Merge branch 'main' into cve-sonarqube-10-30ff6ed6d179866ac3bbeac75e6…

…db4ec Signed-off-by: Mark McCormick <[email protected]>
wolfi-dev · Oct 9, 2024 · 6b00208 · 6b00208
2 parents c8cdddb + c40b1bb
commit 6b00208
Show file tree

Hide file tree

Showing 1,575 changed files with 291,244 additions and 98,616 deletions.
diff --git a/.github/actions/docker-run/action.yaml b/.github/actions/docker-run/action.yaml
@@ -6,7 +6,7 @@ inputs:
     required: true
   image:
     description: "The image to use"
-    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34"
+    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5"
     required: false
   workdir:
     description: "The images working directory"

diff --git a/.github/chainguard/ci-cve-scan.sts.yaml b/.github/chainguard/ci-cve-scan.sts.yaml
@@ -0,0 +1,8 @@
+issuer: https://accounts.google.com
+
+# staging-enforce: ci-cve-scan-y3p1d12mopp7me1maq@staging-enforce-cd1e.iam.gserviceaccount.com (116393215694983881739)
+# prod-enforce: ci-cve-scan-cx5c42601jke3uut5d@prod-enforce-fabc.iam.gserviceaccount.com (106196350728716637481)
+subject_pattern: "(116393215694983881739|106196350728716637481)"
+
+permissions:
+  checks: write
diff --git a/.github/chainguard/elastic-build.sts.yaml b/.github/chainguard/elastic-build.sts.yaml
@@ -1,8 +1,5 @@
 issuer: https://accounts.google.com
 
-# kleung:
-#  presubmit: 105781252305943073984: ebuild-3h3fcv7148ndkb1du0lh8em@kleung-chainguard.iam.gserviceaccount.com
-#  postsubmit: 111049397066380373510: ebuild-3wz7mtw8h8jh7yadef2hwri@kleung-chainguard.iam.gserviceaccount.com
 # staging:
 #  presubmit: 116478844699827634314: ebuild-tho0c6rsknlo655tnyjlifi@staging-enforce-cd1e.iam.gserviceaccount.com
 #  postsubmit: 115457633213442188328: ebuild-m2wshgog0q6xjkbz7j8swed@staging-enforce-cd1e.iam.gserviceaccount.com
@@ -11,7 +8,7 @@ issuer: https://accounts.google.com
 #  presubmit: 114870839879105817572: ebuild-zasv64d5x1oc4m3epw39yod@prod-enforce-fabc.iam.gserviceaccount.com
 #  postsubmit: 118124811908286464886: ebuild-ckhudf69he6dfl1xy83uuke@prod-enforce-fabc.iam.gserviceaccount.com
 #  world: 100027593799559093519: ebuild-n0ppcbm8uzc6ew2wy4gesfg@prod-enforce-fabc.iam.gserviceaccount.com
-subject_pattern: "(105781252305943073984|111049397066380373510|116478844699827634314|115457633213442188328|118305965159726888964|114870839879105817572|118124811908286464886|100027593799559093519)"
+subject_pattern: "(116478844699827634314|115457633213442188328|118305965159726888964|114870839879105817572|118124811908286464886|100027593799559093519)"
 
 permissions:
   contents: read

diff --git a/.github/workflows/auto-approve.yaml b/.github/workflows/auto-approve.yaml
@@ -23,7 +23,7 @@ jobs:
           egress-policy: audit
 
       - name: Check out repository code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - run: |
           ./scripts/auto-approve-pr.sh ${{ github.repository }}

diff --git a/.github/workflows/backfill.yaml b/.github/workflows/backfill.yaml
@@ -13,9 +13,9 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
-      - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"
@@ -24,7 +24,7 @@ jobs:
         with:
           project_id: "prod-images-c6e5"
 
-      - uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2
+      - uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
         with:
             # Managed here:
             # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf

diff --git a/.github/workflows/build-beta.yaml b/.github/workflows/build-beta.yaml
@@ -38,7 +38,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Setup Docker
         run: |
@@ -59,7 +59,7 @@ jobs:
           sudo apt-get install acl
           sudo setfacl --modify user:$USER:rw /var/run/docker.sock
 
-      - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: ${{ env.FQ_SERVICE_ACCOUNT }}
@@ -118,21 +118,21 @@ jobs:
       # Always run these steps for https://github.com/wolfi-dev/os/issues/8698
       - if: ${{ always() }}
         name: 'Upload logs archive to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: logs-${{ matrix.arch }}
           path: /tmp/buildlogs/
           if-no-files-found: warn
       - if: ${{ always() }}
         name: 'Upload trace to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: trace-${{ matrix.arch }}
           path: /tmp/trace.json
           if-no-files-found: warn
       - if: ${{ always() }}
         name: 'Upload built packages archive to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: packages-${{ matrix.arch }}
           path: /tmp/packages-${{ matrix.arch }}.tar.gz
@@ -152,15 +152,15 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5
 
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Free up runner disk space
         run: |
@@ -207,7 +207,7 @@ jobs:
           tar -cvzf /tmp/indexes.tar.gz --files-from to-include
 
       - name: 'Upload APKINDEX archive to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: indexes
           path: /tmp/indexes.tar.gz

diff --git a/.github/workflows/build-old.yaml b/.github/workflows/build-old.yaml
@@ -26,13 +26,13 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: 'Trust the github workspace'
         run: |
@@ -119,7 +119,7 @@ jobs:
       # Always run this step for https://github.com/wolfi-dev/os/issues/8698
       - if: ${{ always() }}
         name: 'Upload built packages archive to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: packages-${{ matrix.arch }}
           path: /tmp/packages-${{ matrix.arch }}.tar.gz
@@ -139,15 +139,15 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5
 
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Free up runner disk space
         run: |
@@ -174,7 +174,7 @@ jobs:
           name: packages-aarch64
 
       # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
-      - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         id: auth
         with:
           workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
@@ -216,7 +216,7 @@ jobs:
       - run: rm ./wolfi-signing.rsa
 
       # We use a different GSA for our interaction with GCS.
-      - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"
@@ -245,7 +245,7 @@ jobs:
           tar -cvzf /tmp/indexes.tar.gz --files-from to-include
 
       - name: 'Upload APKINDEX archive to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: indexes
           path: /tmp/indexes.tar.gz
@@ -262,15 +262,15 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5
 
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: 'Trust the github workspace'
         run: |
@@ -280,7 +280,7 @@ jobs:
 
       - id: auth
         name: 'Authenticate to Google Cloud'
-        uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+        uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"

diff --git a/.github/workflows/build-world.yaml b/.github/workflows/build-world.yaml
@@ -27,13 +27,13 @@ jobs:
     # permissions:
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: 'Trust the github workspace'
         run: |
@@ -60,7 +60,7 @@ jobs:
         # TODO: See how big these get, maybe we only upload failures and shorten the retention, or throw them in GCS
       - name: Upload build logs
         if: always()
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: buildlogs
           path: ./packages/**/buildlogs/*.log

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -29,13 +29,13 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: 'Trust the github workspace'
         run: |
@@ -141,21 +141,21 @@ jobs:
       # Always run these steps for https://github.com/wolfi-dev/os/issues/8698
       - if: ${{ always() }}
         name: 'Upload logs archive to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: logs-${{ matrix.arch }}
           path: /tmp/buildlogs/
           if-no-files-found: warn
       - if: ${{ always() }}
         name: 'Upload trace to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: trace-${{ matrix.arch }}
           path: /tmp/trace.json
           if-no-files-found: warn
       - if: ${{ always() }}
         name: 'Upload built packages archive to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: packages-${{ matrix.arch }}
           path: /tmp/packages-${{ matrix.arch }}.tar.gz
@@ -175,15 +175,15 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5
 
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Free up runner disk space
         run: |
@@ -210,7 +210,7 @@ jobs:
           name: packages-aarch64
 
       # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
-      - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         id: auth
         with:
           workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
@@ -257,7 +257,7 @@ jobs:
       - run: rm ./wolfi-signing.rsa
 
       # We use a different GSA for our interaction with GCS.
-      - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"
@@ -286,7 +286,7 @@ jobs:
           tar -cvzf /tmp/indexes.tar.gz --files-from to-include
 
       - name: 'Upload APKINDEX archive to GitHub Artifacts'
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: indexes
           path: /tmp/indexes.tar.gz
@@ -303,15 +303,15 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:e8c9680e3262d27b28c38e84f51f8a8587c84dc192b0f198b96b11de27aafc34
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:41afbe0864023cc9fb7dda378e831fcb4ae56b88fb36475a4e28a5555c0f71a5
 
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: 'Trust the github workspace'
         run: |
@@ -321,7 +321,7 @@ jobs:
 
       - id: auth
         name: 'Authenticate to Google Cloud'
-        uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+        uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"
@@ -367,7 +367,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: 'Trust the github workspace'
         run: |
@@ -397,7 +397,7 @@ jobs:
           done
 
       # use public chainguard provider.
-      - uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2
+      - uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
         with:
           # Managed here:
           # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf