UPDATES.md
Automated package updates

Wolfi packages are kept up-to-date with the latest upstream releases.

A melange package config can contain an update: section, which you can read more about in the related melange docs.

The Wolfi project itself has built automation that fetches the latest package versions from a variety of backend APIs and will create an automated pull request on Wolfi when a new version is available. You can read more about this automation in the wolfictl update docs.

[Figure: sequence_diagram.png]

Contributing

When contributing a new package, decide which backend the Wolfi Bot should use to discover the latest release versions. The two currently available are Release Monitor and GitHub.

To help you decide, here are a few things to consider:

Release Monitor

  • The latest package versions returned do not always represent the real latest version. This happens, for example, with GitHub projects that don't use GitHub releases, or that publish patch releases for previous versions after a newer version. Examples of these are kustomize and jenkins.

  • The Wolfi Bot uses the Release Monitor REST API to query for new versions rather than subscribing to the Topic queue. This reduces infrastructure needs for Wolfi, as we can query the REST API in a GitHub Action. A single request is sent for each package we want to check; to avoid DoS'ing the Release Monitor API, we do this once per day.

GitHub

In comparison to the drawbacks described above with Release Monitor, configuring a GitHub backend in the melange config gives greater control and flexibility. For example, GitHub projects that don't use GitHub releases are supported, as are projects like Kustomize and Jenkins, which create releases in a different way to other projects.

The GitHub backend implementation uses GitHub's GraphQL API and so we can send a single request which returns the latest versions for many projects. This means the CRON job runs once per hour.
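
The ordering problem described under Release Monitor above, shown next to a selection that filters tags by prefix and compares versions numerically. This is an added example, not code from Wolfi, wolfictl or melange; the tag names, the `tool/v` prefix and the function names are constructed for illustration.

```python
import re

# Constructed sample data (not real upstream release history): tags in
# publish order, oldest first. One repository tags several components, and
# a patch for the old 4.x line ships after 5.0.0.
SAMPLE_TAGS = [
    "tool/v4.5.7",
    "tool/v5.0.0",
    "api/v0.13.2",
    "tool/v5.1.0-rc.1",
    "tool/v4.5.8",
]


def newest_published(tags):
    """Naive choice: whatever was published last, regardless of version."""
    return tags[-1]


def highest_version(tags, prefix):
    """Keep only '<prefix>X.Y.Z' tags and return the greatest X.Y.Z.

    Tags for other components and pre-releases are skipped, so a later
    backport or an unrelated component cannot displace the newest release.
    """
    pattern = re.compile(re.escape(prefix) + r"(\d+)\.(\d+)\.(\d+)")
    candidates = []
    for tag in tags:
        m = pattern.fullmatch(tag)
        if m:
            candidates.append(tuple(int(part) for part in m.groups()))
    if not candidates:
        raise ValueError(f"no tag matches prefix {prefix!r}")
    return ".".join(str(n) for n in max(candidates))


def is_downgrade(current, proposed):
    """True if moving from `current` to `proposed` would go backwards."""
    cur, new = (tuple(int(n) for n in v.split(".")) for v in (current, proposed))
    return new < cur


if __name__ == "__main__":
    print("newest published:", newest_published(SAMPLE_TAGS))
    print("highest version: ", highest_version(SAMPLE_TAGS, "tool/v"))
```

An update bot that took the newest published tag here would propose 4.5.8 over a package already at 5.0.0; a check like `is_downgrade` on the proposed version catches that before a pull request is opened.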

Adding new projects to Release Monitor

If your project is not listed in Release Monitor, you can sign up for a free account and add the project you are interested in.