melange/melange.changes

1826 lines
74 KiB
Plaintext

-------------------------------------------------------------------
Wed Oct 16 07:52:03 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.13.6:
* run `make generate`
* rename exported GetTagFilterPrefix and GetTagFilterContains
functions to be normalized GetFilterPrefix and GetFilterPrefix
* update config: add version filter prefix and contains to
release monitor config block so implementations can perform the
same behaviour as git and github configs
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace
* build(deps): bump google.golang.org/api from 0.199.0 to 0.200.0
* build(deps): bump the actions group with 2 updates
* build(deps): bump go.opentelemetry.io/otel/sdk from 1.30.0 to
1.31.0
* build(deps): bump the gomod group with 4 updates
* pipelines: fix split/debug
-------------------------------------------------------------------
Sun Oct 13 18:08:10 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.13.5:
* Enable pc file dependencies
* generateRuntimePkgConfigDeps: only do so for public .pc, not
vendored
* Improve some config parsing errors
-------------------------------------------------------------------
Fri Oct 11 09:25:44 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.13.4:
* Revert "sca: Properly detect .so files as deps"
* Revert "sca: check if runtime dependencies are vendored"
-------------------------------------------------------------------
Fri Oct 11 09:19:23 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.13.3:
* cmake: switch from MinSizeRel to Release
-------------------------------------------------------------------
Fri Oct 11 09:13:44 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.13.2:
* fix: pc provides
* build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0
-------------------------------------------------------------------
Fri Oct 11 09:11:28 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.13.1:
* tidy
* build(deps): bump cloud.google.com/go/storage from 1.43.0 to
1.44.0
* build(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0
* build(deps): bump github.com/chainguard-dev/yam in the gomod
group
* build(deps): bump the actions group with 2 updates
* sca: check if runtime dependencies are vendored
-------------------------------------------------------------------
Sun Oct 06 08:01:56 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.13.0:
* Fix typo in README
* test: Fix typo
* Added additional documentation for package version selection
* sca: Properly detect .so files as deps
* Adjust an e2e-test that made a bad assumption.
* update the docs
* add --cleanup flag (default true)
* build(deps): bump github.com/chainguard-dev/yam from 0.1.1 to
0.2.0
* build(deps): bump google.golang.org/api from 0.198.0 to 0.199.0
* build(deps): bump actions/checkout in the actions group
* Support string replacement in ImageContents
* build(deps): bump the gomod group with 5 updates
* git-checkout: support scheduled updates
* sca: never emit libcuda.so.1 runtime dep
* Add table of contents
* Add pipeline markdown reference markdown generator.
* feat(melange): Add sub for output directory
-------------------------------------------------------------------
Sat Sep 21 16:30:34 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.12.1:
* build(deps): bump github.com/docker/cli
* build(deps): bump github.com/docker/docker
* build(deps): bump the gomod group with 2 updates
* build(deps): bump chainguard.dev/apko from 0.18.1 to 0.19.1
* sca: remove set but never used variable
* update_config: expose function to get valid schedule messages
* Add uses and name to slog values
* Include subpackage name in slog values
* Only read the first line for shbang.
* pombump: add flag to display the dependency tree
* build(deps): bump dagger.io/dagger from 0.12.7 to 0.13.0
* build(deps): bump step-security/harden-runner in the actions
group
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace
* build(deps): bump the gomod group with 2 updates
* keygen: reject bit size < 4096
* cleanup: remove some direct imports of charm log
-------------------------------------------------------------------
Sat Sep 14 15:42:45 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.12.0:
* Upgrade to new hash-agnostic APIs for sign and verify
* Upgrade to apko v0.18.0
* index: stop writing APKINDEX.json
* update to go1.23.1
* build(deps): bump google.golang.org/api from 0.195.0 to 0.196.0
* build(deps): bump golang.org/x/crypto from 0.26.0 to 0.27.0
* build(deps): bump the gomod group with 2 updates
* pipelines/ruby: remove signing_key by default
* config: Whack more moles for string replacement
* install go
* lint
* upgrade to golang 1.23
-------------------------------------------------------------------
Sat Sep 14 15:36:42 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.11.6:
* adds git checkout fetch,update,test and yams the melange
apkbuild yamls
-------------------------------------------------------------------
Sat Sep 14 15:33:26 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.11.5:
* fix(split pipelines): Don't split lib64 libraries
-------------------------------------------------------------------
Sat Sep 14 15:27:45 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.11.4:
* fix(split pipelines): Check package was defined, not package
directory
* fix(split/dev): Support for /usr/local
* fix(split pipelines): Add support for lib64
* fix(split pipelines): Use package name instead of package dir,
use exact paths
* Update dev.yaml
* feat(pipelines/split): Support overriding source package
directory
* build(deps): bump dagger.io/dagger in the gomod group
* build(deps): bump actions/upload-artifact in the actions group
-------------------------------------------------------------------
Sat Sep 14 15:18:12 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.11.3:
(0.11.2 is the same commit hash as 0.11.1):
* fix(sca): Correctly check for existing Ruby runtime dependency
by @EyeCantCU in #1387
* build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 in the
actions group by @dependabot in #1378
* build(deps): bump google.golang.org/api from 0.187.0 to 0.188.0
by @dependabot in #1382
* build(deps): bump github.com/google/go-containerregistry from
0.19.2 to 0.20.1 by @dependabot in #1392
* build(deps): bump step-security/harden-runner from 2.8.1 to
2.9.0 in the actions group by @dependabot in #1391
* build(deps): bump the gomod group across 1 directory with 2
updates by @dependabot in #1390
* build(deps): bump dagger.io/dagger from 0.11.9 to 0.12.1 by
@dependabot in #1389
* build(deps): bump github.com/docker/cli from
27.0.3+incompatible to 27.1.0+incompatible by @dependabot in
#1397
* Expose ignoreSignatures functionality by @Kevin-Molina in #1375
* build(deps): bump github.com/docker/docker from
27.0.3+incompatible to 27.1.0+incompatible by @dependabot in
#1396
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0 in
the actions group by @dependabot in #1398
* build(deps): bump google.golang.org/api from 0.188.0 to 0.189.0
by @dependabot in #1401
* fix: ignore resource requests for the docker runner by
@imjasonh in #1403
* build(deps): bump dagger.io/dagger from 0.12.1 to 0.12.2 in the
gomod group by @dependabot in #1400
* Bump apko dependency by @mattmoor in #1404
* fix ruby sca by @xnox in #1410
* Add HOME=/root to default test environment. by @smoser in #1408
* build(deps): bump the gomod group with 4 updates by @dependabot
in #1405
* update config: provide configuration to describe polling and
schedules by @rawlingsj in #1412
* build(deps): bump the gomod group with 2 updates by @dependabot
in #1416
* build(deps): bump google.golang.org/api from 0.189.0 to 0.190.0
by @dependabot in #1419
* build(deps): bump the actions group with 2 updates by
@dependabot in #1415
* build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 by
@dependabot in #1418
* build(deps): bump golang.org/x/time from 0.5.0 to 0.6.0 by
@dependabot in #1417
* build(deps): bump golang.org/x/sys from 0.22.0 to 0.23.0 by
@dependabot in #1420
* update config: replace recently added polling with git struct
by @rawlingsj in #1421
* build(deps): bump github.com/google/go-containerregistry from
0.20.1 to 0.20.2 in the gomod group by @dependabot in #1423
* build(deps): bump golang.org/x/text from 0.16.0 to 0.17.0 by
@dependabot in #1424
* build(deps): bump google.golang.org/api from 0.190.0 to 0.191.0
by @dependabot in #1426
* build(deps): bump golang.org/x/sys from 0.23.0 to 0.24.0 by
@dependabot in #1428
* move 'adding package %q for pipeline %q' to debug logging by
@imjasonh in #1429
* don't depend on apko's custom log package by @imjasonh in #1430
* build(deps): bump github.com/chainguard-dev/yam from 0.0.13 to
0.1.0 by @dependabot in #1431
* Feat/qemu runners by @89luca89 in #1386
* Attempt to fix qemu ci by @jonjohnsonjr in #1434
* build(deps): bump the actions group with 3 updates by
@dependabot in #1432
* Centralize sca options handling by @jonjohnsonjr in #1433
* Add test to catch duplicate package names by @jonjohnsonjr in
#1439
* build(deps): bump the gomod group with 4 updates by @dependabot
in #1437
* build(deps): bump google.golang.org/api from 0.191.0 to 0.192.0
by @dependabot in #1438
* move 'found pipeline' log message to debug by @imjasonh in
#1440
* melange convert python: use normalized names by @pnasrat in
#1441
* Bump apko to get chainctl auth error log by @jonjohnsonjr in
#1442
* Replace "needs" in range pipelines by @jonjohnsonjr in #1445
* docs: Add information on the repository used with the git
update configuration option by @philroche in #1447
* Refactor parts of the ParseConfiguration by @jonjohnsonjr in
#1446
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace from
1.28.0 to 1.29.0 by @dependabot in #1455
* build(deps): bump google.golang.org/api from 0.192.0 to 0.194.0
by @dependabot in #1452
* config: Replace pipelines at top level by @jonjohnsonjr in
#1456
* refactor(sbom): cleanup, simplify, and document code by
@luhring in #1458
* More SBOM logic improvements by @luhring in #1459
* build(deps): bump github.com/docker/cli from
27.1.2+incompatible to 27.2.0+incompatible by @dependabot in
#1461
* build(deps): bump google.golang.org/api from 0.194.0 to 0.195.0
by @dependabot in #1463
* build(deps): bump github.com/docker/docker from
27.1.2+incompatible to 27.2.0+incompatible by @dependabot in
#1462
* build(deps): bump dagger.io/dagger from 0.12.5 to 0.12.6 in the
gomod group by @dependabot in #1465
* chore(cargo/build): Allow changing install dir, add busybox by
@EyeCantCU in #1466
* sca: add support for more go fips toolchains by @xnox in #1471
* sca: make pc: provides/vendored use full package version by
@xnox in #1467
-------------------------------------------------------------------
Fri Jul 19 05:38:35 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.11.1:
* feat(sca): Generate dependency on Ruby when building gems
-------------------------------------------------------------------
Tue Jul 16 20:19:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.11.0:
* Apply variables to workdir within a range
* Add update.exclude-reason field.
