Merge branch 'main' into wolfictl-3d92ebf7-03cf-49ba-bbf5-7cdfc8409ebf

Signed-off-by: Jason Hall <[email protected]>
wolfi-dev · Nov 17, 2024 · 18df432 · 18df432
2 parents 19e080c + 33c8735
commit 18df432
Show file tree

Hide file tree

Showing 642 changed files with 7,409 additions and 1,984 deletions.
diff --git a/.github/actions/docker-run/action.yaml b/.github/actions/docker-run/action.yaml
@@ -6,7 +6,7 @@ inputs:
     required: true
   image:
     description: "The image to use"
-    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:5d1156182c94a55ce0fe8c7243ef276d647cd745591092525814c5734247e6aa"
+    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:6328466c08242a4bd5dcf4ddb66a25961271bfd233f5237a3e1a6fae78a78e1b"
     required: false
   workdir:
     description: "The images working directory"

diff --git a/.github/chainguard/ci-diff-report.sts.yaml b/.github/chainguard/ci-diff-report.sts.yaml
@@ -0,0 +1,8 @@
+issuer: https://accounts.google.com
+
+# staging-enforce: ci-diff-report-bz8uqwvcxxpc4kk@staging-enforce-cd1e.iam.gserviceaccount.com (104301860717534032690)
+# prod-enforce: ci-diff-report-7g7cc3gw9zrgnb8@prod-enforce-fabc.iam.gserviceaccount.com (110787029573344269306)
+subject_pattern: "(104301860717534032690|110787029573344269306)"
+
+permissions:
+  checks: write
diff --git a/.github/chainguard/ci-mal-report.sts.yaml b/.github/chainguard/ci-mal-report.sts.yaml
@@ -0,0 +1,8 @@
+issuer: https://accounts.google.com
+
+# staging-enforce: ci-mal-report-le3mjq3jgc92p8dq@staging-enforce-cd1e.iam.gserviceaccount.com (118407883719299185923)
+subject_pattern: "(118407883719299185923)"
+
+permissions:
+  checks: write
+  pull_requests: write  # to add labels
diff --git a/.github/chainguard/ci-so-check.sts.yaml b/.github/chainguard/ci-so-check.sts.yaml
@@ -0,0 +1,8 @@
+issuer: https://accounts.google.com
+
+# staging-enforce: ci-so-check-stvn49i5f66mni64gt@staging-enforce-cd1e.iam.gserviceaccount.com (103377873370411205770)
+# prod-enforce: ci-so-check-pitbc0wzwgefx2btsy@prod-enforce-fabc.iam.gserviceaccount.com (114009508504016091101)
+subject_pattern: "(103377873370411205770|114009508504016091101)"
+
+permissions:
+  checks: write
diff --git a/.github/chainguard/elastic-build.sts.yaml b/.github/chainguard/elastic-build.sts.yaml
@@ -1,14 +1,14 @@
 issuer: https://accounts.google.com
 
 # staging:
-# DISABLED presubmit: 116478844699827634314: ebuild-tho0c6rsknlo655tnyjlifi@staging-enforce-cd1e.iam.gserviceaccount.com
+#  presubmit: 116478844699827634314: ebuild-tho0c6rsknlo655tnyjlifi@staging-enforce-cd1e.iam.gserviceaccount.com
 #  postsubmit: 115457633213442188328: ebuild-m2wshgog0q6xjkbz7j8swed@staging-enforce-cd1e.iam.gserviceaccount.com
 #  world: 118305965159726888964: ebuild-i74lfrzfboxqsa518b5p3qi@staging-enforce-cd1e.iam.gserviceaccount.com
 # prod:
-# DISABLED presubmit: 114870839879105817572: ebuild-zasv64d5x1oc4m3epw39yod@prod-enforce-fabc.iam.gserviceaccount.com
+#  presubmit: 114870839879105817572: ebuild-zasv64d5x1oc4m3epw39yod@prod-enforce-fabc.iam.gserviceaccount.com
 #  postsubmit: 118124811908286464886: ebuild-ckhudf69he6dfl1xy83uuke@prod-enforce-fabc.iam.gserviceaccount.com
 #  world: 100027593799559093519: ebuild-n0ppcbm8uzc6ew2wy4gesfg@prod-enforce-fabc.iam.gserviceaccount.com
-subject_pattern: "(115457633213442188328|118305965159726888964|118124811908286464886|100027593799559093519)"
+subject_pattern: "(116478844699827634314|115457633213442188328|118305965159726888964|114870839879105817572|118124811908286464886|100027593799559093519)"
 
 permissions:
   contents: read

diff --git a/.github/chainguard/lifecycle-build-failures.sts.yaml b/.github/chainguard/lifecycle-build-failures.sts.yaml
@@ -0,0 +1,9 @@
+issuer: https://accounts.google.com
+
+# staging: ai-build-failure0b6i89pk2j7u2f@staging-enforce-cd1e.iam.gserviceaccount.com
+# prod: ai-build-failurexiszcy26s41ogv@prod-enforce-fabc.iam.gserviceaccount.com
+subject_pattern: "(117815286528662951292|110160732638115110864)"
+
+permissions:
+  contents: read
+  pull_requests: write
diff --git a/.github/chainguard/lifecycle-gpt.sts.yaml b/.github/chainguard/lifecycle-gpt.sts.yaml
diff --git a/.github/workflows/backfill.yaml b/.github/workflows/backfill.yaml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
+      - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"
@@ -24,7 +24,7 @@ jobs:
         with:
           project_id: "prod-images-c6e5"
 
-      - uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
+      - uses: chainguard-dev/setup-chainctl@8d93dcbef466d3cf3533f67084f52eb74ef9d262 # v0.2.4
         with:
             # Managed here:
             # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -29,7 +29,7 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:5d1156182c94a55ce0fe8c7243ef276d647cd745591092525814c5734247e6aa
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:6328466c08242a4bd5dcf4ddb66a25961271bfd233f5237a3e1a6fae78a78e1b
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -175,7 +175,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:5d1156182c94a55ce0fe8c7243ef276d647cd745591092525814c5734247e6aa
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:6328466c08242a4bd5dcf4ddb66a25961271bfd233f5237a3e1a6fae78a78e1b
 
     steps:
       - name: Harden Runner
@@ -210,7 +210,7 @@ jobs:
           name: packages-aarch64
 
       # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
-      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
+      - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
         id: auth
         with:
           workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
@@ -257,7 +257,7 @@ jobs:
       - run: rm ./wolfi-signing.rsa
 
       # We use a different GSA for our interaction with GCS.
-      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
+      - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"
@@ -303,7 +303,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:5d1156182c94a55ce0fe8c7243ef276d647cd745591092525814c5734247e6aa
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:6328466c08242a4bd5dcf4ddb66a25961271bfd233f5237a3e1a6fae78a78e1b
 
     steps:
       - name: Harden Runner
@@ -321,7 +321,7 @@ jobs:
 
       - id: auth
         name: 'Authenticate to Google Cloud'
-        uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
+        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"
@@ -397,7 +397,7 @@ jobs:
           done
 
       # use public chainguard provider.
-      - uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
+      - uses: chainguard-dev/setup-chainctl@8d93dcbef466d3cf3533f67084f52eb74ef9d262 # v0.2.4
         with:
           # Managed here:
           # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf

diff --git a/.github/workflows/update-cache.yaml b/.github/workflows/update-cache.yaml
@@ -33,7 +33,7 @@ jobs:
 
       - uses: chainguard-dev/actions/setup-melange@2cadca168a422313df94f6169691a86498ae51b1 # main
 
-      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
+      - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: ${{env.FQ_SERVICE_ACCOUNT}}

diff --git a/.github/workflows/withdraw-packages.yaml b/.github/workflows/withdraw-packages.yaml
@@ -33,7 +33,7 @@ jobs:
         uses: wolfi-dev/actions/install-wolfictl@main # main
 
       # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
-      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
+      - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
         id: auth
         with:
           workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
@@ -55,7 +55,7 @@ jobs:
           sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub
 
       # We use a different GSA for our interaction with GCS.
-      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
+      - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
         with:
           workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
           service_account: "[email protected]"
@@ -110,7 +110,7 @@ jobs:
           done
 
