Merge branch 'main' into wolfictl-999ebf2b-0180-4269-bce1-988e422048de

.github/workflows/build-world.yaml

@@ -24,7 +24,7 @@ jobs:
     # permissions:
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -46,6 +46,8 @@ jobs:
       - name: 'Build Wolfi World'
         run: |
           wolfictl build \
+              -k local-melange.rsa.pub \
+              -r ./packages \
               -k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub \
               -r https://packages.wolfi.dev/bootstrap/stage3 \
               --arch=${{ matrix.arch }} \

.github/workflows/build.yaml

@@ -29,7 +29,7 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -142,7 +142,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
 
     steps:
       - uses: actions/checkout@v4
@@ -254,7 +254,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/ci-build.yaml

@@ -33,7 +33,7 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2 -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9 -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
       # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
@@ -70,7 +70,7 @@ jobs:
       group: wolfi-builder-${{ matrix.arch }}
     needs: changes
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
     outputs:
@@ -147,6 +147,7 @@ jobs:
           else
             echo "exists=false" >> $GITHUB_OUTPUT
           fi
+          touch packages.log
 
       - name: Check diff
         if: steps.file_check.outputs.exists == 'true'
@@ -192,7 +193,7 @@ jobs:
     name: "ABI Compatibility check"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 
@@ -231,7 +232,7 @@ jobs:
     name: "Scan packages for CVEs"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 

.github/workflows/lint-world.yaml

@@ -29,7 +29,7 @@ jobs:
       group: wolfi-os-builder-${{ matrix.arch }}
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/withdraw-packages.yaml

@@ -24,7 +24,7 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2 -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9 -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
       # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf

.github/workflows/wolfictl-check-update.yaml

@@ -2,7 +2,8 @@ name: Wolfictl Check Updates
 
 on:
   pull_request:
-    branches: ['main']
+    branches:
+      - 'main'
   push:
     branches:
       - gh-readonly-queue/main/**
@@ -28,10 +29,8 @@ jobs:
 
     - name: Check
       id: check
+      uses: wolfi-dev/actions/wolfictl-check-updates@main
       if: ${{ steps.files.outputs.all_changed_files != '' }}
-      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:b4e251fddf75847e3d93abcd0a9d7edd401a8eb7efde555c48a9ebd9d2c077a8
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
-        entrypoint: wolfictl
-        args: check update ${{ steps.files.outputs.all_changed_files }}
+        token: ${{ secrets.GITHUB_TOKEN }}
+        changed_files: ${{ steps.files.outputs.all_changed_files }}

Makefile

@@ -186,7 +186,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 TMP_REPOSITORIES_DIR := $(shell mktemp -d)
@@ -251,6 +251,6 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOSITORIES_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:a9d17b7ff316f0001eef03fb6a69fa3fc6ef5bdc097a9b2a0ca7a56938f145d2
+		ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
 	@rm "$(TMP_REPOSITORIES_FILE)"
 	@rmdir "$(TMP_REPOSITORIES_DIR)"

aws-cli.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-cli
-  version: 1.32.47
+  version: 1.32.49
   epoch: 0
   description: "Universal Command Line Interface for Amazon Web Services"
   copyright:
@@ -33,7 +33,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://github.com/aws/aws-cli/archive/${{package.version}}.tar.gz
-      expected-sha256: 4c2241a8b13a3ff488ce67b3759d2900d154266884b603f79bb50803cfc46fad
+      expected-sha256: 68643326e9e060ddbd4deea32c1ac3ed5b60d0ed6496e3660b23b951ee385e54
 
   - runs: |
       python3 setup.py build

c-ares.yaml

@@ -1,6 +1,6 @@
 package:
   name: c-ares
-  version: 1.26.0
+  version: 1.27.0
   epoch: 0
   description: "an asynchronous DNS resolution library"
   copyright:
@@ -18,7 +18,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://c-ares.haxx.se/download/c-ares-${{package.version}}.tar.gz
-      expected-sha256: bed58c4f02b009080ebda6c2467ba469722ac6aebbf4497dc44a83d8c6194e50
+      expected-sha256: 0a72be66959955c43e2af2fbd03418e82a2bd5464604ec9a62147e37aceb420b
 
   - uses: autoconf/configure
     with:

calico.yaml

@@ -1,7 +1,7 @@
 package:
   name: calico
   version: 3.27.2
-  epoch: 0
+  epoch: 1
   description: "Cloud native networking and network security"
   copyright:
     - license: Apache-2.0
@@ -301,6 +301,7 @@ subpackages:
         - cni-plugins-bandwidth
     pipeline:
       # NOTE: cni is a multicall binary: https://github.com/projectcalico/calico/blob/master/cni-plugin/cmd/calico/calico.go
+      # install is not a part of that multicall binary anymore (as of calico 3.27.1)
       - runs: |
           # On boot (of calico-node) the CNI is installed/copied onto the host
           # node and run when pod network sandboxes are created. Since it runs on
@@ -314,10 +315,17 @@ subpackages:
             -ldflags "$LDFLAGS" \
             -o cni-plugin/out/calico \
             ./cni-plugin/cmd/calico
+
+          CGO_ENABLED=0 \
+            go build -v -buildvcs=false \
+            -ldflags "$LDFLAGS" \
+            -o cni-plugin/out/install \
+            ./cni-plugin/cmd/install
       - runs: |
           install -Dm755 cni-plugin/out/calico "${{targets.subpkgdir}}"/usr/bin/calico
           ln -sf /usr/bin/calico "${{targets.subpkgdir}}"/usr/bin/calico-ipam
-          ln -sf /usr/bin/calico "${{targets.subpkgdir}}"/usr/bin/install
+
+          install -Dm755 cni-plugin/out/install "${{targets.subpkgdir}}"/usr/bin/calico-cni-install
 
   - name: "calico-cni-compat"
     dependencies:
@@ -334,7 +342,7 @@ subpackages:
           mkdir -p "${{targets.subpkgdir}}"/opt/cni/bin
           ln -s /usr/bin/calico "${{targets.subpkgdir}}"/opt/cni/bin/calico
           ln -s /usr/bin/calico "${{targets.subpkgdir}}"/opt/cni/bin/calico-ipam
-          ln -s /usr/bin/calico "${{targets.subpkgdir}}"/opt/cni/bin/install
+          ln -s /usr/bin/calico-cni-install "${{targets.subpkgdir}}"/opt/cni/bin/install
 
   - name: "calico-apiserver"
     dependencies:

capslock.yaml

@@ -1,6 +1,6 @@
 package:
   name: capslock
-  version: 0.2.0
+  version: 0.2.1
   epoch: 0
   description: Capslock is a capability analysis CLI for Go packages that informs users of which privileged operations a given package can access
   copyright:
@@ -17,7 +17,7 @@ pipeline:
     with:
       repository: https://github.com/google/capslock
       tag: v${{package.version}}
-      expected-commit: 160ffccffd5cbe15fe821529eca891b8101cf233
+      expected-commit: cb5ccf7a8715a074d76b23f588a3ae08f1d33992
 
   - uses: go/build
     with:

cassandra-reaper.yaml

@@ -1,7 +1,7 @@
 package:
   name: cassandra-reaper
-  version: 3.4.0
-  epoch: 3
+  version: 3.5.0
+  epoch: 0
   description: Automated Repair Awesomeness for Apache Cassandra
   copyright:
     - license: Apache-2.0
@@ -34,7 +34,7 @@ pipeline:
     with:
       repository: https://github.com/thelastpickle/cassandra-reaper
       tag: ${{package.version}}
-      expected-commit: 3f07be42170edfe4c860339812e1e57331bee35e
+      expected-commit: adabd8d627ec741935c1fc6fd6bfb1f81477e460
 
   - uses: patch
     with:

cert-manager-1.12.yaml

@@ -1,8 +1,8 @@
 package:
   name: cert-manager-1.12
   # See https://cert-manager.io/docs/installation/supported-releases/ for upstream-supported versions
-  version: 1.12.7
-  epoch: 4
+  version: 1.12.8
+  epoch: 0
   description: Automatically provision and manage TLS certificates in Kubernetes
   copyright:
     - license: Apache-2.0
@@ -23,38 +23,16 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 6d7629ba42b946978e3baaa75348c851f7ef9134
+      expected-commit: 87bc82cb05ee6d98c75eba5a3554c6eb9c0b84bf
       repository: https://github.com/cert-manager/cert-manager
       tag: v${{package.version}}
 
   - uses: go/bump
     with:
-      deps: golang.org/x/[email protected]
-      replaces: github.com/containerd/containerd=github.com/containerd/[email protected]
-      go-version: 1.21
-      modroot: .
-
-  - uses: go/bump
-    with:
-      deps: golang.org/x/[email protected]
-      replaces: github.com/containerd/containerd=github.com/containerd/[email protected]
-      go-version: 1.21
-      modroot: cmd/controller
-
-  - uses: go/bump
-    with:
-      deps: golang.org/x/[email protected] helm.sh/helm/[email protected]
-      replaces: github.com/containerd/containerd=github.com/containerd/[email protected]
+      deps: helm.sh/helm/[email protected]
       go-version: 1.21
       modroot: cmd/ctl
 
-  - uses: go/bump
-    with:
-      deps: golang.org/x/[email protected]
-      replaces: github.com/containerd/containerd=github.com/containerd/[email protected]
-      go-version: 1.21
-      modroot: cmd/webhook
-
   # the makefile hardcodes the requirement for some container runtime (CTR), even when we don't need it
   # to workaround, set CTR to anything $(command -v)able
   - runs: |

cert-manager-1.13.yaml

@@ -1,8 +1,8 @@
 package:
   name: cert-manager-1.13
   # See https://cert-manager.io/docs/installation/supported-releases/ for upstream-supported versions
-  version: 1.13.3
-  epoch: 2
+  version: 1.13.4
+  epoch: 0
   description: Automatically provision and manage TLS certificates in Kubernetes
   copyright:
     - license: Apache-2.0
@@ -25,32 +25,13 @@ pipeline:
     with:
       repository: https://github.com/cert-manager/cert-manager
       tag: v${{package.version}}
-      expected-commit: 876e386ee905aa86e2466c287e654613b0426927
+      expected-commit: 6df6131dcc03789e0240a29cd533223923f3f02c
 
   - uses: go/bump
     with:
-      deps: golang.org/x/[email protected]
-      replaces: github.com/containerd/containerd=github.com/containerd/[email protected]
-      modroot: .
-
-  - uses: go/bump
-    with:
-      deps: golang.org/x/[email protected]
-      replaces: github.com/containerd/containerd=github.com/containerd/[email protected]
-      modroot: cmd/controller
-
-  - uses: go/bump
-    with:
-      deps: golang.org/x/[email protected]
-      replaces: github.com/containerd/containerd=github.com/containerd/[email protected]
+      deps: helm.sh/helm/[email protected]
       modroot: cmd/ctl
 
-  - uses: go/bump
-    with:
-      deps: golang.org/x/[email protected]
-      replaces: github.com/containerd/containerd=github.com/containerd/[email protected]
-      modroot: cmd/webhook
-
   # the makefile hardcodes the requirement for some container runtime (CTR), even when we don't need it
   # to workaround, set CTR to anything $(command -v)able
   - runs: |

cert-manager-1.14.yaml

@@ -2,7 +2,7 @@ package:
   name: cert-manager-1.14
   # See https://cert-manager.io/docs/installation/supported-releases/ for upstream-supported versions
   version: 1.14.2
-  epoch: 1
+  epoch: 2
   description: Automatically provision and manage TLS certificates in Kubernetes
   copyright:
     - license: Apache-2.0
@@ -29,7 +29,7 @@ pipeline:
 
   - uses: go/bump
     with:
-      deps: helm.sh/helm/[email protected].1
+      deps: helm.sh/helm/[email protected].2
       modroot: ./cmd/ctl
 
   # the makefile hardcodes the requirement for some container runtime (CTR), even when we don't need it

chartmuseum.yaml

@@ -1,7 +1,7 @@
 package:
   name: chartmuseum
   version: 0.16.1
-  epoch: 2
+  epoch: 3
   description: helm chart repository server
   copyright:
     - license: Apache-2.0
@@ -27,7 +27,7 @@ pipeline:
 
   - uses: go/bump
     with:
-      deps: golang.org/x/[email protected] google.golang.org/[email protected] golang.org/x/[email protected] github.com/containerd/[email protected] github.com/docker/[email protected] helm.sh/helm/[email protected].1
+      deps: golang.org/x/[email protected] google.golang.org/[email protected] golang.org/x/[email protected] github.com/containerd/[email protected] github.com/docker/[email protected] helm.sh/helm/[email protected].2
       replaces: oras.land/oras-go=oras.land/[email protected]
       go-version: 1.21