melange/melange.changes

1215 lines
50 KiB
Plaintext

-------------------------------------------------------------------
Tue Apr 09 06:26:37 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.11:
* build(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace
* build(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0
* build(deps): bump go.opentelemetry.io/otel/sdk from 1.24.0 to
1.25.0
* build(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1
* build(deps): bump github.com/chainguard-dev/yam from 0.0.2 to
0.0.3
* bump docker
* build(deps): bump dagger.io/dagger from 0.10.2 to 0.11.0
* build(deps): bump cloud.google.com/go/storage from 1.39.1 to
1.40.0
* Ensure configuration file is closed
* sca: add go-fips-bin runtime deps
* sca: add go-fips-bin test case
* build(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to
5.12.0
* build(deps): bump google.golang.org/api from 0.171.0 to 0.172.0
-------------------------------------------------------------------
Sat Mar 30 10:14:00 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.10:
* chore: CRAN -> R
* docs(cran): Add build pipeline
* fix(cran): Support passing source dir as package
* chore(cran): Remove (now known) redundant fetch/install
pipelines
* feat(pipelines): Add support for fetching, building, and
installing R packages from CRAN
* Change dependency for python to be python-Maj.Min-base.
* build(deps): bump google.golang.org/api from 0.170.0 to 0.171.0
* build(deps): bump github.com/docker/cli
* build(deps): bump github.com/charmbracelet/log
* skip mounting resolv.conf for the docker runner
* build(deps): bump github.com/docker/docker
* Propagate user from image configuration
* build(deps): bump cloud.google.com/go/storage from 1.39.0 to
1.39.1
* build(deps): bump github.com/google/go-containerregistry
* build(deps): bump docker/login-action from 3.0.0 to 3.1.0
* build(deps): bump actions/checkout from 4.1.1 to 4.1.2
* build(deps): bump github.com/kubescape/go-git-url from 0.0.28
to 0.0.30
* build(deps): bump google.golang.org/api from 0.169.0 to 0.170.0
* build(deps): bump dagger.io/dagger from 0.10.1 to 0.10.2
* Switch to new octo-sts action (#1088)
* Move "executing:" logging to debug
* Keep symbols tables for fips builds
* Fix quotes
* pipelines/go: prefer to use netgo and osusergo by default
* pipelines/go/install: also trimpath like build
* pipelines/go: Strip by default
* pipelines/go: bump GOAMD64 to v2
* pipelines/go: allow setting microarchitecture level settings
* Update pkg/build/pipeline.go
* open debug session in the specific workdir
* Add Harden Runner audit configs
* appease linter
* build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.9.0
to 0.10.0
* build(deps): bump google.golang.org/api from 0.168.0 to 0.169.0
* build(deps): bump github.com/kubescape/go-git-url from 0.0.27
to 0.0.28
* feat(pipelines): Add cargo build for rust packages
* WIP: remove files from SBOM
* Bump apko
* document builtin substitutions
* build(deps): bump gitlab.alpinelinux.org/alpine/go
* fix test.environment jsonschema struct tag
-------------------------------------------------------------------
Sun Mar 17 08:04:49 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.9:
* build(deps): bump google.golang.org/api from 0.166.0 to 0.168.0
* build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0
* build(deps): bump dagger.io/dagger from 0.9.10 to 0.10.1
* Fix the bug in dropping the suffix.
* Drop WaitDelay from bubblewrap
* build(deps): bump actions/download-artifact from 4.1.2 to 4.1.4
* build(deps): bump github.com/stretchr/testify from 1.8.4 to
1.9.0
* build(deps): bump cloud.google.com/go/storage from 1.38.0 to
1.39.0
-------------------------------------------------------------------
Sun Mar 17 08:00:25 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.8:
* Update pombump.yaml
-------------------------------------------------------------------
Sun Mar 17 07:51:04 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.7:
* Rename the default bump file name.
-------------------------------------------------------------------
Sun Mar 17 07:45:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.6:
* Add ${{cross.triplet.rust.[glibc,musl]}}
* Add pombump pipeline.
-------------------------------------------------------------------
Sun Mar 17 07:35:28 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.5:
* Fix resource usage in melange
* Fix job control with interactive bubblewrap
* build(deps): bump github.com/chainguard-dev/yam from 0.0.1 to
0.0.2
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace
* build(deps): bump go.opentelemetry.io/otel/sdk from 1.23.1 to
1.24.0
* build(deps): bump cloud.google.com/go/storage from 1.37.0 to
1.38.0
* Bump apko
* Fix typo in error message
* build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1
* build(deps): bump actions/download-artifact from 4.1.1 to 4.1.2
* build(deps): bump golangci/golangci-lint-action from 3.7.0 to
4.0.0
-------------------------------------------------------------------
Sat Feb 24 09:01:37 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.4:
* Fix the yaml file so that it actually gets parsed properly.
