Merge branch 'main' into cve-shadowsocks-rust-fcef6f443148b461b264a97…

…5e7c5aa78
wolfi-dev · Dec 27, 2024 · 713da4e · 713da4e
2 parents 250aefb + 6545507
commit 713da4e
Show file tree

Hide file tree

Showing 1,664 changed files with 23,790 additions and 6,917 deletions.
diff --git a/.github/actions/docker-run/action.yaml b/.github/actions/docker-run/action.yaml
@@ -6,7 +6,7 @@ inputs:
     required: true
   image:
     description: "The image to use"
-    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:8b4a75a1e5c423c3182c25a27dd5c2e5d655f0fe360fd5dab90b1c1ec322b7b1"
+    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:6d49f779092c0bfacb2296654376aac5607dd946a5cd077f06e05e89a2341495"
     required: false
   workdir:
     description: "The images working directory"

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -3,9 +3,6 @@ name: Lint
 on:
   pull_request:
     branches: ['main']
-  push:
-    branches:
-      - gh-readonly-queue/main/**
 
 permissions:
   contents: read
@@ -24,18 +21,12 @@ jobs:
       with:
         egress-policy: audit
 
-    # Install wolfictl
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
-      with:
-        repository: wolfi-dev/wolfictl
-        path: wolfictl
-    - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
-      with:
-        go-version-file: 'wolfictl/go.mod'
-    - working-directory: wolfictl
-      run: go install
     # Install yam
+    - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      with:
+        go-version: 1.23
     - run: go install github.com/chainguard-dev/yam@latest
 
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
     - run: ./lint.sh
+    - run: git diff --exit-code
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,7 +1,3 @@
-# Require review by build system owners for workflow and Makefile changes.
-Makefile @wolfi-dev/wolfi-build-maintainers
-/.github/workflows/ @wolfi-dev/wolfi-build-maintainers
-
 # Require review by repo owners of changes to CODEOWNERS
 CODEOWNERS @wolfi-dev/wolfi-owners
 

diff --git a/Makefile b/Makefile
@@ -25,6 +25,7 @@ MELANGE_OPTS += ${MELANGE_EXTRA_OPTS}
 
 # Enter interactive mode on failure for debug
 MELANGE_DEBUG_OPTS += --interactive
+MELANGE_DEBUG_OPTS += --debug
 MELANGE_DEBUG_OPTS += --package-append apk-tools
 MELANGE_DEBUG_OPTS += ${MELANGE_OPTS}
 
@@ -51,12 +52,6 @@ ifeq (${LINT}, yes)
 	MELANGE_OPTS += --fail-on-lint-warning
 endif
 
-# The list of packages to be built. The order matters.
-# wolfictl determines the list and order
-# set only to be called when needed, so make can be instant to run
-# when it is not
-PKGLISTCMD ?= $(WOLFICTL) text --dir . --type name --pipeline-dir=./pipelines/
-
 BOOTSTRAP_REPO ?= https://packages.wolfi.dev/bootstrap/stage3
 BOOTSTRAP_KEY ?= https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub
 WOLFI_REPO ?= https://packages.wolfi.dev/os
@@ -66,38 +61,17 @@ BOOTSTRAP ?= no
 ifeq (${BOOTSTRAP}, yes)
 	MELANGE_OPTS += -k ${BOOTSTRAP_KEY}
 	MELANGE_OPTS += -r ${BOOTSTRAP_REPO}
-	PKGLISTCMD += -k ${BOOTSTRAP_KEY}
-	PKGLISTCMD += -r ${BOOTSTRAP_REPO}
 else
 	MELANGE_OPTS += -k ${WOLFI_KEY}
 	MELANGE_OPTS += -r ${WOLFI_REPO}
-	PKGLISTCMD += -k ${WOLFI_KEY}
-	PKGLISTCMD += -r ${WOLFI_REPO}
-endif
-
-all: ${KEY} .build-packages
-ifeq ($(MAKECMDGOALS),all)
-  PKGLIST := $(addprefix package/,$(shell $(PKGLISTCMD)))
-else
-  PKGLIST :=
 endif
-.build-packages: $(PKGLIST)
 
 ${KEY}:
 	${MELANGE} keygen ${KEY}
 
 clean:
 	rm -rf packages/${ARCH}
 
-.PHONY: list list-yaml
-list:
-	$(info $(shell $(PKGLISTCMD)))
-	@printf ''
-
-list-yaml:
-	$(info $(addsuffix .yaml,$(shell $(PKGLISTCMD))))
-	@printf ''
-
 fetch-kernel:
 	$(eval KERNEL_PKG := $(shell curl -sL https://dl-cdn.alpinelinux.org/alpine/edge/main/$(ARCH)/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$$1 == "P" {printf "%s-", $$2} $$1 == "V" {printf "%s.apk\n", $$2}' | grep "linux-virt" | grep -v dev))
 	@curl -s -LSo linux-virt.apk "https://dl-cdn.alpinelinux.org/alpine/edge/main/$(ARCH)/$(KERNEL_PKG)"
@@ -167,7 +141,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:8b4a75a1e5c423c3182c25a27dd5c2e5d655f0fe360fd5dab90b1c1ec322b7b1
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:6d49f779092c0bfacb2296654376aac5607dd946a5cd077f06e05e89a2341495
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 # This target spins up a docker container that is helpful for testing local
@@ -235,6 +209,12 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOS_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:8b4a75a1e5c423c3182c25a27dd5c2e5d655f0fe360fd5dab90b1c1ec322b7b1
+		ghcr.io/wolfi-dev/sdk:latest@sha256:6d49f779092c0bfacb2296654376aac5607dd946a5cd077f06e05e89a2341495
 	@rm "$(TMP_REPOS_FILE)"
 	@rmdir "$(TMP_REPOS_DIR)"
+
+# Checks that the repo can be built in order from bootstrap packages.
+check-bootstrap:
+	$(WOLFICTL) text --dir . --type name --pipeline-dir=./pipelines/ \
+		-k ${BOOTSTRAP_KEY} \
+		-r ${BOOTSTRAP_REPO}
diff --git a/aactl.yaml b/aactl.yaml
@@ -1,7 +1,7 @@
 package:
   name: aactl
   version: 0.4.12
-  epoch: 19
+  epoch: 21
   description: Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.
   copyright:
     - license: Apache-2.0
@@ -23,7 +23,7 @@ pipeline:
 
   - uses: go/bump
     with:
-      deps: github.com/docker/distribution@v2.8.2-beta.1 github.com/sigstore/rekor@v1.2.0 github.com/cloudflare/circl@v1.3.7 golang.org/x/crypto@v0.17.0 gopkg.in/go-jose/go-jose.v2@v2.6.3 google.golang.org/grpc@v1.56.3 google.golang.org/protobuf@v1.33.0 github.com/sigstore/cosign/v2@v2.2.4 golang.org/x/net@v0.23.0 github.com/hashicorp/go-retryablehttp@v0.7.7 github.com/docker/docker@v26.1.5 github.com/golang-jwt/jwt/v4@v4.5.1
+      deps: github.com/docker/distribution@v2.8.2-beta.1 github.com/sigstore/rekor@v1.2.0 github.com/cloudflare/circl@v1.3.7 gopkg.in/go-jose/go-jose.v2@v2.6.3 google.golang.org/grpc@v1.56.3 google.golang.org/protobuf@v1.33.0 github.com/sigstore/cosign/v2@v2.2.4 github.com/hashicorp/go-retryablehttp@v0.7.7 github.com/docker/docker@v26.1.5 github.com/golang-jwt/jwt/v4@v4.5.1 golang.org/x/crypto@v0.31.0 golang.org/x/net@v0.33.0
       replaces: github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/v3@v3.0.3 github.com/sigstore/cosign/v2=github.com/sigstore/cosign/v2@v2.2.4
 
   - runs: |

diff --git a/ack.yaml b/ack.yaml
@@ -1,7 +1,7 @@
 package:
   name: ack
-  version: 3.7.0
-  epoch: 1
+  version: 3.8.0
+  epoch: 0
   description: A Perl-powered replacement for grep
   copyright:
     - license: Artistic-2.0
@@ -21,7 +21,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: ea7caa14f757de083310ed2cba298661ddcca5dee06ec8f18043ea625a79df20
+      expected-sha256: 640b1a1b36ca15a4d1d1792f2a44e69aeae58391cf0d21fa8a29665a8895f718
       uri: https://cpan.metacpan.org/authors/id/P/PE/PETDANCE/ack-v${{package.version}}.tar.gz
 
   - runs: PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor

diff --git a/actions-runner-controller.yaml b/actions-runner-controller.yaml
@@ -1,7 +1,7 @@
 package:
   name: actions-runner-controller
-  version: 0.9.3
-  epoch: 3
+  version: 0.10.1
+  epoch: 1
   description: Kubernetes controller for GitHub Actions self-hosted runners
   copyright:
     - license: Apache-2.0
@@ -18,49 +18,44 @@ pipeline:
     with:
       repository: https://github.com/actions/actions-runner-controller
       tag: gha-runner-scale-set-${{package.version}}
-      expected-commit: 80d848339e5eeaa6b2cda3c4a5393dfcb4614794
+      expected-commit: 1e10417be8341df564a11abc970fe8f41a3b102c
 
   - uses: go/bump
     with:
-      deps: github.com/golang-jwt/jwt/v4@v4.5.1
+      deps: golang.org/x/net@v0.33.0
 
   - uses: go/build
     with:
       packages: .
       output: manager
-      ldflags: -s -w -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
+      ldflags: -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
 
   - uses: go/build
     with:
       packages: ./cmd/githubrunnerscalesetlistener
       output: github-runnerscaleset-listener
-      ldflags: -s -w -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
+      ldflags: -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
 
   - uses: go/build
     with:
       packages: ./cmd/ghalistener
       output: ghalistener
-      ldflags: -s -w -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
+      ldflags: -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
 
   - uses: go/build
     with:
       packages: ./cmd/githubwebhookserver
       output: github-webhook-server
-      ldflags: -s -w
 
   - uses: go/build
     with:
       packages: ./cmd/actionsmetricsserver
       output: actions-metrics-server
-      ldflags: -s -w
 
   - uses: go/build
     with:
       packages: ./cmd/sleep
       output: sleep
-      ldflags: -s -w
-
-  - uses: strip
 
 subpackages:
   - name: "${{package.name}}-compat"

diff --git a/addon-resizer.yaml b/addon-resizer.yaml
@@ -1,7 +1,7 @@
 package:
   name: addon-resizer
   version: 1.8.22
-  epoch: 2
+  epoch: 4
   description: Autoscaling components for Kubernetes
   copyright:
     - license: Apache-2.0
@@ -23,16 +23,19 @@ pipeline:
       tag: addon-resizer-${{package.version}}
       expected-commit: f36bbcd9008f37ce6fbd0c2b4fcb13e827b52737
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/net@v0.33.0
+      modroot: addon-resizer
+
   - uses: go/build
     with:
       modroot: addon-resizer
       packages: nanny/main/pod_nanny.go
-      ldflags: -s -w -X k8s.io/autoscaler/addon-resizer/nanny.AddonResizerVersion=${{package.name}}
+      ldflags: -X k8s.io/autoscaler/addon-resizer/nanny.AddonResizerVersion=${{package.name}}
       output: pod_nanny
       vendor: true
 
-  - uses: strip
-
 subpackages:
   - name: "${{package.name}}-compat"
     description: "Compatibility package to place binaries in the location expected by upstream Dockerfile"

diff --git a/age.yaml b/age.yaml
@@ -1,7 +1,7 @@
 package:
   name: age
-  version: 1.2.0
-  epoch: 2
+  version: 1.2.1
+  epoch: 0
   description: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
   copyright:
     - license: BSD-3-Clause
@@ -11,7 +11,11 @@ pipeline:
     with:
       repository: https://github.com/FiloSottile/age.git
       tag: v${{package.version}}
-      expected-commit: bbe6ce5eeb1bb70cfc705d0961c943f0dd637ffd
+      expected-commit: 482cf6fc9babd3ab06f6606762aac10447222201
+
+  - uses: go/bump
+    with:
+      deps: golang.org/x/crypto@v0.31.0
 
   - uses: go/build
     with: