Merge branch 'main' into wolfictl-999ebf2b-0180-4269-bce1-988e422048de

.github/workflows/build-world.yaml

@@ -24,7 +24,7 @@ jobs:
     # permissions:
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined

.github/workflows/build.yaml

@@ -29,7 +29,7 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -142,7 +142,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
 
     steps:
       - uses: actions/checkout@v4
@@ -254,7 +254,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/ci-build.yaml

@@ -33,7 +33,7 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9 -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254 -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
       # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
@@ -70,7 +70,7 @@ jobs:
       group: wolfi-builder-${{ matrix.arch }}
     needs: changes
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
     outputs:
@@ -193,7 +193,7 @@ jobs:
     name: "ABI Compatibility check"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 
@@ -232,7 +232,7 @@ jobs:
     name: "Scan packages for CVEs"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 

.github/workflows/lint-world.yaml

@@ -29,7 +29,7 @@ jobs:
       group: wolfi-os-builder-${{ matrix.arch }}
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/withdraw-packages.yaml

@@ -21,11 +21,7 @@ jobs:
           fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files.
 
       - name: "Install wolfictl onto PATH"
-        run: |
-          # Copy wolfictl out of the wolfictl image and onto PATH
-          TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9 -c "cp /usr/bin/wolfictl /out"
-          echo "$TMP" >> $GITHUB_PATH
+        uses: wolfi-dev/actions/install-wolfictl@main
 
       # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
       - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1

Makefile

@@ -34,6 +34,7 @@ MELANGE_TEST_OPTS += --arch ${ARCH}
 MELANGE_TEST_OPTS += --pipeline-dirs ./pipelines/
 MELANGE_TEST_OPTS += --repository-append https://packages.wolfi.dev/os
 MELANGE_TEST_OPTS += --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+MELANGE_TEST_OPTS += --test-package-append wolfi-base
 MELANGE_TEST_OPTS += --debug
 MELANGE_TEST_OPTS += ${MELANGE_EXTRA_OPTS}
 
@@ -186,7 +187,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 TMP_REPOSITORIES_DIR := $(shell mktemp -d)
@@ -251,6 +252,6 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOSITORIES_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:7c1012eb43ee829351f3b33eb0f150ca2d2e176545bd58a398a7427f5645d9c9
+		ghcr.io/wolfi-dev/sdk:latest@sha256:c7c6d703bfe60307bc982bf0b5437775e4cf6545def97ae94cd3f5cfc2212254
 	@rm "$(TMP_REPOSITORIES_FILE)"
 	@rmdir "$(TMP_REPOSITORIES_DIR)"

actions-runner-controller.yaml

@@ -1,7 +1,7 @@
 package:
   name: actions-runner-controller
-  version: 0.8.2
-  epoch: 1
+  version: 0.8.3
+  epoch: 0
   description: Kubernetes controller for GitHub Actions self-hosted runners
   copyright:
     - license: Apache-2.0
@@ -18,7 +18,7 @@ pipeline:
     with:
       repository: https://github.com/actions/actions-runner-controller
       tag: gha-runner-scale-set-${{package.version}}
-      expected-commit: d72774753c1ac24f927cac68b368f2abc9f65f40
+      expected-commit: 309b53143e55d4ff7b1777561c20a70bc09c8da1
 
   # Ref: https://github.com/actions/actions-runner-controller/blob/gha-runner-scale-set-0.5.0/Dockerfile#L35
   - uses: go/bump

atuin.yaml

@@ -1,6 +1,6 @@
 package:
   name: atuin
-  version: 18.0.1
+  version: 18.0.2
   epoch: 0
   description: Magical shell history
   copyright:
@@ -19,7 +19,7 @@ pipeline:
     with:
       repository: https://github.com/atuinsh/atuin
       tag: v${{package.version}}
-      expected-commit: 1464cb657a47e7b5705194302532f3ecf37c7649
+      expected-commit: a78aaa78e487b2499ffd7eed86bac15aa3df0960
 
   - runs: |
       cargo build --locked --release
@@ -44,10 +44,6 @@ update:
     strip-prefix: v
 
 test:
-  environment:
-    contents:
-      packages:
-        - wolfi-base
   pipeline:
     - runs: |
         atuin -V

aws-c-mqtt.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-c-mqtt
-  version: 0.10.2
+  version: 0.10.3
   epoch: 0
   description: AWS C99 implementation of the MQTT 3.1.1 specification
   copyright:
@@ -25,7 +25,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: 0ac61e2ce08395e36598584222280b053d455429b26bfb5de057f91358bb3d25
+      expected-sha256: bb938d794b0757d669b5877526363dc6f6f0e43869ca19fc196ffd0f7a35f5b9
       uri: https://github.com/awslabs/aws-c-mqtt/archive/refs/tags/v${{package.version}}.tar.gz
 
   - runs: |

aws-c-s3.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-c-s3
-  version: 0.5.1
+  version: 0.5.2
   epoch: 0
   description: "AWS C99 library implementation for communicating with the S3 service"
   copyright:
@@ -36,7 +36,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: b8737af410b66d20890bf446de3724722f7916f6a66114b1f79892dc83884ffb
+      expected-sha256: 57f048d850673587aa29960eb3227121c18baf2ab8efd720bc93b2ae54386604
       uri: https://github.com/awslabs/aws-c-s3/archive/refs/tags/v${{package.version}}.tar.gz
 
   - runs: |

aws-cli.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-cli
-  version: 1.32.49
+  version: 1.32.52
   epoch: 0
   description: "Universal Command Line Interface for Amazon Web Services"
   copyright:
@@ -33,7 +33,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://github.com/aws/aws-cli/archive/${{package.version}}.tar.gz
-      expected-sha256: 68643326e9e060ddbd4deea32c1ac3ed5b60d0ed6496e3660b23b951ee385e54
+      expected-sha256: 82e37bc74a7f49787cc8d22d6ab53f595e264f583522ee2805706d5d8b2d0272
 
   - runs: |
       python3 setup.py build

aws-crt-cpp.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-crt-cpp
-  version: 0.26.1
+  version: 0.26.3
   epoch: 0
   description: "C++ wrapper around the aws-c-* libraries. Provides Cross-Platform Transport Protocols and SSL/TLS implementations for C++"
   copyright:
@@ -32,7 +32,7 @@ pipeline:
     with:
       repository: https://github.com/awslabs/aws-crt-cpp
       tag: v${{package.version}}
-      expected-commit: c499dffd57058c1fe9c28bb56e720f4181ba5a7e
+      expected-commit: 98d68a1be424732ec1128ef2aadbf552ed653ed0
 
   - runs: |
       if [ "$CBUILD" != "$CHOST" ]; then

aws-efs-csi-driver.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-efs-csi-driver
-  version: 1.7.5
+  version: 1.7.6
   epoch: 0
   description: CSI driver for Amazon EFS.
   copyright:
@@ -30,7 +30,7 @@ pipeline:
     with:
       repository: https://github.com/kubernetes-sigs/aws-efs-csi-driver
       tag: v${{package.version}}
-      expected-commit: 38de3dda862327820eb0a507c3f034697f6204c9
+      expected-commit: 7d87370ef6568d7e35e5645e775e0267ef92889a
 
   - uses: go/bump
     with:

az.yaml

@@ -61,10 +61,6 @@ update:
     strip-prefix: azure-cli-
 
 test:
-  environment:
-    contents:
-      packages:
-        - wolfi-base
   pipeline:
     - runs: |
         az --version

bazel-6.yaml

@@ -52,7 +52,6 @@ test:
   environment:
     contents:
       packages:
-        - wolfi-base
         - openjdk-17
         - openjdk-17-default-jvm
   pipeline:

binaryen.yaml

@@ -1,6 +1,6 @@
 package:
   name: binaryen
-  version: "116"
+  version: "117"
   epoch: 0
   description: Optimizer and compiler/toolchain library for WebAssembly
   copyright:
@@ -22,12 +22,17 @@ pipeline:
     with:
       repository: https://github.com/webassembly/binaryen
       tag: version_${{package.version}}
-      expected-commit: 11dba9b1c2ad988500b329727f39f4d8786918c5
+      expected-commit: c62a0c97168e88f97bca4bd96298a5ffc041844d
 
   - uses: cmake/configure
     with:
       opts: |
-        -DBUILD_TESTS=OFF
+        -DBUILD_TESTS=OFF \
+        -DCMAKE_C_COMPILER=gcc \
+        -DCMAKE_CXX_COMPILER=g++ \
+        -DCMAKE_INSTALL_PREFIX=/usr \
+        -DCMAKE_BUILD_TYPE=Release \
+        -DCMAKE_CXX_STANDARD=20
 
   - uses: cmake/build
 
@@ -46,3 +51,22 @@ update:
   github:
     identifier: webassembly/binaryen
     strip-prefix: version_
+
+test:
+  pipeline:
+    - runs: |
+        cat > hello_world.wat <<'EOF'
+        (module
+        (type $i32_i32_=>_i32 (func (param i32 i32) (result i32)))
+        (memory $0 256 256)
+        (export "add" (func $add))
+        (func $add (param $x i32) (param $y i32) (result i32)
+          (i32.add
+          (local.get $x)
+          (local.get $y)
+          )
+        )
+        )
+        EOF
+        /usr/bin/wasm2js hello_world.wat -o hello_world.js
+        cat hello_world.js

brew.yaml

@@ -1,6 +1,6 @@
 package:
   name: brew
-  version: 4.2.9
+  version: 4.2.10
   epoch: 0
   description: "The homebrew package manager"
   copyright:
@@ -48,7 +48,7 @@ pipeline:
       repository: https://github.com/Homebrew/brew
       tag: ${{package.version}}
       destination: ./brew
-      expected-commit: e5fefd73cd97cd36ae3af29551f529ae59b333d6
+      expected-commit: c6d959218f143cd17b1fc3e0f10f143cbd273528
 
   - runs: |
       set -x
@@ -75,10 +75,6 @@ update:
     identifier: Homebrew/brew
 
 test:
-  environment:
-    contents:
-      packages:
-        - wolfi-base
   pipeline:
     - runs: |
         . /etc/profile.d/brew.sh

buildkitd.yaml

@@ -67,7 +67,6 @@ test:
   environment:
     contents:
       packages:
-        - busybox
         - runc
   pipeline:
     - runs: |

bun-bootstrap.yaml

@@ -25,10 +25,6 @@ update:
   enabled: false
 
 test:
-  environment:
-    contents:
-      packages:
-        - wolfi-base
   pipeline:
     - runs: |
         bun --version

bun.yaml

@@ -69,10 +69,6 @@ update:
     strip-prefix: bun-v
 
 test:
-  environment:
-    contents:
-      packages:
-        - wolfi-base
   pipeline:
     - runs: |
         bun --version

busybox.yaml

@@ -123,10 +123,6 @@ subpackages:
             done
 
 test:
-  environment:
-    contents:
-      packages:
-        - wolfi-base
   pipeline:
     - runs: |
         busybox --help