* Propagate SourceDateEpoch from Build
-------------------------------------------------------------------
Sat Feb 24 08:57:02 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.3:
* Don't write APK to temp file during signing
-------------------------------------------------------------------
Tue Feb 20 20:40:47 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.2:
* Add --package-append flag to build
* apply package substitutions in
test.emvironment.contents.packages
* change docker runner labels
* label containers created by docker runner for easier external
management
* Add a --trace flag to melange build
* Add dagger runner
-------------------------------------------------------------------
Thu Feb 15 06:14:16 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.1:
* omit arch log key when building one arch
* Remove breakpoint labels
* Clean up apko-temp dirs
* Remove images even with cancelled ctx
* Fix context.Background use
* Allow substitutions in dependencies.replaces
* doc: add diff pr
* docs: add version-transform doc and other example to
var-transform
-------------------------------------------------------------------
Sat Feb 10 07:07:57 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.0:
* Split pkg/container up into smaller packages
* Mostly fix interactive interrupt signal handling
* Do more cleanup with --rm
* Continue interactive execution on exit 0
* go fmt
* update dario/mergo
* move runner determination to pkg/cli
* Make debugging melange builds less terrible
* fix go-build example
* Make it easier to find docs-repo on ci failure
-------------------------------------------------------------------
Thu Feb 08 20:06:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.10:
* Add --die-with-parent to bwrap flags
* fix bug with needs
* move some logs to debug
* Update build.yaml
* Update install.yaml
* Add GOEXPERIMENT to go/build
-------------------------------------------------------------------
Wed Feb 07 07:34:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.9:
* use apko@main
* WIP: use charm logger
* Add WaitDelay to bubblewrap cmd
* Split options into separate files
* Cancel context on interrupt signal
* build(deps): bump github.com/docker/docker
* build(deps): bump cloud.google.com/go/storage from 1.36.0 to
1.37.0
* build(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0
-------------------------------------------------------------------
Tue Feb 06 17:36:29 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.8:
* Add --rm flag (and options) to Build
* Respond to cancelled context while streaming logs
* Don't use goroutines for monitoring logs
* If arch is not specified, test all.
* Add Close() method to container runners
* use slogtest
* eliminate some more logger invocations
* Fix race condition in log monitoring
* Exclude "com.docker.grpcfuse.ownership" xattr
-------------------------------------------------------------------
Sat Feb 03 17:40:41 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.7:
* Pass the correct env.env to the container.
* test: skip when executing on an unsupported arch
* melamge bump: only update expected commit shas for the main
git-checkout
* stop logging tons of "detected git commit for build
configuration" when parsing melage config
* Embed melange version in .PKGINFO
* Fix missing no-depends check
* build(deps): bump google.golang.org/api from 0.154.0 to 0.161.0
* build(deps): bump github.com/kubescape/go-git-url from 0.0.26
to 0.0.27
* build(deps): bump github.com/chainguard-dev/yam
* Bump apko to v0.14.0
* Update CODE_OF_CONDUCT.md
* Update CODE_OF_CONDUCT.md
* Switch to octo-sts-action (#968)
* build(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0
* warn on invalid license, log SCA findings
* unexport some methods in pkg/sbom
* Fix aws-c-s3 SCA
* Don't include libexec directories in SCA includes
* tidy
* drop the lima runner
* Take advantage of Octo STS to publish homebrew updates. (#956)
* Pin to digest for setup-go in melange
* build(deps): bump actions/download-artifact from 4.1.0 to 4.1.1
-------------------------------------------------------------------
Tue Jan 23 18:00:07 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.6:
* sort with key/values
* Fail if unknown variable is used in substitution
* revert simple-hello, keep it alpine
* fix simple-hello again
* fix simple-hello
* fix wolfi e2e test
* also test wolfi built packages
* update examples
* migrate examples to wolfi
* add e2e test that packages can be installed with apk
* Audit the permissions of workflows.
* Add test for vendored pkgconfig
* Make "unable to detect git commit" a debug message
* Allow vendored pkgconfig deps
* make docs-repo
* update
* use apko@main
* drop pkg/logger and use slog
* Allow execable shared objects if name has ".so."
* Fix sbom loopvar issue
* Make BuildGuest more similar for Build and Test
* Use errgroup over github.com/korovkin/limiter
* Replace packages in APKINDEX with same version
* Remove some more struct mutating and shadowing
* Drop mutable imgRef from build.Build
* Move more mutations into parameters
* Take an fs as an argument to RetrieveWorkspace
* Add a test
* Convert some sca code to early return style
* build(deps): bump github.com/cloudflare/circl from 1.3.6 to
1.3.7
* move test pipelines to where others are. Remove unnecessary
test packages.
* Add python/import test pipeline, as well as e2e tests for
python test pipelines.
* how many ways can I really screw this one up...
* Try James suggestion.
* Fix the filenames.
* try with explicit false.
* maybe missing a space?
* Add --test-package-append that you can specify extra test
packages for each test.
* move the comment
* meson/configure: don't download subprojects by default
* Add a python/test pipeline.
* Bypass warning about detached head
* add `*_config` pattern to split/dev pipeline
-------------------------------------------------------------------
Sun Jan 07 18:08:16 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.5:
* build(deps): bump github.com/google/go-containerregistry
* bump upload/download github actions
* build(deps): bump google.golang.org/api from 0.152.0 to 0.154.0
* build(deps): bump github.com/lima-vm/lima from 0.18.0 to 0.19.1
* build(deps): bump github.com/containerd/containerd from 1.7.7
to 1.7.11
* build(deps): bump github.com/go-git/go-git/v5 from 5.10.0 to
5.11.0
* build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0
* build(deps): bump cloud.google.com/go/storage from 1.35.1 to
1.36.0
* convert: sort packages alphabetically
* build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0
* build(deps): bump actions/setup-go from 4 to 5
* build(deps): bump github.com/kubescape/go-git-url from 0.0.25
to 0.0.26
* Set a default env var for GOMODCACHE.
* Pull in `go-apk` with `provider_priority` `ini` fix.
* Mark update.manual as an optional field.