* fix(pipelines): Use contextdir instead of destdir in a few
places
* remove defunct reference to k8s runner
* drop extra generate
* update Makefile
* drop make generate from verify.yaml
* drop allowedPrefixes
* don't SCA-generate so: provides for libs not directly in lib
dirs
* drop lima runner
* fix bug, test passes
* short circuit analyze on no-provides (demonstrate bug?)
* fail on diff
* go generate in e2e testS
* better SCA e2e tests
* try this
* try this
* another fix
* default key name
* unexport more
* drop example
* refactor Keygen opts to a struct
* fix(cargo/build): test for non-zero length
-------------------------------------------------------------------
Wed Jul 10 16:55:40 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.10.4:
* expose keygen options
* build(deps): bump google.golang.org/grpc in the go_modules
group
* Fix env overrides for interactive builds
* python/pipelines - resolve symlink to full path.
* python/import pipeline - find python3.7, python3.8, python3.9
* python/import - fix a bug in 'imports', do not require
specifying python
* var-transforms: support var transform substitions across
runtimes and provides and tests
* build(deps): bump the gomod group with 2 updates
* build(deps): bump the actions group with 2 updates
* build(deps): bump cloud.google.com/go/storage from 1.42.0 to
1.43.0
* build(deps): bump chainguard.dev/apko
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace
* build(deps): bump golang.org/x/sys from 0.21.0 to 0.22.0
* build(deps): bump google.golang.org/api from 0.186.0 to 0.187.0
-------------------------------------------------------------------
Wed Jul 10 07:28:05 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.10.3:
* group dependabot updates
* bump golangci-lint to v1.59.x
* bump to go1.22.5
-------------------------------------------------------------------
Wed Jul 10 07:22:15 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.10.2:
* goreleaser: make skip value configurable
* goreleaser pipeline: --skip flag refactor
* build(deps): bump github.com/chainguard-dev/yam from 0.0.9 to
0.0.10
* build(deps): bump google.golang.org/api from 0.185.0 to 0.186.0
-------------------------------------------------------------------
Wed Jul 03 19:01:03 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.10.1:
* update unit test
* support var-transforms in subpackage names
* go mod tidy
* no typo
* use apko Authenticator
* Revert "Use current user's ID when building via Docker"
* build(deps): bump github.com/docker/docker
* build(deps): bump dagger.io/dagger from 0.11.6 to 0.11.9
* build(deps): bump github.com/docker/cli
* Update import.yaml
* add tests, fix up script
* add tests, fix up script
* wolfictl bump : handled mangled vars in updateGitCheckout tags
* Fix ${{host.triplet.rust}} default value
* Add opts to make-install pipeline
* Fail on invalid pipeline inputs
* python/import pipeline allow setting python binary
-------------------------------------------------------------------
Wed Jul 03 16:33:34 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.10.0:
* debug: Populate history file via mounts
* Add git-cherry-pick pipeline (#1278)
* convert some Infofs to Warnfs
* log it real good
* log the world-writeable file
* update docs
* enforce some more lint checks
* fix stupid bug in linter logging
* Restore signalcontext
* feat - add flag to go/build to run go mod tidy (#1303)
* prevent nil pointer
* update schema.json
* stable sorted defaults
* fix lint findings
* prevent nil pointer
* fix test
* fix tests
* review feedback
* some small improvements
* rewrite linting
* build(deps): bump github.com/chainguard-dev/yam from 0.0.8 to
0.0.9
* build(deps): bump ko-build/setup-ko from 0.6 to 0.7
* fix tempdir linter
* git-checkout - do not allow both branch and tag to be
specified.
* build(deps): bump google.golang.org/api from 0.184.0 to 0.185.0
* build(deps): bump github.com/github/go-spdx/v2 from 2.2.0 to
2.3.1
* build(deps): bump github.com/chainguard-dev/clog from 1.3.1 to
1.4.0
* lint: support linting existence of info dirs
* Make melange-test-pipelines call make test-e2e
* Make running the git-checkout via melange not emit WARN
messages.
* Clean up git-checkout-build-test.yaml, fix depth test.
* create-git-repo more standalone config, do not write to stderr
* Rename test-git-checkout and put create-git-repo in
test-fixtures.
* Add test-e2e target to Makefile
* Run make docs-repo
* compile: Fix miscompilation of subpkg tests
* Pipelines should inherit workdir from parents
* git-checkout: fix recurse='true' does nothing
* Use current user's ID when building via Docker
* Add test for PreserveBaseURI
* Add flag to preserve original PyPi URIs
-------------------------------------------------------------------
Wed Jun 19 04:44:58 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.9.0:
* Quote issues when evaluating the depth condition by @dakaneye
in #1268
* build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.11 to
2.5.14 in the go_modules group by @dependabot in #1271
* test: Drop seemingly useless mkdir -p by @jonjohnsonjr in #1276
* Remove dead tarfilter code by @jonjohnsonjr in #1279
* Add build flag to override host libc flavor by @jonjohnsonjr in
#1270
* Separate compilation from execution by @jonjohnsonjr in #1267
* Remove build.PipelineBuild as a concept by @jonjohnsonjr in
#1280
* Remove ability to set logging policy by @krishjainx in #1274
* unbreak build at head from log policy removal by @k4leung4 in
#1288
* build(deps): bump chainguard.dev/apko from 0.14.8 to 0.14.9 by
@dependabot in #1282
* build(deps): bump github.com/klauspost/compress from 1.17.8 to
1.17.9 by @dependabot in #1286
* build(deps): bump k8s.io/apimachinery from 0.30.1 to 0.30.2 by
@dependabot in #1287
* build(deps): bump google.golang.org/api from 0.183.0 to 0.184.0
by @dependabot in #1285
* build(deps): bump cloud.google.com/go/storage from 1.41.0 to
1.42.0 by @dependabot in #1284
* Populate history for --interactive builds by @jonjohnsonjr in
#1289
* chore(autoconf/configure): Generate configuration with
autoreconf when configuration doesn't exist by @EyeCantCU in
#1290
* Check for nil everywhere in Compile by @jonjohnsonjr in #1292
* stop using deprecated flags for goreleaser by @k4leung4 in
#1269
* git-checkout - try harder if getting hash from tag fails. by
@smoser in #1277
* build(deps): bump actions/checkout from 4.1.6 to 4.1.7 by
@dependabot in #1293
* build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by
@dependabot in #1294
* build(deps): bump github.com/chainguard-dev/yam from 0.0.7 to
0.0.8 by @dependabot in #1295
* build(deps): bump github.com/google/go-containerregistry from
0.19.1 to 0.19.2 by @dependabot in #1296
* Fix missing commit in ranged subpackages by @jonjohnsonjr in
#1304
* melange numpy test include python-3.12 by @pnasrat in #1308
* add go/bump as a default pipeline by @willswire in #1058
* Bump apko to v0.15.0 by @jonjohnsonjr in #1309
-------------------------------------------------------------------
Tue Jun 11 05:36:09 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.8.6:
* build(deps): bump step-security/harden-runner from 2.8.0 to
2.8.1
* Add ${{build.goarch}} substitution
* fix: error out when pipeline contains with but no uses
* Remove depth option from git clone if inputs.depth is set to -1
-------------------------------------------------------------------
Fri Jun 07 19:34:23 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.8.5:
* Add a new property that defaults to pom.xml and allows an
override so we can call multiple uses: maven/pombump and pass
in the somewhere-else/pom.xml
* go/build: remove subpackage input
-------------------------------------------------------------------
Fri Jun 07 19:30:47 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.8.4:
* build(deps): bump chainguard.dev/apko
* Drop go-apk to pull in faster pkginfo access
* build(deps): bump google.golang.org/api from 0.182.0 to 0.183.0
* build(deps): bump golang.org/x/sys from 0.20.0 to 0.21.0
* build(deps): bump golang.org/x/text from 0.15.0 to 0.16.0
* update schema
* support HTTP auth
* order
* fix
* doc
* ordering
* bump go and lint
* build(deps): bump chainguard.dev/apko from 0.14.3 to 0.14.7
* build(deps): bump dagger.io/dagger from 0.11.4 to 0.11.6
* build(deps): bump google.golang.org/api from 0.181.0 to 0.182.0
* build(deps): bump docker/login-action from 3.1.0 to 3.2.0
* Drop version from .PKGINFO
* Speed up presubmit
* Add --env-file to melange test
-------------------------------------------------------------------
Thu May 30 11:00:34 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.8.3:
* Disallow duplicate subpackage names
-------------------------------------------------------------------
Thu May 30 10:43:53 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.8.2:
* build(deps): bump chainguard.dev/apko
* build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.10.0
to 0.10.1
* tests: add range priority replacement tests
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace
* build(deps): bump actions/checkout from 4.1.4 to 4.1.6
* build(deps): bump step-security/harden-runner from 2.7.1 to
2.8.0
* schmea: validate priority integer strings, and update schema
comment
* Add ReplacesPriroity like ProviderPriority, and allow
substitutions
-------------------------------------------------------------------
Wed May 22 19:38:50 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.8.1:
* Avoid panic if no external config file ref
* Verify wolfictl scan works
* githuib: Fixup melange configfile test case
* sbom: add support for generic git-checkout urls
* github: add SBOM external ref checks
* sbom: add external ref ConfigFile itself
* lint
* externalRefs: implement github git-checkout
* Generate fully qualified and normalized PURLs straight away
* Style review comments
* sbom: include external refs for fetched tarballs in SPDX
-------------------------------------------------------------------
Wed May 22 17:35:58 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.8.0:
* Fix typo in README
* build(deps): bump actions/checkout from 4.1.4 to 4.1.6
* generate
* gofmt
* upgrade to new apko
* Fix camel-case after review
* kill k8s e2e test
* delete k8s runner impl
* copyright: allow custom license texts
* go.mod: upgrade everything
* build(deps): bump goreleaser/goreleaser-action from 5.0.0 to
5.1.0
* build(deps): bump golangci/golangci-lint-action from 5.3.0 to
6.0.1
-------------------------------------------------------------------
Tue May 14 19:35:43 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.7.0:
* Find shbangs to generate depends by @smoser in #1110
* presubmit: remove gdk-pixbuf by @imjasonh in #1143
* Revert "presubmit: remove gdk-pixbuf" by @imjasonh in #1147
* verify SPDX SBOMs using spdx-tools-java by @imjasonh in #1146
* Fix sca detection case for env with multiple arguments. by
@dlorenc in #1148
* Update shbang collection to ignore 'python' and support simple
'env -S'. by @smoser in #1159
* ensure shbang check only checks valid shbangs by @joshrwolf in
#1160
* config: allow scriplets in subpackages with range replacements
by @xnox in #1165
* Drop -release from pc versions by @jonjohnsonjr in #1173
* fix(cargo): Install all built binaries if output isn't defined
by @EyeCantCU in #1174
* sbom: set supplier in addition to originator by @imjasonh in
#1184
* Add melange scan by @jonjohnsonjr in #1175
* Bump go-apk by @jonjohnsonjr in #1185
* add global --gcplog flag to emit GCP-compatible JSON logs by
@imjasonh in #1186
* pipelines/go: add back symbols tables by @xnox in #1142
* Only consider that are in a PATH dir from generateCmdProviders
by @smoser in #1164
* Allow symlinks to provide cmd: by @smoser in #1188
* Extract melange sign to a library by @tcnghia in #1198
* Revert "Allow symlinks to provide cmd:" by @joshrwolf in #1200
* Bump apko by @jonjohnsonjr in #1201
* Make unit tests faster by @jonjohnsonjr in #1202
* Add buildmode to go/build by @jonjohnsonjr in #1210
* lots of updates for build dependencies
-------------------------------------------------------------------
Tue Apr 09 06:26:37 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.11:
* build(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace
* build(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0
* build(deps): bump go.opentelemetry.io/otel/sdk from 1.24.0 to
1.25.0
* build(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1
* build(deps): bump github.com/chainguard-dev/yam from 0.0.2 to
0.0.3
* bump docker
* build(deps): bump dagger.io/dagger from 0.10.2 to 0.11.0
* build(deps): bump cloud.google.com/go/storage from 1.39.1 to
1.40.0
* Ensure configuration file is closed
* sca: add go-fips-bin runtime deps
* sca: add go-fips-bin test case
* build(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to
5.12.0
* build(deps): bump google.golang.org/api from 0.171.0 to 0.172.0
-------------------------------------------------------------------
Sat Mar 30 10:14:00 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.10:
* chore: CRAN -> R
* docs(cran): Add build pipeline
* fix(cran): Support passing source dir as package
* chore(cran): Remove (now known) redundant fetch/install
pipelines
* feat(pipelines): Add support for fetching, building, and
installing R packages from CRAN
* Change dependency for python to be python-Maj.Min-base.
* build(deps): bump google.golang.org/api from 0.170.0 to 0.171.0
* build(deps): bump github.com/docker/cli
* build(deps): bump github.com/charmbracelet/log
* skip mounting resolv.conf for the docker runner
* build(deps): bump github.com/docker/docker
* Propagate user from image configuration
* build(deps): bump cloud.google.com/go/storage from 1.39.0 to
1.39.1
* build(deps): bump github.com/google/go-containerregistry
* build(deps): bump docker/login-action from 3.0.0 to 3.1.0
* build(deps): bump actions/checkout from 4.1.1 to 4.1.2
* build(deps): bump github.com/kubescape/go-git-url from 0.0.28
to 0.0.30
* build(deps): bump google.golang.org/api from 0.169.0 to 0.170.0
* build(deps): bump dagger.io/dagger from 0.10.1 to 0.10.2
* Switch to new octo-sts action (#1088)
* Move "executing:" logging to debug
* Keep symbols tables for fips builds
* Fix quotes
* pipelines/go: prefer to use netgo and osusergo by default
* pipelines/go/install: also trimpath like build
* pipelines/go: Strip by default
* pipelines/go: bump GOAMD64 to v2
* pipelines/go: allow setting microarchitecture level settings
* Update pkg/build/pipeline.go
* open debug session in the specific workdir
* Add Harden Runner audit configs
* appease linter
* build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.9.0
to 0.10.0
* build(deps): bump google.golang.org/api from 0.168.0 to 0.169.0
* build(deps): bump github.com/kubescape/go-git-url from 0.0.27
to 0.0.28
* feat(pipelines): Add cargo build for rust packages
* WIP: remove files from SBOM
* Bump apko
* document builtin substitutions
* build(deps): bump gitlab.alpinelinux.org/alpine/go
* fix test.environment jsonschema struct tag
-------------------------------------------------------------------
Sun Mar 17 08:04:49 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.9:
* build(deps): bump google.golang.org/api from 0.166.0 to 0.168.0
* build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0
* build(deps): bump dagger.io/dagger from 0.9.10 to 0.10.1
* Fix the bug in dropping the suffix.
