Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: melange | Distribution: openSUSE Tumbleweed |
Version: 0.15.0 | Vendor: openSUSE |
Release: 1.1 | Build date: Sat Nov 2 09:22:10 2024 |
Group: Unspecified | Build host: reproducible |
Size: 50839141 | Source RPM: melange-0.15.0-1.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://github.com/chainguard-dev/melange | |
Summary: Build APKs from source code |
Build apk packages using declarative pipelines. Commonly used to provide custom packages for container images built with apko. The majority of apks are built for use with either the Wolfi or Alpine Linux ecosystems. Key features: * Pipeline-oriented builds. Every step of the build pipeline is defined and controlled by you, unlike traditional package managers which have distinct phases. * Multi-architecture by default. QEMU is used to emulate various architectures, avoiding the need for cross-compilation steps.
Apache-2.0
* Sat Nov 02 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.0: * feat(qemu): fix qemu command on cross-compilation cases * update docs * feat(qemu): add flag to specify cpu model to use, useful for cases where /dev/kvm is not available * fix(qemu): remove ssh ignoreHostKey, set an host-key retrieval step, then use host key verification for all successive commands * fix linting * fix(qemu): improve error when not finding a suitable kernel image * fix(qemu): use net.Listen to find open port, simplify random port logic * fix(qemu): use package go-shellquote and simplify cmd handling * fix(qemu): use package go-shellquote and simplify cmd handling * fix(qemu): specify KVM accelleration on linux, use only if /dev/kvm is present * fix(qemu): fix typos * Tue Oct 29 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.11: * build(deps): bump github.com/chainguard-dev/yam in the gomod group * build(deps): bump the actions group with 2 updates * Sat Oct 26 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.10: * build(deps): bump the gomod group across 1 directory with 2 updates * Fri Oct 25 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.9: * chore: unexport build pkg methods * bump apko to get http key support * go mod tidy * bump apko to pick up chainguard key fix * Thu Oct 24 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.8: * fix(bubblewrap_runner): run as build 1000 by default (#1572) * use --target-dir to target with cargo build * pass --release as default opts * allow passing more than one opts to cargo build * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.7: * fix breakage * go mod tidy * bump apko dep to fix modtime issue * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.6: * fix(build): require build config repo URL * add build base to cargo-build pipeline * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.5 (0.14.4 was not properly released): * fix(sbom): unique package IDs for upstream source * test: (tdd) add failing test for dup spdx IDs * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.3: * fix(build): use fallback values at entrypoint for git info * fix(build): use the config file dir path for git detection * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.2: * ci: add workflow to tag releases daily * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.1: * Do not specify versions during 'melange test' (Revert #1579 and [#1518]) * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.0: * fix(build): make git autodetection best effort * test: use x86_64 for build int tests * move sbom test inside build test * test(build): favor bwrap, fallback to docker * chore: dedup test targets in makefile * docs: run make docs-repo * try qemu runner * test: remove e2e tests for SBOM external refs * unique SPDX IDs for multiple git repo checkouts * chore: add make target for integration tests * test: add integration test for build and SBOMs * chore: bump Go version * feat(sbom): overhaul SBOM generation logic * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.7: * Pin the package version with ~ rather than =. * build(deps): bump google.golang.org/api from 0.200.0 to 0.201.0 * build(deps): bump cloud.google.com/go/storage from 1.44.0 to 1.45.0 * bublewrap_runner: add /sys mount * fix lint finding * pipe it through cli * cleanup glow up * fix(qemu): fix missing pty allocation for debug shell in qemu runners * Do not add a cmd:awk dependency as nothing will ever provide cmd:awk * fix formatting lint * fix(test): update tests to reflect new struct * fix(qemu): fix failing test pipeline when using qemu runner * fix test * Pin the package version used during tests * Wed Oct 16 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.6: * run `make generate` * rename exported GetTagFilterPrefix and GetTagFilterContains functions to be normalized GetFilterPrefix and GetFilterPrefix * update config: add version filter prefix and contains to release monitor config block so implementations can perform the same behaviour as git and github configs * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump google.golang.org/api from 0.199.0 to 0.200.0 * build(deps): bump the actions group with 2 updates * build(deps): bump go.opentelemetry.io/otel/sdk from 1.30.0 to 1.31.0 * build(deps): bump the gomod group with 4 updates * pipelines: fix split/debug * Sun Oct 13 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.5: * Enable pc file dependencies * generateRuntimePkgConfigDeps: only do so for public .pc, not vendored * Improve some config parsing errors * Fri Oct 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.4: * Revert "sca: Properly detect .so files as deps" * Revert "sca: check if runtime dependencies are vendored" * Fri Oct 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.3: * cmake: switch from MinSizeRel to Release * Fri Oct 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.2: * fix: pc provides * build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0 * Fri Oct 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.1: * tidy * build(deps): bump cloud.google.com/go/storage from 1.43.0 to 1.44.0 * build(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0 * build(deps): bump github.com/chainguard-dev/yam in the gomod group * build(deps): bump the actions group with 2 updates * sca: check if runtime dependencies are vendored * Sun Oct 06 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.0: * Fix typo in README * test: Fix typo * Added additional documentation for package version selection * sca: Properly detect .so files as deps * Adjust an e2e-test that made a bad assumption. * update the docs * add --cleanup flag (default true) * build(deps): bump github.com/chainguard-dev/yam from 0.1.1 to 0.2.0 * build(deps): bump google.golang.org/api from 0.198.0 to 0.199.0 * build(deps): bump actions/checkout in the actions group * Support string replacement in ImageContents * build(deps): bump the gomod group with 5 updates * git-checkout: support scheduled updates * sca: never emit libcuda.so.1 runtime dep * Add table of contents * Add pipeline markdown reference markdown generator. * feat(melange): Add sub for output directory * Sat Sep 21 2024 opensuse_buildservice@ojkastl.de - Update to version 0.12.1: * build(deps): bump github.com/docker/cli * build(deps): bump github.com/docker/docker * build(deps): bump the gomod group with 2 updates * build(deps): bump chainguard.dev/apko from 0.18.1 to 0.19.1 * sca: remove set but never used variable * update_config: expose function to get valid schedule messages * Add uses and name to slog values * Include subpackage name in slog values * Only read the first line for shbang. * pombump: add flag to display the dependency tree * build(deps): bump dagger.io/dagger from 0.12.7 to 0.13.0 * build(deps): bump step-security/harden-runner in the actions group * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump the gomod group with 2 updates * keygen: reject bit size < 4096 * cleanup: remove some direct imports of charm log * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.12.0: * Upgrade to new hash-agnostic APIs for sign and verify * Upgrade to apko v0.18.0 * index: stop writing APKINDEX.json * update to go1.23.1 * build(deps): bump google.golang.org/api from 0.195.0 to 0.196.0 * build(deps): bump golang.org/x/crypto from 0.26.0 to 0.27.0 * build(deps): bump the gomod group with 2 updates * pipelines/ruby: remove signing_key by default * config: Whack more moles for string replacement * install go * lint * upgrade to golang 1.23 * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.6: * adds git checkout fetch,update,test and yams the melange apkbuild yamls * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.5: * fix(split pipelines): Don't split lib64 libraries * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.4: * fix(split pipelines): Check package was defined, not package directory * fix(split/dev): Support