* update release to add some clarification regarding the homebrew
-------------------------------------------------------------------
Tue Dec 05 06:06:45 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.4:
* build(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0
* build(deps): bump chainguard.dev/apko
* build(deps): bump k8s.io/client-go from 0.28.3 to 0.28.4
* schema: update for new test pipeline configuration
* build(deps): bump github.com/klauspost/compress from 1.17.2 to
1.17.4
* build(deps): bump google.golang.org/api from 0.150.0 to 0.152.0
* fix issue
* cleanup: don't use pkg/errors
* fix bad merge.
* Default to package.name, but allow overrides, add example docs
for specifying which package, and version to test.
* argh, fix typo.
* Add tests, simplify code.
* e2e tests for `test` command.
* checkpoint.
* Add test command / implementation.
* alphabetize commands, add test.
* Refactor so can be used with test and build.
* config struct changes for test.
* Add autogenerated 'test' docs.
* make docs-repo
* remove unnecessary wait for testing
* support resource requests and timeouts
* UTC-ify source date epoch when set
* Fix capitalization of SBOM originators
* Fix the lint warnings in pkg/linter
* Fix lints, or ignore safe ones. No functional changes.
* prefix should be /usr
* Ensure jsonschema is kept up to date.
* Add jsonschema generation binary.
* build(deps): bump go.opentelemetry.io/otel from 1.20.0 to
1.21.0
* build(deps): bump k8s.io/apimachinery from 0.28.3 to 0.28.4
* build(deps): bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7
* fix and continuously validate SBOMs
* make docs-repo
* default --use-github=true
* fix docs
* convert python: don't overwrite existing files
* format manifests with yam
* fix docs for --runner
* improve 'melange convert python' to remove manual steps
-------------------------------------------------------------------
Thu Nov 16 14:23:15 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.3:
* Update release.md
* build(deps): bump golang.org/x/time from 0.3.0 to 0.4.0
* pipelines: go/build: add support for go.mod overlay files
* build(deps): bump cloud.google.com/go/storage from 1.33.0 to
1.35.1
* go mod tidy
* update go-apk dependency
* build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0
* build(deps): bump go.opentelemetry.io/otel from 1.19.0 to
1.20.0
* apply substitutions to .environment.contents.packages
* test runtime replacements
* build(deps): bump github.com/sigstore/cosign/v2 from 2.2.0 to
2.2.1
* build(deps): bump google.golang.org/api from 0.149.0 to 0.150.0
* go mod tidy
* use merged PR
* update dep
* use pushed PRs
* WIP: use forked alpine-go in go-apk
* move spammy logs to debugf
-------------------------------------------------------------------
Thu Nov 09 14:56:03 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.2:
* Update pkg/config/config.go
* GithubReleaseMonitor: add tagprefix and tagcontains to be used
in github tags filtering
* Plumb check configs through to linters
* Delete no-op sbom code
* remove unimplemented references to fulcio support
* fail if 'with' is used with 'runs'
* Error early if uses and runs are both present
* Get rid of PackageContext and SubpackageContext
* Remove impossible errors
* Make loadUse test actually test something
* Remove impossible errors
* build: use util.Dedup instead of slices.Compact
* util: bring back Dedup, slices.Collapse requires sorting
* Bump go-apk
* Filter out noise opening non-ELF files
* Bump go-apk and use faster tarfs implementation
* Add a test to ensure that ranges are handled properly.
* Add linters for #805 and #804.
* Refactor linting logic and clean things up
* Add SBOM linter
* build(deps): bump github.com/docker/docker
* build(deps): bump chainguard.dev/apko
* build(deps): bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6
* Add GID/UID remapping to improve permissions. Fix permission
issues resulting from running with the build user.
* Separate out package and build lints
* Add json tags to melange Configuration.
* Add python/test linter
* util: drop Dedup in favor of golang.org/x/exp/slices.Compact
* sca: fix compile by moving a few things around
* sca: move analyzer invocation into Analyze() function
* sca: implement abstract interface between build engine and sca
engine
* sca: pass FS into dependency generators rather than creating it
on demand
* sca: move out of package.go into sca.go as a first pass
* Rename Python linters to python/*
* readlinkfs: ignore security.selinux xattrs
* Add Python docs linter
* SCA: add python dependency generator
* linter: refactor check block generation in tests
* Improve linter diagnostic output
* Add GID/UID remapping to improve permissions. Fix permission
issues resulting from running with the build user.
* build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0
* Fixups
* Handle .so files a little smarter
* Ignore all packages starting with _
* build(deps): bump google.golang.org/api from 0.147.0 to 0.148.0
* build(deps): bump k8s.io/client-go from 0.28.2 to 0.28.3
* build(deps): bump github.com/klauspost/compress from 1.17.1 to
1.17.2
* build(deps): bump chainguard.dev/apko
* build(deps): bump actions/checkout from 4.1.0 to 4.1.1
* Centralize SOURCE_DATE_EPOCH parsing.
* Run go fmt
* Exclude docs
* Exclude tests
* drop sync-issues-to-project-board.yaml not used anymore
* Exclude more files from Python multiple package linter
* Improve filtering and diagnostics
* Use the correct path for Python.
* Add multiple Python packages post-linter
* pipelines: add npm-install pipeline
* replace the fetch python url to more friendly URI
* Silence the linter
* Make empty linter work by disregarding directories and SBOM in
package linting
* Really shut up docs linter
* Docs changes/consistency fixes
* Document melange lint
* Module updates
* Resolve circular import
* Small fix
* Update go-apk dep
* Remove redundant package
* Update pkg/config/config.go
* Add basic test for APK linting
* Document the release steps.
* melange bump: move the reset / bump epoch logic up and inline
version
* melange bump: only reset the epoch if version changes, else
increment it
* Add APK linting.