* Drop WaitDelay from bubblewrap
* build(deps): bump actions/download-artifact from 4.1.2 to 4.1.4
* build(deps): bump github.com/stretchr/testify from 1.8.4 to
1.9.0
* build(deps): bump cloud.google.com/go/storage from 1.38.0 to
1.39.0
-------------------------------------------------------------------
Sun Mar 17 08:00:25 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.8:
* Update pombump.yaml
-------------------------------------------------------------------
Sun Mar 17 07:51:04 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.7:
* Rename the default bump file name.
-------------------------------------------------------------------
Sun Mar 17 07:45:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.6:
* Add ${{cross.triplet.rust.[glibc,musl]}}
* Add pombump pipeline.
-------------------------------------------------------------------
Sun Mar 17 07:35:28 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.5:
* Fix resource usage in melange
* Fix job control with interactive bubblewrap
* build(deps): bump github.com/chainguard-dev/yam from 0.0.1 to
0.0.2
* build(deps): bump
go.opentelemetry.io/otel/exporters/stdout/stdouttrace
* build(deps): bump go.opentelemetry.io/otel/sdk from 1.23.1 to
1.24.0
* build(deps): bump cloud.google.com/go/storage from 1.37.0 to
1.38.0
* Bump apko
* Fix typo in error message
* build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1
* build(deps): bump actions/download-artifact from 4.1.1 to 4.1.2
* build(deps): bump golangci/golangci-lint-action from 3.7.0 to
4.0.0
-------------------------------------------------------------------
Sat Feb 24 09:01:37 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.4:
* Fix the yaml file so that it actually gets parsed properly.
* Propagate SourceDateEpoch from Build
-------------------------------------------------------------------
Sat Feb 24 08:57:02 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.3:
* Don't write APK to temp file during signing
-------------------------------------------------------------------
Tue Feb 20 20:40:47 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.2:
* Add --package-append flag to build
* apply package substitutions in
test.emvironment.contents.packages
* change docker runner labels
* label containers created by docker runner for easier external
management
* Add a --trace flag to melange build
* Add dagger runner
-------------------------------------------------------------------
Thu Feb 15 06:14:16 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.1:
* omit arch log key when building one arch
* Remove breakpoint labels
* Clean up apko-temp dirs
* Remove images even with cancelled ctx
* Fix context.Background use
* Allow substitutions in dependencies.replaces
* doc: add diff pr
* docs: add version-transform doc and other example to
var-transform
-------------------------------------------------------------------
Sat Feb 10 07:07:57 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.6.0:
* Split pkg/container up into smaller packages
* Mostly fix interactive interrupt signal handling
* Do more cleanup with --rm
* Continue interactive execution on exit 0
* go fmt
* update dario/mergo
* move runner determination to pkg/cli
* Make debugging melange builds less terrible
* fix go-build example
* Make it easier to find docs-repo on ci failure
-------------------------------------------------------------------
Thu Feb 08 20:06:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.10:
* Add --die-with-parent to bwrap flags
* fix bug with needs
* move some logs to debug
* Update build.yaml
* Update install.yaml
* Add GOEXPERIMENT to go/build
-------------------------------------------------------------------
Wed Feb 07 07:34:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.9:
* use apko@main
* WIP: use charm logger
* Add WaitDelay to bubblewrap cmd
* Split options into separate files
* Cancel context on interrupt signal
* build(deps): bump github.com/docker/docker
* build(deps): bump cloud.google.com/go/storage from 1.36.0 to
1.37.0
* build(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0
-------------------------------------------------------------------
Tue Feb 06 17:36:29 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.8:
* Add --rm flag (and options) to Build
* Respond to cancelled context while streaming logs
* Don't use goroutines for monitoring logs
* If arch is not specified, test all.
* Add Close() method to container runners
* use slogtest
* eliminate some more logger invocations
* Fix race condition in log monitoring
* Exclude "com.docker.grpcfuse.ownership" xattr
-------------------------------------------------------------------
Sat Feb 03 17:40:41 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.7:
* Pass the correct env.env to the container.
* test: skip when executing on an unsupported arch
* melamge bump: only update expected commit shas for the main
git-checkout
* stop logging tons of "detected git commit for build
configuration" when parsing melage config
* Embed melange version in .PKGINFO
* Fix missing no-depends check
* build(deps): bump google.golang.org/api from 0.154.0 to 0.161.0
* build(deps): bump github.com/kubescape/go-git-url from 0.0.26
to 0.0.27
* build(deps): bump github.com/chainguard-dev/yam
* Bump apko to v0.14.0
* Update CODE_OF_CONDUCT.md
* Update CODE_OF_CONDUCT.md
* Switch to octo-sts-action (#968)
* build(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0
* warn on invalid license, log SCA findings
* unexport some methods in pkg/sbom
* Fix aws-c-s3 SCA
* Don't include libexec directories in SCA includes
* tidy
* drop the lima runner
* Take advantage of Octo STS to publish homebrew updates. (#956)
* Pin to digest for setup-go in melange
* build(deps): bump actions/download-artifact from 4.1.0 to 4.1.1
-------------------------------------------------------------------
Tue Jan 23 18:00:07 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.6:
* sort with key/values
* Fail if unknown variable is used in substitution
* revert simple-hello, keep it alpine
* fix simple-hello again
* fix simple-hello
* fix wolfi e2e test
* also test wolfi built packages
* update examples
* migrate examples to wolfi
* add e2e test that packages can be installed with apk
* Audit the permissions of workflows.
* Add test for vendored pkgconfig
* Make "unable to detect git commit" a debug message
* Allow vendored pkgconfig deps
* make docs-repo
* update
* use apko@main
* drop pkg/logger and use slog
* Allow execable shared objects if name has ".so."
* Fix sbom loopvar issue
* Make BuildGuest more similar for Build and Test
* Use errgroup over github.com/korovkin/limiter
* Replace packages in APKINDEX with same version
* Remove some more struct mutating and shadowing
* Drop mutable imgRef from build.Build
* Move more mutations into parameters
* Take an fs as an argument to RetrieveWorkspace
* Add a test
* Convert some sca code to early return style
* build(deps): bump github.com/cloudflare/circl from 1.3.6 to
1.3.7
* move test pipelines to where others are. Remove unnecessary
test packages.
* Add python/import test pipeline, as well as e2e tests for
python test pipelines.
* how many ways can I really screw this one up...
* Try James suggestion.
* Fix the filenames.
* try with explicit false.
* maybe missing a space?
* Add --test-package-append that you can specify extra test
packages for each test.
* move the comment
* meson/configure: don't download subprojects by default
* Add a python/test pipeline.
* Bypass warning about detached head
* add `*_config` pattern to split/dev pipeline
-------------------------------------------------------------------
Sun Jan 07 18:08:16 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.5.5:
* build(deps): bump github.com/google/go-containerregistry
* bump upload/download github actions
* build(deps): bump google.golang.org/api from 0.152.0 to 0.154.0
* build(deps): bump github.com/lima-vm/lima from 0.18.0 to 0.19.1
* build(deps): bump github.com/containerd/containerd from 1.7.7
to 1.7.11
* build(deps): bump github.com/go-git/go-git/v5 from 5.10.0 to
5.11.0
* build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0
* build(deps): bump cloud.google.com/go/storage from 1.35.1 to
1.36.0
* convert: sort packages alphabetically
* build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0
* build(deps): bump actions/setup-go from 4 to 5
* build(deps): bump github.com/kubescape/go-git-url from 0.0.25
to 0.0.26
* Set a default env var for GOMODCACHE.
* Pull in `go-apk` with `provider_priority` `ini` fix.
* Mark update.manual as an optional field.
* update release to add some clarification regarding the homebrew
-------------------------------------------------------------------
Tue Dec 05 06:06:45 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.4:
* build(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0
* build(deps): bump chainguard.dev/apko
* build(deps): bump k8s.io/client-go from 0.28.3 to 0.28.4
* schema: update for new test pipeline configuration
* build(deps): bump github.com/klauspost/compress from 1.17.2 to
1.17.4
* build(deps): bump google.golang.org/api from 0.150.0 to 0.152.0
* fix issue
* cleanup: don't use pkg/errors
* fix bad merge.
* Default to package.name, but allow overrides, add example docs
for specifying which package, and version to test.
* argh, fix typo.
* Add tests, simplify code.
* e2e tests for `test` command.
* checkpoint.
* Add test command / implementation.
* alphabetize commands, add test.
* Refactor so can be used with test and build.
* config struct changes for test.
* Add autogenerated 'test' docs.
* make docs-repo
* remove unnecessary wait for testing
* support resource requests and timeouts
* UTC-ify source date epoch when set
* Fix capitalization of SBOM originators
* Fix the lint warnings in pkg/linter
* Fix lints, or ignore safe ones. No functional changes.
* prefix should be /usr
* Ensure jsonschema is kept up to date.
* Add jsonschema generation binary.
* build(deps): bump go.opentelemetry.io/otel from 1.20.0 to
1.21.0
* build(deps): bump k8s.io/apimachinery from 0.28.3 to 0.28.4
* build(deps): bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7
* fix and continuously validate SBOMs
* make docs-repo
* default --use-github=true
* fix docs
* convert python: don't overwrite existing files
* format manifests with yam
* fix docs for --runner
* improve 'melange convert python' to remove manual steps
-------------------------------------------------------------------
Thu Nov 16 14:23:15 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.3:
* Update release.md
* build(deps): bump golang.org/x/time from 0.3.0 to 0.4.0
* pipelines: go/build: add support for go.mod overlay files
* build(deps): bump cloud.google.com/go/storage from 1.33.0 to
1.35.1
* go mod tidy
* update go-apk dependency
* build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0
* build(deps): bump go.opentelemetry.io/otel from 1.19.0 to
1.20.0
* apply substitutions to .environment.contents.packages
* test runtime replacements
* build(deps): bump github.com/sigstore/cosign/v2 from 2.2.0 to
2.2.1
* build(deps): bump google.golang.org/api from 0.149.0 to 0.150.0
* go mod tidy
* use merged PR
* update dep
* use pushed PRs
* WIP: use forked alpine-go in go-apk
* move spammy logs to debugf
-------------------------------------------------------------------
Thu Nov 09 14:56:03 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.2:
* Update pkg/config/config.go
* GithubReleaseMonitor: add tagprefix and tagcontains to be used
in github tags filtering
* Plumb check configs through to linters
* Delete no-op sbom code
* remove unimplemented references to fulcio support
* fail if 'with' is used with 'runs'
* Error early if uses and runs are both present
* Get rid of PackageContext and SubpackageContext
* Remove impossible errors
* Make loadUse test actually test something
* Remove impossible errors
* build: use util.Dedup instead of slices.Compact
* util: bring back Dedup, slices.Collapse requires sorting
* Bump go-apk
* Filter out noise opening non-ELF files
* Bump go-apk and use faster tarfs implementation
* Add a test to ensure that ranges are handled properly.
* Add linters for #805 and #804.
* Refactor linting logic and clean things up
* Add SBOM linter
* build(deps): bump github.com/docker/docker
* build(deps): bump chainguard.dev/apko
* build(deps): bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6
* Add GID/UID remapping to improve permissions. Fix permission
issues resulting from running with the build user.
* Separate out package and build lints
* Add json tags to melange Configuration.
* Add python/test linter
* util: drop Dedup in favor of golang.org/x/exp/slices.Compact
* sca: fix compile by moving a few things around
* sca: move analyzer invocation into Analyze() function
* sca: implement abstract interface between build engine and sca
engine
* sca: pass FS into dependency generators rather than creating it
on demand
* sca: move out of package.go into sca.go as a first pass
* Rename Python linters to python/*
* readlinkfs: ignore security.selinux xattrs
* Add Python docs linter
* SCA: add python dependency generator
* linter: refactor check block generation in tests
* Improve linter diagnostic output
* Add GID/UID remapping to improve permissions. Fix permission
issues resulting from running with the build user.
* build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0
* Fixups
* Handle .so files a little smarter
* Ignore all packages starting with _
* build(deps): bump google.golang.org/api from 0.147.0 to 0.148.0
* build(deps): bump k8s.io/client-go from 0.28.2 to 0.28.3
* build(deps): bump github.com/klauspost/compress from 1.17.1 to
1.17.2
* build(deps): bump chainguard.dev/apko
* build(deps): bump actions/checkout from 4.1.0 to 4.1.1
* Centralize SOURCE_DATE_EPOCH parsing.
* Run go fmt
* Exclude docs
* Exclude tests
* drop sync-issues-to-project-board.yaml not used anymore
* Exclude more files from Python multiple package linter
* Improve filtering and diagnostics
* Use the correct path for Python.
* Add multiple Python packages post-linter
* pipelines: add npm-install pipeline
* replace the fetch python url to more friendly URI
* Silence the linter
* Make empty linter work by disregarding directories and SBOM in
package linting
* Really shut up docs linter
* Docs changes/consistency fixes
* Document melange lint
* Module updates
* Resolve circular import
* Small fix
* Update go-apk dep
* Remove redundant package
* Update pkg/config/config.go
* Add basic test for APK linting
* Document the release steps.
* melange bump: move the reset / bump epoch logic up and inline
version
* melange bump: only reset the epoch if version changes, else
increment it
* Add APK linting.
* document full-version, add pointer to docs.
* Fix Typo
-------------------------------------------------------------------
Thu Oct 19 05:46:49 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.1:
* build(deps): bump github.com/klauspost/compress from 1.17.0 to
1.17.1
* build(deps): bump google.golang.org/api from 0.146.0 to 0.147.0
* build(deps): bump github.com/lima-vm/lima from 0.17.2 to 0.18.0
* build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0
* Fix a bug where substitutions were not done for runtime.
* linter: fix a typo in package linting function
* build(deps): bump google.golang.org/api from 0.143.0 to 0.146.0
* go mod tidy to shut up linter
* Small cleanup
* Add function to lint APK files.
* build(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0
* build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0
* Extricate config stuff from linter.
* build(deps): bump sigs.k8s.io/release-utils
* fix release url path
* update deprecated fields
* update with 0.5.0 changes
* Track vendored deps for .PKGINFO
-------------------------------------------------------------------
Sat Oct 14 06:40:13 UTC 2023 - kastl@b1-systems.de
- Update to version 0.5.0:
* Enable linters to warn (via callback) instead of just failing.
* build(deps): bump github.com/package-url/packageurl-go
* build(deps): bump go.opentelemetry.io/otel from 1.18.0 to
1.19.0
* Add a PR checklist to melange.
* Fix yaml typo in linter docs
* nit: fix mistake in function docs
* Apply suggestions from code review
* Document disabling lints and when to do so.
* Update linter docs
* strip linter: properly close file
* Make improvements/suggestions
* Add stripped file linter
* update alpine-go to latest git to fix indexing
* pipelines: strip: use -g by default when stripping
* build(deps): bump google.golang.org/api from 0.142.0 to 0.143.0
* do not delete extensions and plugins with ruby/clean
* build(deps): bump k8s.io/api from 0.28.1 to 0.28.2
* build(deps): bump google.golang.org/api from 0.138.0 to 0.142.0
* build(deps): bump k8s.io/client-go from 0.28.1 to 0.28.2
* build(deps): bump github.com/opencontainers/image-spec
* build(deps): bump github.com/docker/docker
* build(deps): bump cloud.google.com/go/storage from 1.32.0 to
1.33.0
* build(deps): bump github.com/klauspost/compress from 1.16.7 to
1.17.0
* build(deps): bump actions/setup-go from 4.0.1 to 4.1.0
* build(deps): bump actions/checkout from 4.0.0 to 4.1.0
* add docs for -compat packages
* Disable empty check on git-checkout
* build: refactor package linter invocation
* Refactor the linter into a submodule.
* Remove no provides check per @kaniini
* Respect subpackage no-provides
* Add post-file walk linting and empty package linting
* exa is dead, use mdbook as a rust CI test instead.
* bump apko to e9722fc
* build: do not run linters on skipped subpackages
* linter: when subpackages are linted use the subpackage name as
the package config name
* Only run worldwrite linter on regular files
* Add worldwrite linter
* Add dev, opt, and srv linters
* fix the arch
* Use Warnf over WARNING
* log and continue when .pc file can't be loaded
* fix the dir name as we already expect dir to be set explicit
* Disable linters on -compat packages
* Update build.yaml
* add goreleaser pipeline
* Unexport linter struct and linterFunc
* Don't export the linter map
* Add tests
* build(deps): bump sigstore/cosign-installer from 3.1.1 to 3.1.2
* Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0
* Bump docker/login-action from 2.2.0 to 3.0.0
* chore: remove CODEOWNERS file
* Add more linters
* Appease golint
* Fix tests
* Remove debugging print statement
* Implement subpackage linting
* Add package (but not subpackage) linting
* build(deps): bump golangci/golangci-lint-action from 3.6.0 to
3.7.0
* Update golangci-lint to 1.54
* git-checkout: Allow tags to matched annotated tag SHAs, don't
allow fuzzy matching of refs.
* build(deps): bump actions/checkout from 3.5.3 to 4.0.0
* Bump k8s test workflows to Go 1.21
* Bump go to 1.21
* pipeline: fix downward propagation to referenced external
pipeline nodes
* config: tests: add workdir propagation test
* remove cmake. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* forgot to remove one -dev
* Remove specifying the php-dev version.
* Add pecl pipelines for phpize & install. Signed-off-by: Ville
Aikas <vaikas@chainguard.dev>
* package: only constrain library search paths for provides
entries
* Fix some python generation issues:
* Refactor application of pipeline variables to config and add
tests
* Pipeline: make env overrides work recursively
* Add environment var overriding to the pipeline.
* Bump goreleaser/goreleaser-action from 4.3.0 to 4.6.0
* Bump actions/upload-artifact from 3.1.2 to 3.1.3
* package: constrain library SCA to library search paths only
* Replace the elements of the subpackage
* construct the package.full-version in higher context than just
pipeline.
* docs: fix link in pkg/build/pipelines/README.md
* docs: add documentation for built-in pipelines
* document / examples for ${{package.full-version}}
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* add ${{package.full-version}} =
${{package.version}}-r${{package.epoch}} Signed-off-by: Ville
Aikas <vaikas@chainguard.dev>
* Changes from code review.
* config: copy all subpackage variables when doing a range
expansion
* feat: add output logs for the apkbuild converter
* Fix issue: #658 Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* feat: add new Perl pipelines for install and clean
* package: just skip symlinks for now
* workflows: add ncurses to the presubmit test matrix
* package: dereference symlinks for aliased pkg-config modules
* Fix syntax in maven pipeline (and add test).
* more debug crap. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* remove debug crap. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* Environment is required, adjust the tests.
* Change GeneratedMelangeConfig to embed pkg/config/config
instead of redefining it.
* Change default python-version from 3.11 to 3.
* remove extra backtick.
* let's try again.
* update docs
* Bunch of lint fixes. No functional changes.
* Add a maven/configure-mirror pipeline to redirect to GCP.
* yikes, only 2 fatal lints... nice...
* update docs.
* Add flags for resolving git tags, release-monitoring
* Update pkg/build/pipelines/python/build-wheel.yaml
* Update pkg/build/pipelines/python/build-wheel.yaml
* add builtin pipelines for python
* update generated docs. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* remove unused vars. They do not have short form, so can use
this variant. Signed-off-by: Ville Aikas
<vaikas@chainguard.dev>
* Add --wolfi-defaults flag, clean up flag handling.
* readlinkfs: ignore some security-module specific xattrs
* feat: support --recurse-submodules in git clone
* Print the path to generated melange config.
* build(deps): bump go.opentelemetry.io/otel from 1.16.0 to
1.17.0
* build(deps): bump cloud.google.com/go/storage from 1.31.0 to
1.32.0
* build(deps): bump google.golang.org/api from 0.136.0 to 0.138.0
* build(deps): bump k8s.io/api from 0.28.0 to 0.28.1
* build(deps): bump github.com/lima-vm/lima from 0.17.0 to 0.17.2
* build(deps): bump k8s.io/client-go from 0.28.0 to 0.28.1
* Bump apko and fix everything I broke
* docs: typo in go-build example
* run make docs
* cli: index: add --signing-key, --source and --merge options
* default for github actions is bubblewwrap.
* update lint rule.
* Fix the links to commands, fix the URLs generated.
* sign: do not rename across device boundaries
* add --force option to recreate apk indexes with given
signatures
* pipelines: use ${{targets.contextdir}} where it makes sense
* pipeline: add ${{targets.package.foo}} expansions
* pipeline: add ${{targets.contextdir}}, representing the current
target dir
* Bump pkg-config again to actually pick up the openblas fix.
* Bump pkgconfig to pick up the openblas fix.
* feedback + verbiage from Erika.
* Set reasonable concurrency levels for pgzip
* appease linter
* support substitutions in provides lists
* Start of exhaustively documenting the build filele.
* plumb through SDE to EmitSignature
* add melange sign command, slightly refactor and make public the
signing methods
* add test for substituting needs.packages
* allow override go version for uses: go/build and go/install
* Support for setting context in .melange.k8s.yaml
* Add docs about custom pipelines, defining and using.
* build(deps): bump actions/setup-go from 4.0.1 to 4.1.0
* Teach melange about the forthcoming version-transform block
* doc and lint revisions (#598)
* build(deps): bump google.golang.org/api from 0.134.0 to 0.136.0
* container: bubblewrap: do not defer closing files
* build(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0
* build(deps): bump github.com/lima-vm/lima from 0.16.0 to 0.17.0
* build(deps): bump github.com/google/go-containerregistry
* build: package: add pkgconf-based SCA to catalog SDKs which use
it
* Docstring typo fixes
* Docstring fixes
* Appease the go fmt Gods
* Test two var transforms at once
* Test var transforms on a basic level
* Add ${{build.arch}} as a possible variable in bump
* Make var transforms work in bump
* remove paralell test for TestKubernetesRunnerConfig
* add fail-fast to false
* update code running goimports
* add goimports
* publish brew formula during release
* update actions to use git hashes
* update golangci-lint to v1.53 series
* Adjust the var substitution stuff a bit
* Move var substitution stuff into config
* config: Change root to a pointer in the config struct, and add
an accessor
* renovate: update to use new config infrastructure
* build: Add root node to the config
* Appease the golangci-lint Gods
* build_test: fix tests in a better way
* Make all tests pass
* build: add parameter where one was missing
* build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to
5.8.1
* pipelines: meson/configure: explicitly invoke meson setup
action
* build(deps): bump github.com/docker/docker
* Refactor the config/logging stuff out of build
* build(deps): bump google.golang.org/api from 0.133.0 to 0.134.0
* build(deps): bump github.com/docker/docker
* Several fixes to k8s runner.
* build(deps): bump github.com/klauspost/pgzip from 1.2.5 to
1.2.6
* build(deps): bump google.golang.org/api from 0.129.0 to 0.133.0
* Remove `wget -q` from `fetch`
* add k8s runner config loading from envvars
* Log errors bundling, enable GGCR Warn/Progress logs
* Tweak the strip pipeline so that it never fails for deleted
files
* convert/python: check if release is found
* Make sure we log errors.
* Fix subpackage SBOM generation
* define constants for runners destination mount paths
* skip the cache mount for kubernetes runner builds
* Add more otel spans to k8s runner
* build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to
5.8.0
* build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4
* Avoid using pargzip for compression
* add a retryable (tgz) fetcher for the k8s runner
* Pod names must be RFC1123 compliant
* Correct the variable name in the patch pipeline
* pipelines: git-checkout: harden variable expansions
* pipelines: patch: refactor series/patches handling
* pipelines: fetch: harden variable expansions
* add retries to a subset of k8s runner exec failures
* delete builder pod post build by default
* properly pass workspace env/volumes to k8s builder pods
* use go-apk.FullFS for retrieving builder workspaces
* Finally fix python convert tests.
* Comment python test.
* add dir option to ruby pipelines as not all gemspecs live in
the root folder
* fix containerID for lima when tarring up
* lima startup issues fixed
* pull in apko with fix for blank SOURCE_DATE_EPOCH
* Change git-checkout depth default to 1
* workflows: wolfi-presubmit: use package/ instead of packages/
for package names
* build: package: forcibly treat libc as a shared library
* docs: explain how build cache works practically
* Bump apko dep to pick up otel spans
* Fix failing test for env var wipeout
* Add failing test for env var wipeout
* add otel spans
* build(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1
* Remove use of deprecated WaitImmediate
* Add ! char to ignore.
* Add missing context propagation
* Rename index.Context to index.Index
* Rename Contexts to Builds
-------------------------------------------------------------------
Sat Oct 14 06:38:30 UTC 2023 - kastl@b1-systems.de
- Update to version 0.4.0:
* build(deps): bump github.com/opencontainers/image-spec
* add release notes for Melange 0.4.0
* build(deps): bump cloud.google.com/go/storage from 1.30.1 to
1.31.0
* build(deps): bump google.golang.org/api from 0.128.0 to 0.129.0
* appease linter for now
* update apko to 0.9.0
* build(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0
* some small UX improvements for k8s runner
* build(deps): bump github.com/package-url/packageurl-go
* update apko and go-apk to use pinned deps correctly
* build: scan subpackage pipelines for dependencies
* add a split/debug pipeline
* ensure bundles are rooted correctly
* build(deps): bump google.golang.org/api from 0.125.0 to 0.127.0
* build(deps): bump actions/checkout from 3.5.2 to 3.5.3
* add a kubernetes pod runner
* build(deps): bump docker/login-action from 2.1.0 to 2.2.0
* build(deps): bump golangci/golangci-lint-action from 3.4.0 to
3.6.0
* build(deps): bump goreleaser/goreleaser-action from 4.2.0 to
4.3.0
* add strip prefix and suffix update config for release monitor
* import apko and go-apk with better debug logging
* Switch from calling Glob to two Stats
* workflows: add wolfi-presubmit
* cli: build: fix destination variable for --apk-cache-dir
* build: PopulateCache: do not populate the cache dir when it is
empty
* fix apk caching directory
* import apko and go-apk with package caching
* Change the default for delete to false.
* pipeline: fetch: optionally delete fetched artifacts after
unpacking
* cond: allow underscores and capitalization in variable
expressions
* run tests with race detector
* warn and fallback to SOURCE_DATE_EPOCH=0 when specified but
empty
* index: use deep copy when loading pre-existing index data
* build(deps): bump github.com/lima-vm/lima from 0.14.2 to 0.16.0
* build(deps): bump actions/setup-go from 4.0.0 to 4.0.1
* index: appease linter by moving the deferred close to after the
error check
* build(deps): bump github.com/containerd/containerd from 1.6.15
to 1.6.18
* build: generate APKINDEX.json when writing packages index
* index: add WriteJSONIndex function
* index: split out the indexing logic itself to UpdateIndex
* index: WriteArchiveIndex: use destination file path as primary
input
* index: use SourceIndexFile for loading index data rather than
IndexFile
* index: factor out loading of pre-existent indices and index
state management
* index: factor out index writing into WriteArchiveIndex
* Bump apko and fix what that breaks
* add wolfictl
* upgrade alpine-lima to 3.18
* Allow uppercase and plus, allow numbers as first char
* Validate configuration at the end of parsing
* Remove secfixes and advisories altogether
* include filename when parsing fails
* Require that build config YAML has only known fields
* Refactor tests for configuration load method
* build(deps): bump google.golang.org/api from 0.119.0 to 0.123.0
* readlinkfs: implement go-apk fs.XattrFS interfaces
* Pull in the latest go-apk for xattrs support
* build(deps): bump github.com/docker/docker
* Pull in index builddate support.
* Install should first build melange binary...
* Make makefile work on Mac and Linux.
* build(deps): bump sigstore/cosign-installer from 3.0.2 to 3.0.5
* add a boolean so built in melange pipelines can be used in
subpackages as they need to write to a different target folder
* ensure range data replaces `with` options during a pipeline
* Update README.md
* Update distroless references
* default for mac is docker, not bwrap
* add extra logging when runner fails to TestUsability
* Add go vendor support to the go build pipeline.
* add multiple runner options
* use latest version of melange in lima configuration file
* Set `builddate` in our `.PKGINFO` control data.
* add field docs
* build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0
* pipelines: patch: add support for quilt patch-series files
* Add an optional "deps" paramter to the go/build pipeline.
* chore: signing issues
* chore: corrections in mac instructions
* chore: corrections in mac instructions
* build: package: skip SONAME analysis when ELF interpreter
setting is present
* Add trimpath to the go pipeline.
* update docs
* build: add support for configurable logging policies
* Add name method to build config
* build(deps): bump gitlab.alpinelinux.org/alpine/go
* move signing funcs to rely on external go-apk library
* use go-apk library instead of apko
* update alpine-go to include replaces hotfix
* simplify DataItems to use the builtin marshallable map type
* add `ignore-regex-patterns` update config to indicate you want
to ignore string patterns that match an upstream version
* add a strip-suffix: key to melange update struct to indicate
stripping a suffix from an upstream GitHub version
* bump to latest apko which handles file overwrites
* cli: build: warn when no work to do instead of throwing an
error
* build(deps): bump github.com/docker/docker
* upgrade apko to 20230421 snapshot
* build(deps): bump google.golang.org/api from 0.116.0 to 0.119.0
* build: update tests to use apko log.Logger
* build: use apko_log.Logger everywhere
* build: logger: conform to apko_log.Logger shape
* adapt to new apko logging framework
* update apko dependency to 20230420 snapshot
* update apko dependency to 20230419 snapshot
* config parsing: fix handling of filesystems
* bump test: fix panic by requiring no error
* Stop repeating errors on build command
* build(deps): bump actions/checkout from 3.5.0 to 3.5.2
* fix 403 error when melange bumping some packages,
https://www.netfilter.org for example needs it
* update apko to 20230413 snapshot
* Print full uri to debug file download errors
* Do not depend on concrete logger
* pipelines: autoconf/make-install: delete all GNU libtool
metadata files
* remove flawed test
* build: package: append subpackages to build log
* Use formatted YAML encoder from yam
* build: readlinkfs: chase apko ReadlinkFS API break
* upgrade apko snapshot to 20230411
* build(deps): bump google.golang.org/api from 0.114.0 to 0.116.0
* build(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.2
* go mod tidy again
* index: convert to using logrus
* build: package: use logrus.Entry for logging
* update apko for formatting fixes
* build: remove actualArchs variable, no longer used
* fix tests
* container: use warning level for stderr output
* pipeline: downgrade dumpWith() to use debug level
* switch to using logrus
* update to apko git
* feat: send useragent in HTTP requests
* export mutate functions as these are very useful to be called
outside of the build package
* warn if target-architecture:['all'], remove from examples
* feat: respect target-architecture to filter archs
* index: rework architecture filtering
* update docs
* build(deps): bump actions/add-to-project from 0.4.1 to 0.5.0
* cli: index: add --arch flag
* index: print warning and skip packages which do not match the
expected architecture
* index: add ExpectedArch to index.Context
* add a `update.manual:` key to indicate a package should be
manually updated
* fix: log package new names+versions when regenerating index
* make original test commit sha different from the new expected
sha to ensure test works
* melange bump: optional flag to modify git-checkout pipeline
expected-commit value
* Bump apko to pick up busybox detection fix.
* Fix goreleaser cosign flags
* package: allow any library which has a SONAME to be a provider
* build: fix SBOM language gathering for subpackage pipelines
* package: ensure the package output directories always exist for
scanning
* build: introduce Context.IsBuildLess and skip a lot of
setup/teardown for buildless packages
* build: allow a package to be defined without a pipeline
* Add darwin goreleaser target (macOS)
* fix build
* release image after the binary
* update makefile
* cleanup goreleaser and ko config
* clean up, update version comments for ci jobs
* upgrade to use go1.20
* upgrade alpine pkgs lima
-------------------------------------------------------------------
Mon Apr 03 12:43:01 UTC 2023 - kastl@b1-systems.de
- Update to version 0.3.2:
* Fix goreleaser cosign flags, add NEWS for melange 0.3.2
* add NEWS for melange 0.3.1
* package: allow any library which has a SONAME to be a provider
* Add darwin goreleaser target (macOS)
* update NEWS for melange 0.3.0.