for /usr/local * fix(split pipelines): Add support for lib64 * fix(split pipelines): Use package name instead of package dir, use exact paths * Update dev.yaml * feat(pipelines/split): Support overriding source package directory * build(deps): bump dagger.io/dagger in the gomod group * build(deps): bump actions/upload-artifact in the actions group * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.3: (0.11.2 is the same commit hash as 0.11.1): * fix(sca): Correctly check for existing Ruby runtime dependency by @EyeCantCU in #1387 * build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 in the actions group by @dependabot in #1378 * build(deps): bump google.golang.org/api from 0.187.0 to 0.188.0 by @dependabot in #1382 * build(deps): bump github.com/google/go-containerregistry from 0.19.2 to 0.20.1 by @dependabot in #1392 * build(deps): bump step-security/harden-runner from 2.8.1 to 2.9.0 in the actions group by @dependabot in #1391 * build(deps): bump the gomod group across 1 directory with 2 updates by @dependabot in #1390 * build(deps): bump dagger.io/dagger from 0.11.9 to 0.12.1 by @dependabot in #1389 * build(deps): bump github.com/docker/cli from 27.0.3+incompatible to 27.1.0+incompatible by @dependabot in [#1397] * Expose ignoreSignatures functionality by @Kevin-Molina in #1375 * build(deps): bump github.com/docker/docker from 27.0.3+incompatible to 27.1.0+incompatible by @dependabot in [#1396] * build(deps): bump docker/login-action from 3.2.0 to 3.3.0 in the actions group by @dependabot in #1398 * build(deps): bump google.golang.org/api from 0.188.0 to 0.189.0 by @dependabot in #1401 * fix: ignore resource requests for the docker runner by @imjasonh in #1403 * build(deps): bump dagger.io/dagger from 0.12.1 to 0.12.2 in the gomod group by @dependabot in #1400 * Bump apko dependency by @mattmoor in #1404 * fix ruby sca by @xnox in #1410 * Add HOME=/root to default test environment. by @smoser in #1408 * build(deps): bump the gomod group with 4 updates by @dependabot in #1405 * update config: provide configuration to describe polling and schedules by @rawlingsj in #1412 * build(deps): bump the gomod group with 2 updates by @dependabot in #1416 * build(deps): bump google.golang.org/api from 0.189.0 to 0.190.0 by @dependabot in #1419 * build(deps): bump the actions group with 2 updates by @dependabot in #1415 * build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 by @dependabot in #1418 * build(deps): bump golang.org/x/time from 0.5.0 to 0.6.0 by @dependabot in #1417 * build(deps): bump golang.org/x/sys from 0.22.0 to 0.23.0 by @dependabot in #1420 * update config: replace recently added polling with git struct by @rawlingsj in #1421 * build(deps): bump github.com/google/go-containerregistry from 0.20.1 to 0.20.2 in the gomod group by @dependabot in #1423 * build(deps): bump golang.org/x/text from 0.16.0 to 0.17.0 by @dependabot in #1424 * build(deps): bump google.golang.org/api from 0.190.0 to 0.191.0 by @dependabot in #1426 * build(deps): bump golang.org/x/sys from 0.23.0 to 0.24.0 by @dependabot in #1428 * move 'adding package %q for pipeline %q' to debug logging by @imjasonh in #1429 * don't depend on apko's custom log package by @imjasonh in #1430 * build(deps): bump github.com/chainguard-dev/yam from 0.0.13 to 0.1.0 by @dependabot in #1431 * Feat/qemu runners by @89luca89 in #1386 * Attempt to fix qemu ci by @jonjohnsonjr in #1434 * build(deps): bump the actions group with 3 updates by @dependabot in #1432 * Centralize sca options handling by @jonjohnsonjr in #1433 * Add test to catch duplicate package names by @jonjohnsonjr in [#1439] * build(deps): bump the gomod group with 4 updates by @dependabot in #1437 * build(deps): bump google.golang.org/api from 0.191.0 to 0.192.0 by @dependabot in #1438 * move 'found pipeline' log message to debug by @imjasonh in [#1440] * melange convert python: use normalized names by @pnasrat in [#1441] * Bump apko to get chainctl auth error log by @jonjohnsonjr in [#1442] * Replace "needs" in range pipelines by @jonjohnsonjr in #1445 * docs: Add information on the repository used with the git update configuration option by @philroche in #1447 * Refactor parts of the ParseConfiguration by @jonjohnsonjr in [#1446] * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace from 1.28.0 to 1.29.0 by @dependabot in #1455 * build(deps): bump google.golang.org/api from 0.192.0 to 0.194.0 by @dependabot in #1452 * config: Replace pipelines at top level by @jonjohnsonjr in [#1456] * refactor(sbom): cleanup, simplify, and document code by @luhring in #1458 * More SBOM logic improvements by @luhring in #1459 * build(deps): bump github.com/docker/cli from 27.1.2+incompatible to 27.2.0+incompatible by @dependabot in [#1461] * build(deps): bump google.golang.org/api from 0.194.0 to 0.195.0 by @dependabot in #1463 * build(deps): bump github.com/docker/docker from 27.1.2+incompatible to 27.2.0+incompatible by @dependabot in [#1462] * build(deps): bump dagger.io/dagger from 0.12.5 to 0.12.6 in the gomod group by @dependabot in #1465 * chore(cargo/build): Allow changing install dir, add busybox by @EyeCantCU in #1466 * sca: add support for more go fips toolchains by @xnox in #1471 * sca: make pc: provides/vendored use full package version by @xnox in #1467 * Fri Jul 19 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.1: * feat(sca): Generate dependency on Ruby when building gems * Tue Jul 16 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.0: * Apply variables to workdir within a range * Add update.exclude-reason field. * fix(pipelines): Use contextdir instead of destdir in a few places * remove defunct reference to k8s runner * drop extra generate * update Makefile * drop make generate from verify.yaml * drop allowedPrefixes * don't SCA-generate so: provides for libs not directly in lib dirs * drop lima runner * fix bug, test passes * short circuit analyze on no-provides (demonstrate bug?) * fail on diff * go generate in e2e testS * better SCA e2e tests * try this * try this * another fix * default key name * unexport more * drop example * refactor Keygen opts to a struct * fix(cargo/build): test for non-zero length * Wed Jul 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.4: * expose keygen options * build(deps): bump google.golang.org/grpc in the go_modules group * Fix env overrides for interactive builds * python/pipelines - resolve symlink to full path. * python/import pipeline - find python3.7, python3.8, python3.9 * python/import - fix a bug in 'imports', do not require specifying python * var-transforms: support var transform substitions across runtimes and provides and tests * build(deps): bump the gomod group with 2 updates * build(deps): bump the actions group with 2 updates * build(deps): bump cloud.google.com/go/storage from 1.42.0 to 1.43.0 * build(deps): bump chainguard.dev/apko * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump golang.org/x/sys from 0.21.0 to 0.22.0 * build(deps): bump google.golang.org/api from 0.186.0 to 0.187.0 * Wed Jul 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.3: * group dependabot updates * bump golangci-lint to v1.59.x * bump to go1.22.5 * Wed Jul 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.2: * goreleaser: make skip value configurable * goreleaser pipeline: --skip flag refactor * build(deps): bump github.com/chainguard-dev/yam from 0.0.9 to 0.0.10 * build(deps): bump google.golang.org/api from 0.185.0 to 0.186.0 * Wed Jul 03 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.1: * update unit test * support var-transforms in subpackage names * go mod tidy * no typo * use apko Authenticator * Revert "Use current user's ID when building via Docker" * build(deps): bump github.com/docker/docker * build(deps): bump dagger.io/dagger from 0.11.6 to 0.11.9 * build(deps): bump github.com/docker/cli * Update import.yaml * add tests, fix up script * add tests, fix up script * wolfictl bump : handled mangled vars in updateGitCheckout tags * Fix ${{host.triplet.rust}} default value * Add opts to make-install pipeline * Fail on invalid pipeline inputs * python/import pipeline allow setting python binary * Wed Jul 03 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.0: * debug: Populate history file via mounts * Add git-cherry-pick pipeline (#1278) * convert some Infofs to Warnfs * log it real good * log the world-writeable file * update docs * enforce some more lint checks * fix stupid bug in linter logging * Restore signalcontext * feat - add flag to go/build to run go mod tidy (#1303) * prevent nil pointer * update schema.json * stable sorted defaults * fix lint findings * prevent nil pointer * fix test * fix tests * review feedback * some small improvements * rewrite linting * build(deps): bump github.com/chainguard-dev/yam from 0.0.8 to 0.0.9 * build(deps): bump ko-build/setup-ko from 0.6 to 0.7 * fix tempdir linter * git-checkout - do not allow both branch and tag to be specified. * build(deps): bump google.golang.org/api from 0.184.0 to 0.185.0 * build(deps): bump github.com/github/go-spdx/v2 from 2.2.0 to 2.3.1 * build(deps): bump github.com/chainguard-dev/clog from 1.3.1 to 1.4.0 * lint: support linting existence of info dirs * Make melange-test-pipelines call make test-e2e * Make running the git-checkout via melange not emit WARN messages. * Clean up git-checkout-build-test.yaml, fix depth test. * create-git-repo more standalone config, do not write to stderr * Rename test-git-checkout and put create-git-repo in test-fixtures. * Add test-e2e target to Makefile * Run make docs-repo * compile: Fix miscompilation of subpkg tests * Pipelines should inherit workdir from parents * git-checkout: fix recurse='true' does nothing * Use current user's ID when building via Docker * Add test for PreserveBaseURI * Add flag to preserve original PyPi URIs * Wed Jun 19 2024 opensuse_buildservice@ojkastl.de - Update to version 0.9.0: * Quote issues when evaluating the depth condition by @dakaneye in #1268 * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.11 to 2.5.14 in the go_modules group by @dependabot in #1271 * test: Drop seemingly useless mkdir -p by @jonjohnsonjr in #1276 * Remove dead tarfilter code by @jonjohnsonjr in #1279 * Add build flag to override host libc flavor by @jonjohnsonjr in [#1270] * Separate compilation from execution by @jonjohnsonjr in #1267 * Remove build.PipelineBuild as a concept by @jonjohnsonjr in [#1280] * Remove ability to set logging policy by @krishjainx in #1274 * unbreak build at head from log policy removal by @k4leung4 in [#1288] * build(deps): bump chainguard.dev/apko from 0.14.8 to 0.14.9 by @dependabot in #1282 * build(deps): bump github.com/klauspost/compress from 1.17.8 to 1.17.9 by @dependabot in #1286 * build(deps): bump k8s.io/apimachinery from 0.30.1 to 0.30.2 by @dependabot in #1287 * build(deps): bump google.golang.org/api from 0.183.0 to 0.184.0 by @dependabot in #1285 * build(deps): bump cloud.google.com/go/storage from 1.41.0 to 1.42.0 by @dependabot in #1284 * Populate history for --interactive builds by @jonjohnsonjr in [#1289] * chore(autoconf/configure): Generate configuration with autoreconf when configuration doesn't exist by @EyeCantCU in [#1290] * Check for nil everywhere in Compile by @jonjohnsonjr in #1292 * stop using deprecated flags for goreleaser by @k4leung4 in [#1269] * git-checkout - try harder if getting hash from tag fails. by @smoser in #1277 * build(deps): bump actions/checkout from 4.1.6 to 4.1.7 by @dependabot in #1293 * build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #1294 * build(deps): bump github.com/chainguard-dev/yam from 0.0.7 to 0.0.8 by @dependabot in #1295 * build(deps): bump github.com/google/go-containerregistry from 0.19.1 to 0.19.2 by @dependabot in #1296 * Fix missing commit in ranged subpackages by @jonjohnsonjr in [#1304] * melange numpy test include python-3.12 by @pnasrat in #1308 * add go/bump as a default pipeline by @willswire in #1058 * Bump apko to v0.15.0 by @jonjohnsonjr in #1309 * Tue Jun 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.6: * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 * Add ${{build.goarch}} substitution * fix: error out when pipeline contains with but no uses * Remove depth option from git clone if inputs.depth is set to -1 * Fri Jun 07 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.5: * Add a new property that defaults to pom.xml and allows an override so we can call multiple uses: maven/pombump and pass in the somewhere-else/pom.xml * go/build: remove subpackage input * Fri Jun 07 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.4: * build(deps): bump chainguard.dev/apko * Drop go-apk to pull in faster pkginfo access * build(deps): bump google.golang.org/api from 0.182.0 to 0.183.0 * build(deps): bump golang.org/x/sys from 0.20.0 to 0.21.0 * build(deps): bump golang.org/x/text from 0.15.0 to 0.16.0 * update schema * support HTTP auth * order * fix * doc * ordering * bump go and lint * build(deps): bump chainguard.dev/apko from 0.14.3 to 0.14.7 * build(deps): bump dagger.io/dagger from 0.11.4 to 0.11.6 * build(deps): bump google.golang.org/api from 0.181.0 to 0.182.0 * build(deps): bump docker/login-action from 3.1.0 to 3.2.0 * Drop version from .PKGINFO * Speed up presubmit * Add --env-file to melange test * Thu May 30 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.3: * Disallow duplicate subpackage names * Thu May 30 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.2: * build(deps): bump chainguard.dev/apko * build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.10.0 to 0.10.1 * tests: add range priority replacement tests * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump actions/checkout from 4.1.4 to 4.1.6 * build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 * schmea: validate priority integer strings, and update schema comment * Add ReplacesPriroity like ProviderPriority, and allow substitutions * Wed May 22 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.1: * Avoid panic if no external config file ref * Verify wolfictl scan works * githuib: Fixup melange configfile test case * sbom: add support for generic git-checkout urls * github: add SBOM external ref checks * sbom: add external ref ConfigFile itself * lint * externalRefs: implement github git-checkout * Generate fully qualified and normalized PURLs straight away * Style review comments * sbom: include external refs for fetched tarballs in SPDX * Wed May 22 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.0: * Fix typo in README * build(deps): bump actions/checkout from 4.1.4 to 4.1.6 * generate * gofmt * upgrade to new apko * Fix camel-case after review * kill k8s e2e test * delete k8s runner impl * copyright: allow custom license texts * go.mod: upgrade everything * build(deps): bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 * build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 * Tue May 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.7.0: * Find shbangs to generate depends by @smoser in #1110 * presubmit: remove gdk-pixbuf by @imjasonh in #1143 * Revert "presubmit: remove gdk-pixbuf" by @imjasonh in #1147 * verify SPDX SBOMs using spdx-tools-java by @imjasonh in #1146 * Fix sca detection case for env with multiple arguments. by @dlorenc in #1148 * Update shbang collection to ignore 'python' and support simple 'env -S'. by @smoser in #1159 * ensure shbang check only checks valid shbangs by @joshrwolf in [#1160] * config: allow scriplets in subpackages with range replacements by @xnox in #1165 * Drop -release from pc versions by @jonjohnsonjr in #1173 * fix(cargo): Install all built binaries if output isn't defined by @EyeCantCU in #1174 * sbom: set supplier in addition to originator by @imjasonh in [#1184] * Add melange scan by @jonjohnsonjr in #1175 * Bump go-apk by @jonjohnsonjr in #1185 * add global --gcplog flag to emit GCP-compatible JSON logs by @imjasonh in #1186 * pipelines/go: add back symbols tables by @xnox in #1142 * Only consider that are in a PATH dir from generateCmdProviders by @smoser in #1164 * Allow symlinks to provide cmd: by @smoser in #1188 * Extract melange sign to a library by @tcnghia in #1198 * Revert "Allow symlinks to provide cmd:" by @joshrwolf in #1200 * Bump apko by @jonjohnsonjr in #1201 * Make unit tests faster by @jonjohnsonjr in #1202 * Add buildmode to go/build by @jonjohnsonjr in #1210 * lots of updates for build dependencies * Tue Apr 09 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.11: * build(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0 * build(deps): bump go.opentelemetry.io/otel/sdk from 1.24.0 to 1.25.0 * build(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1 * build(deps): bump github.com/chainguard-dev/yam from 0.0.2 to 0.0.3 * bump docker * build(deps): bump dagger.io/dagger from 0.10.2 to 0.11.0 * build(deps): bump cloud.google.com/go/storage from 1.39.1 to 1.40.0 * Ensure configuration file is closed * sca: add go-fips-bin runtime deps * sca: add go-fips-bin test case * build(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 * build(deps): bump google.golang.org/api from 0.171.0 to 0.172.0 * Sat Mar 30 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.10: * chore: CRAN -> R * docs(cran): Add build pipeline * fix(cran): Support passing source dir as package * chore(cran): Remove (now known) redundant fetch/install pipelines * feat(pipelines): Add support for fetching, building, and installing R packages from CRAN * Change dependency for python to be python-Maj.Min-base. * build(deps): bump google.golang.org/api from 0.170.0 to 0.171.0 * build(deps): bump github.com/docker/cli * build(deps): bump github.com/charmbracelet/log * skip mounting resolv.conf for the docker runner * build(deps): bump github.com/docker/docker * Propagate user from image configuration * build(deps): bump cloud.google.com/go/storage from 1.39.0 to 1.39.1 * build(deps): bump github.com/google/go-containerregistry * build(deps): bump docker/login-action from 3.0.0 to 3.1.0 * build(deps): bump actions/checkout from 4.1.1 to 4.1.2 * build(deps): bump github.com/kubescape/go-git-url from 0.0.28 to 0.0.30 * build(deps): bump google.golang.org/api from 0.169.0 to 0.170.0 * build(deps): bump dagger.io/dagger from 0.10.1 to 0.10.2 * Switch to new octo-sts action (#1088) * Move "executing:" logging to debug * Keep symbols tables for fips builds * Fix quotes * pipelines/go: prefer to use netgo and osusergo by default * pipelines/go/install: also trimpath like build * pipelines/go: Strip by default * pipelines/go: bump GOAMD64 to v2 * pipelines/go: allow setting microarchitecture level settings * Update pkg/build/pipeline.go * open debug session in the specific workdir * Add Harden Runner audit configs * appease linter * build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.9.0 to 0.10.0 * build(deps): bump google.golang.org/api from 0.168.0 to 0.169.0 * build(deps): bump github.com/kubescape/go-git-url from 0.0.27 to 0.0.28 * feat(pipelines): Add cargo build for rust packages * WIP: remove files from SBOM * Bump apko * document builtin substitutions * build(deps): bump gitlab.alpinelinux.org/alpine/go * fix test.environment jsonschema struct tag * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.9: * build(deps): bump google.golang.org/api from 0.166.0 to 0.168.0 * build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0 * build(deps): bump dagger.io/dagger from 0.9.10 to 0.10.1 * Fix the bug in dropping the suffix. * Drop WaitDelay from bubblewrap * build(deps): bump actions/download-artifact from 4.1.2 to 4.1.4 * build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 * build(deps): bump cloud.google.com/go/storage from 1.38.0 to 1.39.0 * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.8: * Update pombump.yaml * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.7: * Rename the default bump file name. * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.6: * Add ${{cross.triplet.rust.[glibc,musl]}} * Add pombump pipeline. * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.5: * Fix resource usage in melange * Fix job control with interactive bubblewrap * build(deps): bump github.com/chainguard-dev/yam from 0.0.1 to 0.0.2 * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump go.opentelemetry.io/otel/sdk from 1.23.1 to 1.24.0 * build(deps): bump cloud.google.com/go/storage from 1.37.0 to 1.38.0 * Bump apko * Fix typo in error message * build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 * build(deps): bump actions/download-artifact from 4.1.1 to 4.1.2 * build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 * Sat Feb 24 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.4: * Fix the yaml file so that it actually gets parsed properly. * Propagate SourceDateEpoch from Build * Sat Feb 24 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.3: * Don't write APK to temp file during signing * Tue Feb 20 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.2: * Add --package-append flag to build * apply package substitutions in test.emvironment.contents.packages * change docker runner labels * label containers created by docker runner for easier external management * Add a --trace flag to melange build * Add dagger runner * Thu Feb 15 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.1: * omit arch log key when building one arch * Remove breakpoint labels * Clean up apko-temp dirs * Remove images even with cancelled ctx * Fix context.Background use * Allow substitutions in dependencies.replaces * doc: add diff pr * docs: add version-transform doc and other example to var-transform * Sat Feb 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.0: * Split pkg/container up into smaller packages * Mostly fix interactive interrupt signal handling * Do more cleanup with --rm * Continue interactive execution on exit 0 * go fmt * update dario/mergo * move runner determination to pkg/cli * Make debugging melange builds less terrible * fix go-build example * Make it easier to find docs-repo on ci failure * Thu Feb 08 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.10: * Add --die-with-parent to bwrap flags * fix bug with needs * move some logs to debug * Update build.yaml * Update install.yaml * Add GOEXPERIMENT to go/build * Wed Feb 07 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.9: * use apko@main * WIP: use charm logger * Add WaitDelay to bubblewrap cmd * Split options into separate files * Cancel context on interrupt signal * build(deps): bump github.com/docker/docker * build(deps): bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 * build(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 * Tue Feb 06 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.8: * Add --rm flag (and options) to Build * Respond to cancelled context while streaming logs * Don't use goroutines for monitoring logs * If arch is not specified, test all. * Add Close() method to container runners * use slogtest * eliminate some more logger invocations * Fix race condition in log monitoring * Exclude "com.docker.grpcfuse.ownership" xattr * Sat Feb 03 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.7: * Pass the correct env.env to the container. * test: skip when executing on an unsupported arch * melamge bump: only update expected commit shas for the main git-checkout * stop logging tons of "detected git commit for build configuration" when parsing melage config * Embed melange version in .PKGINFO * Fix missing no-depends check * build(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 * build(deps): bump github.com/kubescape/go-git-url from 0.0.26 to 0.0.27 * build(deps): bump github.com/chainguard-dev/yam * Bump apko to v0.14.0 * Update CODE_OF_CONDUCT.md * Update CODE_OF_CONDUCT.md * Switch to octo-sts-action (#968) * build(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 * warn on invalid license, log SCA findings * unexport some methods in pkg/sbom * Fix aws-c-s3 SCA * Don't include libexec directories in SCA includes * tidy * drop the lima runner * Take advantage of Octo STS to publish homebrew updates. (#956) * Pin to digest for setup-go in melange * build(deps): bump actions/download-artifact from 4.1.0 to 4.1.1 * Tue Jan 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.6: * sort with key/values * Fail if unknown variable is used in substitution * revert simple-hello, keep it alpine * fix simple-hello again * fix simple-hello * fix wolfi e2e test * also test wolfi built packages * update examples * migrate examples to wolfi * add e2e test that packages can be installed with apk * Audit the permissions of workflows. * Add test for vendored pkgconfig * Make "unable to detect git commit" a debug message * Allow vendored pkgconfig deps * make docs-repo * update * use apko@main * drop pkg/logger and use slog * Allow execable shared objects if name has ".so." * Fix sbom loopvar issue * Make BuildGuest more similar for Build and Test * Use errgroup over github.com/korovkin/limiter * Replace packages in APKINDEX with same version * Remove some more struct mutating and shadowing * Drop mutable imgRef from build.Build * Move more mutations into parameters * Take an fs as an argument to RetrieveWorkspace * Add a test * Convert some sca code to early return style * build(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 * move test pipelines to where others are. Remove unnecessary test packages. * Add python/import test pipeline, as well as e2e tests for python test pipelines. * how many ways can I really screw this one up... * Try James suggestion. * Fix the filenames. * try with explicit false. * maybe missing a space? * Add --test-package-append that you can specify extra test packages for each test. * move the comment * meson/configure: don't download subprojects by default * Add a python/test pipeline. * Bypass warning about detached head * add `*_config` pattern to split/dev pipeline * Sun Jan 07 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.5: * build(deps): bump github.com/google/go-containerregistry * bump upload/download github actions * build(deps): bump google.golang.org/api from 0.152.0 to 0.154.0 * build(deps): bump github.com/lima-vm/lima from 0.18.0 to 0.19.1 * build(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 * build(deps): bump github.com/go-git/go-git/v5 from 5.10.0 to 5.11.0 * build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 * build(deps): bump cloud.google.com/go/storage from 1.35.1 to 1.36.0 * convert: sort packages alphabetically * build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 * build(deps): bump actions/setup-go from 4 to 5 * build(deps): bump github.com/kubescape/go-git-url from 0.0.25 to 0.0.26 * Set a default env var for GOMODCACHE. * Pull in `go-apk` with `provider_priority` `ini` fix. * Mark update.manual as an optional field. * update release to add some clarification regarding the homebrew * Tue Dec 05 2023 kastl@b1-systems.de - Update to version 0.5.4: * build(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0 * build(deps): bump chainguard.dev/apko * build(deps): bump k8s.io/client-go from 0.28.3 to 0.28.4 * schema: update for new test pipeline configuration * build(deps): bump github.com/klauspost/compress from 1.17.2 to 1.17.4 * build(deps): bump google.golang.org/api from 0.150.0 to 0.152.0 * fix issue * cleanup: don't use pkg/errors * fix bad merge. * Default to package.name, but allow overrides, add example docs for specifying which package, and version to test. * argh, fix typo. * Add tests, simplify code. * e2e tests for `test` command. * checkpoint. * Add test command / implementation. * alphabetize commands, add test. * Refactor so can be used with test and build. * config struct changes for test. * Add autogenerated 'test' docs. * make docs-repo * remove unnecessary wait for testing * support resource requests and timeouts * UTC-ify source date epoch when set * Fix capitalization of SBOM originators * Fix the lint warnings in pkg/linter * Fix lints, or ignore safe ones. No functional changes. * prefix should be /usr * Ensure jsonschema is kept up to date. * Add jsonschema generation binary. * build(deps): bump go.opentelemetry.io/otel from 1.20.0 to 1.21.0 * build(deps): bump k8s.io/apimachinery from 0.28.3 to 0.28.4 * build(deps): bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7 * fix and continuously validate SBOMs * make docs-repo * default --use-github=true * fix docs * convert python: don't overwrite existing files * format manifests with yam * fix docs for --runner * improve 'melange convert python' to remove manual steps * Thu Nov 16 2023 kastl@b1-systems.de - Update to version 0.5.3: * Update release.md * build(deps): bump golang.org/x/time from 0.3.0 to 0.4.0 * pipelines: go/build: add support for go.mod overlay files * build(deps): bump cloud.google.com/go/storage from 1.33.0 to 1.35.1 * go mod tidy * update go-apk dependency * build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 * build(deps): bump go.opentelemetry.io/otel from 1.19.0 to 1.20.0 * apply substitutions to .environment.contents.packages * test runtime replacements * build(deps): bump github.com/sigstore/cosign/v2 from 2.2.0 to 2.2.1 * build(deps): bump google.golang.org/api from 0.149.0 to 0.150.0 * go mod tidy * use merged PR * update dep * use pushed PRs * WIP: use forked alpine-go in go-apk * move spammy logs to debugf * Thu Nov 09 2023 kastl@b1-systems.de - Update to version 0.5.2: * Update pkg/config/config.go * GithubReleaseMonitor: add tagprefix and tagcontains to be used in github tags filtering * Plumb check configs through to linters * Delete no-op sbom code * remove unimplemented references to fulcio support * fail if 'with' is used with 'runs' * Error early if uses and runs are both present * Get rid of PackageContext and SubpackageContext * Remove impossible errors * Make loadUse test actually test something * Remove impossible errors * build: use util.Dedup instead of slices.Compact * util: bring back Dedup, slices.Collapse requires sorting * Bump go-apk * Filter out noise opening non-ELF files * Bump go-apk and use faster tarfs implementation * Add a test to ensure that ranges are handled properly. * Add linters for #805 and #804. * Refactor linting logic and clean things up * Add SBOM linter * build(deps): bump github.com/docker/docker * build(deps): bump chainguard.dev/apko * build(deps): bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6 * Add GID/UID remapping to improve permissions. Fix permission issues resulting from running with the build user. * Separate out package and build lints * Add json tags to melange Configuration. * Add python/test linter * util: drop Dedup in favor of golang.org/x/exp/slices.Compact * sca: fix compile by moving a few things around * sca: move analyzer invocation into Analyze() function * sca: implement abstract interface between build engine and sca engine * sca: pass FS into dependency generators rather than creating it on demand * sca: move out of package.go into sca.go as a first pass * Rename Python linters to python/* * readlinkfs: ignore security.selinux xattrs * Add Python docs linter * SCA: add python dependency generator * linter: refactor check block generation in tests * Improve linter diagnostic output * Add GID/UID remapping to improve permissions. Fix permission issues resulting from running with the build user. * build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 * Fixups * Handle .so files a little smarter * Ignore all packages starting with _ * build(deps): bump google.golang.org/api from 0.147.0 to 0.148.0 * build(deps): bump k8s.io/client-go from 0.28.2 to 0.28.3 * build(deps): bump github.com/klauspost/compress from 1.17.1 to 1.17.2 * build(deps): bump chainguard.dev/apko * build(deps): bump actions/checkout from 4.1.0 to 4.1.1 * Centralize SOURCE_DATE_EPOCH parsing. * Run go fmt * Exclude docs * Exclude tests * drop sync-issues-to-project-board.yaml not used anymore * Exclude more files from Python multiple package linter * Improve filtering and diagnostics * Use the correct path for Python. * Add multiple Python packages post-linter * pipelines: add npm-install pipeline * replace the fetch python url to more friendly URI * Silence the linter * Make empty linter work by disregarding directories and SBOM in package linting * Really shut up docs linter * Docs changes/consistency fixes * Document melange lint * Module updates * Resolve circular import * Small fix * Update go-apk dep * Remove redundant package * Update pkg/config/config.go * Add basic test for APK linting * Document the release steps. * melange bump: move the reset / bump epoch logic up and inline version * melange bump: only reset the epoch if version changes, else increment it * Add APK linting. * document full-version, add pointer to docs. * Fix Typo * Thu Oct 19 2023 kastl@b1-systems.de - Update to version 0.5.1: * build(deps): bump github.com/klauspost/compress from 1.17.0 to 1.17.1 * build(deps): bump google.golang.org/api from 0.146.0 to 0.147.0 * build(deps): bump github.com/lima-vm/lima from 0.17.2 to 0.18.0 * build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 * Fix a bug where substitutions were not done for runtime. * linter: fix a typo in package linting function * build(deps): bump google.golang.org/api from 0.143.0 to 0.146.0 * go mod tidy to shut up linter * Small cleanup * Add function to lint APK files. * build(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0 * build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 * Extricate config stuff from linter. * build(deps): bump sigs.k8s.io/release-utils * fix release url path * update deprecated fields * update with 0.5.0 changes * Track vendored deps for .PKGINFO * Sat Oct 14 2023 kastl@b1-systems.de - Update to version 0.5.0: * Enable linters to warn (via callback) instead of just failing. * build(deps): bump github.com/package-url/packageurl-go * build(deps): bump go.opentelemetry.io/otel from 1.18.0 to 1.19.0 * Add a PR checklist to melange. * Fix yaml typo in linter docs * nit: fix mistake in function docs * Apply suggestions from code review * Document disabling lints and when to do so. * Update linter docs * strip linter: properly close file * Make improvements/suggestions * Add stripped file linter * update alpine-go to latest git to fix indexing * pipelines: strip: use -g by default when stripping * build(deps): bump google.golang.org/api from 0.142.0 to 0.143.0 * do not delete extensions and plugins with ruby/clean * build(deps): bump k8s.io/api from 0.28.1 to 0.28.2 * build(deps): bump google.golang.org/api from 0.138.0 to 0.142.0 * build(deps): bump k8s.io/client-go from 0.28.1 to 0.28.2 * build(deps): bump github.com/opencontainers/image-spec * build(deps): bump github.com/docker/docker * build(deps): bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 * build(deps): bump github.com/klauspost/compress from 1.16.7 to 1.17.0 * build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 * build(deps): bump actions/checkout from 4.0.0 to 4.1.0 * add docs for -compat packages * Disable empty check on git-checkout * build: refactor package linter invocation * Refactor the linter into a submodule. * Remove no provides check per @kaniini * Respect subpackage no-provides * Add post-file walk linting and empty package linting * exa is dead, use mdbook as a rust CI test instead. * bump apko to e9722fc * build: do not run linters on skipped subpackages * linter: when subpackages are linted use the subpackage name as the package config name * Only run worldwrite linter on regular files * Add worldwrite linter * Add dev, opt, and srv linters * fix the arch * Use Warnf over WARNING * log and continue when .pc file can't be loaded * fix the dir name as we already expect dir to be set explicit * Disable linters on -compat packages * Update build.yaml * add goreleaser pipeline * Unexport linter struct and linterFunc * Don't export the linter map * Add tests * build(deps): bump sigstore/cosign-installer from 3.1.1 to 3.1.2 * Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 * Bump docker/login-action from 2.2.0 to 3.0.0 * chore: remove CODEOWNERS file * Add more linters * Appease golint * Fix tests * Remove debugging print statement * Implement subpackage linting * Add package (but not subpackage) linting * build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 * Update golangci-lint to 1.54 * git-checkout: Allow tags to matched annotated tag SHAs, don't allow fuzzy matching of refs. * build(deps): bump actions/checkout from 3.5.3 to 4.0.0 * Bump k8s test workflows to Go 1.21 * Bump go to 1.21 * pipeline: fix downward propagation to referenced external pipeline nodes * config: tests: add workdir propagation test * remove cmake. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * forgot to remove one -dev * Remove specifying the php-dev version. * Add pecl pipelines for phpize & install. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * package: only constrain library search paths for provides entries * Fix some python generation issues: * Refactor application of pipeline variables to config and add tests * Pipeline: make env overrides work recursively * Add environment var overriding to the pipeline. * Bump goreleaser/goreleaser-action from 4.3.0 to 4.6.0 * Bump actions/upload-artifact from 3.1.2 to 3.1.3 * package: constrain library SCA to library search paths only * Replace the elements of the subpackage * construct the package.full-version in higher context than just pipeline. * docs: fix link in pkg/build/pipelines/README.md * docs: add documentation for built-in pipelines * document / examples for ${{package.full-version}} Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * add ${{package.full-version}} = ${{package.version}}-r${{package.epoch}} Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Changes from code review. * config: copy all subpackage variables when doing a range expansion * feat: add output logs for the apkbuild converter * Fix issue: #658 Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * feat: add new Perl pipelines for install and clean * package: just skip symlinks for now * workflows: add ncurses to the presubmit test matrix * package: dereference symlinks for aliased pkg-config modules * Fix syntax in maven pipeline (and add test). * more debug crap. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * remove debug crap. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Environment is required, adjust the tests. * Change GeneratedMelangeConfig to embed pkg/config/config instead of redefining it. * Change default python-version from 3.11 to 3. * remove extra backtick. * let's try again. * update docs * Bunch of lint fixes. No functional changes. * Add a maven/configure-mirror pipeline to redirect to GCP. * yikes, only 2 fatal lints... nice... * update docs. * Add flags for resolving git tags, release-monitoring * Update pkg/build/pipelines/python/build-wheel.yaml * Update pkg/build/pipelines/python/build-wheel.yaml * add builtin pipelines for python * update generated docs. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * remove unused vars. They do not have short form, so can use this variant. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add --wolfi-defaults flag, clean up flag handling. * readlinkfs: ignore some security-module specific xattrs * feat: support --recurse-submodules in git clone * Print the path to generated melange config. * build(deps): bump go.opentelemetry.io/otel from 1.16.0 to 1.17.0 * build(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 * build(deps): bump google.golang.org/api from 0.136.0 to 0.138.0 * build(deps): bump k8s.io/api from 0.28.0 to 0.28.1 * build(deps): bump github.com/lima-vm/lima from 0.17.0 to 0.17.2 * build(deps): bump k8s.io/client-go from 0.28.0 to 0.28.1 * Bump apko and fix everything I broke * docs: typo in go-build example * run make docs * cli: index: add --signing-key, --source and --merge options * default for github actions is bubblewwrap. * update lint rule. * Fix the links to commands, fix the URLs generated. * sign: do not rename across device boundaries * add --force option to recreate apk indexes with given signatures * pipelines: use ${{targets.contextdir}} where it makes sense * pipeline: add ${{targets.package.foo}} expansions * pipeline: add ${{targets.contextdir}}, representing the current target dir * Bump pkg-config again to actually pick up the openblas fix. * Bump pkgconfig to pick up the openblas fix. * feedback + verbiage from Erika. * Set reasonable concurrency levels for pgzip * appease linter * support substitutions in provides lists * Start of exhaustively documenting the build filele. * plumb through SDE to EmitSignature * add melange sign command, slightly refactor and make public the signing methods * add test for substituting needs.packages * allow override go version for uses: go/build and go/install * Support for setting context in .melange.k8s.yaml * Add docs about custom pipelines, defining and using. * build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 * Teach melange about the forthcoming version-transform block * doc and lint revisions (#598) * build(deps): bump google.golang.org/api from 0.134.0 to 0.136.0 * container: bubblewrap: do not defer closing files * build(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0 * build(deps): bump github.com/lima-vm/lima from 0.16.0 to 0.17.0 * build(deps): bump github.com/google/go-containerregistry * build: package: add pkgconf-based SCA to catalog SDKs which use it * Docstring typo fixes * Docstring fixes * Appease the go fmt Gods * Test two var transforms at once * Test var transforms on a basic level * Add ${{build.arch}} as a possible variable in bump * Make var transforms work in bump * remove paralell test for TestKubernetesRunnerConfig * add fail-fast to false * update code running goimports * add goimports * publish brew formula during release * update actions to use git hashes * update golangci-lint to v1.53 series * Adjust the var substitution stuff a bit * Move var substitution stuff into config * config: Change root to a pointer in the config struct, and add an accessor * renovate: update to use new config infrastructure * build: Add root node to the config * Appease the golangci-lint Gods * build_test: fix tests in a better way * Make all tests pass * build: add parameter where one was missing * build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.1 * pipelines: meson/configure: explicitly invoke meson setup action * build(deps): bump github.com/docker/docker * Refactor the config/logging stuff out of build * build(deps): bump google.golang.org/api from 0.133.0 to 0.134.0 * build(deps): bump github.com/docker/docker * Several fixes to k8s runner. * build(deps): bump github.com/klauspost/pgzip from 1.2.5 to 1.2.6 * build(deps): bump google.golang.org/api from 0.129.0 to 0.133.0 * Remove `wget -q` from `fetch` * add k8s runner config loading from envvars * Log errors bundling, enable GGCR Warn/Progress logs * Tweak the strip pipeline so that it never fails for deleted files * convert/python: check if release is found * Make sure we log errors. * Fix subpackage SBOM generation * define constants for runners destination mount paths * skip the cache mount for kubernetes runner builds * Add more otel spans to k8s runner * build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 * build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4 * Avoid using pargzip for compression * add a retryable (tgz) fetcher for the k8s runner * Pod names must be RFC1123 compliant * Correct the variable name in the patch pipeline * pipelines: git-checkout: harden variable expansions * pipelines: patch: refactor series/patches handling * pipelines: fetch: harden variable expansions * add retries to a subset of k8s runner exec failures * delete builder pod post build by default * properly pass workspace env/volumes to k8s builder pods * use go-apk.FullFS for retrieving builder workspaces * Finally fix python convert tests. * Comment python test. * add dir option to ruby pipelines as not all gemspecs live in the root folder * fix containerID for lima when tarring up * lima startup issues fixed * pull in apko with fix for blank SOURCE_DATE_EPOCH * Change git-checkout depth default to 1 * workflows: wolfi-presubmit: use package/ instead of packages/ for package names * build: package: forcibly treat libc as a shared library * docs: explain how build cache works practically * Bump apko dep to pick up otel spans * Fix failing test for env var wipeout * Add failing test for env var wipeout * add otel spans * build(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 * Remove use of deprecated WaitImmediate * Add ! char to ignore. * Add missing context propagation * Rename index.Context to index.Index * Rename Contexts to Builds * Sat Oct 14 2023 kastl@b1-systems.de - Update to version 0.4.0: * build(deps): bump github.com/opencontainers/image-spec * add release notes for Melange 0.4.0 * build(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 * build(deps): bump google.golang.org/api from 0.128.0 to 0.129.0 * appease linter for now * update apko to 0.9.0 * build(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 * some small UX improvements for k8s runner * build(deps): bump github.com/package-url/packageurl-go * update apko and go-apk to use pinned deps correctly * build: scan subpackage pipelines for dependencies * add a split/debug pipeline * ensure bundles are rooted correctly * build(deps): bump google.golang.org/api from 0.125.0 to 0.127.0 * build(deps): bump actions/checkout from 3.5.2 to 3.5.3 * add a kubernetes pod runner * build(deps): bump docker/login-action from 2.1.0 to 2.2.0 * build(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.6.0 * build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 * add strip prefix and suffix update config for release monitor * import apko and go-apk with better debug logging * Switch from calling Glob to two Stats * workflows: add wolfi-presubmit * cli: build: fix destination variable for --apk-cache-dir * build: PopulateCache: do not populate the cache dir when it is empty * fix apk caching directory * import apko and go-apk with package caching * Change the default for delete to false. * pipeline: fetch: optionally delete fetched artifacts after unpacking * cond: allow underscores and capitalization in variable expressions * run tests with race detector * warn and fallback to SOURCE_DATE_EPOCH=0 when specified but empty * index: use deep copy when loading pre-existing index data * build(deps): bump github.com/lima-vm/lima from 0.14.2 to 0.16.0 * build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 * index: appease linter by moving the deferred close to after the error check * build(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 * build: generate APKINDEX.json when writing packages index * index: add WriteJSONIndex function * index: split out the indexing logic itself to UpdateIndex * index: WriteArchiveIndex: use destination file path as primary input * index: use SourceIndexFile for loading index data rather than IndexFile * index: factor out loading of pre-existent indices and index state management * index: factor out index writing into WriteArchiveIndex * Bump apko and fix what that breaks * add wolfictl * upgrade alpine-lima to 3.18 * Allow uppercase and plus, allow numbers as first char * Validate configuration at the end of parsing * Remove secfixes and advisories altogether * include filename when parsing fails * Require that build config YAML has only known fields * Refactor tests for configuration load method * build(deps): bump google.golang.org/api from 0.119.0 to 0.123.0 * readlinkfs: implement go-apk fs.XattrFS interfaces * Pull in the latest go-apk for xattrs support * build(deps): bump github.com/docker/docker * Pull in index builddate support. * Install should first build melange binary... * Make makefile work on Mac and Linux. * build(deps): bump sigstore/cosign-installer from 3.0.2 to 3.0.5 * add a boolean so built in melange pipelines can be used in subpackages as they need to write to a different target folder * ensure range data replaces `with` options during a pipeline * Update README.md * Update distroless references * default for mac is docker, not bwrap * add extra logging when runner fails to TestUsability * Add go vendor support to the go build pipeline. * add multiple runner options * use latest version of melange in lima configuration file * Set `builddate` in our `.PKGINFO` control data. * add field docs * build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 * pipelines: patch: add support for quilt patch-series files * Add an optional "deps" paramter to the go/build pipeline. * chore: signing issues * chore: corrections in mac instructions * chore: corrections in mac instructions * build: package: skip SONAME analysis when ELF interpreter setting is present * Add trimpath to the go pipeline. * update docs * build: add support for configurable logging policies * Add name method to build config * build(deps): bump gitlab.alpinelinux.org/alpine/go * move signing funcs to rely on external go-apk library * use go-apk library instead of apko * update alpine-go to include replaces hotfix * simplify DataItems to use the builtin marshallable map type * add `ignore-regex-patterns` update config to indicate you want to ignore string patterns that match an upstream version * add a strip-suffix: key to melange update struct to indicate stripping a suffix from an upstream GitHub version * bump to latest apko which handles file overwrites * cli: build: warn when no work to do instead of throwing an error * build(deps): bump github.com/docker/docker * upgrade apko to 20230421 snapshot * build(deps): bump google.golang.org/api from 0.116.0 to 0.119.0 * build: update tests to use apko log.Logger * build: use apko_log.Logger everywhere * build: logger: conform to apko_log.Logger shape * adapt to new apko logging framework * update apko dependency to 20230420 snapshot * update apko dependency to 20230419 snapshot * config parsing: fix handling of filesystems * bump test: fix panic by requiring no error * Stop repeating errors on build command * build(deps): bump actions/checkout from 3.5.0 to 3.5.2 * fix 403 error when melange bumping some packages, https://www.netfilter.org for example needs it * update apko to 20230413 snapshot * Print full uri to debug file download errors * Do not depend on concrete logger * pipelines: autoconf/make-install: delete all GNU libtool metadata files * remove flawed test * build: package: append subpackages to build log * Use formatted YAML encoder from yam * build: readlinkfs: chase apko ReadlinkFS API break * upgrade apko snapshot to 20230411 * build(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 * build(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.2 * go mod tidy again * index: convert to using logrus * build: package: use logrus.Entry for logging * update apko for formatting fixes * build: remove actualArchs variable, no longer used * fix tests * container: use warning level for stderr output * pipeline: downgrade dumpWith() to use debug level * switch to using logrus * update to apko git * feat: send useragent in HTTP requests * export mutate functions as these are very useful to be called outside of the build package * warn if target-architecture:['all'], remove from examples * feat: respect target-architecture to filter archs * index: rework architecture filtering * update docs * build(deps): bump actions/add-to-project from 0.4.1 to 0.5.0 * cli: index: add --arch flag * index: print warning and skip packages which do not match the expected architecture * index: add ExpectedArch to index.Context * add a `update.manual:` key to indicate a package should be manually updated * fix: log package new names+versions when regenerating index * make original test commit sha different from the new expected sha to ensure test works * melange bump: optional flag to modify git-checkout pipeline expected-commit value * Bump apko to pick up busybox detection fix. * Fix goreleaser cosign flags * package: allow any library which has a SONAME to be a provider * build: fix SBOM language gathering for subpackage pipelines * package: ensure the package output directories always exist for scanning * build: introduce Context.IsBuildLess and skip a lot of setup/teardown for buildless packages * build: allow a package to be defined without a pipeline * Add darwin goreleaser target (macOS) * fix build * release image after the binary * update makefile * cleanup goreleaser and ko config * clean up, update version comments for ci jobs * upgrade to use go1.20 * upgrade alpine pkgs lima * Mon Apr 03 2023 kastl@b1-systems.de - Update to version 0.3.2: * Fix goreleaser cosign flags, add NEWS for melange 0.3.2 * add NEWS for melange 0.3.1 * package: allow any library which has a SONAME to be a provider * Add darwin goreleaser target (macOS) * update NEWS for melange 0.3.0. * update to apko 0.7.3 release * pipelines: fetch: use wget quiet mode * build: check for signing key existence before using it * build: package: do not add interpreter dependency when no-depends option is enabled * docs: fix baseurl for melange reference in generated docs * directly parse configuration for query * add query and package-version commands * build: use realpath to determine cache dir bindmount source * refresh docs for --cache-source * cli: add --cache-source option * build: use CacheSource to define the bucket to pull cached sources from * build: change default cache directory to ./melange-cache * build: add CacheSource option to context * Hookup user and accounts in the environment. * build(deps): bump cloud.google.com/go/storage from 1.30.0 to 1.30.1 * build(deps): bump google.golang.org/api from 0.113.0 to 0.114.0 * build(deps): bump actions/checkout from 3.3.0 to 3.5.0 * refresh docs * cli: build: add --debug flag * build: pipeline: if Context.Debug is enabled, add set -x to all pipelines * build: add Debug option to Context * build: use cond.Subst instead of replacers * cond: subst: variable names can have dashes * cond: subst: add goparsify-based variable substitution implementation * cond: parser: test: add variable lookup with whitespace test * parser: use newer fork of goparsify * add codeowners * add Update struct for identifying how a melange package can be updated * add `var-transforms` for manipulation of variables using regular expressions * pipelines: git-checkout: use tempdir for doing the initial clone * pipelines: git-checkout: mark clone directory as a safe directory for git * update ruby pipelines with usability features * add an optional flag to generate a packages.log containing list of packages + subpackages that were actuall built by `melange build` * Try to fix a strange index generation bug. * build(deps): bump actions/setup-go from 3.5.0 to 4.0.0 * container: fixes to handle /sbin/ldconfig not being present, e.g. on musl * container: run ldconfig when bringing up a build environment * update to latest apko git * build(deps): bump google.golang.org/api from 0.111.0 to 0.113.0 * build(deps): bump cloud.google.com/go/storage from 1.29.0 to 1.30.0 * update apko to latest git * pipeline: only run mkdir -p if absolutely needed * build(deps): bump github.com/go-git/go-git/v5 from 5.6.0 to 5.6.1 * update docs * run go mod tidy * pkg: convert: fix tests to use upstream ImageContents type * build: package: use internal readlinkFS, old apko fs package was deprecated * build: add minimal internal readlinkfs implementation * convert: use upstream ImageContents type, added in apko 0.7.0 * build: use normal os.DirFS for filesystem walking * upgrade to apko 0.7.2 git * build: remove --use-proot option * lint * move convert related packages under convert as subpackages * container: bubblewrap runner: use --new-session to mitigate CVE-2017-5226 * autoconf: always define the GNU host and build triplets in configure step * update docs * add more context for the experimental commands * add shell completion and move common flags to top level * move wolfios to its own package * add same convert options to higher leve * fix lint and tests * fix tests * add convert subcommand * docs: ensure docs are up to date in CI * add melange docs * change --out-dir to not depend on cwd * accept dependabot's GPG key for commit signing CI check * package: only use base soname when generating runtime dependencies across symlinks * build(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 * add omitempty to some fields * build(deps): bump google.golang.org/api from 0.110.0 to 0.111.0 * build(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.0 * build(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 * remove self-provided dependencies from the runtime dependency set * build(deps): bump github.com/openvex/go-vex * build: package: dereference symlinks across packages and read the real DT_SONAME instead of guessing * build: configuration: add support for variable substitution in more places * apply refactoring suggestions from go linter * build: also apply if-conditionals when generating the package index * build: also apply subpkg if-conditionals when emitting packages and SBOMs * examples: add example outlining the new option-related features * build: implement if-conditionals for subpackages * build: pipeline: add option enabled variables * build: build option: patch the variables and environment configuration * build: use BuildOption.Apply to apply configuration patches from build options * build: build_option: add Apply stub * cli: build: add --build-option to configure the enabled build options * build: add WithEnabledBuildOptions context option * build: add BuildOptions map to Configuration * build: add BuildOption types * package: ensure we are operating only on a basename when generating symlink deps * package: detect shared library dependencies for .so symlinks * build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 * build(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 * Add ruby pipelines for gem install, build and clean * build: package: add support for defining "replaces" relationships * package: findInterpreter: chop trailing nul from interpBuf * package: deal with musl interpreter being a symlink back to itself * package: ensure PT_INTERP is always added as an explicit dependency * build(deps): bump github.com/docker/docker * build(deps): bump github.com/joho/godotenv from 1.4.0 to 1.5.1 * build(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 * build(deps): bump github.com/docker/docker * git-checkout: fix tags * use merge option to speed up apkindex generation when build * just warn if no branch or tag specified * build(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 * build(deps): bump github.com/google/go-containerregistry * Revert "Generate build environment SBOM" * add expected-commit to git-checkout * Update README to mention wolfi. * cli: add --vars-file option to support loading build variables from an external source * build: add WithVarsFile and WithVarsFileForParsing options * examples: add variable substitution example * pipeline: handle ${{vars}} block as expected * build: add variables block to build configuration struct * build(deps): bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 * examples: add working-directory example * pipeline: ensure the working-directory is created before using it * pipeline: propagate WorkDir to subpipelines * pipeline: set working directory when evaluating pipeline "runs" entries * build: add Pipeline.WorkDir definition * build(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 * build(deps): bump github.com/docker/docker * build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 * go mod tidy to drop chainguard/vex * Switch VEX dependency to openvex * allow provider priority to be configured * build(deps): bump google.golang.org/api from 0.106.0 to 0.107.0 * Wire logger from SBOM generator to impl * Escape invalid identifier chars * Fix build sbom name in subpackages * Fix bug where package verification was wrong * build sbom: Add relationships to produced SBOMs * Update protobom to support dl location * Build SBOM: Generate package with apks * Trigger build SBOM generation, reuse write * Passs guest directory to sbom spec * Refactor SBOM spec for reuse * Add ReadPackageIndex to gen implementation * Add GenerateBuildEnvSBOM fn to SBOM generator * Update Lima link * update apko dependency to latest * bump apko dependency * pipelines: autoconf/configure: fix sysconfdir * upgrade apko dependency to latest git * build(deps): bump github.com/go-git/go-git/v5 from 5.5.1 to 5.5.2 * build(deps): bump google.golang.org/api from 0.105.0 to 0.106.0 * build(deps): bump actions/checkout from 3.2.0 to 3.3.0 * bump apko to latest git again for keyring fix * fix typo * index gen: Add loop throttle, mutex * close lingering file descriptor * sbom: handle spdxPkg.VerificationCode being a pointer in apko git * chase PublishImageFromLayer API change in apko * update apko dependency to latest git for armv6/armv7 triplet fixes * go/install: also require git (#239) * use lima to use melange on mac * Advisories: Require pkg version for fixed status (#237) * Parallel processing of packages. * Make packageurl-go import direct * add --namespace option to build subcommand * SBOM: Generate purls for built packages * Add namespace and arch fields to SBOM spec * Drop distro qualifier from purls * Add Go pipelines documentation * Revamp go examples to use both pipleines * New go/install pipeline * go/build: Support changing module root * Bump vex (#231) * Remove extra field * Add advisories and purls * Export functionality for config parsing (#229) * Apko devenv README * Melange development environment * Sun Mar 19 2023 Johannes Kastl <kastl@b1-systems.de> - new package melange: Build APKs from source code
/usr/bin/melange /usr/share/doc/packages/melange /usr/share/doc/packages/melange/README.md /usr/share/licenses/melange /usr/share/licenses/melange/LICENSE
Generated by rpm2html 1.8.1
Fabrice Bellet, Wed Nov 13 00:41:02 2024