* document full-version, add pointer to docs.
* Fix Typo
-------------------------------------------------------------------
Thu Oct 19 05:46:49 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.1:
* build(deps): bump github.com/klauspost/compress from 1.17.0 to
1.17.1
* build(deps): bump google.golang.org/api from 0.146.0 to 0.147.0
* build(deps): bump github.com/lima-vm/lima from 0.17.2 to 0.18.0
* build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0
* Fix a bug where substitutions were not done for runtime.
* linter: fix a typo in package linting function
* build(deps): bump google.golang.org/api from 0.143.0 to 0.146.0
* go mod tidy to shut up linter
* Small cleanup
* Add function to lint APK files.
* build(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0
* build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0
* Extricate config stuff from linter.
* build(deps): bump sigs.k8s.io/release-utils
* fix release url path
* update deprecated fields
* update with 0.5.0 changes
* Track vendored deps for .PKGINFO
-------------------------------------------------------------------
Sat Oct 14 06:40:13 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.0:
* Enable linters to warn (via callback) instead of just failing.
* build(deps): bump github.com/package-url/packageurl-go
* build(deps): bump go.opentelemetry.io/otel from 1.18.0 to
1.19.0
* Add a PR checklist to melange.
* Fix yaml typo in linter docs
* nit: fix mistake in function docs
* Apply suggestions from code review
* Document disabling lints and when to do so.
* Update linter docs
* strip linter: properly close file
* Make improvements/suggestions
* Add stripped file linter
* update alpine-go to latest git to fix indexing
* pipelines: strip: use -g by default when stripping
* build(deps): bump google.golang.org/api from 0.142.0 to 0.143.0
* do not delete extensions and plugins with ruby/clean
* build(deps): bump k8s.io/api from 0.28.1 to 0.28.2
* build(deps): bump google.golang.org/api from 0.138.0 to 0.142.0
* build(deps): bump k8s.io/client-go from 0.28.1 to 0.28.2
* build(deps): bump github.com/opencontainers/image-spec
* build(deps): bump github.com/docker/docker
* build(deps): bump cloud.google.com/go/storage from 1.32.0 to
1.33.0
* build(deps): bump github.com/klauspost/compress from 1.16.7 to
1.17.0
* build(deps): bump actions/setup-go from 4.0.1 to 4.1.0
* build(deps): bump actions/checkout from 4.0.0 to 4.1.0
* add docs for -compat packages
* Disable empty check on git-checkout
* build: refactor package linter invocation
* Refactor the linter into a submodule.
* Remove no provides check per @kaniini
* Respect subpackage no-provides
* Add post-file walk linting and empty package linting
* exa is dead, use mdbook as a rust CI test instead.
* bump apko to e9722fc
* build: do not run linters on skipped subpackages
* linter: when subpackages are linted use the subpackage name as
the package config name
* Only run worldwrite linter on regular files
* Add worldwrite linter
* Add dev, opt, and srv linters
* fix the arch
* Use Warnf over WARNING
* log and continue when .pc file can't be loaded
* fix the dir name as we already expect dir to be set explicit
* Disable linters on -compat packages
* Update build.yaml
* add goreleaser pipeline
* Unexport linter struct and linterFunc
* Don't export the linter map
* Add tests
* build(deps): bump sigstore/cosign-installer from 3.1.1 to 3.1.2
* Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0
* Bump docker/login-action from 2.2.0 to 3.0.0
* chore: remove CODEOWNERS file
* Add more linters
* Appease golint
* Fix tests
* Remove debugging print statement
* Implement subpackage linting
* Add package (but not subpackage) linting
* build(deps): bump golangci/golangci-lint-action from 3.6.0 to
3.7.0
* Update golangci-lint to 1.54
* git-checkout: Allow tags to matched annotated tag SHAs, don't
allow fuzzy matching of refs.
* build(deps): bump actions/checkout from 3.5.3 to 4.0.0
* Bump k8s test workflows to Go 1.21
* Bump go to 1.21
* pipeline: fix downward propagation to referenced external
pipeline nodes
* config: tests: add workdir propagation test
* remove cmake. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* forgot to remove one -dev
* Remove specifying the php-dev version.
* Add pecl pipelines for phpize & install. Signed-off-by: Ville
Aikas <vaikas@chainguard.dev>
* package: only constrain library search paths for provides
entries
* Fix some python generation issues:
* Refactor application of pipeline variables to config and add
tests
* Pipeline: make env overrides work recursively
* Add environment var overriding to the pipeline.
* Bump goreleaser/goreleaser-action from 4.3.0 to 4.6.0
* Bump actions/upload-artifact from 3.1.2 to 3.1.3
* package: constrain library SCA to library search paths only
* Replace the elements of the subpackage
* construct the package.full-version in higher context than just
pipeline.
* docs: fix link in pkg/build/pipelines/README.md
* docs: add documentation for built-in pipelines
* document / examples for ${{package.full-version}}
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* add ${{package.full-version}} =
${{package.version}}-r${{package.epoch}} Signed-off-by: Ville
Aikas <vaikas@chainguard.dev>
* Changes from code review.
* config: copy all subpackage variables when doing a range
expansion
* feat: add output logs for the apkbuild converter
* Fix issue: #658 Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* feat: add new Perl pipelines for install and clean
* package: just skip symlinks for now
* workflows: add ncurses to the presubmit test matrix
* package: dereference symlinks for aliased pkg-config modules
* Fix syntax in maven pipeline (and add test).
* more debug crap. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* remove debug crap. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* Environment is required, adjust the tests.