* update to apko 0.7.3 release
* pipelines: fetch: use wget quiet mode
* build: check for signing key existence before using it
* build: package: do not add interpreter dependency when
no-depends option is enabled
* docs: fix baseurl for melange reference in generated docs
* directly parse configuration for query
* add query and package-version commands
* build: use realpath to determine cache dir bindmount source
* refresh docs for --cache-source
* cli: add --cache-source option
* build: use CacheSource to define the bucket to pull cached
sources from
* build: change default cache directory to ./melange-cache
* build: add CacheSource option to context
* Hookup user and accounts in the environment.
* build(deps): bump cloud.google.com/go/storage from 1.30.0 to
1.30.1
* build(deps): bump google.golang.org/api from 0.113.0 to 0.114.0
* build(deps): bump actions/checkout from 3.3.0 to 3.5.0
* refresh docs
* cli: build: add --debug flag
* build: pipeline: if Context.Debug is enabled, add set -x to all
pipelines
* build: add Debug option to Context
* build: use cond.Subst instead of replacers
* cond: subst: variable names can have dashes
* cond: subst: add goparsify-based variable substitution
implementation
* cond: parser: test: add variable lookup with whitespace test
* parser: use newer fork of goparsify
* add codeowners
* add Update struct for identifying how a melange package can be
updated
* add `var-transforms` for manipulation of variables using
regular expressions
* pipelines: git-checkout: use tempdir for doing the initial
clone
* pipelines: git-checkout: mark clone directory as a safe
directory for git
* update ruby pipelines with usability features
* add an optional flag to generate a packages.log containing list
of packages + subpackages that were actuall built by `melange
build`
* Try to fix a strange index generation bug.
* build(deps): bump actions/setup-go from 3.5.0 to 4.0.0
* container: fixes to handle /sbin/ldconfig not being present,
e.g. on musl
* container: run ldconfig when bringing up a build environment
* update to latest apko git
* build(deps): bump google.golang.org/api from 0.111.0 to 0.113.0
* build(deps): bump cloud.google.com/go/storage from 1.29.0 to
1.30.0
* update apko to latest git
* pipeline: only run mkdir -p if absolutely needed
* build(deps): bump github.com/go-git/go-git/v5 from 5.6.0 to
5.6.1
* update docs
* run go mod tidy
* pkg: convert: fix tests to use upstream ImageContents type
* build: package: use internal readlinkFS, old apko fs package
was deprecated
* build: add minimal internal readlinkfs implementation
* convert: use upstream ImageContents type, added in apko 0.7.0
* build: use normal os.DirFS for filesystem walking
* upgrade to apko 0.7.2 git
* build: remove --use-proot option
* lint
* move convert related packages under convert as subpackages
* container: bubblewrap runner: use --new-session to mitigate
CVE-2017-5226
* autoconf: always define the GNU host and build triplets in
configure step
* update docs
* add more context for the experimental commands
* add shell completion and move common flags to top level
* move wolfios to its own package
* add same convert options to higher leve
* fix lint and tests
* fix tests
* add convert subcommand
* docs: ensure docs are up to date in CI
* add melange docs
* change --out-dir to not depend on cwd
* accept dependabot's GPG key for commit signing CI check
* package: only use base soname when generating runtime
dependencies across symlinks
* build(deps): bump github.com/stretchr/testify from 1.8.1 to
1.8.2
* add omitempty to some fields
* build(deps): bump google.golang.org/api from 0.110.0 to 0.111.0
* build(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to
5.6.0
* build(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1
* remove self-provided dependencies from the runtime dependency
set
* build(deps): bump github.com/openvex/go-vex
* build: package: dereference symlinks across packages and read
the real DT_SONAME instead of guessing
* build: configuration: add support for variable substitution in
more places
* apply refactoring suggestions from go linter
* build: also apply if-conditionals when generating the package
index
* build: also apply subpkg if-conditionals when emitting packages
and SBOMs
* examples: add example outlining the new option-related features
* build: implement if-conditionals for subpackages
* build: pipeline: add option enabled variables
* build: build option: patch the variables and environment
configuration
* build: use BuildOption.Apply to apply configuration patches
from build options
* build: build_option: add Apply stub
* cli: build: add --build-option to configure the enabled build
options
* build: add WithEnabledBuildOptions context option
* build: add BuildOptions map to Configuration
* build: add BuildOption types
* package: ensure we are operating only on a basename when
generating symlink deps
* package: detect shared library dependencies for .so symlinks
* build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0
* build(deps): bump google.golang.org/api from 0.109.0 to 0.110.0
* Add ruby pipelines for gem install, build and clean
* build: package: add support for defining "replaces"
relationships
* package: findInterpreter: chop trailing nul from interpBuf
* package: deal with musl interpreter being a symlink back to
itself
* package: ensure PT_INTERP is always added as an explicit
dependency
* build(deps): bump github.com/docker/docker
* build(deps): bump github.com/joho/godotenv from 1.4.0 to 1.5.1
* build(deps): bump google.golang.org/api from 0.108.0 to 0.109.0
* build(deps): bump github.com/docker/docker
* git-checkout: fix tags
* use merge option to speed up apkindex generation when build
* just warn if no branch or tag specified
* build(deps): bump goreleaser/goreleaser-action from 4.1.0 to
4.2.0
* build(deps): bump github.com/google/go-containerregistry
* Revert "Generate build environment SBOM"
* add expected-commit to git-checkout
* Update README to mention wolfi.
* cli: add --vars-file option to support loading build variables
from an external source
* build: add WithVarsFile and WithVarsFileForParsing options
* examples: add variable substitution example
* pipeline: handle ${{vars}} block as expected
* build: add variables block to build configuration struct
* build(deps): bump cloud.google.com/go/storage from 1.28.1 to
1.29.0
* examples: add working-directory example
* pipeline: ensure the working-directory is created before using
it
* pipeline: propagate WorkDir to subpipelines
* pipeline: set working directory when evaluating pipeline "runs"
entries
* build: add Pipeline.WorkDir definition
* build(deps): bump google.golang.org/api from 0.107.0 to 0.108.0
* build(deps): bump github.com/docker/docker
* build(deps): bump golangci/golangci-lint-action from 3.3.1 to
3.4.0
* go mod tidy to drop chainguard/vex
* Switch VEX dependency to openvex
* allow provider priority to be configured
* build(deps): bump google.golang.org/api from 0.106.0 to 0.107.0
* Wire logger from SBOM generator to impl
* Escape invalid identifier chars
* Fix build sbom name in subpackages
* Fix bug where package verification was wrong
* build sbom: Add relationships to produced SBOMs
* Update protobom to support dl location
* Build SBOM: Generate package with apks
* Trigger build SBOM generation, reuse write
* Passs guest directory to sbom spec
* Refactor SBOM spec for reuse
* Add ReadPackageIndex to gen implementation
* Add GenerateBuildEnvSBOM fn to SBOM generator
* Update Lima link
* update apko dependency to latest
* bump apko dependency
* pipelines: autoconf/configure: fix sysconfdir
* upgrade apko dependency to latest git
* build(deps): bump github.com/go-git/go-git/v5 from 5.5.1 to
5.5.2
* build(deps): bump google.golang.org/api from 0.105.0 to 0.106.0
* build(deps): bump actions/checkout from 3.2.0 to 3.3.0
* bump apko to latest git again for keyring fix
* fix typo
* index gen: Add loop throttle, mutex
* close lingering file descriptor
* sbom: handle spdxPkg.VerificationCode being a pointer in apko
git
* chase PublishImageFromLayer API change in apko
* update apko dependency to latest git for armv6/armv7 triplet
fixes
* go/install: also require git (#239)
* use lima to use melange on mac
* Advisories: Require pkg version for fixed status (#237)
* Parallel processing of packages.
* Make packageurl-go import direct
* add --namespace option to build subcommand
* SBOM: Generate purls for built packages
* Add namespace and arch fields to SBOM spec
* Drop distro qualifier from purls
* Add Go pipelines documentation
* Revamp go examples to use both pipleines
* New go/install pipeline
* go/build: Support changing module root
* Bump vex (#231)
* Remove extra field
* Add advisories and purls
* Export functionality for config parsing (#229)
* Apko devenv README
* Melange development environment
-------------------------------------------------------------------
Sun Mar 19 14:09:23 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- new package melange: Build APKs from source code