Comparing changes

base repository: chainguard-dev/melange
base: v0.31.2
head repository: chainguard-dev/melange
compare: v0.31.3
  • 9 commits
  • 17 files changed
  • 2 contributors

Commits on Sep 8, 2025

  1. tests: add checks for run-as root and non-root users

    The QEMU runner broke the ability to have non-root builds, and the
    bubblewrap runner fails when the group ID does not match the user ID
    of the run-as user.
    
    v2: add tests to ensure numeric versions of user ids as specified in the
        `run-as:` statement correctly function as the intended user.
    v3: add check-accounts pipeline and use that in the accounts tests.
    v4: add checks that tests for subpackages can run as different users
        than the parent package
    
    Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
    MR: #2138
    stevebeattie committed Sep 8, 2025
    4e6b4f3
  2. bubblewrap: when running as custom UID, use corresponding GID

    When running a build with a non-standard UID, look up and use the
    effective GID that corresponds to that User/UID as configured. Without
    this, under bubblewrap it would default to using the UID of the runas
    user, which is not necessarily a valid group.
    
    v2: fall back to using GID == UID if GID is not specified, and fix up
        unit tests to test for both situations.
    
    Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
    MR: #2138
    stevebeattie committed Sep 8, 2025
    a3612ee
  3. qemu runner: rename SSH connection info

    Rename the variables around handling SSH connections with the build
    guest to make it clearer which ones are intended to handle the build
    actions and which ones handle controlling the guest, and what has
    privileges.
    
    Essentially, the following transitions:
    
      SSHWorkspaceAddress -> SSHControlAddress
      sshWorkspacePort -> sshControlPort
    
      SSHClient -> SSHBuildClient
      WorkspaceClient -> SSHControlClient
    
    This is purely a renaming change, there should be no functional
    changes as a result.
    
    v2: update ssh session in added getGuestKernelVersion() from 4df0da8
        ("qemu runner: report kernel version (#2132)")
    
    Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
    MR: #2138
    stevebeattie committed Sep 8, 2025
    9df1b3e
  4. qemu runner: add control connection on ssh build port

    Some of the operations for setting up the build environment are
    performed in the chroot'ed build environment; separate these out into
    their own ssh client config SSHControlBuildClient because they (often)
    need privileged permissions, with the intent that the SSHBuildClient can
    be an unprivileged connection and set of operations, unless the build
    itself specifically needs to perform a privileged operation.
    
    Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
    MR: #2138
    stevebeattie committed Sep 8, 2025
    beff8e1
  5. e2e-tests: add check for default user in builds/tests

    Add a check for the default user / group the build runs under during
    builds and tests.
    
    Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
    MR: #2138
    stevebeattie committed Sep 8, 2025
    3aa1c87
  6. docs/BUILD-FILE.md: add information about defining accounts

    Add documentation outlining the basic structure of the
    environment.accounts definitions, with a brief discussion on using
    different users for the build.
    
    Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
    stevebeattie committed Sep 8, 2025
    6210d9f
  7. docs/BUILD-FILE.md: expand information about environments

    Expand information about the subtleties of the environment section
    definition, including how it can differ in subpackage tests but not in
    subpackage builds.
    
    Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
    stevebeattie committed Sep 8, 2025
    dfced18
  8. docs/BUILD-FILE.md: improve formatting

    Improve the formatting for non-github markdown renderers (like pandoc
    or retext).
    
    Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
    stevebeattie committed Sep 8, 2025
    54a57bc
  9. sca: fix SCA for go-fips-1.25 (#2153)

    Ensure that Melange SCA generates depends for packages that use the
    new go-msft-1.25 toolchain.
    
    Tried to create a test case for this, but failed in:
    - #2152
    
    It would require enterprise-packages access which is not great.
    
    Separately test cases are available as, currently:
    - 1.24 works chainguard-dev/enterprise-packages#33090
    - 1.25 doesn't chainguard-dev/enterprise-packages#33091
    
    And with this PR both should start working again.
    
    Suggestions on how to make test cases work are welcomed to catch this.
    
    My plan is to add SCA check to go-msft packages themselves, such that it breaks when there are changes to build-info in the future:
    - chainguard-dev/enterprise-packages#32952
    
    Also note that libssl.so is unused, and only libcrypto is dlopened.
    xnox authored Sep 8, 2025
    d10daea