* Change GeneratedMelangeConfig to embed pkg/config/config
instead of redefining it.
* Change default python-version from 3.11 to 3.
* remove extra backtick.
* let's try again.
* update docs
* Bunch of lint fixes. No functional changes.
* Add a maven/configure-mirror pipeline to redirect to GCP.
* yikes, only 2 fatal lints... nice...
* update docs.
* Add flags for resolving git tags, release-monitoring
* Update pkg/build/pipelines/python/build-wheel.yaml
* Update pkg/build/pipelines/python/build-wheel.yaml
* add builtin pipelines for python
* update generated docs. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* remove unused vars. They do not have short form, so can use
this variant. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* Add --wolfi-defaults flag, clean up flag handling.
* readlinkfs: ignore some security-module specific xattrs
* feat: support --recurse-submodules in git clone
* Print the path to generated melange config.
* build(deps): bump go.opentelemetry.io/otel from 1.16.0 to
1.17.0
* build(deps): bump cloud.google.com/go/storage from 1.31.0 to
1.32.0
* build(deps): bump google.golang.org/api from 0.136.0 to 0.138.0
* build(deps): bump k8s.io/api from 0.28.0 to 0.28.1
* build(deps): bump github.com/lima-vm/lima from 0.17.0 to 0.17.2
* build(deps): bump k8s.io/client-go from 0.28.0 to 0.28.1
* Bump apko and fix everything I broke
* docs: typo in go-build example
* run make docs
* cli: index: add --signing-key, --source and --merge options
* default for github actions is bubblewwrap.
* update lint rule.
* Fix the links to commands, fix the URLs generated.
* sign: do not rename across device boundaries
* add --force option to recreate apk indexes with given
signatures
* pipelines: use ${{targets.contextdir}} where it makes sense
* pipeline: add ${{targets.package.foo}} expansions
* pipeline: add ${{targets.contextdir}}, representing the current
target dir
* Bump pkg-config again to actually pick up the openblas fix.
* Bump pkgconfig to pick up the openblas fix.
* feedback + verbiage from Erika.
* Set reasonable concurrency levels for pgzip
* appease linter
* support substitutions in provides lists
* Start of exhaustively documenting the build filele.
* plumb through SDE to EmitSignature
* add melange sign command, slightly refactor and make public the
signing methods
* add test for substituting needs.packages
* allow override go version for uses: go/build and go/install
* Support for setting context in .melange.k8s.yaml
* Add docs about custom pipelines, defining and using.
* build(deps): bump actions/setup-go from 4.0.1 to 4.1.0
* Teach melange about the forthcoming version-transform block
* doc and lint revisions (#598)
* build(deps): bump google.golang.org/api from 0.134.0 to 0.136.0
* container: bubblewrap: do not defer closing files
* build(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0
* build(deps): bump github.com/lima-vm/lima from 0.16.0 to 0.17.0
* build(deps): bump github.com/google/go-containerregistry
* build: package: add pkgconf-based SCA to catalog SDKs which use
it
* Docstring typo fixes
* Docstring fixes
* Appease the go fmt Gods
* Test two var transforms at once
* Test var transforms on a basic level
* Add ${{build.arch}} as a possible variable in bump
* Make var transforms work in bump
* remove paralell test for TestKubernetesRunnerConfig
* add fail-fast to false
* update code running goimports
* add goimports
* publish brew formula during release
* update actions to use git hashes
* update golangci-lint to v1.53 series
* Adjust the var substitution stuff a bit
* Move var substitution stuff into config
* config: Change root to a pointer in the config struct, and add
an accessor
* renovate: update to use new config infrastructure
* build: Add root node to the config
* Appease the golangci-lint Gods
* build_test: fix tests in a better way
* Make all tests pass
* build: add parameter where one was missing
* build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to
5.8.1
* pipelines: meson/configure: explicitly invoke meson setup
action
* build(deps): bump github.com/docker/docker
* Refactor the config/logging stuff out of build
* build(deps): bump google.golang.org/api from 0.133.0 to 0.134.0
* build(deps): bump github.com/docker/docker
* Several fixes to k8s runner.
* build(deps): bump github.com/klauspost/pgzip from 1.2.5 to
1.2.6
* build(deps): bump google.golang.org/api from 0.129.0 to 0.133.0
* Remove `wget -q` from `fetch`
* add k8s runner config loading from envvars
* Log errors bundling, enable GGCR Warn/Progress logs
* Tweak the strip pipeline so that it never fails for deleted
files
* convert/python: check if release is found
* Make sure we log errors.
* Fix subpackage SBOM generation
* define constants for runners destination mount paths
* skip the cache mount for kubernetes runner builds
* Add more otel spans to k8s runner
* build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to
5.8.0
* build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4
* Avoid using pargzip for compression
* add a retryable (tgz) fetcher for the k8s runner
* Pod names must be RFC1123 compliant
* Correct the variable name in the patch pipeline
* pipelines: git-checkout: harden variable expansions
* pipelines: patch: refactor series/patches handling
* pipelines: fetch: harden variable expansions
* add retries to a subset of k8s runner exec failures
* delete builder pod post build by default
* properly pass workspace env/volumes to k8s builder pods
* use go-apk.FullFS for retrieving builder workspaces
* Finally fix python convert tests.
* Comment python test.
* add dir option to ruby pipelines as not all gemspecs live in
the root folder
* fix containerID for lima when tarring up
* lima startup issues fixed
* pull in apko with fix for blank SOURCE_DATE_EPOCH
* Change git-checkout depth default to 1
* workflows: wolfi-presubmit: use package/ instead of packages/
for package names
* build: package: forcibly treat libc as a shared library
* docs: explain how build cache works practically
* Bump apko dep to pick up otel spans
* Fix failing test for env var wipeout
* Add failing test for env var wipeout
* add otel spans
* build(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1
* Remove use of deprecated WaitImmediate
* Add ! char to ignore.
* Add missing context propagation
* Rename index.Context to index.Index
* Rename Contexts to Builds
-------------------------------------------------------------------
Sat Oct 14 06:38:30 UTC 2023 - kastl@b1-systems.de
- Update to version 0.4.0:
* build(deps): bump github.com/opencontainers/image-spec
* add release notes for Melange 0.4.0
* build(deps): bump cloud.google.com/go/storage from 1.30.1 to
1.31.0
* build(deps): bump google.golang.org/api from 0.128.0 to 0.129.0
* appease linter for now
* update apko to 0.9.0
* build(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0
* some small UX improvements for k8s runner
* build(deps): bump github.com/package-url/packageurl-go
* update apko and go-apk to use pinned deps correctly
* build: scan subpackage pipelines for dependencies
* add a split/debug pipeline
* ensure bundles are rooted correctly
* build(deps): bump google.golang.org/api from 0.125.0 to 0.127.0
* build(deps): bump actions/checkout from 3.5.2 to 3.5.3
* add a kubernetes pod runner
* build(deps): bump docker/login-action from 2.1.0 to 2.2.0
* build(deps): bump golangci/golangci-lint-action from 3.4.0 to
3.6.0
* build(deps): bump goreleaser/goreleaser-action from 4.2.0 to
4.3.0
* add strip prefix and suffix update config for release monitor
* import apko and go-apk with better debug logging
* Switch from calling Glob to two Stats
* workflows: add wolfi-presubmit
* cli: build: fix destination variable for --apk-cache-dir
* build: PopulateCache: do not populate the cache dir when it is
empty
* fix apk caching directory
* import apko and go-apk with package caching
* Change the default for delete to false.
* pipeline: fetch: optionally delete fetched artifacts after
unpacking
* cond: allow underscores and capitalization in variable
expressions
* run tests with race detector
* warn and fallback to SOURCE_DATE_EPOCH=0 when specified but
empty
* index: use deep copy when loading pre-existing index data
* build(deps): bump github.com/lima-vm/lima from 0.14.2 to 0.16.0
* build(deps): bump actions/setup-go from 4.0.0 to 4.0.1
* index: appease linter by moving the deferred close to after the
error check
* build(deps): bump github.com/containerd/containerd from 1.6.15
to 1.6.18
* build: generate APKINDEX.json when writing packages index
* index: add WriteJSONIndex function
* index: split out the indexing logic itself to UpdateIndex
* index: WriteArchiveIndex: use destination file path as primary
input
* index: use SourceIndexFile for loading index data rather than
IndexFile
* index: factor out loading of pre-existent indices and index
state management
* index: factor out index writing into WriteArchiveIndex
* Bump apko and fix what that breaks
* add wolfictl
* upgrade alpine-lima to 3.18
* Allow uppercase and plus, allow numbers as first char
* Validate configuration at the end of parsing
* Remove secfixes and advisories altogether
* include filename when parsing fails
* Require that build config YAML has only known fields
* Refactor tests for configuration load method
* build(deps): bump google.golang.org/api from 0.119.0 to 0.123.0
* readlinkfs: implement go-apk fs.XattrFS interfaces
* Pull in the latest go-apk for xattrs support
* build(deps): bump github.com/docker/docker
* Pull in index builddate support.
* Install should first build melange binary...
* Make makefile work on Mac and Linux.
* build(deps): bump sigstore/cosign-installer from 3.0.2 to 3.0.5
* add a boolean so built in melange pipelines can be used in
subpackages as they need to write to a different target folder
* ensure range data replaces `with` options during a pipeline
* Update README.md
* Update distroless references
* default for mac is docker, not bwrap
* add extra logging when runner fails to TestUsability
* Add go vendor support to the go build pipeline.
* add multiple runner options
* use latest version of melange in lima configuration file
* Set `builddate` in our `.PKGINFO` control data.
* add field docs
* build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0
* pipelines: patch: add support for quilt patch-series files
* Add an optional "deps" paramter to the go/build pipeline.
* chore: signing issues
* chore: corrections in mac instructions
* chore: corrections in mac instructions
* build: package: skip SONAME analysis when ELF interpreter
setting is present
* Add trimpath to the go pipeline.
* update docs
* build: add support for configurable logging policies
* Add name method to build config
* build(deps): bump gitlab.alpinelinux.org/alpine/go
* move signing funcs to rely on external go-apk library
* use go-apk library instead of apko
* update alpine-go to include replaces hotfix
* simplify DataItems to use the builtin marshallable map type
* add `ignore-regex-patterns` update config to indicate you want
to ignore string patterns that match an upstream version
* add a strip-suffix: key to melange update struct to indicate
stripping a suffix from an upstream GitHub version
* bump to latest apko which handles file overwrites
* cli: build: warn when no work to do instead of throwing an
error
* build(deps): bump github.com/docker/docker
* upgrade apko to 20230421 snapshot
* build(deps): bump google.golang.org/api from 0.116.0 to 0.119.0
* build: update tests to use apko log.Logger
* build: use apko_log.Logger everywhere
* build: logger: conform to apko_log.Logger shape
* adapt to new apko logging framework
* update apko dependency to 20230420 snapshot
* update apko dependency to 20230419 snapshot
* config parsing: fix handling of filesystems
* bump test: fix panic by requiring no error
* Stop repeating errors on build command
* build(deps): bump actions/checkout from 3.5.0 to 3.5.2
* fix 403 error when melange bumping some packages,
https://www.netfilter.org for example needs it
* update apko to 20230413 snapshot
* Print full uri to debug file download errors
* Do not depend on concrete logger
* pipelines: autoconf/make-install: delete all GNU libtool
metadata files
* remove flawed test
* build: package: append subpackages to build log
* Use formatted YAML encoder from yam
* build: readlinkfs: chase apko ReadlinkFS API break
* upgrade apko snapshot to 20230411
* build(deps): bump google.golang.org/api from 0.114.0 to 0.116.0
* build(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.2
* go mod tidy again
* index: convert to using logrus
* build: package: use logrus.Entry for logging
* update apko for formatting fixes
* build: remove actualArchs variable, no longer used
* fix tests
* container: use warning level for stderr output
* pipeline: downgrade dumpWith() to use debug level
* switch to using logrus
* update to apko git
* feat: send useragent in HTTP requests
* export mutate functions as these are very useful to be called
outside of the build package
* warn if target-architecture:['all'], remove from examples
* feat: respect target-architecture to filter archs
* index: rework architecture filtering
* update docs
* build(deps): bump actions/add-to-project from 0.4.1 to 0.5.0
* cli: index: add --arch flag
* index: print warning and skip packages which do not match the
expected architecture
* index: add ExpectedArch to index.Context
* add a `update.manual:` key to indicate a package should be
manually updated
* fix: log package new names+versions when regenerating index
* make original test commit sha different from the new expected
sha to ensure test works
* melange bump: optional flag to modify git-checkout pipeline
expected-commit value
* Bump apko to pick up busybox detection fix.
* Fix goreleaser cosign flags
* package: allow any library which has a SONAME to be a provider
* build: fix SBOM language gathering for subpackage pipelines
* package: ensure the package output directories always exist for
scanning
* build: introduce Context.IsBuildLess and skip a lot of
setup/teardown for buildless packages
* build: allow a package to be defined without a pipeline
* Add darwin goreleaser target (macOS)
* fix build
* release image after the binary
* update makefile
* cleanup goreleaser and ko config
* clean up, update version comments for ci jobs
* upgrade to use go1.20
* upgrade alpine pkgs lima
-------------------------------------------------------------------
Mon Apr 03 12:43:01 UTC 2023 - kastl@b1-systems.de
- Update to version 0.3.2:
* Fix goreleaser cosign flags, add NEWS for melange 0.3.2
* add NEWS for melange 0.3.1
* package: allow any library which has a SONAME to be a provider
* Add darwin goreleaser target (macOS)
* update NEWS for melange 0.3.0.
* update to apko 0.7.3 release
* pipelines: fetch: use wget quiet mode
* build: check for signing key existence before using it
* build: package: do not add interpreter dependency when
no-depends option is enabled
* docs: fix baseurl for melange reference in generated docs
* directly parse configuration for query
* add query and package-version commands
* build: use realpath to determine cache dir bindmount source
* refresh docs for --cache-source
* cli: add --cache-source option
* build: use CacheSource to define the bucket to pull cached
sources from
* build: change default cache directory to ./melange-cache
* build: add CacheSource option to context
* Hookup user and accounts in the environment.
* build(deps): bump cloud.google.com/go/storage from 1.30.0 to
1.30.1
* build(deps): bump google.golang.org/api from 0.113.0 to 0.114.0
* build(deps): bump actions/checkout from 3.3.0 to 3.5.0
* refresh docs
* cli: build: add --debug flag
* build: pipeline: if Context.Debug is enabled, add set -x to all
pipelines
* build: add Debug option to Context
* build: use cond.Subst instead of replacers
* cond: subst: variable names can have dashes
* cond: subst: add goparsify-based variable substitution
implementation
* cond: parser: test: add variable lookup with whitespace test
* parser: use newer fork of goparsify
* add codeowners
* add Update struct for identifying how a melange package can be
updated
* add `var-transforms` for manipulation of variables using
regular expressions
* pipelines: git-checkout: use tempdir for doing the initial
clone
* pipelines: git-checkout: mark clone directory as a safe
directory for git
* update ruby pipelines with usability features
* add an optional flag to generate a packages.log containing list
of packages + subpackages that were actuall built by `melange
build`
* Try to fix a strange index generation bug.
* build(deps): bump actions/setup-go from 3.5.0 to 4.0.0
* container: fixes to handle /sbin/ldconfig not being present,
e.g. on musl
* container: run ldconfig when bringing up a build environment
* update to latest apko git
* build(deps): bump google.golang.org/api from 0.111.0 to 0.113.0
* build(deps): bump cloud.google.com/go/storage from 1.29.0 to
1.30.0
* update apko to latest git
* pipeline: only run mkdir -p if absolutely needed
* build(deps): bump github.com/go-git/go-git/v5 from 5.6.0 to
5.6.1
* update docs
* run go mod tidy
* pkg: convert: fix tests to use upstream ImageContents type
* build: package: use internal readlinkFS, old apko fs package
was deprecated
* build: add minimal internal readlinkfs implementation
* convert: use upstream ImageContents type, added in apko 0.7.0
* build: use normal os.DirFS for filesystem walking
* upgrade to apko 0.7.2 git
* build: remove --use-proot option
* lint
* move convert related packages under convert as subpackages
* container: bubblewrap runner: use --new-session to mitigate
CVE-2017-5226
* autoconf: always define the GNU host and build triplets in
configure step
* update docs
* add more context for the experimental commands
* add shell completion and move common flags to top level
* move wolfios to its own package
* add same convert options to higher leve
* fix lint and tests
* fix tests
* add convert subcommand
* docs: ensure docs are up to date in CI
* add melange docs
* change --out-dir to not depend on cwd
* accept dependabot's GPG key for commit signing CI check
* package: only use base soname when generating runtime
dependencies across symlinks
* build(deps): bump github.com/stretchr/testify from 1.8.1 to
1.8.2
* add omitempty to some fields
* build(deps): bump google.golang.org/api from 0.110.0 to 0.111.0
* build(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to
5.6.0
* build(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1
* remove self-provided dependencies from the runtime dependency
set
* build(deps): bump github.com/openvex/go-vex
* build: package: dereference symlinks across packages and read
the real DT_SONAME instead of guessing
* build: configuration: add support for variable substitution in
more places
* apply refactoring suggestions from go linter
* build: also apply if-conditionals when generating the package
index
* build: also apply subpkg if-conditionals when emitting packages
and SBOMs
* examples: add example outlining the new option-related features
* build: implement if-conditionals for subpackages
* build: pipeline: add option enabled variables
* build: build option: patch the variables and environment
configuration
* build: use BuildOption.Apply to apply configuration patches
from build options
* build: build_option: add Apply stub
* cli: build: add --build-option to configure the enabled build
options
* build: add WithEnabledBuildOptions context option
* build: add BuildOptions map to Configuration
* build: add BuildOption types
* package: ensure we are operating only on a basename when
generating symlink deps
* package: detect shared library dependencies for .so symlinks
* build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
* build(deps): bump google.golang.org/api from 0.109.0 to 0.110.0
* Add ruby pipelines for gem install, build and clean
* build: package: add support for defining "replaces"
relationships
* package: findInterpreter: chop trailing nul from interpBuf
* package: deal with musl interpreter being a symlink back to
itself
* package: ensure PT_INTERP is always added as an explicit
dependency
* build(deps): bump github.com/docker/docker
* build(deps): bump github.com/joho/godotenv from 1.4.0 to 1.5.1
* build(deps): bump google.golang.org/api from 0.108.0 to 0.109.0
* build(deps): bump github.com/docker/docker
* git-checkout: fix tags
* use merge option to speed up apkindex generation when build
* just warn if no branch or tag specified
* build(deps): bump goreleaser/goreleaser-action from 4.1.0 to
4.2.0
* build(deps): bump github.com/google/go-containerregistry
* Revert "Generate build environment SBOM"
* add expected-commit to git-checkout
* Update README to mention wolfi.
* cli: add --vars-file option to support loading build variables
from an external source
* build: add WithVarsFile and WithVarsFileForParsing options
* examples: add variable substitution example
* pipeline: handle ${{vars}} block as expected
* build: add variables block to build configuration struct
* build(deps): bump cloud.google.com/go/storage from 1.28.1 to
1.29.0
* examples: add working-directory example
* pipeline: ensure the working-directory is created before using
it
* pipeline: propagate WorkDir to subpipelines
* pipeline: set working directory when evaluating pipeline "runs"
entries
* build: add Pipeline.WorkDir definition
* build(deps): bump google.golang.org/api from 0.107.0 to 0.108.0
* build(deps): bump github.com/docker/docker
* build(deps): bump golangci/golangci-lint-action from 3.3.1 to
3.4.0
* go mod tidy to drop chainguard/vex
* Switch VEX dependency to openvex
* allow provider priority to be configured
* build(deps): bump google.golang.org/api from 0.106.0 to 0.107.0
* Wire logger from SBOM generator to impl
* Escape invalid identifier chars
* Fix build sbom name in subpackages
* Fix bug where package verification was wrong
* build sbom: Add relationships to produced SBOMs
* Update protobom to support dl location
* Build SBOM: Generate package with apks
* Trigger build SBOM generation, reuse write
* Passs guest directory to sbom spec
* Refactor SBOM spec for reuse
* Add ReadPackageIndex to gen implementation
* Add GenerateBuildEnvSBOM fn to SBOM generator
* Update Lima link
* update apko dependency to latest
* bump apko dependency
* pipelines: autoconf/configure: fix sysconfdir
* upgrade apko dependency to latest git
* build(deps): bump github.com/go-git/go-git/v5 from 5.5.1 to
5.5.2
* build(deps): bump google.golang.org/api from 0.105.0 to 0.106.0
* build(deps): bump actions/checkout from 3.2.0 to 3.3.0
* bump apko to latest git again for keyring fix
* fix typo
* index gen: Add loop throttle, mutex
* close lingering file descriptor
* sbom: handle spdxPkg.VerificationCode being a pointer in apko
git
* chase PublishImageFromLayer API change in apko
* update apko dependency to latest git for armv6/armv7 triplet
fixes
* go/install: also require git (#239)
* use lima to use melange on mac
* Advisories: Require pkg version for fixed status (#237)
* Parallel processing of packages.
* Make packageurl-go import direct
* add --namespace option to build subcommand
* SBOM: Generate purls for built packages
* Add namespace and arch fields to SBOM spec
* Drop distro qualifier from purls
* Add Go pipelines documentation
* Revamp go examples to use both pipleines
* New go/install pipeline
* go/build: Support changing module root
* Bump vex (#231)
* Remove extra field
* Add advisories and purls
* Export functionality for config parsing (#229)
* Apko devenv README
* Melange development environment
-------------------------------------------------------------------
Sun Mar 19 14:09:23 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- new package melange: Build APKs from source code