Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: melange | Distribution: openSUSE Tumbleweed |
Version: 0.31.8 | Vendor: openSUSE |
Release: 1.1 | Build date: Fri Oct 17 08:21:42 2025 |
Group: Unspecified | Build host: reproducible |
Size: 35249770 | Source RPM: melange-0.31.8-1.1.src.rpm |
Packager: http://bugs.opensuse.org | |
Url: https://github.com/chainguard-dev/melange | |
Summary: Build APKs from source code |
Build apk packages using declarative pipelines. Commonly used to provide custom packages for container images built with apko. The majority of apks are built for use with either the Wolfi or Alpine Linux ecosystems. Key features: * Pipeline-oriented builds. Every step of the build pipeline is defined and controlled by you, unlike traditional package managers which have distinct phases. * Multi-architecture by default. QEMU is used to emulate various architectures, avoiding the need for cross-compilation steps.
Apache-2.0
* Fri Oct 17 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.8: * Revert "Fail build when var-transforms produce empty or non-matching results" (#2185) * Fri Oct 10 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.7: * Fail build when var-transforms produce empty or non-matching results * qemu runner: open permissions on melange cache upper overlay * build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 (#2141) * build(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#2144) * build(deps): bump the actions group across 1 directory with 3 updates (#2158) * build(deps): bump the gomod group across 1 directory with 12 updates (#2167) * Tue Oct 07 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.6: * Set $TERM when entering debug shell (#2166) * Mon Sep 29 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.5: * R build pipeline improvements (#2160) * Thu Sep 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.4: * Update README.md (#1888) * fix(user accounts): don't crash if user without gid is specified * Qemu runner: debug initial connection (#2154) * Thu Sep 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.3: * sca: fix SCA for go-fips-1.25 (#2153) * docs/BUILD-FILE.md: improve formatting * docs/BUILD-FILE.md: expand information about enviroments * docs/BUILD-FILE.md: add information about defining accounts * e2e-tests: add check for default user in builds/tests * qemu runner: add control connection on ssh build port * qemu runner: rename SSH connection info * bubblewrap: when running as custom UID, use corrsponding GID * tests: add checks for run-as root and non-root users * Thu Sep 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.2: * qemu runner: strip newline from kernel version (#2149) * qemu runner: report kernel version (#2132) * chore: bump apko to v0.30.8 (#2148) * Propagate environment between uses and pipelines (#2139) * pipelines/go/build: Add ignore-untracked-files to prevent some +dirty builds (#2146) * Tue Sep 02 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.1: * config.go: Remove no-vendored-cross-package-deps stanza by @sergiodj in #2145 * Mon Aug 25 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.31.0: * qemu_runner: Identify as qemu intentionally * Download alpine kernel for local testing * qemu_runner: An hour is far too long for qemu to get networking working by defualt * .gitignore: ignore the kernel directory * feat: go bump - go work vendor (#2136) * More summarize output info. (#2124) * build(deps): bump the gomod group with 8 updates (#2126) * Tue Aug 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.30.6: * Remove 'melange convert' (#2117) * Fri Aug 08 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.30.5: * Fix and improve file permission linters; update tests to mirror actual usage (#2118) * Mon Aug 04 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.30.4: * linter.go/linter_test.go: Added `maninfo` linter (#2105) * source: copy package contents when fetching source (#2106) * ci: make the vuln scan simpler (#2113) * Fri Aug 01 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.30.3: * Revert "SCA: Generate depends for shlibs ending in .so" and related commits (#2116) * Fri Aug 01 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.30.2: * Use https://mirrors.ocf.berkeley.edu whenever applicable for GNU programs by @sergiodj in #2073 * build(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible in the go_modules group by @dependabot[bot] in #2108 * Don't --require-zero in CI scan by @jonjohnsonjr in #2112 * Improve SCA handling of bogus shlib dependencies by @sergiodj in #2109 * Bump apko to v0.30.2 and handle field rename by @kevinmdavis in [#2111] * Mon Jul 28 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.30.1: * sbom: populate supplier for operating system package (#2101) * Do not require .so files to be executable (#2099) * SCA: Generate "depends" for shlibs ending in ".so" (#2072) * Expand check for libraries provided by the host (#2077) * Fri Jul 25 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.30.0: * Use session.Run instead of session.Shell with session.Stdin (#2100) * feat(sbom): Include the distro qualifier as part of the APK PURL (#2078) * Fri Jul 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.29.7: * Revert changes related to "avoid SSH lockups, use script for tests" (#2096) * build(deps): bump sigs.k8s.io/release-utils from 0.11.1 to 0.12.0 (#2095) * Fri Jul 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.29.6: * build(deps): bump mvdan.cc/sh/v3 from 3.11.0 to 3.12.0 (#2090) * build(deps): bump github.com/moby/moby (#2091) * build(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 (#2089) * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace (#2092) * build(deps): bump github.com/docker/docker (#2088) * build(deps): bump the gomod group across 1 directory with 6 updates (#2087) * build(deps): bump the actions group across 1 directory with 2 updates (#2054) * Upgrade apko to v0.29.4 (#2084) * Thu Jul 17 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.29.5: * fix: tighten up permissions for written SBOM files and signature tarballs (#2086) * Thu Jul 17 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.29.4: * Revert "Use os.DirFS over apkofs.DirFS (#2079)" (#2085) * chore(pipelines/cargo): add parallel jobs input (#2083) * Thu Jul 17 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.29.3: * Use os.DirFS over apkofs.DirFS (#2079) * Include top-level environment variables in tests (#2080) * config: use supplier for namespace for unknown gits (#2081) * Tue Jul 15 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.29.2: * Do not allow packages to provide libcuda.so.1 (#2074) * license-check: fix --format=simple (#2076) * license-check: allow relative paths for extracted-source paths (#2068) * Wed Jul 09 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.29.1: * Revert "feat: allow symlinks in workspaces (#2064)" (#2071) * fix: avoid running cachedir mount commands via script (#2070) * Add comment about PATH vs the qemu runner (#2069) * SCA: Generate provides for shlibs ending with ".so" (#2067) * licensing: default to concatenating with AND, add simple mode for license-check --fix (#2057) * Fri Jul 04 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.29.0: * feat: allow symlinks in workspaces (#2064) * scan: Return an error instead of os.Exit(1) (#2065) * scan: Add namespace flag (#2063) * Mon Jun 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.28.0: * logstash-8 is no more (#2059) * feat: add SLSA provenance generation for package builds (#2051) * Mon Jun 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.27.0: * Fix issues introduced by the qemu_runner changes to os-release (#2058) * SBOM: add a OperatingSystem package to each apk SBOM (#2016) * fix: avoid SSH lockups, use script for tests (#2049) * feat(pkg/build/pipelines): add xcover pipelines (#1996) * Add usrmerge linter failure on files in /lib and /lib64 (#2053) * Mon Jun 23 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.13: * SCA: Implement feature flag for versioned shlib depends * SCA: Improve determineShlibVersion to handle corner cases * SCA: Implement "no-versioned-shlib-deps" package option * sca_test: Adjust expected output of Provides/Depends * sca_test.go: Implement InstalledPackages and PkgResolver methods * SCA: Implement versioned shared library "depends:" * SCA: Implement determineShlibVersion * SCA: Implement InstalledPackages and PkgResolver methods * build.go: Add PkgResolver field to Build struct * Implement versioned "provides" for shared libraries * fix: avoid fetching hardlinks in licenses (#2052) * Fix integration tests and then enable them. (#2042) * test(e2e/pipelines): run tests on qemu runner (#1999) * fix: make checkout expected-commit bump less greedy (#2008) * Mon Jun 16 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.12: * Update RELEASE.md (#2046) * docs: Regenerate to get rid of --guest-dir and --overlay-binsh * bubblewrap: Rename guest dir pattern to "bubblewrap-guest-*" * Replace apko.DirFS with tarfs; remove GuestDir concept * Get rid of overlayBinSh * Fri Jun 13 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.11: * fix: avoid sending huge command when fetching extra files from workspace (#2043) * Better clarify that owner vars are IDs (#2040) * Fri Jun 13 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.10: * Error if a package version is not parseable by apk.ParseVersion (#2039) * Fix ownership when retrieving workspace (#2038) * fix: pass cap add/drop to ssh session (#2032) * manpages.yaml: Move directory contents to avoid errors and clean up afterwards (#2037) * Thu Jun 12 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.9: * Add a linter for CUDA driver-specific libraries (#2033) * Wed Jun 11 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.8: * Delete named pipes instead of broadly excluding fifo files (#2035) * bump containerd dep; disable ipset-build-test e2e test (#2034) * qemu runner: fix embedded authorized key when debugging (#2031) * Add split/bin pipeline (#2030) * split/manpages: Manpage path expansion for better lookup (#2029) * Sat Jun 07 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.7: * sbom: generate downloadLocations for unknown gits (#2028) * Wed Jun 04 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.6: * qemu: ensure CacheDir exists when specified (#2025) * build(deps): bump the actions group across 1 directory with 4 updates (#1980) * Upgrade everything (#2020) * Tue Jun 03 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.5: * Update mount paths to use DefaultCacheDir instead of cfg.CacheDir (#2022) * qemu runner: define static mount tag for mount_cache (#2023) * Mon Jun 02 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.4: * [StepSecurity] Apply security best practices (#2019) * fix: handle CACHEDIR properly (#2021) * Add rust-src directories to ignoredPaths (#2017) * Sat May 31 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.3: * linter: usrmerge add trailing '/' to denote directory for prefix check (#2014) * Sat May 31 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.2: * fix: fallback to aio=threads for macos (#2012) * qemu: do some little CPU and IO optimization (#2011) * fix: try to fix weird MacOS sizing (#2010) * Fix/respect additional mounts (#2009) * Fix detection of available memory. (#2005) * fix: improve SSH command handling (#2006) * Mon May 26 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.1: * e2e-tests/run-tests: Invoke melange using $MELANGE (#2004) * linter:usrmerge: Improve error message to list files (#1863) * fix: add ignore paths to license files (#2000) * Thu May 22 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.26.0: * sbom/direct download git locations (#1992) * Fix/cpio multiarch (#1997) * fix: better handling key string (#1995) * feat: use user's SSH keys to talk to QEMU runner (#1994) * Fri May 16 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.25.1: * sbom: pass SHA512 not SHA256 when in use. (#1993) * Fri May 16 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.25.0: * license-check: fix running checks for builds using qemu (#1989) * fix: improve QEMU resource limits handling (#1990) * Fix/random port pwd shell (#1988) * sbom: Populate downloadLocation and checksums (#1983) * feat: use unsafe IO on QEMU, improve performance (#1987) * Fix/metapackage builds (#1986) * fix: ensure make parent dirs when unpacking files from workspace (#1985) * Fix test user permissions for logstash-8 (#1984) * Wed May 14 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.24.0: * feat: avoid adding additional packages on QEMU runners (#1982) * license-check: tweaks to license display and renovate (#1976) * Mon May 12 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.17: * experiment: on the fly disk for melange QEMU runner (#1977) * Mon May 12 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.16: * test: add --ignore-signatures (#1965) * Drop the `isBuildLess` optimization. (#1975) * fix: exclude fifos in WorkspaceTar (#1973) * Fix typo in license reporting re: ignored results. (#1972) * Wed May 07 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.15: * Fix absolute path handling. (#1967) * bump apko to v0.27.2 (#1966) * Improve QEMU logging. (#1968) * QEMU runner tweaks (#1957) * Tue May 06 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.14: * Add a test leg to cover license-path (#1963) * Tue May 06 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.13: * Turn relative working-dir into absolute paths. (#1962) * Retrieve the full workspace. (#1961) * Mon May 05 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.12: * Add license checks to package builds and an external license-check command (#1905) * remove GCS-based cache-dir support (#1955) * build: drop dagger runner (#1952) * Tue Apr 29 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.11: * bump apko (#1948) * Fixed command melange completion panicking by adding error handling (#1933) * Fri Apr 25 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.10: * Use virtconsole for stdout, and serial in microvm. (#1947) * Add config/env var support for microVM usage; display boot logs in debug (#1945) * Re-add xattr allowlist from readlinkFS (#1942) * Update declarative capabilities; add functionality to set within QEMU (#1944) * Revert "fix: propagate Range field of subpackages (#1939)" (#1941) * Thu Apr 24 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.9: * If the install location is customized at all, these find commands will fail and cause the build to exit. Wrapping it in a validifity check is a simple way to prevent this from failing outright. (#1943) * Add support for declarative file capabilities (#1938) * fix: propagate Range field of subpackages (#1939) * Fri Apr 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.8: * config.go: Update optional annotations for schema.json generation (#1929) * move EnablePreReleaseTags to the correct place in Update not Configuration (#1923) * pipelines/ruby/clean: remove build logs (#1925) * Fix mode bit persistence for bind mounts (#1926) * Fri Apr 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.7: * Bump apko, deal with package restructure (#1922) * Mon Apr 14 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.6: * pipelines: cmake/build: Use verbose mode by default (#1910) * Include /usr/local paths in generateShbangDeps; drop /bin (#1909) * fix(pipelines/git-checkout): preserve ownership of existing files (#1893) * sbin-merge: reorder default pipeline path (#1907) * Move apko's tarball package into melange (#1906) * Upgrade golangci-lint to 1.64.8 (#1904) * build(deps): bump the gomod group across 1 directory with 6 updates (#1879) * build(deps): bump the actions group across 1 directory with 5 updates (#1895) * deprecate goreleaser build pipeline (#1892) * test.go: Invoke apkofs.DirFS with option to create dir if missing (#1897) * github: fixup presubmit workflow (#1900) * fix random issue with package.full-version (#1898) * Improve failure message for usrmerge linter (#1894) * Mon Apr 07 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.5: * rebuild: support passing --signing-key (#1890) * Thu Apr 03 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.4: * rebuild: don't require original file to rebuild (#1889) * linter: update usrmerge to include /usr/sbin (#1886) * Mon Mar 31 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 0.23.3: * rebuild: handle pipelines originally passed via `--pipeline-dir` (#1884) * fix: bug with target-architecture (#1883) * setup-bubblewrap: allow anyone to call bwrap (#1882) * rebuild: support subpackages (#1880) * switch to ubuntu-latest (#1877) * Thu Mar 27 2025 opensuse_buildservice@ojkastl.de - Update to version 0.23.2: * check diff after rebuilding (#1878) * npm/install: allow using pnpm instead (#1875) * Add `directory` parameter for `fetch` to be passed to `tar -C` (#1862) * e2e test: rebuild go- cargo- and gcc-built packages (#1869) * Store and apply xattrs correctly for all builds (#1867) * git-checkout - set depth=-1 when checking out a branch with commit. (#1868) * drop dep on k8s.io for sets (#1870) * Mon Mar 24 2025 opensuse_buildservice@ojkastl.de - Update to version 0.23.1: * fix(qemu): improve debug shell to instantiate a proper terminal (#1861) * build(deps): bump github.com/containerd/containerd/v2 (#1859) * pkg/sca/sca_test.go et al: Implement test for getLdSoConfDLibPaths * pkg/sca/sca.go: Implement getLdSoConfDLibPaths * Mon Mar 17 2025 opensuse_buildservice@ojkastl.de - Update to version 0.23.0: * fix(sca): Don't generate dependency on luajit (#1854) * Persist workspace filesystem throughout package builds (#1836) * build(deps): bump cloud.google.com/go/storage from 1.50.0 to 1.51.0 (#1855) * build(deps): bump mvdan.cc/sh/v3 from 3.10.0 to 3.11.0 (#1847) * build(deps): bump google.golang.org/api from 0.223.0 to 0.225.0 (#1853) * build(deps): bump the gomod group with 8 updates (#1851) * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace (#1846) * linter: update usrmerge and make it required (#1839) * feat: store --namespace as APK maintainer field (#1751) * Expand the sample yaml in README (#1838) * Mon Mar 10 2025 opensuse_buildservice@ojkastl.de - Update to version 0.22.2: * Ldd check linter (#1834) * fix(pkg/build/pipelines/go/covdata.yaml): add jq dep (#1833) * build(deps): bump github.com/docker/docker from 27.5.1+incompatible to 28.0.1+incompatible (#1830) * build(deps): bump dagger.io/dagger from 0.15.3 to 0.16.2 (#1832) * build(deps): bump github.com/go-git/go-git/v5 from 5.13.2 to 5.14.0 (#1831) * build(deps): bump actions/download-artifact in the actions group (#1828) * build(deps): bump the gomod group with 2 updates (#1829) * Wed Mar 05 2025 opensuse_buildservice@ojkastl.de - Update to version 0.22.1: * sign: drop support for creating SHA-1 signatures (#1748) * Fri Feb 28 2025 opensuse_buildservice@ojkastl.de - Update to version 0.22.0: * feat(build/pipelines): add llvm/covreport (#1822) * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace (#1797) * build(deps): bump github.com/moby/moby (#1820) * build(deps): bump github.com/go-jose/go-jose/v3 in the go_modules group (#1815) * chore(docs): automatic generate pipeline docs (#1699) * feat(build/pipelines): add go/covdata pipeline (#1821) * Thu Feb 27 2025 opensuse_buildservice@ojkastl.de - Update to version 0.21.2: * bump apko, check repro with --repo-append (#1812) * feat: build config can specify package CPE (#1768) * rebuild: populate Config directly without file (#1813) * Improve cmake build verbosity (#1806) * build(deps): bump the gomod group across 1 directory with 3 updates (#1809) * build(deps): bump the actions group across 1 directory with 5 updates (#1808) * build(deps): bump github.com/go-jose/go-jose/v4 in the go_modules group (#1811) * Add ${{context.name}} string substitution (#1810) * Add support in e2e-tests for melange build and then test. (#1801) * Mon Feb 24 2025 opensuse_buildservice@ojkastl.de - Update to version 0.21.1: * Give better names for invalid pipelines errors (#1805) * Fix pkgconf lint (#1802) * Thu Feb 20 2025 opensuse_buildservice@ojkastl.de - Update to version 0.21.0: * feat(pipelines/go/build): add extra-args input variable by @maxgio92 in #1792 * rebuild: add e2e test by @imjasonh in #1789 * Add annotations field map[string]string by @jvanzyl in #1793 * Mon Feb 17 2025 opensuse_buildservice@ojkastl.de - Update to version 0.20.1: * rebuild: make SBOM more reproducible * hide 'melange rebuild' * fix unit test * regen docs * fix lint finding * new command: rebuild * config: Add option to allow udpates to common prerelease tags * Thu Feb 13 2025 opensuse_buildservice@ojkastl.de - Update to version 0.20.0: * bump to latest apko * fix lint finding * bump apko to get quieter logs * build(deps): bump the gomod group across 1 directory with 5 updates * move unnecessary logs from info to debug or error (#1781) * build(deps): bump the actions group across 1 directory with 4 updates * build(deps): bump cloud.google.com/go/storage from 1.49.0 to 1.50.0 * Mon Feb 10 2025 opensuse_buildservice@ojkastl.de - Update to version 0.19.5: * Move buildUser to existing const block * Consolidate build user/group strings * Pass GID pointer to apko_types.GID in test_test.go * Add build user to test pipeline environments (#1747) * keep using /usr as prefix * add npm and update prefix location * Fri Feb 07 2025 opensuse_buildservice@ojkastl.de - Update to version 0.19.4: * patch: expose fuzz flag value * sbom: update copyrightText from "/n" to "NOASSERTION" * Fix some white space issues * Add ${{subpkg.name}} string substitution * lint: Add linter for usrmerge * Fix documentation update * Update the documentation for the new linter * Fix a linting error * Add a linter which checks for pkgconfig files * patch: add --verbose flag to patch pipeline * Mon Jan 27 2025 opensuse_buildservice@ojkastl.de - Update to version 0.19.3: * disallow uses: with a nested pipeline * Mon Jan 20 2025 opensuse_buildservice@ojkastl.de - Update to version 0.19.2: * move some spammy logs to debug * docs * fix lint, use 22.04 where needed * try ubuntu-22.04 * remove 'melange convert gem' * remove 'melange convert python' * Fri Jan 17 2025 opensuse_buildservice@ojkastl.de - Update to version 0.19.1: * Update pkg/build/build.go * Update pkg/build/build.go * sbom: switch SPDX namespace from SHA1 to FNV-1a * Compress the initrd to workaround issue (#1745) * stop generation homebrew update as melange in in homebrew core * build(deps): bump the actions group with 2 updates * build: Write a GCC specs file into workspace * Sat Jan 11 2025 opensuse_buildservice@ojkastl.de - Update to version 0.19.0: * feat: add support to add and drop linux capabilities (#1702) * Update pkg/build/pipeline.go * Update pkg/build/pipeline.go * build(deps): bump golang.org/x/time from 0.8.0 to 0.9.0 * build(deps): bump github.com/invopop/jsonschema from 0.12.0 to 0.13.0 * build(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0 * build(deps): bump github.com/go-git/go-git/v5 from 5.12.0 to 5.13.1 * minor go cleanup * minor go cleanup * build(deps): bump sigs.k8s.io/release-utils from 0.8.5 to 0.9.0 * Fix(piepline): use correct comment systax * fix: Move the go mod tidy after cd to modrootfeat: Check if go.mod file exiest in modroot dir to ensure modroot is set correctly * Mon Dec 30 2024 opensuse_buildservice@ojkastl.de - Update to version 0.18.3: * build(deps): bump actions/upload-artifact in the actions group * Mon Dec 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.18.2: * update apko to 0.22.4 * build(deps): bump cloud.google.com/go/storage from 1.48.0 to 1.49.0 * build(deps): bump google.golang.org/api from 0.211.0 to 0.214.0 * build(deps): bump the gomod group with 2 updates * Fix numpy-test to work across python 3.12 to 3.13 transition. (#1715) * fix(qemu): remove redundant check * bump: double-quote bumped version strings, avoid trailing newline * build(deps): bump actions/setup-go in the actions group * build(deps): bump the gomod group with 2 updates * fix linting * respect ctx error * fix(qemu): improve logging, make connection check less spammy * Mon Dec 16 2024 opensuse_buildservice@ojkastl.de - Update to version 0.18.1: * fix error * also drop util.RightJoinMap * undo whitespace change * remove unnecessary util.Dedup method * Sat Dec 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.18.0: * build(deps): bump chainguard.dev/apko from 0.21.0 to 0.22.1 * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump dagger.io/dagger in the gomod group * upgrade to 3.13 * sign: switch to SHA2-256 signature by default * feat(pipelines/cargo): add support for rustflags (#1698) * pipelines/split/dev - grab files in /usr/share/cmake * Thu Dec 12 2024 opensuse_buildservice@ojkastl.de - Update to version 0.17.7: * Bump apko and fix the thing I broke * Handle WalkDir errors * build(deps): bump dagger.io/dagger from 0.14.0 to 0.15.0 * Thu Dec 12 2024 opensuse_buildservice@ojkastl.de - Update to version 0.17.6: * Bump apko to v0.20.2 * Thu Dec 12 2024 opensuse_buildservice@ojkastl.de - Update to version 0.17.5: * drop spammy slog attributes * build(deps): bump cloud.google.com/go/storage from 1.47.0 to 1.48.0 * Tue Dec 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.17.4: * build(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0 * build(deps): bump github.com/chainguard-dev/clog * build(deps): bump github.com/chainguard-dev/yam in the gomod group * melange/update block: provide config option to indicate that automated pull requests should be merged in order rather than superseding and closing previous unmerged PRs * Sun Dec 08 2024 opensuse_buildservice@ojkastl.de - Update to version 0.17.3: * fix(sca): Revert recent SCA changes for Ruby * Sun Dec 08 2024 opensuse_buildservice@ojkastl.de - Update to version 0.17.2: * fix(qemu): fix MacOS crosscompile path (#1678) * fix(sca): Don't generate ruby dep when found in shebang * fix(sca_test): Check for ruby-base * fix(sca): Generate dependency for ruby-*-base instead of ruby-* * Improve comment stripping errors * Add package.srcdir substitution to README * Mon Dec 02 2024 opensuse_buildservice@ojkastl.de - Update to version 0.17.1: * test(compile): basic tests for stripComments * fix(compile): label when compile error is for test pipeline * Fri Nov 29 2024 opensuse_buildservice@ojkastl.de - Update to version 0.17.0: * feat: add project.srcdir variable (#1666) * Wed Nov 27 2024 opensuse_buildservice@ojkastl.de - Update to version 0.16.0: * Include locked melange config in control section * build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 * build(deps): bump the gomod group with 2 updates * build(deps): bump step-security/harden-runner in the actions group * Tue Nov 26 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.14: * fix(pipeline): validate expected commit before passing to git-checkout pipeline (#1667) * Add git version to Summarize output * RELEASE.md update, add statement that tags and releases will update * Fri Nov 22 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.13: * Consider symlinks as potential provides for so: * drop ntia e2e test * Wed Nov 20 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.12: * pipelines/cargo: ability to override output-dir * fix(pipeline): check also checksum length * fix(pipeline): do preliminary checks for checksum invalid chars * docs: re-add release documentation markdown file * hack: remove release.md * docs: update automatic release interval * add a dependency on texinfo or man-db as appropriate * Tue Nov 19 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.11: * build(deps): bump cloud.google.com/go/storage from 1.46.0 to 1.47.0 * Tue Nov 19 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.10: * release: check for both tag and release * Tue Nov 19 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.9: * change release frequency to weekly * review feedback * docs(release): update release.md based on new workflow design * fix(releases): more reliable releases * Bump apko to v0.20.0 * Clean up workspace dir from inside runner to avoid permission errors. (#1648) * Fri Nov 15 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.8: * Create sub-package directories in WorkDir before building subpackage * Thu Nov 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.7: * build(deps): bump golang.org/x/text from 0.19.0 to 0.20.0 * Wed Nov 13 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.6: * build(deps): bump golang.org/x/time from 0.7.0 to 0.8.0 * build(deps): bump golang.org/x/sync from 0.8.0 to 0.9.0 * Give a pointer to solution if bubblewrap runner cannot use user namespace. * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump dagger.io/dagger from 0.13.7 to 0.14.0 * Tue Nov 12 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.5: * anotha one * qemu: reduce logspam for qemu runner * build(deps): bump google.golang.org/api from 0.204.0 to 0.205.0 * build(deps): bump go.opentelemetry.io/otel from 1.31.0 to 1.32.0 * build(deps): bump chainguard.dev/apko in the gomod group * build(deps): bump goreleaser/goreleaser-action in the actions group * cleanup: remove unnecessary utils * chore(pipelines/fetch): Print expected and found checksums * Tue Nov 12 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.4: * fix(qemu): use proper machine type and cpu model based on host arch (#1627) * Switch the copy to pick up hidden files. (#1624) * Tue Nov 12 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.3: * Add man-db for doc packages * Tue Nov 12 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.2: * check ReplacesPriority if it is an integer * Tue Nov 12 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.1: * build(deps): bump the gomod group with 2 updates * build(deps): bump google.golang.org/api from 0.203.0 to 0.204.0 * build(deps): bump cloud.google.com/go/storage from 1.45.0 to 1.46.0 * Sat Nov 02 2024 opensuse_buildservice@ojkastl.de - Update to version 0.15.0: * feat(qemu): fix qemu command on cross-compilation cases * update docs * feat(qemu): add flag to specify cpu model to use, useful for cases where /dev/kvm is not available * fix(qemu): remove ssh ignoreHostKey, set an host-key retrieval step, then use host key verification for all successive commands * fix linting * fix(qemu): improve error when not finding a suitable kernel image * fix(qemu): use net.Listen to find open port, simplify random port logic * fix(qemu): use package go-shellquote and simplify cmd handling * fix(qemu): use package go-shellquote and simplify cmd handling * fix(qemu): specify KVM accelleration on linux, use only if /dev/kvm is present * fix(qemu): fix typos * Tue Oct 29 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.11: * build(deps): bump github.com/chainguard-dev/yam in the gomod group * build(deps): bump the actions group with 2 updates * Sat Oct 26 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.10: * build(deps): bump the gomod group across 1 directory with 2 updates * Fri Oct 25 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.9: * chore: unexport build pkg methods * bump apko to get http key support * go mod tidy * bump apko to pick up chainguard key fix * Thu Oct 24 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.8: * fix(bubblewrap_runner): run as build 1000 by default (#1572) * use --target-dir to target with cargo build * pass --release as default opts * allow passing more than one opts to cargo build * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.7: * fix breakage * go mod tidy * bump apko dep to fix modtime issue * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.6: * fix(build): require build config repo URL * add build base to cargo-build pipeline * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.5 (0.14.4 was not properly released): * fix(sbom): unique package IDs for upstream source * test: (tdd) add failing test for dup spdx IDs * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.3: * fix(build): use fallback values at entrypoint for git info * fix(build): use the config file dir path for git detection * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.2: * ci: add workflow to tag releases daily * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.1: * Do not specify versions during 'melange test' (Revert #1579 and [#1518]) * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.14.0: * fix(build): make git autodetection best effort * test: use x86_64 for build int tests * move sbom test inside build test * test(build): favor bwrap, fallback to docker * chore: dedup test targets in makefile * docs: run make docs-repo * try qemu runner * test: remove e2e tests for SBOM external refs * unique SPDX IDs for multiple git repo checkouts * chore: add make target for integration tests * test: add integration test for build and SBOMs * chore: bump Go version * feat(sbom): overhaul SBOM generation logic * Wed Oct 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.7: * Pin the package version with ~ rather than =. * build(deps): bump google.golang.org/api from 0.200.0 to 0.201.0 * build(deps): bump cloud.google.com/go/storage from 1.44.0 to 1.45.0 * bublewrap_runner: add /sys mount * fix lint finding * pipe it through cli * cleanup glow up * fix(qemu): fix missing pty allocation for debug shell in qemu runners * Do not add a cmd:awk dependency as nothing will ever provide cmd:awk * fix formatting lint * fix(test): update tests to reflect new struct * fix(qemu): fix failing test pipeline when using qemu runner * fix test * Pin the package version used during tests * Wed Oct 16 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.6: * run `make generate` * rename exported GetTagFilterPrefix and GetTagFilterContains functions to be normalized GetFilterPrefix and GetFilterPrefix * update config: add version filter prefix and contains to release monitor config block so implementations can perform the same behaviour as git and github configs * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump google.golang.org/api from 0.199.0 to 0.200.0 * build(deps): bump the actions group with 2 updates * build(deps): bump go.opentelemetry.io/otel/sdk from 1.30.0 to 1.31.0 * build(deps): bump the gomod group with 4 updates * pipelines: fix split/debug * Sun Oct 13 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.5: * Enable pc file dependencies * generateRuntimePkgConfigDeps: only do so for public .pc, not vendored * Improve some config parsing errors * Fri Oct 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.4: * Revert "sca: Properly detect .so files as deps" * Revert "sca: check if runtime dependencies are vendored" * Fri Oct 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.3: * cmake: switch from MinSizeRel to Release * Fri Oct 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.2: * fix: pc provides * build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0 * Fri Oct 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.1: * tidy * build(deps): bump cloud.google.com/go/storage from 1.43.0 to 1.44.0 * build(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0 * build(deps): bump github.com/chainguard-dev/yam in the gomod group * build(deps): bump the actions group with 2 updates * sca: check if runtime dependencies are vendored * Sun Oct 06 2024 opensuse_buildservice@ojkastl.de - Update to version 0.13.0: * Fix typo in README * test: Fix typo * Added additional documentation for package version selection * sca: Properly detect .so files as deps * Adjust an e2e-test that made a bad assumption. * update the docs * add --cleanup flag (default true) * build(deps): bump github.com/chainguard-dev/yam from 0.1.1 to 0.2.0 * build(deps): bump google.golang.org/api from 0.198.0 to 0.199.0 * build(deps): bump actions/checkout in the actions group * Support string replacement in ImageContents * build(deps): bump the gomod group with 5 updates * git-checkout: support scheduled updates * sca: never emit libcuda.so.1 runtime dep * Add table of contents * Add pipeline markdown reference markdown generator. * feat(melange): Add sub for output directory * Sat Sep 21 2024 opensuse_buildservice@ojkastl.de - Update to version 0.12.1: * build(deps): bump github.com/docker/cli * build(deps): bump github.com/docker/docker * build(deps): bump the gomod group with 2 updates * build(deps): bump chainguard.dev/apko from 0.18.1 to 0.19.1 * sca: remove set but never used variable * update_config: expose function to get valid schedule messages * Add uses and name to slog values * Include subpackage name in slog values * Only read the first line for shbang. * pombump: add flag to display the dependency tree * build(deps): bump dagger.io/dagger from 0.12.7 to 0.13.0 * build(deps): bump step-security/harden-runner in the actions group * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump the gomod group with 2 updates * keygen: reject bit size < 4096 * cleanup: remove some direct imports of charm log * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.12.0: * Upgrade to new hash-agnostic APIs for sign and verify * Upgrade to apko v0.18.0 * index: stop writing APKINDEX.json * update to go1.23.1 * build(deps): bump google.golang.org/api from 0.195.0 to 0.196.0 * build(deps): bump golang.org/x/crypto from 0.26.0 to 0.27.0 * build(deps): bump the gomod group with 2 updates * pipelines/ruby: remove signing_key by default * config: Whack more moles for string replacement * install go * lint * upgrade to golang 1.23 * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.6: * adds git checkout fetch,update,test and yams the melange apkbuild yamls * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.5: * fix(split pipelines): Don't split lib64 libraries * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.4: * fix(split pipelines): Check package was defined, not package directory * fix(split/dev): Support for /usr/local * fix(split pipelines): Add support for lib64 * fix(split pipelines): Use package name instead of package dir, use exact paths * Update dev.yaml * feat(pipelines/split): Support overriding source package directory * build(deps): bump dagger.io/dagger in the gomod group * build(deps): bump actions/upload-artifact in the actions group * Sat Sep 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.3: (0.11.2 is the same commit hash as 0.11.1): * fix(sca): Correctly check for existing Ruby runtime dependency by @EyeCantCU in #1387 * build(deps): bump actions/setup-go from 5.0.1 to 5.0.2 in the actions group by @dependabot in #1378 * build(deps): bump google.golang.org/api from 0.187.0 to 0.188.0 by @dependabot in #1382 * build(deps): bump github.com/google/go-containerregistry from 0.19.2 to 0.20.1 by @dependabot in #1392 * build(deps): bump step-security/harden-runner from 2.8.1 to 2.9.0 in the actions group by @dependabot in #1391 * build(deps): bump the gomod group across 1 directory with 2 updates by @dependabot in #1390 * build(deps): bump dagger.io/dagger from 0.11.9 to 0.12.1 by @dependabot in #1389 * build(deps): bump github.com/docker/cli from 27.0.3+incompatible to 27.1.0+incompatible by @dependabot in [#1397] * Expose ignoreSignatures functionality by @Kevin-Molina in #1375 * build(deps): bump github.com/docker/docker from 27.0.3+incompatible to 27.1.0+incompatible by @dependabot in [#1396] * build(deps): bump docker/login-action from 3.2.0 to 3.3.0 in the actions group by @dependabot in #1398 * build(deps): bump google.golang.org/api from 0.188.0 to 0.189.0 by @dependabot in #1401 * fix: ignore resource requests for the docker runner by @imjasonh in #1403 * build(deps): bump dagger.io/dagger from 0.12.1 to 0.12.2 in the gomod group by @dependabot in #1400 * Bump apko dependency by @mattmoor in #1404 * fix ruby sca by @xnox in #1410 * Add HOME=/root to default test environment. by @smoser in #1408 * build(deps): bump the gomod group with 4 updates by @dependabot in #1405 * update config: provide configuration to describe polling and schedules by @rawlingsj in #1412 * build(deps): bump the gomod group with 2 updates by @dependabot in #1416 * build(deps): bump google.golang.org/api from 0.189.0 to 0.190.0 by @dependabot in #1419 * build(deps): bump the actions group with 2 updates by @dependabot in #1415 * build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 by @dependabot in #1418 * build(deps): bump golang.org/x/time from 0.5.0 to 0.6.0 by @dependabot in #1417 * build(deps): bump golang.org/x/sys from 0.22.0 to 0.23.0 by @dependabot in #1420 * update config: replace recently added polling with git struct by @rawlingsj in #1421 * build(deps): bump github.com/google/go-containerregistry from 0.20.1 to 0.20.2 in the gomod group by @dependabot in #1423 * build(deps): bump golang.org/x/text from 0.16.0 to 0.17.0 by @dependabot in #1424 * build(deps): bump google.golang.org/api from 0.190.0 to 0.191.0 by @dependabot in #1426 * build(deps): bump golang.org/x/sys from 0.23.0 to 0.24.0 by @dependabot in #1428 * move 'adding package %q for pipeline %q' to debug logging by @imjasonh in #1429 * don't depend on apko's custom log package by @imjasonh in #1430 * build(deps): bump github.com/chainguard-dev/yam from 0.0.13 to 0.1.0 by @dependabot in #1431 * Feat/qemu runners by @89luca89 in #1386 * Attempt to fix qemu ci by @jonjohnsonjr in #1434 * build(deps): bump the actions group with 3 updates by @dependabot in #1432 * Centralize sca options handling by @jonjohnsonjr in #1433 * Add test to catch duplicate package names by @jonjohnsonjr in [#1439] * build(deps): bump the gomod group with 4 updates by @dependabot in #1437 * build(deps): bump google.golang.org/api from 0.191.0 to 0.192.0 by @dependabot in #1438 * move 'found pipeline' log message to debug by @imjasonh in [#1440] * melange convert python: use normalized names by @pnasrat in [#1441] * Bump apko to get chainctl auth error log by @jonjohnsonjr in [#1442] * Replace "needs" in range pipelines by @jonjohnsonjr in #1445 * docs: Add information on the repository used with the git update configuration option by @philroche in #1447 * Refactor parts of the ParseConfiguration by @jonjohnsonjr in [#1446] * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace from 1.28.0 to 1.29.0 by @dependabot in #1455 * build(deps): bump google.golang.org/api from 0.192.0 to 0.194.0 by @dependabot in #1452 * config: Replace pipelines at top level by @jonjohnsonjr in [#1456] * refactor(sbom): cleanup, simplify, and document code by @luhring in #1458 * More SBOM logic improvements by @luhring in #1459 * build(deps): bump github.com/docker/cli from 27.1.2+incompatible to 27.2.0+incompatible by @dependabot in [#1461] * build(deps): bump google.golang.org/api from 0.194.0 to 0.195.0 by @dependabot in #1463 * build(deps): bump github.com/docker/docker from 27.1.2+incompatible to 27.2.0+incompatible by @dependabot in [#1462] * build(deps): bump dagger.io/dagger from 0.12.5 to 0.12.6 in the gomod group by @dependabot in #1465 * chore(cargo/build): Allow changing install dir, add busybox by @EyeCantCU in #1466 * sca: add support for more go fips toolchains by @xnox in #1471 * sca: make pc: provides/vendored use full package version by @xnox in #1467 * Fri Jul 19 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.1: * feat(sca): Generate dependency on Ruby when building gems * Tue Jul 16 2024 opensuse_buildservice@ojkastl.de - Update to version 0.11.0: * Apply variables to workdir within a range * Add update.exclude-reason field. * fix(pipelines): Use contextdir instead of destdir in a few places * remove defunct reference to k8s runner * drop extra generate * update Makefile * drop make generate from verify.yaml * drop allowedPrefixes * don't SCA-generate so: provides for libs not directly in lib dirs * drop lima runner * fix bug, test passes * short circuit analyze on no-provides (demonstrate bug?) * fail on diff * go generate in e2e testS * better SCA e2e tests * try this * try this * another fix * default key name * unexport more * drop example * refactor Keygen opts to a struct * fix(cargo/build): test for non-zero length * Wed Jul 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.4: * expose keygen options * build(deps): bump google.golang.org/grpc in the go_modules group * Fix env overrides for interactive builds * python/pipelines - resolve symlink to full path. * python/import pipeline - find python3.7, python3.8, python3.9 * python/import - fix a bug in 'imports', do not require specifying python * var-transforms: support var transform substitions across runtimes and provides and tests * build(deps): bump the gomod group with 2 updates * build(deps): bump the actions group with 2 updates * build(deps): bump cloud.google.com/go/storage from 1.42.0 to 1.43.0 * build(deps): bump chainguard.dev/apko * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump golang.org/x/sys from 0.21.0 to 0.22.0 * build(deps): bump google.golang.org/api from 0.186.0 to 0.187.0 * Wed Jul 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.3: * group dependabot updates * bump golangci-lint to v1.59.x * bump to go1.22.5 * Wed Jul 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.2: * goreleaser: make skip value configurable * goreleaser pipeline: --skip flag refactor * build(deps): bump github.com/chainguard-dev/yam from 0.0.9 to 0.0.10 * build(deps): bump google.golang.org/api from 0.185.0 to 0.186.0 * Wed Jul 03 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.1: * update unit test * support var-transforms in subpackage names * go mod tidy * no typo * use apko Authenticator * Revert "Use current user's ID when building via Docker" * build(deps): bump github.com/docker/docker * build(deps): bump dagger.io/dagger from 0.11.6 to 0.11.9 * build(deps): bump github.com/docker/cli * Update import.yaml * add tests, fix up script * add tests, fix up script * wolfictl bump : handled mangled vars in updateGitCheckout tags * Fix ${{host.triplet.rust}} default value * Add opts to make-install pipeline * Fail on invalid pipeline inputs * python/import pipeline allow setting python binary * Wed Jul 03 2024 opensuse_buildservice@ojkastl.de - Update to version 0.10.0: * debug: Populate history file via mounts * Add git-cherry-pick pipeline (#1278) * convert some Infofs to Warnfs * log it real good * log the world-writeable file * update docs * enforce some more lint checks * fix stupid bug in linter logging * Restore signalcontext * feat - add flag to go/build to run go mod tidy (#1303) * prevent nil pointer * update schema.json * stable sorted defaults * fix lint findings * prevent nil pointer * fix test * fix tests * review feedback * some small improvements * rewrite linting * build(deps): bump github.com/chainguard-dev/yam from 0.0.8 to 0.0.9 * build(deps): bump ko-build/setup-ko from 0.6 to 0.7 * fix tempdir linter * git-checkout - do not allow both branch and tag to be specified. * build(deps): bump google.golang.org/api from 0.184.0 to 0.185.0 * build(deps): bump github.com/github/go-spdx/v2 from 2.2.0 to 2.3.1 * build(deps): bump github.com/chainguard-dev/clog from 1.3.1 to 1.4.0 * lint: support linting existence of info dirs * Make melange-test-pipelines call make test-e2e * Make running the git-checkout via melange not emit WARN messages. * Clean up git-checkout-build-test.yaml, fix depth test. * create-git-repo more standalone config, do not write to stderr * Rename test-git-checkout and put create-git-repo in test-fixtures. * Add test-e2e target to Makefile * Run make docs-repo * compile: Fix miscompilation of subpkg tests * Pipelines should inherit workdir from parents * git-checkout: fix recurse='true' does nothing * Use current user's ID when building via Docker * Add test for PreserveBaseURI * Add flag to preserve original PyPi URIs * Wed Jun 19 2024 opensuse_buildservice@ojkastl.de - Update to version 0.9.0: * Quote issues when evaluating the depth condition by @dakaneye in #1268 * build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.11 to 2.5.14 in the go_modules group by @dependabot in #1271 * test: Drop seemingly useless mkdir -p by @jonjohnsonjr in #1276 * Remove dead tarfilter code by @jonjohnsonjr in #1279 * Add build flag to override host libc flavor by @jonjohnsonjr in [#1270] * Separate compilation from execution by @jonjohnsonjr in #1267 * Remove build.PipelineBuild as a concept by @jonjohnsonjr in [#1280] * Remove ability to set logging policy by @krishjainx in #1274 * unbreak build at head from log policy removal by @k4leung4 in [#1288] * build(deps): bump chainguard.dev/apko from 0.14.8 to 0.14.9 by @dependabot in #1282 * build(deps): bump github.com/klauspost/compress from 1.17.8 to 1.17.9 by @dependabot in #1286 * build(deps): bump k8s.io/apimachinery from 0.30.1 to 0.30.2 by @dependabot in #1287 * build(deps): bump google.golang.org/api from 0.183.0 to 0.184.0 by @dependabot in #1285 * build(deps): bump cloud.google.com/go/storage from 1.41.0 to 1.42.0 by @dependabot in #1284 * Populate history for --interactive builds by @jonjohnsonjr in [#1289] * chore(autoconf/configure): Generate configuration with autoreconf when configuration doesn't exist by @EyeCantCU in [#1290] * Check for nil everywhere in Compile by @jonjohnsonjr in #1292 * stop using deprecated flags for goreleaser by @k4leung4 in [#1269] * git-checkout - try harder if getting hash from tag fails. by @smoser in #1277 * build(deps): bump actions/checkout from 4.1.6 to 4.1.7 by @dependabot in #1293 * build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #1294 * build(deps): bump github.com/chainguard-dev/yam from 0.0.7 to 0.0.8 by @dependabot in #1295 * build(deps): bump github.com/google/go-containerregistry from 0.19.1 to 0.19.2 by @dependabot in #1296 * Fix missing commit in ranged subpackages by @jonjohnsonjr in [#1304] * melange numpy test include python-3.12 by @pnasrat in #1308 * add go/bump as a default pipeline by @willswire in #1058 * Bump apko to v0.15.0 by @jonjohnsonjr in #1309 * Tue Jun 11 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.6: * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 * Add ${{build.goarch}} substitution * fix: error out when pipeline contains with but no uses * Remove depth option from git clone if inputs.depth is set to -1 * Fri Jun 07 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.5: * Add a new property that defaults to pom.xml and allows an override so we can call multiple uses: maven/pombump and pass in the somewhere-else/pom.xml * go/build: remove subpackage input * Fri Jun 07 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.4: * build(deps): bump chainguard.dev/apko * Drop go-apk to pull in faster pkginfo access * build(deps): bump google.golang.org/api from 0.182.0 to 0.183.0 * build(deps): bump golang.org/x/sys from 0.20.0 to 0.21.0 * build(deps): bump golang.org/x/text from 0.15.0 to 0.16.0 * update schema * support HTTP auth * order * fix * doc * ordering * bump go and lint * build(deps): bump chainguard.dev/apko from 0.14.3 to 0.14.7 * build(deps): bump dagger.io/dagger from 0.11.4 to 0.11.6 * build(deps): bump google.golang.org/api from 0.181.0 to 0.182.0 * build(deps): bump docker/login-action from 3.1.0 to 3.2.0 * Drop version from .PKGINFO * Speed up presubmit * Add --env-file to melange test * Thu May 30 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.3: * Disallow duplicate subpackage names * Thu May 30 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.2: * build(deps): bump chainguard.dev/apko * build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.10.0 to 0.10.1 * tests: add range priority replacement tests * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump actions/checkout from 4.1.4 to 4.1.6 * build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 * schmea: validate priority integer strings, and update schema comment * Add ReplacesPriroity like ProviderPriority, and allow substitutions * Wed May 22 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.1: * Avoid panic if no external config file ref * Verify wolfictl scan works * githuib: Fixup melange configfile test case * sbom: add support for generic git-checkout urls * github: add SBOM external ref checks * sbom: add external ref ConfigFile itself * lint * externalRefs: implement github git-checkout * Generate fully qualified and normalized PURLs straight away * Style review comments * sbom: include external refs for fetched tarballs in SPDX * Wed May 22 2024 opensuse_buildservice@ojkastl.de - Update to version 0.8.0: * Fix typo in README * build(deps): bump actions/checkout from 4.1.4 to 4.1.6 * generate * gofmt * upgrade to new apko * Fix camel-case after review * kill k8s e2e test * delete k8s runner impl * copyright: allow custom license texts * go.mod: upgrade everything * build(deps): bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 * build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 * Tue May 14 2024 opensuse_buildservice@ojkastl.de - Update to version 0.7.0: * Find shbangs to generate depends by @smoser in #1110 * presubmit: remove gdk-pixbuf by @imjasonh in #1143 * Revert "presubmit: remove gdk-pixbuf" by @imjasonh in #1147 * verify SPDX SBOMs using spdx-tools-java by @imjasonh in #1146 * Fix sca detection case for env with multiple arguments. by @dlorenc in #1148 * Update shbang collection to ignore 'python' and support simple 'env -S'. by @smoser in #1159 * ensure shbang check only checks valid shbangs by @joshrwolf in [#1160] * config: allow scriplets in subpackages with range replacements by @xnox in #1165 * Drop -release from pc versions by @jonjohnsonjr in #1173 * fix(cargo): Install all built binaries if output isn't defined by @EyeCantCU in #1174 * sbom: set supplier in addition to originator by @imjasonh in [#1184] * Add melange scan by @jonjohnsonjr in #1175 * Bump go-apk by @jonjohnsonjr in #1185 * add global --gcplog flag to emit GCP-compatible JSON logs by @imjasonh in #1186 * pipelines/go: add back symbols tables by @xnox in #1142 * Only consider that are in a PATH dir from generateCmdProviders by @smoser in #1164 * Allow symlinks to provide cmd: by @smoser in #1188 * Extract melange sign to a library by @tcnghia in #1198 * Revert "Allow symlinks to provide cmd:" by @joshrwolf in #1200 * Bump apko by @jonjohnsonjr in #1201 * Make unit tests faster by @jonjohnsonjr in #1202 * Add buildmode to go/build by @jonjohnsonjr in #1210 * lots of updates for build dependencies * Tue Apr 09 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.11: * build(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump golang.org/x/sys from 0.18.0 to 0.19.0 * build(deps): bump go.opentelemetry.io/otel/sdk from 1.24.0 to 1.25.0 * build(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1 * build(deps): bump github.com/chainguard-dev/yam from 0.0.2 to 0.0.3 * bump docker * build(deps): bump dagger.io/dagger from 0.10.2 to 0.11.0 * build(deps): bump cloud.google.com/go/storage from 1.39.1 to 1.40.0 * Ensure configuration file is closed * sca: add go-fips-bin runtime deps * sca: add go-fips-bin test case * build(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 * build(deps): bump google.golang.org/api from 0.171.0 to 0.172.0 * Sat Mar 30 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.10: * chore: CRAN -> R * docs(cran): Add build pipeline * fix(cran): Support passing source dir as package * chore(cran): Remove (now known) redundant fetch/install pipelines * feat(pipelines): Add support for fetching, building, and installing R packages from CRAN * Change dependency for python to be python-Maj.Min-base. * build(deps): bump google.golang.org/api from 0.170.0 to 0.171.0 * build(deps): bump github.com/docker/cli * build(deps): bump github.com/charmbracelet/log * skip mounting resolv.conf for the docker runner * build(deps): bump github.com/docker/docker * Propagate user from image configuration * build(deps): bump cloud.google.com/go/storage from 1.39.0 to 1.39.1 * build(deps): bump github.com/google/go-containerregistry * build(deps): bump docker/login-action from 3.0.0 to 3.1.0 * build(deps): bump actions/checkout from 4.1.1 to 4.1.2 * build(deps): bump github.com/kubescape/go-git-url from 0.0.28 to 0.0.30 * build(deps): bump google.golang.org/api from 0.169.0 to 0.170.0 * build(deps): bump dagger.io/dagger from 0.10.1 to 0.10.2 * Switch to new octo-sts action (#1088) * Move "executing:" logging to debug * Keep symbols tables for fips builds * Fix quotes * pipelines/go: prefer to use netgo and osusergo by default * pipelines/go/install: also trimpath like build * pipelines/go: Strip by default * pipelines/go: bump GOAMD64 to v2 * pipelines/go: allow setting microarchitecture level settings * Update pkg/build/pipeline.go * open debug session in the specific workdir * Add Harden Runner audit configs * appease linter * build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.9.0 to 0.10.0 * build(deps): bump google.golang.org/api from 0.168.0 to 0.169.0 * build(deps): bump github.com/kubescape/go-git-url from 0.0.27 to 0.0.28 * feat(pipelines): Add cargo build for rust packages * WIP: remove files from SBOM * Bump apko * document builtin substitutions * build(deps): bump gitlab.alpinelinux.org/alpine/go * fix test.environment jsonschema struct tag * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.9: * build(deps): bump google.golang.org/api from 0.166.0 to 0.168.0 * build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0 * build(deps): bump dagger.io/dagger from 0.9.10 to 0.10.1 * Fix the bug in dropping the suffix. * Drop WaitDelay from bubblewrap * build(deps): bump actions/download-artifact from 4.1.2 to 4.1.4 * build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 * build(deps): bump cloud.google.com/go/storage from 1.38.0 to 1.39.0 * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.8: * Update pombump.yaml * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.7: * Rename the default bump file name. * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.6: * Add ${{cross.triplet.rust.[glibc,musl]}} * Add pombump pipeline. * Sun Mar 17 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.5: * Fix resource usage in melange * Fix job control with interactive bubblewrap * build(deps): bump github.com/chainguard-dev/yam from 0.0.1 to 0.0.2 * build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace * build(deps): bump go.opentelemetry.io/otel/sdk from 1.23.1 to 1.24.0 * build(deps): bump cloud.google.com/go/storage from 1.37.0 to 1.38.0 * Bump apko * Fix typo in error message * build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 * build(deps): bump actions/download-artifact from 4.1.1 to 4.1.2 * build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 * Sat Feb 24 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.4: * Fix the yaml file so that it actually gets parsed properly. * Propagate SourceDateEpoch from Build * Sat Feb 24 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.3: * Don't write APK to temp file during signing * Tue Feb 20 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.2: * Add --package-append flag to build * apply package substitutions in test.emvironment.contents.packages * change docker runner labels * label containers created by docker runner for easier external management * Add a --trace flag to melange build * Add dagger runner * Thu Feb 15 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.1: * omit arch log key when building one arch * Remove breakpoint labels * Clean up apko-temp dirs * Remove images even with cancelled ctx * Fix context.Background use * Allow substitutions in dependencies.replaces * doc: add diff pr * docs: add version-transform doc and other example to var-transform * Sat Feb 10 2024 opensuse_buildservice@ojkastl.de - Update to version 0.6.0: * Split pkg/container up into smaller packages * Mostly fix interactive interrupt signal handling * Do more cleanup with --rm * Continue interactive execution on exit 0 * go fmt * update dario/mergo * move runner determination to pkg/cli * Make debugging melange builds less terrible * fix go-build example * Make it easier to find docs-repo on ci failure * Thu Feb 08 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.10: * Add --die-with-parent to bwrap flags * fix bug with needs * move some logs to debug * Update build.yaml * Update install.yaml * Add GOEXPERIMENT to go/build * Wed Feb 07 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.9: * use apko@main * WIP: use charm logger * Add WaitDelay to bubblewrap cmd * Split options into separate files * Cancel context on interrupt signal * build(deps): bump github.com/docker/docker * build(deps): bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 * build(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 * Tue Feb 06 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.8: * Add --rm flag (and options) to Build * Respond to cancelled context while streaming logs * Don't use goroutines for monitoring logs * If arch is not specified, test all. * Add Close() method to container runners * use slogtest * eliminate some more logger invocations * Fix race condition in log monitoring * Exclude "com.docker.grpcfuse.ownership" xattr * Sat Feb 03 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.7: * Pass the correct env.env to the container. * test: skip when executing on an unsupported arch * melamge bump: only update expected commit shas for the main git-checkout * stop logging tons of "detected git commit for build configuration" when parsing melage config * Embed melange version in .PKGINFO * Fix missing no-depends check * build(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 * build(deps): bump github.com/kubescape/go-git-url from 0.0.26 to 0.0.27 * build(deps): bump github.com/chainguard-dev/yam * Bump apko to v0.14.0 * Update CODE_OF_CONDUCT.md * Update CODE_OF_CONDUCT.md * Switch to octo-sts-action (#968) * build(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 * warn on invalid license, log SCA findings * unexport some methods in pkg/sbom * Fix aws-c-s3 SCA * Don't include libexec directories in SCA includes * tidy * drop the lima runner * Take advantage of Octo STS to publish homebrew updates. (#956) * Pin to digest for setup-go in melange * build(deps): bump actions/download-artifact from 4.1.0 to 4.1.1 * Tue Jan 23 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.6: * sort with key/values * Fail if unknown variable is used in substitution * revert simple-hello, keep it alpine * fix simple-hello again * fix simple-hello * fix wolfi e2e test * also test wolfi built packages * update examples * migrate examples to wolfi * add e2e test that packages can be installed with apk * Audit the permissions of workflows. * Add test for vendored pkgconfig * Make "unable to detect git commit" a debug message * Allow vendored pkgconfig deps * make docs-repo * update * use apko@main * drop pkg/logger and use slog * Allow execable shared objects if name has ".so." * Fix sbom loopvar issue * Make BuildGuest more similar for Build and Test * Use errgroup over github.com/korovkin/limiter * Replace packages in APKINDEX with same version * Remove some more struct mutating and shadowing * Drop mutable imgRef from build.Build * Move more mutations into parameters * Take an fs as an argument to RetrieveWorkspace * Add a test * Convert some sca code to early return style * build(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 * move test pipelines to where others are. Remove unnecessary test packages. * Add python/import test pipeline, as well as e2e tests for python test pipelines. * how many ways can I really screw this one up... * Try James suggestion. * Fix the filenames. * try with explicit false. * maybe missing a space? * Add --test-package-append that you can specify extra test packages for each test. * move the comment * meson/configure: don't download subprojects by default * Add a python/test pipeline. * Bypass warning about detached head * add `*_config` pattern to split/dev pipeline * Sun Jan 07 2024 opensuse_buildservice@ojkastl.de - Update to version 0.5.5: * build(deps): bump github.com/google/go-containerregistry * bump upload/download github actions * build(deps): bump google.golang.org/api from 0.152.0 to 0.154.0 * build(deps): bump github.com/lima-vm/lima from 0.18.0 to 0.19.1 * build(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 * build(deps): bump github.com/go-git/go-git/v5 from 5.10.0 to 5.11.0 * build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 * build(deps): bump cloud.google.com/go/storage from 1.35.1 to 1.36.0 * convert: sort packages alphabetically * build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 * build(deps): bump actions/setup-go from 4 to 5 * build(deps): bump github.com/kubescape/go-git-url from 0.0.25 to 0.0.26 * Set a default env var for GOMODCACHE. * Pull in `go-apk` with `provider_priority` `ini` fix. * Mark update.manual as an optional field. * update release to add some clarification regarding the homebrew * Tue Dec 05 2023 kastl@b1-systems.de - Update to version 0.5.4: * build(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0 * build(deps): bump chainguard.dev/apko * build(deps): bump k8s.io/client-go from 0.28.3 to 0.28.4 * schema: update for new test pipeline configuration * build(deps): bump github.com/klauspost/compress from 1.17.2 to 1.17.4 * build(deps): bump google.golang.org/api from 0.150.0 to 0.152.0 * fix issue * cleanup: don't use pkg/errors * fix bad merge. * Default to package.name, but allow overrides, add example docs for specifying which package, and version to test. * argh, fix typo. * Add tests, simplify code. * e2e tests for `test` command. * checkpoint. * Add test command / implementation. * alphabetize commands, add test. * Refactor so can be used with test and build. * config struct changes for test. * Add autogenerated 'test' docs. * make docs-repo * remove unnecessary wait for testing * support resource requests and timeouts * UTC-ify source date epoch when set * Fix capitalization of SBOM originators * Fix the lint warnings in pkg/linter * Fix lints, or ignore safe ones. No functional changes. * prefix should be /usr * Ensure jsonschema is kept up to date. * Add jsonschema generation binary. * build(deps): bump go.opentelemetry.io/otel from 1.20.0 to 1.21.0 * build(deps): bump k8s.io/apimachinery from 0.28.3 to 0.28.4 * build(deps): bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7 * fix and continuously validate SBOMs * make docs-repo * default --use-github=true * fix docs * convert python: don't overwrite existing files * format manifests with yam * fix docs for --runner * improve 'melange convert python' to remove manual steps * Thu Nov 16 2023 kastl@b1-systems.de - Update to version 0.5.3: * Update release.md * build(deps): bump golang.org/x/time from 0.3.0 to 0.4.0 * pipelines: go/build: add support for go.mod overlay files * build(deps): bump cloud.google.com/go/storage from 1.33.0 to 1.35.1 * go mod tidy * update go-apk dependency * build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 * build(deps): bump go.opentelemetry.io/otel from 1.19.0 to 1.20.0 * apply substitutions to .environment.contents.packages * test runtime replacements * build(deps): bump github.com/sigstore/cosign/v2 from 2.2.0 to 2.2.1 * build(deps): bump google.golang.org/api from 0.149.0 to 0.150.0 * go mod tidy * use merged PR * update dep * use pushed PRs * WIP: use forked alpine-go in go-apk * move spammy logs to debugf * Thu Nov 09 2023 kastl@b1-systems.de - Update to version 0.5.2: * Update pkg/config/config.go * GithubReleaseMonitor: add tagprefix and tagcontains to be used in github tags filtering * Plumb check configs through to linters * Delete no-op sbom code * remove unimplemented references to fulcio support * fail if 'with' is used with 'runs' * Error early if uses and runs are both present * Get rid of PackageContext and SubpackageContext * Remove impossible errors * Make loadUse test actually test something * Remove impossible errors * build: use util.Dedup instead of slices.Compact * util: bring back Dedup, slices.Collapse requires sorting * Bump go-apk * Filter out noise opening non-ELF files * Bump go-apk and use faster tarfs implementation * Add a test to ensure that ranges are handled properly. * Add linters for #805 and #804. * Refactor linting logic and clean things up * Add SBOM linter * build(deps): bump github.com/docker/docker * build(deps): bump chainguard.dev/apko * build(deps): bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6 * Add GID/UID remapping to improve permissions. Fix permission issues resulting from running with the build user. * Separate out package and build lints * Add json tags to melange Configuration. * Add python/test linter * util: drop Dedup in favor of golang.org/x/exp/slices.Compact * sca: fix compile by moving a few things around * sca: move analyzer invocation into Analyze() function * sca: implement abstract interface between build engine and sca engine * sca: pass FS into dependency generators rather than creating it on demand * sca: move out of package.go into sca.go as a first pass * Rename Python linters to python/* * readlinkfs: ignore security.selinux xattrs * Add Python docs linter * SCA: add python dependency generator * linter: refactor check block generation in tests * Improve linter diagnostic output * Add GID/UID remapping to improve permissions. Fix permission issues resulting from running with the build user. * build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 * Fixups * Handle .so files a little smarter * Ignore all packages starting with _ * build(deps): bump google.golang.org/api from 0.147.0 to 0.148.0 * build(deps): bump k8s.io/client-go from 0.28.2 to 0.28.3 * build(deps): bump github.com/klauspost/compress from 1.17.1 to 1.17.2 * build(deps): bump chainguard.dev/apko * build(deps): bump actions/checkout from 4.1.0 to 4.1.1 * Centralize SOURCE_DATE_EPOCH parsing. * Run go fmt * Exclude docs * Exclude tests * drop sync-issues-to-project-board.yaml not used anymore * Exclude more files from Python multiple package linter * Improve filtering and diagnostics * Use the correct path for Python. * Add multiple Python packages post-linter * pipelines: add npm-install pipeline * replace the fetch python url to more friendly URI * Silence the linter * Make empty linter work by disregarding directories and SBOM in package linting * Really shut up docs linter * Docs changes/consistency fixes * Document melange lint * Module updates * Resolve circular import * Small fix * Update go-apk dep * Remove redundant package * Update pkg/config/config.go * Add basic test for APK linting * Document the release steps. * melange bump: move the reset / bump epoch logic up and inline version * melange bump: only reset the epoch if version changes, else increment it * Add APK linting. * document full-version, add pointer to docs. * Fix Typo * Thu Oct 19 2023 kastl@b1-systems.de - Update to version 0.5.1: * build(deps): bump github.com/klauspost/compress from 1.17.0 to 1.17.1 * build(deps): bump google.golang.org/api from 0.146.0 to 0.147.0 * build(deps): bump github.com/lima-vm/lima from 0.17.2 to 0.18.0 * build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 * Fix a bug where substitutions were not done for runtime. * linter: fix a typo in package linting function * build(deps): bump google.golang.org/api from 0.143.0 to 0.146.0 * go mod tidy to shut up linter * Small cleanup * Add function to lint APK files. * build(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0 * build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 * Extricate config stuff from linter. * build(deps): bump sigs.k8s.io/release-utils * fix release url path * update deprecated fields * update with 0.5.0 changes * Track vendored deps for .PKGINFO * Sat Oct 14 2023 kastl@b1-systems.de - Update to version 0.5.0: * Enable linters to warn (via callback) instead of just failing. * build(deps): bump github.com/package-url/packageurl-go * build(deps): bump go.opentelemetry.io/otel from 1.18.0 to 1.19.0 * Add a PR checklist to melange. * Fix yaml typo in linter docs * nit: fix mistake in function docs * Apply suggestions from code review * Document disabling lints and when to do so. * Update linter docs * strip linter: properly close file * Make improvements/suggestions * Add stripped file linter * update alpine-go to latest git to fix indexing * pipelines: strip: use -g by default when stripping * build(deps): bump google.golang.org/api from 0.142.0 to 0.143.0 * do not delete extensions and plugins with ruby/clean * build(deps): bump k8s.io/api from 0.28.1 to 0.28.2 * build(deps): bump google.golang.org/api from 0.138.0 to 0.142.0 * build(deps): bump k8s.io/client-go from 0.28.1 to 0.28.2 * build(deps): bump github.com/opencontainers/image-spec * build(deps): bump github.com/docker/docker * build(deps): bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 * build(deps): bump github.com/klauspost/compress from 1.16.7 to 1.17.0 * build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 * build(deps): bump actions/checkout from 4.0.0 to 4.1.0 * add docs for -compat packages * Disable empty check on git-checkout * build: refactor package linter invocation * Refactor the linter into a submodule. * Remove no provides check per @kaniini * Respect subpackage no-provides * Add post-file walk linting and empty package linting * exa is dead, use mdbook as a rust CI test instead. * bump apko to e9722fc * build: do not run linters on skipped subpackages * linter: when subpackages are linted use the subpackage name as the package config name * Only run worldwrite linter on regular files * Add worldwrite linter * Add dev, opt, and srv linters * fix the arch * Use Warnf over WARNING * log and continue when .pc file can't be loaded * fix the dir name as we already expect dir to be set explicit * Disable linters on -compat packages * Update build.yaml * add goreleaser pipeline * Unexport linter struct and linterFunc * Don't export the linter map * Add tests * build(deps): bump sigstore/cosign-installer from 3.1.1 to 3.1.2 * Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 * Bump docker/login-action from 2.2.0 to 3.0.0 * chore: remove CODEOWNERS file * Add more linters * Appease golint * Fix tests * Remove debugging print statement * Implement subpackage linting * Add package (but not subpackage) linting * build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 * Update golangci-lint to 1.54 * git-checkout: Allow tags to matched annotated tag SHAs, don't allow fuzzy matching of refs. * build(deps): bump actions/checkout from 3.5.3 to 4.0.0 * Bump k8s test workflows to Go 1.21 * Bump go to 1.21 * pipeline: fix downward propagation to referenced external pipeline nodes * config: tests: add workdir propagation test * remove cmake. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * forgot to remove one -dev * Remove specifying the php-dev version. * Add pecl pipelines for phpize & install. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * package: only constrain library search paths for provides entries * Fix some python generation issues: * Refactor application of pipeline variables to config and add tests * Pipeline: make env overrides work recursively * Add environment var overriding to the pipeline. * Bump goreleaser/goreleaser-action from 4.3.0 to 4.6.0 * Bump actions/upload-artifact from 3.1.2 to 3.1.3 * package: constrain library SCA to library search paths only * Replace the elements of the subpackage * construct the package.full-version in higher context than just pipeline. * docs: fix link in pkg/build/pipelines/README.md * docs: add documentation for built-in pipelines * document / examples for ${{package.full-version}} Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * add ${{package.full-version}} = ${{package.version}}-r${{package.epoch}} Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Changes from code review. * config: copy all subpackage variables when doing a range expansion * feat: add output logs for the apkbuild converter * Fix issue: #658 Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * feat: add new Perl pipelines for install and clean * package: just skip symlinks for now * workflows: add ncurses to the presubmit test matrix * package: dereference symlinks for aliased pkg-config modules * Fix syntax in maven pipeline (and add test). * more debug crap. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * remove debug crap. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Environment is required, adjust the tests. * Change GeneratedMelangeConfig to embed pkg/config/config instead of redefining it. * Change default python-version from 3.11 to 3. * remove extra backtick. * let's try again. * update docs * Bunch of lint fixes. No functional changes. * Add a maven/configure-mirror pipeline to redirect to GCP. * yikes, only 2 fatal lints... nice... * update docs. * Add flags for resolving git tags, release-monitoring * Update pkg/build/pipelines/python/build-wheel.yaml * Update pkg/build/pipelines/python/build-wheel.yaml * add builtin pipelines for python * update generated docs. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * remove unused vars. They do not have short form, so can use this variant. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add --wolfi-defaults flag, clean up flag handling. * readlinkfs: ignore some security-module specific xattrs * feat: support --recurse-submodules in git clone * Print the path to generated melange config. * build(deps): bump go.opentelemetry.io/otel from 1.16.0 to 1.17.0 * build(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 * build(deps): bump google.golang.org/api from 0.136.0 to 0.138.0 * build(deps): bump k8s.io/api from 0.28.0 to 0.28.1 * build(deps): bump github.com/lima-vm/lima from 0.17.0 to 0.17.2 * build(deps): bump k8s.io/client-go from 0.28.0 to 0.28.1 * Bump apko and fix everything I broke * docs: typo in go-build example * run make docs * cli: index: add --signing-key, --source and --merge options * default for github actions is bubblewwrap. * update lint rule. * Fix the links to commands, fix the URLs generated. * sign: do not rename across device boundaries * add --force option to recreate apk indexes with given signatures * pipelines: use ${{targets.contextdir}} where it makes sense * pipeline: add ${{targets.package.foo}} expansions * pipeline: add ${{targets.contextdir}}, representing the current target dir * Bump pkg-config again to actually pick up the openblas fix. * Bump pkgconfig to pick up the openblas fix. * feedback + verbiage from Erika. * Set reasonable concurrency levels for pgzip * appease linter * support substitutions in provides lists * Start of exhaustively documenting the build filele. * plumb through SDE to EmitSignature * add melange sign command, slightly refactor and make public the signing methods * add test for substituting needs.packages * allow override go version for uses: go/build and go/install * Support for setting context in .melange.k8s.yaml * Add docs about custom pipelines, defining and using. * build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 * Teach melange about the forthcoming version-transform block * doc and lint revisions (#598) * build(deps): bump google.golang.org/api from 0.134.0 to 0.136.0 * container: bubblewrap: do not defer closing files * build(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0 * build(deps): bump github.com/lima-vm/lima from 0.16.0 to 0.17.0 * build(deps): bump github.com/google/go-containerregistry * build: package: add pkgconf-based SCA to catalog SDKs which use it * Docstring typo fixes * Docstring fixes * Appease the go fmt Gods * Test two var transforms at once * Test var transforms on a basic level * Add ${{build.arch}} as a possible variable in bump * Make var transforms work in bump * remove paralell test for TestKubernetesRunnerConfig * add fail-fast to false * update code running goimports * add goimports * publish brew formula during release * update actions to use git hashes * update golangci-lint to v1.53 series * Adjust the var substitution stuff a bit * Move var substitution stuff into config * config: Change root to a pointer in the config struct, and add an accessor * renovate: update to use new config infrastructure * build: Add root node to the config * Appease the golangci-lint Gods * build_test: fix tests in a better way * Make all tests pass * build: add parameter where one was missing * build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.1 * pipelines: meson/configure: explicitly invoke meson setup action * build(deps): bump github.com/docker/docker * Refactor the config/logging stuff out of build * build(deps): bump google.golang.org/api from 0.133.0 to 0.134.0 * build(deps): bump github.com/docker/docker * Several fixes to k8s runner. * build(deps): bump github.com/klauspost/pgzip from 1.2.5 to 1.2.6 * build(deps): bump google.golang.org/api from 0.129.0 to 0.133.0 * Remove `wget -q` from `fetch` * add k8s runner config loading from envvars * Log errors bundling, enable GGCR Warn/Progress logs * Tweak the strip pipeline so that it never fails for deleted files * convert/python: check if release is found * Make sure we log errors. * Fix subpackage SBOM generation * define constants for runners destination mount paths * skip the cache mount for kubernetes runner builds * Add more otel spans to k8s runner * build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 * build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4 * Avoid using pargzip for compression * add a retryable (tgz) fetcher for the k8s runner * Pod names must be RFC1123 compliant * Correct the variable name in the patch pipeline * pipelines: git-checkout: harden variable expansions * pipelines: patch: refactor series/patches handling * pipelines: fetch: harden variable expansions * add retries to a subset of k8s runner exec failures * delete builder pod post build by default * properly pass workspace env/volumes to k8s builder pods * use go-apk.FullFS for retrieving builder workspaces * Finally fix python convert tests. * Comment python test. * add dir option to ruby pipelines as not all gemspecs live in the root folder * fix containerID for lima when tarring up * lima startup issues fixed * pull in apko with fix for blank SOURCE_DATE_EPOCH * Change git-checkout depth default to 1 * workflows: wolfi-presubmit: use package/ instead of packages/ for package names * build: package: forcibly treat libc as a shared library * docs: explain how build cache works practically * Bump apko dep to pick up otel spans * Fix failing test for env var wipeout * Add failing test for env var wipeout * add otel spans * build(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 * Remove use of deprecated WaitImmediate * Add ! char to ignore. * Add missing context propagation * Rename index.Context to index.Index * Rename Contexts to Builds * Sat Oct 14 2023 kastl@b1-systems.de - Update to version 0.4.0: * build(deps): bump github.com/opencontainers/image-spec * add release notes for Melange 0.4.0 * build(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 * build(deps): bump google.golang.org/api from 0.128.0 to 0.129.0 * appease linter for now * update apko to 0.9.0 * build(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 * some small UX improvements for k8s runner * build(deps): bump github.com/package-url/packageurl-go * update apko and go-apk to use pinned deps correctly * build: scan subpackage pipelines for dependencies * add a split/debug pipeline * ensure bundles are rooted correctly * build(deps): bump google.golang.org/api from 0.125.0 to 0.127.0 * build(deps): bump actions/checkout from 3.5.2 to 3.5.3 * add a kubernetes pod runner * build(deps): bump docker/login-action from 2.1.0 to 2.2.0 * build(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.6.0 * build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 * add strip prefix and suffix update config for release monitor * import apko and go-apk with better debug logging * Switch from calling Glob to two Stats * workflows: add wolfi-presubmit * cli: build: fix destination variable for --apk-cache-dir * build: PopulateCache: do not populate the cache dir when it is empty * fix apk caching directory * import apko and go-apk with package caching * Change the default for delete to false. * pipeline: fetch: optionally delete fetched artifacts after unpacking * cond: allow underscores and capitalization in variable expressions * run tests with race detector * warn and fallback to SOURCE_DATE_EPOCH=0 when specified but empty * index: use deep copy when loading pre-existing index data * build(deps): bump github.com/lima-vm/lima from 0.14.2 to 0.16.0 * build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 * index: appease linter by moving the deferred close to after the error check * build(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 * build: generate APKINDEX.json when writing packages index * index: add WriteJSONIndex function * index: split out the indexing logic itself to UpdateIndex * index: WriteArchiveIndex: use destination file path as primary input * index: use SourceIndexFile for loading index data rather than IndexFile * index: factor out loading of pre-existent indices and index state management * index: factor out index writing into WriteArchiveIndex * Bump apko and fix what that breaks * add wolfictl * upgrade alpine-lima to 3.18 * Allow uppercase and plus, allow numbers as first char * Validate configuration at the end of parsing * Remove secfixes and advisories altogether * include filename when parsing fails * Require that build config YAML has only known fields * Refactor tests for configuration load method * build(deps): bump google.golang.org/api from 0.119.0 to 0.123.0 * readlinkfs: implement go-apk fs.XattrFS interfaces * Pull in the latest go-apk for xattrs support * build(deps): bump github.com/docker/docker * Pull in index builddate support. * Install should first build melange binary... * Make makefile work on Mac and Linux. * build(deps): bump sigstore/cosign-installer from 3.0.2 to 3.0.5 * add a boolean so built in melange pipelines can be used in subpackages as they need to write to a different target folder * ensure range data replaces `with` options during a pipeline * Update README.md * Update distroless references * default for mac is docker, not bwrap * add extra logging when runner fails to TestUsability * Add go vendor support to the go build pipeline. * add multiple runner options * use latest version of melange in lima configuration file * Set `builddate` in our `.PKGINFO` control data. * add field docs * build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 * pipelines: patch: add support for quilt patch-series files * Add an optional "deps" paramter to the go/build pipeline. * chore: signing issues * chore: corrections in mac instructions * chore: corrections in mac instructions * build: package: skip SONAME analysis when ELF interpreter setting is present * Add trimpath to the go pipeline. * update docs * build: add support for configurable logging policies * Add name method to build config * build(deps): bump gitlab.alpinelinux.org/alpine/go * move signing funcs to rely on external go-apk library * use go-apk library instead of apko * update alpine-go to include replaces hotfix * simplify DataItems to use the builtin marshallable map type * add `ignore-regex-patterns` update config to indicate you want to ignore string patterns that match an upstream version * add a strip-suffix: key to melange update struct to indicate stripping a suffix from an upstream GitHub version * bump to latest apko which handles file overwrites * cli: build: warn when no work to do instead of throwing an error * build(deps): bump github.com/docker/docker * upgrade apko to 20230421 snapshot * build(deps): bump google.golang.org/api from 0.116.0 to 0.119.0 * build: update tests to use apko log.Logger * build: use apko_log.Logger everywhere * build: logger: conform to apko_log.Logger shape * adapt to new apko logging framework * update apko dependency to 20230420 snapshot * update apko dependency to 20230419 snapshot * config parsing: fix handling of filesystems * bump test: fix panic by requiring no error * Stop repeating errors on build command * build(deps): bump actions/checkout from 3.5.0 to 3.5.2 * fix 403 error when melange bumping some packages, https://www.netfilter.org for example needs it * update apko to 20230413 snapshot * Print full uri to debug file download errors * Do not depend on concrete logger * pipelines: autoconf/make-install: delete all GNU libtool metadata files * remove flawed test * build: package: append subpackages to build log * Use formatted YAML encoder from yam * build: readlinkfs: chase apko ReadlinkFS API break * upgrade apko snapshot to 20230411 * build(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 * build(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.2 * go mod tidy again * index: convert to using logrus * build: package: use logrus.Entry for logging * update apko for formatting fixes * build: remove actualArchs variable, no longer used * fix tests * container: use warning level for stderr output * pipeline: downgrade dumpWith() to use debug level * switch to using logrus * update to apko git * feat: send useragent in HTTP requests * export mutate functions as these are very useful to be called outside of the build package * warn if target-architecture:['all'], remove from examples * feat: respect target-architecture to filter archs * index: rework architecture filtering * update docs * build(deps): bump actions/add-to-project from 0.4.1 to 0.5.0 * cli: index: add --arch flag * index: print warning and skip packages which do not match the expected architecture * index: add ExpectedArch to index.Context * add a `update.manual:` key to indicate a package should be manually updated * fix: log package new names+versions when regenerating index * make original test commit sha different from the new expected sha to ensure test works * melange bump: optional flag to modify git-checkout pipeline expected-commit value * Bump apko to pick up busybox detection fix. * Fix goreleaser cosign flags * package: allow any library which has a SONAME to be a provider * build: fix SBOM language gathering for subpackage pipelines * package: ensure the package output directories always exist for scanning * build: introduce Context.IsBuildLess and skip a lot of setup/teardown for buildless packages * build: allow a package to be defined without a pipeline * Add darwin goreleaser target (macOS) * fix build * release image after the binary * update makefile * cleanup goreleaser and ko config * clean up, update version comments for ci jobs * upgrade to use go1.20 * upgrade alpine pkgs lima * Mon Apr 03 2023 kastl@b1-systems.de - Update to version 0.3.2: * Fix goreleaser cosign flags, add NEWS for melange 0.3.2 * add NEWS for melange 0.3.1 * package: allow any library which has a SONAME to be a provider * Add darwin goreleaser target (macOS) * update NEWS for melange 0.3.0. * update to apko 0.7.3 release * pipelines: fetch: use wget quiet mode * build: check for signing key existence before using it * build: package: do not add interpreter dependency when no-depends option is enabled * docs: fix baseurl for melange reference in generated docs * directly parse configuration for query * add query and package-version commands * build: use realpath to determine cache dir bindmount source * refresh docs for --cache-source * cli: add --cache-source option * build: use CacheSource to define the bucket to pull cached sources from * build: change default cache directory to ./melange-cache * build: add CacheSource option to context * Hookup user and accounts in the environment. * build(deps): bump cloud.google.com/go/storage from 1.30.0 to 1.30.1 * build(deps): bump google.golang.org/api from 0.113.0 to 0.114.0 * build(deps): bump actions/checkout from 3.3.0 to 3.5.0 * refresh docs * cli: build: add --debug flag * build: pipeline: if Context.Debug is enabled, add set -x to all pipelines * build: add Debug option to Context * build: use cond.Subst instead of replacers * cond: subst: variable names can have dashes * cond: subst: add goparsify-based variable substitution implementation * cond: parser: test: add variable lookup with whitespace test * parser: use newer fork of goparsify * add codeowners * add Update struct for identifying how a melange package can be updated * add `var-transforms` for manipulation of variables using regular expressions * pipelines: git-checkout: use tempdir for doing the initial clone * pipelines: git-checkout: mark clone directory as a safe directory for git * update ruby pipelines with usability features * add an optional flag to generate a packages.log containing list of packages + subpackages that were actuall built by `melange build` * Try to fix a strange index generation bug. * build(deps): bump actions/setup-go from 3.5.0 to 4.0.0 * container: fixes to handle /sbin/ldconfig not being present, e.g. on musl * container: run ldconfig when bringing up a build environment * update to latest apko git * build(deps): bump google.golang.org/api from 0.111.0 to 0.113.0 * build(deps): bump cloud.google.com/go/storage from 1.29.0 to 1.30.0 * update apko to latest git * pipeline: only run mkdir -p if absolutely needed * build(deps): bump github.com/go-git/go-git/v5 from 5.6.0 to 5.6.1 * update docs * run go mod tidy * pkg: convert: fix tests to use upstream ImageContents type * build: package: use internal readlinkFS, old apko fs package was deprecated * build: add minimal internal readlinkfs implementation * convert: use upstream ImageContents type, added in apko 0.7.0 * build: use normal os.DirFS for filesystem walking * upgrade to apko 0.7.2 git * build: remove --use-proot option * lint * move convert related packages under convert as subpackages * container: bubblewrap runner: use --new-session to mitigate CVE-2017-5226 * autoconf: always define the GNU host and build triplets in configure step * update docs * add more context for the experimental commands * add shell completion and move common flags to top level * move wolfios to its own package * add same convert options to higher leve * fix lint and tests * fix tests * add convert subcommand * docs: ensure docs are up to date in CI * add melange docs * change --out-dir to not depend on cwd * accept dependabot's GPG key for commit signing CI check * package: only use base soname when generating runtime dependencies across symlinks * build(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 * add omitempty to some fields * build(deps): bump google.golang.org/api from 0.110.0 to 0.111.0 * build(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.0 * build(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 * remove self-provided dependencies from the runtime dependency set * build(deps): bump github.com/openvex/go-vex * build: package: dereference symlinks across packages and read the real DT_SONAME instead of guessing * build: configuration: add support for variable substitution in more places * apply refactoring suggestions from go linter * build: also apply if-conditionals when generating the package index * build: also apply subpkg if-conditionals when emitting packages and SBOMs * examples: add example outlining the new option-related features * build: implement if-conditionals for subpackages * build: pipeline: add option enabled variables * build: build option: patch the variables and environment configuration * build: use BuildOption.Apply to apply configuration patches from build options * build: build_option: add Apply stub * cli: build: add --build-option to configure the enabled build options * build: add WithEnabledBuildOptions context option * build: add BuildOptions map to Configuration * build: add BuildOption types * package: ensure we are operating only on a basename when generating symlink deps * package: detect shared library dependencies for .so symlinks * build(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 * build(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 * Add ruby pipelines for gem install, build and clean * build: package: add support for defining "replaces" relationships * package: findInterpreter: chop trailing nul from interpBuf * package: deal with musl interpreter being a symlink back to itself * package: ensure PT_INTERP is always added as an explicit dependency * build(deps): bump github.com/docker/docker * build(deps): bump github.com/joho/godotenv from 1.4.0 to 1.5.1 * build(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 * build(deps): bump github.com/docker/docker * git-checkout: fix tags * use merge option to speed up apkindex generation when build * just warn if no branch or tag specified * build(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 * build(deps): bump github.com/google/go-containerregistry * Revert "Generate build environment SBOM" * add expected-commit to git-checkout * Update README to mention wolfi. * cli: add --vars-file option to support loading build variables from an external source * build: add WithVarsFile and WithVarsFileForParsing options * examples: add variable substitution example * pipeline: handle ${{vars}} block as expected * build: add variables block to build configuration struct * build(deps): bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 * examples: add working-directory example * pipeline: ensure the working-directory is created before using it * pipeline: propagate WorkDir to subpipelines * pipeline: set working directory when evaluating pipeline "runs" entries * build: add Pipeline.WorkDir definition * build(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 * build(deps): bump github.com/docker/docker * build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 * go mod tidy to drop chainguard/vex * Switch VEX dependency to openvex * allow provider priority to be configured * build(deps): bump google.golang.org/api from 0.106.0 to 0.107.0 * Wire logger from SBOM generator to impl * Escape invalid identifier chars * Fix build sbom name in subpackages * Fix bug where package verification was wrong * build sbom: Add relationships to produced SBOMs * Update protobom to support dl location * Build SBOM: Generate package with apks * Trigger build SBOM generation, reuse write * Passs guest directory to sbom spec * Refactor SBOM spec for reuse * Add ReadPackageIndex to gen implementation * Add GenerateBuildEnvSBOM fn to SBOM generator * Update Lima link * update apko dependency to latest * bump apko dependency * pipelines: autoconf/configure: fix sysconfdir * upgrade apko dependency to latest git * build(deps): bump github.com/go-git/go-git/v5 from 5.5.1 to 5.5.2 * build(deps): bump google.golang.org/api from 0.105.0 to 0.106.0 * build(deps): bump actions/checkout from 3.2.0 to 3.3.0 * bump apko to latest git again for keyring fix * fix typo * index gen: Add loop throttle, mutex * close lingering file descriptor * sbom: handle spdxPkg.VerificationCode being a pointer in apko git * chase PublishImageFromLayer API change in apko * update apko dependency to latest git for armv6/armv7 triplet fixes * go/install: also require git (#239) * use lima to use melange on mac * Advisories: Require pkg version for fixed status (#237) * Parallel processing of packages. * Make packageurl-go import direct * add --namespace option to build subcommand * SBOM: Generate purls for built packages * Add namespace and arch fields to SBOM spec * Drop distro qualifier from purls * Add Go pipelines documentation * Revamp go examples to use both pipleines * New go/install pipeline * go/build: Support changing module root * Bump vex (#231) * Remove extra field * Add advisories and purls * Export functionality for config parsing (#229) * Apko devenv README * Melange development environment * Sun Mar 19 2023 Johannes Kastl <kastl@b1-systems.de> - new package melange: Build APKs from source code
/usr/bin/melange /usr/share/doc/packages/melange /usr/share/doc/packages/melange/README.md /usr/share/licenses/melange /usr/share/licenses/melange/LICENSE
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Oct 23 23:06:42 2025