- Sat Oct 14 06:38:30 UTC 2023 - kastl@b1-systems.de - Update to version 0.4.0: * build(deps): bump github.com/opencontainers/image-spec * add release notes for Melange 0.4.0 * build(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 * build(deps): bump google.golang.org/api from 0.128.0 to 0.129.0 * appease linter for now * update apko to 0.9.0 * build(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 * some small UX improvements for k8s runner * build(deps): bump github.com/package-url/packageurl-go * update apko and go-apk to use pinned deps correctly * build: scan subpackage pipelines for dependencies * add a split/debug pipeline * ensure bundles are rooted correctly * build(deps): bump google.golang.org/api from 0.125.0 to 0.127.0 * build(deps): bump actions/checkout from 3.5.2 to 3.5.3 * add a kubernetes pod runner * build(deps): bump docker/login-action from 2.1.0 to 2.2.0 * build(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.6.0 * build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 * add strip prefix and suffix update config for release monitor * import apko and go-apk with better debug logging * Switch from calling Glob to two Stats * workflows: add wolfi-presubmit * cli: build: fix destination variable for --apk-cache-dir * build: PopulateCache: do not populate the cache dir when it is empty * fix apk caching directory * import apko and go-apk with package caching * Change the default for delete to false. 
  * pipeline: fetch: optionally delete fetched artifacts after unpacking
  * cond: allow underscores and capitalization in variable expressions
  * run tests with race detector
  * warn and fallback to SOURCE_DATE_EPOCH=0 when specified but empty
  * index: use deep copy when loading pre-existing index data
  * build(deps): bump github.com/lima-vm/lima from 0.14.2 to 0.16.0
  * build(deps): bump actions/setup-go from 4.0.0 to 4.0.1
  * index: appease linter by moving the deferred close to after the error check
  * build(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18
  * build: generate APKINDEX.json when writing packages index
  * index: add WriteJSONIndex function
  * index: split out the indexing logic itself to UpdateIndex
  * index: WriteArchiveIndex: use destination file path as primary input
  * index: use SourceIndexFile for loading index data rather than IndexFile
  * index: factor out loading of pre-existent indices and index state management
  * index: factor out index writing into WriteArchiveIndex
  * Bump apko and fix what that breaks
  * add wolfictl
  * upgrade alpine-lima to 3.18
  * Allow uppercase and plus, allow numbers as first char
  * Validate configuration at the end of parsing
  * Remove secfixes and advisories altogether
  * include filename when parsing fails
  * Require that build config YAML has only known fields
  * Refactor tests for configuration load method
  * build(deps): bump google.golang.org/api from 0.119.0 to 0.123.0
  * readlinkfs: implement go-apk fs.XattrFS interfaces
  * Pull in the latest go-apk for xattrs support
  * build(deps): bump github.com/docker/docker
  * Pull in index builddate support.
  * Install should first build melange binary...
  * Make makefile work on Mac and Linux.
  * build(deps): bump sigstore/cosign-installer from 3.0.2 to 3.0.5
  * add a boolean so built in melange pipelines can be used in subpackages as they need to write to a different target folder
  * ensure range data replaces `with` options during a pipeline
  * Update README.md
  * Update distroless references
  * default for mac is docker, not bwrap
  * add extra logging when runner fails to TestUsability
  * Add go vendor support to the go build pipeline.
  * add multiple runner options
  * use latest version of melange in lima configuration file
  * Set `builddate` in our `.PKGINFO` control data.
  * add field docs
  * build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0
  * pipelines: patch: add support for quilt patch-series files
  * Add an optional "deps" parameter to the go/build pipeline.
  * chore: signing issues
  * chore: corrections in mac instructions
  * chore: corrections in mac instructions
  * build: package: skip SONAME analysis when ELF interpreter setting is present
  * Add trimpath to the go pipeline.
  * update docs
  * build: add support for configurable logging policies
  * Add name method to build config
  * build(deps): bump gitlab.alpinelinux.org/alpine/go
  * move signing funcs to rely on external go-apk library
  * use go-apk library instead of apko
  * update alpine-go to include replaces hotfix
  * simplify DataItems to use the builtin marshallable map type
  * add `ignore-regex-patterns` update config to indicate you want to ignore string patterns that match an upstream version
  * add a strip-suffix: key to melange update struct to indicate stripping a suffix from an upstream GitHub version
  * bump to latest apko which handles file overwrites
  * cli: build: warn when no work to do instead of throwing an error
  * build(deps): bump github.com/docker/docker
  * upgrade apko to 20230421 snapshot
  * build(deps): bump google.golang.org/api from 0.116.0 to 0.119.0
  * build: update tests to use apko log.Logger
  * build: use apko_log.Logger everywhere
  * build: logger: conform to apko_log.Logger shape
  * adapt to new apko logging framework
  * update apko dependency to 20230420 snapshot
  * update apko dependency to 20230419 snapshot
  * config parsing: fix handling of filesystems
  * bump test: fix panic by requiring no error
  * Stop repeating errors on build command
  * build(deps): bump actions/checkout from 3.5.0 to 3.5.2
  * fix 403 error when melange bumping some packages, https://www.netfilter.org for example needs it
  * update apko to 20230413 snapshot
  * Print full uri to debug file download errors
  * Do not depend on concrete logger
  * pipelines: autoconf/make-install: delete all GNU libtool metadata files
  * remove flawed test
  * build: package: append subpackages to build log
  * Use formatted YAML encoder from yam
  * build: readlinkfs: chase apko ReadlinkFS API break
  * upgrade apko snapshot to 20230411
  * build(deps): bump google.golang.org/api from 0.114.0 to 0.116.0
  * build(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.2
  * go mod tidy again
  * index: convert to using logrus
  * build: package: use logrus.Entry for logging
  * update apko for formatting fixes
  * build: remove actualArchs variable, no longer used
  * fix tests
  * container: use warning level for stderr output
  * pipeline: downgrade dumpWith() to use debug level
  * switch to using logrus
  * update to apko git
  * feat: send useragent in HTTP requests
  * export mutate functions as these are very useful to be called outside of the build package
  * warn if target-architecture:['all'], remove from examples
  * feat: respect target-architecture to filter archs
  * index: rework architecture filtering
  * update docs
  * build(deps): bump actions/add-to-project from 0.4.1 to 0.5.0
  * cli: index: add --arch flag
  * index: print warning and skip packages which do not match the expected architecture
  * index: add ExpectedArch to index.Context
  * add a `update.manual:` key to indicate a package should be manually updated
  * fix: log package new names+versions when regenerating index
  * make original test commit sha different from the new expected sha to ensure test works
  * melange bump: optional flag to modify git-checkout pipeline expected-commit value
  * Bump apko to pick up busybox detection fix.
  * Fix goreleaser cosign flags
  * package: allow any library which has a SONAME to be a provider
  * build: fix SBOM language gathering for subpackage pipelines
  * package: ensure the package output directories always exist for scanning
  * build: introduce Context.IsBuildLess and skip a lot of setup/teardown for buildless packages
  * build: allow a package to be defined without a pipeline
  * Add darwin goreleaser target (macOS)
  * fix build
  * release image after the binary
  * update makefile
  * cleanup goreleaser and ko config
  * clean up, update version comments for ci jobs
  * upgrade to use go1.20
  * upgrade alpine pkgs lima

-------------------------------------------------------------------
Mon Apr 03 12:43:01 UTC 2023 - kastl@b1-systems.de

- Update to version 0.3.2:
  * Fix goreleaser cosign flags, add NEWS for melange 0.3.2
  * add NEWS for melange 0.3.1
  * package: allow any library which has a SONAME to be a provider
  * Add darwin goreleaser target (macOS)
  * update NEWS for melange 0.3.0.
  * update to apko 0.7.3 release
  * pipelines: fetch: use wget quiet mode
  * build: check for signing key existence before using it
  * build: package: do not add interpreter dependency when no-depends option is enabled
  * docs: fix baseurl for melange reference in generated docs
  * directly parse configuration for query
  * add query and package-version commands
  * build: use realpath to determine cache dir bindmount source
  * refresh docs for --cache-source
  * cli: add --cache-source option
  * build: use CacheSource to define the bucket to pull cached sources from
  * build: change default cache directory to ./melange-cache
  * build: add CacheSource option to context
  * Hookup user and accounts in the environment.
  * build(deps): bump cloud.google.com/go/storage from 1.30.0 to 1.30.1
  * build(deps): bump google.golang.org/api from 0.113.0 to 0.114.0
  * build(deps): bump actions/checkout from 3.3.0 to 3.5.0
  * refresh docs
  * cli: build: add --debug flag
  * build: pipeline: if Context.Debug is enabled, add set -x to all pipelines
  * build: add Debug option to Context
  * build: use cond.Subst instead of replacers
  * cond: subst: variable names can have dashes
  * cond: subst: add goparsify-based variable substitution implementation
  * cond: parser: test: add variable lookup with whitespace test
  * parser: use newer fork of goparsify
  * add codeowners
  * add Update struct for identifying how a melange package can be updated
  * add `var-transforms` for manipulation of variables using regular expressions
  * pipelines: git-checkout: use tempdir for doing the initial clone
  * pipelines: git-checkout: mark clone directory as a safe directory for git
  * update ruby pipelines with usability features
  * add an optional flag to generate a packages.log containing list of packages + subpackages that were actually built by `melange build`
  * Try to fix a strange index generation bug.
  * build(deps): bump actions/setup-go from 3.5.0 to 4.0.0
  * container: fixes to handle /sbin/ldconfig not being present, e.g. on musl
  * container: run ldconfig when bringing up a build environment
  * update to latest apko git
  * build(deps): bump google.golang.org/api from 0.111.0 to 0.113.0
  * build(deps): bump cloud.google.com/go/storage from 1.29.0 to 1.30.0
  * update apko to latest git
  * pipeline: only run mkdir -p if absolutely needed
  * build(deps): bump github.com/go-git/go-git/v5 from 5.6.0 to 5.6.1
  * update docs
  * run go mod tidy
  * pkg: convert: fix tests to use upstream ImageContents type
  * build: package: use internal readlinkFS, old apko fs package was deprecated
  * build: add minimal internal readlinkfs implementation
  * convert: use upstream ImageContents type, added in apko 0.7.0
  * build: use normal os.DirFS for filesystem walking
  * upgrade to apko 0.7.2 git
  * build: remove --use-proot option
  * lint
  * move convert related packages under convert as subpackages
  * container: bubblewrap runner: use --new-session to mitigate CVE-2017-5226
  * autoconf: always define the GNU host and build triplets in configure step
  * update docs
  * add more context for the experimental commands
  * add shell completion and move common flags to top level
  * move wolfios to its own package
  * add same convert options to higher leve
  * fix lint and tests
  * fix tests
  * add convert subcommand
  * docs: ensure docs are up to date in CI
  * add melange docs
  * change --out-dir to not depend on cwd
  * accept dependabot's GPG key for commit signing CI check
  * package: only use base soname when generating runtime dependencies across symlinks
  * build(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2
  * add omitempty to some fields
  * build(deps): bump google.golang.org/api from 0.110.0 to 0.111.0
  * build(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.0
  * build(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1
  * remove self-provided dependencies from the runtime dependency set
  * build(deps): bump github.com/openvex/go-vex
  * build: package: dereference symlinks across packages and read the real DT_SONAME instead of guessing
  * build: configuration: add support for variable substitution in more places
  * apply refactoring suggestions from go linter
  * build: also apply if-conditionals when generating the package index
  * build: also apply subpkg if-conditionals when emitting packages and SBOMs
  * examples: add example outlining the new option-related features
  * build: implement if-conditionals for subpackages
  * build: pipeline: add option enabled variables
  * build: build option: patch the variables and environment configuration
  * build: use BuildOption.Apply to apply configuration patches from build options
  * build: build_option: add Apply stub
  * cli: build: add --build-option to configure the enabled build options
  * build: add WithEnabledBuildOptions context option
  * build: add BuildOptions map to Configuration
  * build: add BuildOption types
  * package: ensure we are operating only on a basename when generating symlink deps
  * package: detect shared library dependencies for .so symlinks
  * build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
  * build(deps): bump google.golang.org/api from 0.109.0 to 0.110.0
  * Add ruby pipelines for gem install, build and clean
  * build: package: add support for defining "replaces" relationships
  * package: findInterpreter: chop trailing nul from interpBuf
  * package: deal with musl interpreter being a symlink back to itself
  * package: ensure PT_INTERP is always added as an explicit dependency
  * build(deps): bump github.com/docker/docker
  * build(deps): bump github.com/joho/godotenv from 1.4.0 to 1.5.1
  * build(deps): bump google.golang.org/api from 0.108.0 to 0.109.0
  * build(deps): bump github.com/docker/docker
  * git-checkout: fix tags
  * use merge option to speed up apkindex generation when build
  * just warn if no branch or tag specified
  * build(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0
  * build(deps): bump github.com/google/go-containerregistry
  * Revert "Generate build environment SBOM"
  * add expected-commit to git-checkout
  * Update README to mention wolfi.
  * cli: add --vars-file option to support loading build variables from an external source
  * build: add WithVarsFile and WithVarsFileForParsing options
  * examples: add variable substitution example
  * pipeline: handle ${{vars}} block as expected
  * build: add variables block to build configuration struct
  * build(deps): bump cloud.google.com/go/storage from 1.28.1 to 1.29.0
  * examples: add working-directory example
  * pipeline: ensure the working-directory is created before using it
  * pipeline: propagate WorkDir to subpipelines
  * pipeline: set working directory when evaluating pipeline "runs" entries
  * build: add Pipeline.WorkDir definition
  * build(deps): bump google.golang.org/api from 0.107.0 to 0.108.0
  * build(deps): bump github.com/docker/docker
  * build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0
  * go mod tidy to drop chainguard/vex
  * Switch VEX dependency to openvex
  * allow provider priority to be configured
  * build(deps): bump google.golang.org/api from 0.106.0 to 0.107.0
  * Wire logger from SBOM generator to impl
  * Escape invalid identifier chars
  * Fix build sbom name in subpackages
  * Fix bug where package verification was wrong
  * build sbom: Add relationships to produced SBOMs
  * Update protobom to support dl location
  * Build SBOM: Generate package with apks
  * Trigger build SBOM generation, reuse write
  * Pass guest directory to sbom spec
  * Refactor SBOM spec for reuse
  * Add ReadPackageIndex to gen implementation
  * Add GenerateBuildEnvSBOM fn to SBOM generator
  * Update Lima link
  * update apko dependency to latest
  * bump apko dependency
  * pipelines: autoconf/configure: fix sysconfdir
  * upgrade apko dependency to latest git
  * build(deps): bump github.com/go-git/go-git/v5 from 5.5.1 to 5.5.2
  * build(deps): bump google.golang.org/api from 0.105.0 to 0.106.0
  * build(deps): bump actions/checkout from 3.2.0 to 3.3.0
  * bump apko to latest git again for keyring fix
  * fix typo
  * index gen: Add loop throttle, mutex
  * close lingering file descriptor
  * sbom: handle spdxPkg.VerificationCode being a pointer in apko git
  * chase PublishImageFromLayer API change in apko
  * update apko dependency to latest git for armv6/armv7 triplet fixes
  * go/install: also require git (#239)
  * use lima to use melange on mac
  * Advisories: Require pkg version for fixed status (#237)
  * Parallel processing of packages.
  * Make packageurl-go import direct
  * add --namespace option to build subcommand
  * SBOM: Generate purls for built packages
  * Add namespace and arch fields to SBOM spec
  * Drop distro qualifier from purls
  * Add Go pipelines documentation
  * Revamp go examples to use both pipelines
  * New go/install pipeline
  * go/build: Support changing module root
  * Bump vex (#231)
  * Remove extra field
  * Add advisories and purls
  * Export functionality for config parsing (#229)
  * Apko devenv README
  * Melange development environment

-------------------------------------------------------------------
Sun Mar 19 14:09:23 UTC 2023 - Johannes Kastl

- new package melange: Build APKs from source code