       # use public chainguard provider.
-      - uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
+      - uses: chainguard-dev/setup-chainctl@8d93dcbef466d3cf3533f67084f52eb74ef9d262 # v0.2.4
         with:
           # Managed here:
           # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf

diff --git a/Makefile b/Makefile
@@ -167,7 +167,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:5d1156182c94a55ce0fe8c7243ef276d647cd745591092525814c5734247e6aa
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:6328466c08242a4bd5dcf4ddb66a25961271bfd233f5237a3e1a6fae78a78e1b
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 # This target spins up a docker container that is helpful for testing local
@@ -234,6 +234,6 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOS_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:5d1156182c94a55ce0fe8c7243ef276d647cd745591092525814c5734247e6aa
+		ghcr.io/wolfi-dev/sdk:latest@sha256:6328466c08242a4bd5dcf4ddb66a25961271bfd233f5237a3e1a6fae78a78e1b
 	@rm "$(TMP_REPOS_FILE)"
 	@rmdir "$(TMP_REPOS_DIR)"
diff --git a/R-sf.yaml b/R-sf.yaml
@@ -1,6 +1,6 @@
 package:
   name: R-sf
-  version: 1.0.18
+  version: 1.0.19
   epoch: 1
   description: Simple Features for R
   copyright:
@@ -49,7 +49,7 @@ pipeline:
     with:
       repository: https://github.com/cran/sf
       tag: ${{vars.mangled-package-version}}
-      expected-commit: 5de2e6893c6c7d84702a781f5368035ecbbf15cc
+      expected-commit: 146bdea6d359abe64517217675966bf765785d8a
 
   - uses: R/build
     with:

diff --git a/R.yaml b/R.yaml
@@ -1,8 +1,8 @@
 # Generated from https://git.alpinelinux.org/aports/plain/community/R/APKBUILD
 package:
   name: R
-  version: 4.3.1
-  epoch: 6
+  version: 4.4.2
+  epoch: 0
   description: Language and environment for statistical computing
   copyright:
     - license: ( GPL-2.0-only OR GPL-3.0-only ) AND LGPL-2.1-or-later
@@ -80,7 +80,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: 8dd0bf24f1023c6f618c3b317383d291b4a494f40d73b983ac22ffea99e4ba99
+      expected-sha256: 1578cd603e8d866b58743e49d8bf99c569e81079b6a60cf33cdf7bdffeb817ec
       uri: https://cloud.r-project.org/src/base/R-4/R-${{package.version}}.tar.gz
 
   - runs: |
@@ -167,6 +167,7 @@ subpackages:
     description: R manpages
 
 update:
+  enabled: true
   release-monitor:
     identifier: 4150
 

diff --git a/aactl.yaml b/aactl.yaml
@@ -1,7 +1,7 @@
 package:
   name: aactl
   version: 0.4.12
-  epoch: 18
+  epoch: 19
   description: Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.
   copyright:
     - license: Apache-2.0
@@ -23,7 +23,7 @@ pipeline:
 
   - uses: go/bump
     with:
-      deps: github.com/docker/[email protected] github.com/sigstore/[email protected] github.com/cloudflare/[email protected] golang.org/x/[email protected] gopkg.in/go-jose/[email protected] google.golang.org/[email protected] google.golang.org/[email protected] github.com/sigstore/cosign/[email protected] golang.org/x/[email protected] github.com/hashicorp/[email protected] github.com/docker/[email protected]
+      deps: github.com/docker/[email protected] github.com/sigstore/[email protected] github.com/cloudflare/[email protected] golang.org/x/[email protected] gopkg.in/go-jose/[email protected] google.golang.org/[email protected] google.golang.org/[email protected] github.com/sigstore/cosign/[email protected] golang.org/x/[email protected] github.com/hashicorp/[email protected] github.com/docker/[email protected] github.com/golang-jwt/jwt/[email protected]
       replaces: github.com/go-jose/go-jose/v3=github.com/go-jose/go-jose/[email protected] github.com/sigstore/cosign/v2=github.com/sigstore/cosign/[email protected]
 
   - runs: |

diff --git a/actions-runner-controller.yaml b/actions-runner-controller.yaml
@@ -1,7 +1,7 @@
 package:
   name: actions-runner-controller
   version: 0.9.3
-  epoch: 2
+  epoch: 3
   description: Kubernetes controller for GitHub Actions self-hosted runners
   copyright:
     - license: Apache-2.0
@@ -20,6 +20,10 @@ pipeline:
       tag: gha-runner-scale-set-${{package.version}}
       expected-commit: 80d848339e5eeaa6b2cda3c4a5393dfcb4614794
 
+  - uses: go/bump
+    with:
+      deps: github.com/golang-jwt/jwt/[email protected]
+
   - uses: go/build
     with:
       packages: .

diff --git a/airflow.yaml b/airflow.yaml
@@ -1,7 +1,7 @@
 package:
   name: airflow
-  version: 2.10.2
-  epoch: 1
+  version: 2.10.3
+  epoch: 0
   description: Platform to programmatically author, schedule, and monitor workflows
   options:
     #  There is a dependency on libarrow.so although it
@@ -39,7 +39,7 @@ pipeline:
     with:
       repository: https://github.com/apache/airflow
       tag: ${{package.version}}
-      expected-commit: 35087d7d10714130cc3e9e9730e34b07fc56938d
+      expected-commit: c99887ec11ce3e1a43f2794fcf36d27555140f00
 
   - runs: |
       # by default airflow celery provider is not built,but running the upstream helm chart requires it

diff --git a/alsa-lib.yaml b/alsa-lib.yaml
@@ -1,7 +1,7 @@
 package:
   name: alsa-lib
-  version: 1.2.12
-  epoch: 2
+  version: 1.2.13
+  epoch: 0
   description: Advanced Linux Sound Architecture (ALSA) library
   copyright:
     - license: LGPL-2.1-or-later
@@ -23,7 +23,7 @@ pipeline:
     with:
       repository: https://github.com/alsa-project/alsa-lib.git
       tag: v${{package.version}}
-      expected-commit: 34422861f5549aee3e9df9fd8240d10b530d9abd
+      expected-commit: 785fd327ada6fc1778a2bb21176cb66705eb6b33
 
   - runs: |
       libtoolize --force --copy --automake

diff --git a/amazon-cloudwatch-agent-operator.yaml b/amazon-cloudwatch-agent-operator.yaml
@@ -1,6 +1,6 @@
 package:
   name: amazon-cloudwatch-agent-operator
-  version: 1.6.0
+  version: 1.9.0
   epoch: 0
   description: Software developed to manage the CloudWatch Agent on kubernetes.
   copyright:
@@ -9,13 +9,13 @@ package:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: e4fd9a62a095b26e58fdc09cc59a0e9f10b0e333
+      expected-commit: 8e78c016b614b62c0d5770e0f95f2012526f51cd
       repository: https://github.com/aws/amazon-cloudwatch-agent-operator
       tag: v${{package.version}}
 
   - uses: go/bump
     with:
-      deps: golang.org/x/[email protected] github.com/hashicorp/[email protected] github.com/Azure/azure-sdk-for-go/sdk/[email protected] github.com/docker/[email protected]
+      deps: github.com/hashicorp/[email protected] github.com/Azure/azure-sdk-for-go/sdk/[email protected] github.com/docker/[email protected]
 
   - uses: go/build
     with:
@@ -47,6 +47,8 @@ update:
   github:
     identifier: aws/amazon-cloudwatch-agent-operator
     strip-prefix: v
+    tag-filter: v
+    use-tag: true
 
 test:
   environment:

diff --git a/amazon-cloudwatch-agent.yaml b/amazon-cloudwatch-agent.yaml
@@ -1,6 +1,6 @@
 package:
   name: amazon-cloudwatch-agent
-  version: 1.300048.1
+  version: 1.300049.1
   epoch: 0
   description: CloudWatch Agent enables you to collect and export host-level metrics and logs on instances running Linux or Windows server.
   copyright:
@@ -19,7 +19,7 @@ pipeline:
     with:
       repository: https://github.com/aws/amazon-cloudwatch-agent
       tag: v${{package.version}}
-      expected-commit: bde3bd9775ae1d4e4f8a2fdb92d7b6fdd5186fba
+      expected-commit: 8ac5454dd18dc136bfa0238a394abf12bf4649d5
 
   - uses: go/bump
     with:
@@ -64,6 +64,7 @@ update:
     identifier: aws/amazon-cloudwatch-agent
     strip-prefix: v
     tag-filter: v
+    use-tag: true
 
 test:
   pipeline: