Hello community,

here is the log from the commit of package melange for openSUSE:Factory checked 
in at 2025-07-06 17:14:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/melange (Old)
 and      /work/SRC/openSUSE:Factory/.melange.new.1903 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "melange"

Sun Jul  6 17:14:09 2025 rev:101 rq:1290571 version:0.29.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/melange/melange.changes  2025-06-30 
14:00:35.680963345 +0200
+++ /work/SRC/openSUSE:Factory/.melange.new.1903/melange.changes        
2025-07-06 17:18:05.656236399 +0200
@@ -1,0 +2,8 @@
+Fri Jul 04 05:07:34 UTC 2025 - Johannes Kastl 
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 0.29.0:
+  * feat: allow symlinks in workspaces (#2064)
+  * scan: Return an error instead of os.Exit(1) (#2065)
+  * scan: Add namespace flag (#2063)
+
+-------------------------------------------------------------------

Old:
----
  melange-0.28.0.obscpio

New:
----
  melange-0.29.0.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ melange.spec ++++++
--- /var/tmp/diff_new_pack.Ln1kDu/_old  2025-07-06 17:18:06.724280564 +0200
+++ /var/tmp/diff_new_pack.Ln1kDu/_new  2025-07-06 17:18:06.724280564 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           melange
-Version:        0.28.0
+Version:        0.29.0
 Release:        0
 Summary:        Build APKs from source code
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.Ln1kDu/_old  2025-07-06 17:18:06.756281887 +0200
+++ /var/tmp/diff_new_pack.Ln1kDu/_new  2025-07-06 17:18:06.760282052 +0200
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/chainguard-dev/melange</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v0.28.0</param>
+    <param name="revision">v0.29.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.Ln1kDu/_old  2025-07-06 17:18:06.780282879 +0200
+++ /var/tmp/diff_new_pack.Ln1kDu/_new  2025-07-06 17:18:06.784283045 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/chainguard-dev/melange</param>
-              <param 
name="changesrevision">5425a36a8e8b21197e45a4f5e019a4963d585970</param></service></servicedata>
+              <param 
name="changesrevision">75ee8c561e307394b4b565e6e7b23ce7cf059245</param></service></servicedata>
 (No newline at EOF)
 

++++++ melange-0.28.0.obscpio -> melange-0.29.0.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/.github/PULL_REQUEST_TEMPLATE.md 
new/melange-0.29.0/.github/PULL_REQUEST_TEMPLATE.md
--- old/melange-0.28.0/.github/PULL_REQUEST_TEMPLATE.md 2025-06-27 
22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/PULL_REQUEST_TEMPLATE.md 1970-01-01 
01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-## Melange Pull Request Template
-
-<!--
-*** PULL REQUEST CHECKLIST: PLEASE START HERE ***
-
-The single most important feature of melange is that we can build Wolfi.
-
-Many changes to melange introduce a risk of breaking the build, and sometimes
-these are not flushed out until a package is changed (much) later.  This
-pertains to basic execution, SCA changes, linter changes, and more.
--->
-
-### Functional Changes
-
-- [ ] This change can build all of Wolfi without errors (describe results in 
notes)
-
-Notes:
-
-### SCA Changes
-
-- [ ] Examining several representative APKs show no regression / the desired 
effect (details in notes)
-
-Notes:
-
-### Linter
-
-- [ ] The new check is clean across Wolfi
-- [ ] The new check is opt-in or a warning
-
-Notes:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/melange-0.28.0/.github/actions/setup-bubblewrap/action.yaml 
new/melange-0.29.0/.github/actions/setup-bubblewrap/action.yaml
--- old/melange-0.28.0/.github/actions/setup-bubblewrap/action.yaml     
2025-06-27 22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/actions/setup-bubblewrap/action.yaml     
1970-01-01 01:00:00.000000000 +0100
@@ -1,38 +0,0 @@
-# Copyright 2025 Chainguard, Inc.
-# SPDX-License-Identifier: Apache-2.0
-
-name: 'Setup Bubblewrap'
-description: 'Make bubblewrap work on ubuntu-latest'
-# See https://github.com/chainguard-dev/melange/issues/1508
-
-inputs:
-  path:
-    description: 'Path to the program that needs to run bubblewrap'
-    required: true
-    default: '/usr/bin/melange'
-
-runs:
-  using: "composite"
-  steps:
-    - name: Disable apparmor userns restrictions
-      shell: bash
-      run: |
-        sudo bash -c "mkdir -p /etc/sysctl.d
-        echo 'kernel.apparmor_restrict_unprivileged_userns = 0' >> 
/etc/sysctl.d/60-apparmor-namespace.conf"
-
-    - name: Allow bubblewrap to use unprivileged user namespaces independent 
of who calls it
-      shell: bash
-      run: |
-        sudo bash -c "cat << EOF > /etc/apparmor.d/local-bwrap
-          abi <abi/4.0>,
-          include <tunables/global>
-
-          profile local-bwrap /usr/bin/bwrap flags=(unconfined) {
-            userns,
-
-            # Site-specific additions and overrides. See local/README for 
details.
-            include if exists <local/bwrap>
-          }
-        EOF
-
-        systemctl reload apparmor"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/.github/dependabot.yml 
new/melange-0.29.0/.github/dependabot.yml
--- old/melange-0.28.0/.github/dependabot.yml   2025-06-27 22:57:23.000000000 
+0200
+++ new/melange-0.29.0/.github/dependabot.yml   1970-01-01 01:00:00.000000000 
+0100
@@ -1,22 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: gomod
-    directory: "/"
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 10
-    groups:
-      gomod:
-        update-types:
-          - "patch"
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 10
-    groups:
-      actions:
-        update-types:
-          - "minor"
-          - "patch"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/.github/workflows/build.yaml 
new/melange-0.29.0/.github/workflows/build.yaml
--- old/melange-0.28.0/.github/workflows/build.yaml     2025-06-27 
22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/workflows/build.yaml     1970-01-01 
01:00:00.000000000 +0100
@@ -1,44 +0,0 @@
-name: ci
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-
-permissions: {}
-
-jobs:
-  build:
-    name: build
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 
v5.5.0
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-
-      - name: build
-        run: |
-          make melange
-          ./melange version
-
-      - uses: 
goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
-        with:
-          version: latest
-          install-only: true
-
-      - name: snapshot
-        run: |
-          make snapshot
-          ./dist/melange-build_linux_amd64_v1/melange version
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/.github/workflows/e2e.yaml 
new/melange-0.29.0/.github/workflows/e2e.yaml
--- old/melange-0.28.0/.github/workflows/e2e.yaml       2025-06-27 
22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/workflows/e2e.yaml       1970-01-01 
01:00:00.000000000 +0100
@@ -1,79 +0,0 @@
-name: e2e tests
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-
-env:
-  SOURCE_DATE_EPOCH: 1669683910
-
-permissions: {}
-
-jobs:
-  rebuild:
-    name: rebuild
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        cfg:
-          # build and rebuild examples
-          - cargo-build.yaml
-          - gnu-hello.yaml
-          - go-build.yaml
-          - minimal.yaml
-          - npm-install.yaml
-          - pnpm-install.yaml
-
-          - melange.yaml # special; builds melange itself
-
-    container:
-      image: alpine:latest
-      options: |
-        --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt 
seccomp=unconfined --security-opt apparmor:unconfined
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 
v5.5.0
-        with:
-          go-version-file: "go.mod"
-
-      - name: Fetch dependencies
-        run: |
-          apk upgrade -Ua
-          apk add go build-base git bubblewrap jq
-
-      - name: Build melange
-        run: |
-          make melange
-          ./melange keygen
-
-      - name: Build package
-        run: |
-          path=examples/${{matrix.cfg}}
-          if [ "${{matrix.cfg}}" == "melange.yaml" ]; then
-            path="melange.yaml"
-          fi
-          ./melange build $path --arch=x86_64 --namespace=wolfi
-
-      - name: Rebuild package
-        run: |
-          ./melange rebuild ./packages/x86_64/*.apk
-
-      - name: Upload APKs
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 
# v4.6.2
-        if: always()
-        with:
-          path: |
-            packages/**
-            rebuilt-packages/**
-          name: rebuild-${{matrix.cfg}}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/.github/workflows/go-tests.yaml 
new/melange-0.29.0/.github/workflows/go-tests.yaml
--- old/melange-0.28.0/.github/workflows/go-tests.yaml  2025-06-27 
22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/workflows/go-tests.yaml  1970-01-01 
01:00:00.000000000 +0100
@@ -1,30 +0,0 @@
-name: Go Tests
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-
-permissions: {}
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 
v5.5.0
-        with:
-          go-version-file: './go.mod'
-
-      - name: Integration and Unit Tests
-        run: make integration
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/melange-0.28.0/.github/workflows/melange-test-pipelines.yaml 
new/melange-0.29.0/.github/workflows/melange-test-pipelines.yaml
--- old/melange-0.28.0/.github/workflows/melange-test-pipelines.yaml    
2025-06-27 22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/workflows/melange-test-pipelines.yaml    
1970-01-01 01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-name: Test melange test command
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-
-permissions: {}
-
-jobs:
-  build-melange:
-    name: Build melange and add to artifact cache
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 
v5.5.0
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-
-      - name: build
-        run: |
-          make melange
-
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 
# v4.6.2
-        with:
-          name: melange-${{ github.run_id }}
-          path: ${{ github.workspace }}/melange
-          retention-days: 1
-
-  test-packages:
-    name: Test packages
-    needs:
-      - build-melange
-    runs-on: ubuntu-latest-8-core
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-
-      # Grab the melange we uploaded above, and install it.
-      - uses: 
actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: melange-${{ github.run_id }}
-          path: ${{ github.workspace }}/.melange-dir
-          run-id: ${{ github.run_id }}
-
-      - run: |
-          sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
-          sudo chmod a+x /usr/bin/melange
-          melange version
-
-      - run: |
-          sudo apt-get -y install bubblewrap
-      - uses: ./.github/actions/setup-bubblewrap
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 
v5.5.0
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-
-      - name: Download kernel for VMs
-        run: |
-          KERNEL_PKG="$(curl -sL 
https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | tar 
-Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf 
"%s.apk\n", $2}' | grep "linux-virt" | grep -v dev)"
-          curl -LSo linux-virt.apk 
"https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/$KERNEL_PKG";
-          mkdir -p /tmp/kernel
-          tar -xf ./linux-virt.apk -C /tmp/kernel/
-
-      - name: Install QEMU/KVM
-        run: |
-          sudo apt-get update
-          sudo apt-get -y install qemu-system-x86-64 qemu-kvm
-
-      - name: Enable KVM group perms
-        run: |
-          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", 
OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
-          sudo udevadm control --reload-rules
-          sudo udevadm trigger --name-match=kvm
-
-      - name: Run e2e-tests
-        run: |
-          make \
-            QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
-            QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
-            test-e2e
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/.github/workflows/release.yaml 
new/melange-0.29.0/.github/workflows/release.yaml
--- old/melange-0.28.0/.github/workflows/release.yaml   2025-06-27 
22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/workflows/release.yaml   1970-01-01 
01:00:00.000000000 +0100
@@ -1,82 +0,0 @@
-name: Release
-
-on:
-  schedule:
-    - cron: '0 0 * * 1' # every Monday at 00:00 UTC
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  release:
-    name: Release
-    runs-on: ubuntu-latest
-
-    # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
-    permissions:
-      id-token: write
-      contents: write
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-
-      - name: Check if any changes since last release
-        id: check
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git fetch --tags
-          TAG=$(git tag --points-at HEAD)
-          if [ -z "$TAG" ]; then
-            echo "No tag points at HEAD, so we need a new tag and then a new 
release."
-            echo "need_release=yes" >> $GITHUB_OUTPUT
-          else
-            RELEASE=$(gh release view "$TAG" --json tagName --jq '.tagName' || 
echo "none")
-            if [ "$RELEASE" == "$TAG" ]; then
-              echo "A release exists for tag $TAG, which has the latest 
changes, so no need for a new tag or release."
-              echo "need_release=no" >> $GITHUB_OUTPUT
-            else
-              echo "Tag $TAG exists, but no release is associated. Need a new 
release."
-              echo "need_release=yes" >> $GITHUB_OUTPUT
-              echo "existing_tag=$TAG" >> $GITHUB_OUTPUT
-            fi
-          fi
-
-      - name: Bump version and push tag
-        id: create_tag
-        uses: 
mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
-        if: steps.check.outputs.need_release == 'yes' && 
steps.check.outputs.existing_tag == ''
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-        if: steps.check.outputs.need_release == 'yes'
-        with:
-          ref: ${{ steps.check.outputs.existing_tag || 
steps.create_tag.outputs.new_tag }}
-
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 
v5.5.0
-        if: steps.check.outputs.need_release == 'yes'
-        with:
-          go-version-file: './go.mod'
-          check-latest: true
-
-      # Cosign is used by goreleaser to sign release artifacts.
-      - uses: 
sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
-        if: steps.check.outputs.need_release == 'yes'
-
-      - uses: 
goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
-        if: steps.check.outputs.need_release == 'yes'
-        with:
-          version: latest
-          install-only: true
-
-      - name: Release
-        if: steps.check.outputs.need_release == 'yes'
-        run: make release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TAG: ${{ steps.check.outputs.existing_tag || 
steps.create_tag.outputs.new_tag }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/.github/workflows/verify.yaml 
new/melange-0.29.0/.github/workflows/verify.yaml
--- old/melange-0.28.0/.github/workflows/verify.yaml    2025-06-27 
22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/workflows/verify.yaml    1970-01-01 
01:00:00.000000000 +0100
@@ -1,44 +0,0 @@
-name: verify
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-
-permissions: {}
-
-jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 
v5.5.0
-        with:
-          go-version-file: go.mod
-          check-latest: true
-
-      - name: golangci-lint
-        uses: 
golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
-        with:
-          version: v1.64.8
-          args: --timeout=5m
-
-      - run: |
-          make docs-repo
-          make docs-pipeline
-          git diff --exit-code
-
-      - run: |
-          go mod tidy
-          git diff --exit-code
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/melange-0.28.0/.github/workflows/wolfi-presubmit.yaml 
new/melange-0.29.0/.github/workflows/wolfi-presubmit.yaml
--- old/melange-0.28.0/.github/workflows/wolfi-presubmit.yaml   2025-06-27 
22:57:23.000000000 +0200
+++ new/melange-0.29.0/.github/workflows/wolfi-presubmit.yaml   1970-01-01 
01:00:00.000000000 +0100
@@ -1,225 +0,0 @@
-name: ci
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-
-permissions: {}
-
-jobs:
-  build-melange:
-    name: Build melange and add to artifact cache
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 
v5.5.0
-        with:
-          go-version-file: "./go.mod"
-          check-latest: true
-
-      - name: build
-        run: |
-          make melange
-
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 
# v4.6.2
-        with:
-          name: melange-${{ github.run_id }}
-          path: ${{ github.workspace }}/melange
-          retention-days: 1
-
-  build-packages:
-    name: Build packages
-    needs:
-      - build-melange
-    runs-on: ubuntu-latest-8-core
-
-    permissions:
-      contents: read
-
-    # This is a list of packages which covers basic and exotic uses of
-    # the built-in pipelines.  Goal is to balance efficiency while also
-    # exercising Melange with real-world package builds.
-    # Feel free to add additional packages to this matrix which exercise
-    # Melange in new ways (e.g. new pipelines, etc.)
-    strategy:
-      fail-fast: false
-      matrix:
-        runner:
-          - bubblewrap
-          - qemu
-        package:
-          - hello-wolfi
-          - glibc
-          - tini
-          - lzo
-          - bubblewrap
-          - dpkg
-          #- gdk-pixbuf # Looks like this is broken again, see: 
https://gitlab.gnome.org/GNOME/gobject-introspection/-/issues/515
-          - gitsign
-          - grafana-image-renderer
-          - guac
-          - mdbook
-          - s3cmd
-          - py3-pyelftools # Uses license-path
-          - cadvisor # uses cgroups
-          - fping # uses get/setcaps
-          - fixuid # uses a diff test user
-          - fluent-operator # uses background& process
-          - perl-yaml-syck
-          - postfix
-          - ncurses
-          - subversion
-          - sudo
-          - py3-supported-python
-          - rust-1.86
-          # TODO: https://github.com/wolfi-dev/os/issues/26442
-          #- xmlto
-
-    steps:
-      - uses: 
step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-        with:
-          repository: wolfi-dev/os
-
-      - uses: 
actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: melange-${{ github.run_id }}
-          path: ${{ github.workspace }}/.melange-dir
-          run-id: ${{ github.run_id }}
-
-      - run: |
-          sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
-          sudo chmod a+x /usr/bin/melange
-          melange version
-
-      # this need to point to main to always get the latest action
-      - uses: wolfi-dev/actions/install-wolfictl@main # main
-
-      - run: |
-          wolfictl bump ${{ matrix.package }}
-
-      - if: matrix.runner == 'bubblewrap'
-        run: |
-          sudo apt-get -y install bubblewrap
-      - if: matrix.runner == 'bubblewrap'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-        with:
-          path: melange-src
-      - if: matrix.runner == 'bubblewrap'
-        uses: ./melange-src/.github/actions/setup-bubblewrap
-      - if: matrix.runner == 'bubblewrap'
-        run: |
-          make SHELL="/bin/bash" MELANGE="sudo melange" 
MELANGE_RUNNER="bubblewrap" MELANGE_EXTRA_OPTS="--generate-provenance" 
package/${{ matrix.package }}
-
-      - name: Download kernel for VMs
-        if: matrix.runner == 'qemu'
-        run: |
-          KERNEL_PKG="$(curl -sL 
https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | tar 
-Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf 
"%s.apk\n", $2}' | grep "linux-virt" | grep -v dev)"
-          curl -LSo linux-virt.apk 
"https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/$KERNEL_PKG";
-          mkdir -p /tmp/kernel
-          tar -xf ./linux-virt.apk -C /tmp/kernel/
-
-      - name: Install QEMU/KVM
-        if: matrix.runner == 'qemu'
-        run: |
-          sudo apt-get update
-          sudo apt-get -y install qemu-system-x86-64 qemu-kvm
-
-      - name: Enable KVM group perms
-        if: matrix.runner == 'qemu'
-        run: |
-          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", 
OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
-          sudo udevadm control --reload-rules
-          sudo udevadm trigger --name-match=kvm
-
-      - name: Make package ${{matrix.package}} with QEMU Runner
-        if: matrix.runner == 'qemu'
-        run: |
-          make \
-            SHELL="/bin/bash" \
-            QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
-            QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
-            MELANGE="/usr/bin/melange" \
-            MELANGE_EXTRA_OPTS="--runner qemu --generate-provenance" \
-            package/${{ matrix.package }}
-
-      - name: Output SLSA provenance
-        run: |
-          for pkg in packages/x86_64/*.attest.tar.gz; do
-            dir="$(basename "${pkg}" .attest.tar.gz)"
-            sudo mkdir -p packages/x86_64/"${dir}"
-            sudo tar --xattrs --xattrs-include='*.*' -xf "${pkg}" -C 
packages/x86_64/"${dir}"
-            jq . packages/x86_64/"${dir}"/"${dir}.attestation"
-          done
-
-      - name: Run tests to verify xattrs with bubblewrap runner
-        if: matrix.runner == 'bubblewrap' && matrix.package == 'fping'
-        run: |
-          make SHELL="/bin/bash" MELANGE="sudo melange" 
MELANGE_RUNNER="bubblewrap" test/${{ matrix.package }}
-
-      - name: Run tests with QEMU runner
-        if: matrix.runner == 'qemu'
-        run: |
-          make \
-            SHELL="/bin/bash" \
-            QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
-            QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
-            MELANGE="/usr/bin/melange" \
-            MELANGE_EXTRA_OPTS="--runner qemu" \
-            test/${{ matrix.package }}
-
-      - name: Check package ${{ matrix.package }} xattrs for QEMU-built package
-        if: matrix.runner == 'qemu' && matrix.package == 'fping'
-        run: |
-          for pkg in packages/x86_64/*.apk; do
-            sudo tar --xattrs --xattrs-include='*.*' -xf "${pkg}" -C 
packages/x86_64/
-          done
-          getcap packages/x86_64/usr/sbin/fping
-
-      - name: Check package ${{ matrix.package }} for mode bits
-        if: matrix.package == 'sudo'
-        run: |
-          for pkg in packages/x86_64/*.apk; do
-            sudo tar --xattrs --xattrs-include='*.*' -xf "${pkg}" -C 
packages/x86_64/
-          done
-          ls -hal packages/x86_64/usr/bin/sudo
-
-      - name: "Retrieve Wolfi advisory data"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 
v4.2.2
-        with:
-          repository: "wolfi-dev/advisories"
-          path: "data/wolfi-advisories"
-
-      - name: Test installable and Scan for CVEs
-        run: |
-          if [[ "${{ matrix.package }}" == "fping" ]]; then
-            docker run --rm -v $(pwd):/work --workdir /work 
cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk 
add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package 
}}-*.apk; apk add libcap-utils; getcap /usr/sbin/fping"
-          elif [[ "${{ matrix.package }}" == "sudo" ]]; then
-            docker run --rm -v $(pwd):/work --workdir /work 
cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk 
add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package 
}}-*.apk; ls -hal /usr/bin/sudo"
-          elif [[ "${{ matrix.package }}" == "postfix" ]]; then
-            docker run --rm -v $(pwd):/work --workdir /work 
cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk 
add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package 
}}-*.apk; ls -hal /var/spool/postfix; ls -hal /var/lib/postfix"
-          else
-            docker run --rm -v $(pwd):/work --workdir /work 
cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk 
add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package 
}}-*.apk"
-          fi
-          # There is a huge fixed cost for every wolfictl scan invocation for 
grype DB init.
-          # Do this outside of the loop in one invocation with every package.
-          wolfictl scan \
-          --advisories-repo-dir 'data/wolfi-advisories' \
-          --advisory-filter 'resolved' \
-          --require-zero \
-          packages/x86_64/${{ matrix.package }}-*.apk \
-          2> /dev/null # The error message renders strangely on GitHub 
Actions, and the important information is already being sent to stdout.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/.gitignore 
new/melange-0.29.0/.gitignore
--- old/melange-0.28.0/.gitignore       2025-06-27 22:57:23.000000000 +0200
+++ new/melange-0.29.0/.gitignore       1970-01-01 01:00:00.000000000 +0100
@@ -1,38 +0,0 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-.vscode/*
-
-local-melange.rsa
-local-melange.rsa.pub
-melange
-melange.rsa
-melange.rsa.pub
-packages/
-rebuilt-packages/
-.idea/
-bin/
-generated/
-melange.images
-/.DS_Store
-dist/
-tags
-ctags
-
-.DS_Store
-
-
-x86_64/**
-aarch64/**
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/docs/md/melange_scan.md 
new/melange-0.29.0/docs/md/melange_scan.md
--- old/melange-0.28.0/docs/md/melange_scan.md  2025-06-27 22:57:23.000000000 
+0200
+++ new/melange-0.29.0/docs/md/melange_scan.md  2025-07-03 19:44:54.000000000 
+0200
@@ -29,6 +29,7 @@
       --diff                       show diff output
   -h, --help                       help for scan
   -k, --keyring-append string      path to key to include in the build 
environment keyring (default "local-melange.rsa.pub")
+      --namespace string           namespace to use in package URLs in SBOM 
(eg wolfi, alpine) (default "unknown")
   -p, --package string             which package's .PKGINFO to print (if there 
are subpackages)
   -r, --repository-append string   path to repository to include in the build 
environment (default "./packages")
 ```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/melange-0.28.0/e2e-tests/symlinks-in-workspace-build.yaml 
new/melange-0.29.0/e2e-tests/symlinks-in-workspace-build.yaml
--- old/melange-0.28.0/e2e-tests/symlinks-in-workspace-build.yaml       
1970-01-01 01:00:00.000000000 +0100
+++ new/melange-0.29.0/e2e-tests/symlinks-in-workspace-build.yaml       
2025-07-03 19:44:54.000000000 +0200
@@ -0,0 +1,17 @@
+package:
+  name: symlinks-in-workspace-build
+  description: Test that symlinks are copied into workspaces
+  version: 0.1.0
+  epoch: 0
+
+environment:
+  contents:
+    packages:
+      - busybox
+
+pipeline:
+  - name: Test for symlink presence in workspace
+    runs: |
+      testdata_linked=$(cat testdata-symlink.txt)
+      testdata=$(cat testdata.txt)
+      [ "$testdata" = "$testdata_linked" ]
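Review bot: The pipeline step only compares the contents of `testdata-symlink.txt` and `testdata.txt`, so it passes whether the workspace received a symlink or a dereferenced copy, and the `description` does not say which of the two is intended. If the link itself is meant to survive, add `[ -L testdata-symlink.txt ]` before the comparison; if a dereferenced copy is the intent, state that in `description`. There is also no fixture for a dangling link, which the new branch in pkg/build/build.go turns into a walk error.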
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/melange-0.28.0/e2e-tests/test-fixtures/testdata-symlink.txt 
new/melange-0.29.0/e2e-tests/test-fixtures/testdata-symlink.txt
--- old/melange-0.28.0/e2e-tests/test-fixtures/testdata-symlink.txt     
1970-01-01 01:00:00.000000000 +0100
+++ new/melange-0.29.0/e2e-tests/test-fixtures/testdata-symlink.txt     
2025-07-06 17:18:06.952289992 +0200
@@ -0,0 +1 @@
+symbolic link to testdata.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/e2e-tests/test-fixtures/testdata.txt 
new/melange-0.29.0/e2e-tests/test-fixtures/testdata.txt
--- old/melange-0.28.0/e2e-tests/test-fixtures/testdata.txt     1970-01-01 
01:00:00.000000000 +0100
+++ new/melange-0.29.0/e2e-tests/test-fixtures/testdata.txt     2025-07-03 
19:44:54.000000000 +0200
@@ -0,0 +1 @@
+test data is present
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/pkg/build/build.go 
new/melange-0.29.0/pkg/build/build.go
--- old/melange-0.28.0/pkg/build/build.go       2025-06-27 22:57:23.000000000 
+0200
+++ new/melange-0.29.0/pkg/build/build.go       2025-07-03 19:44:54.000000000 
+0200
@@ -563,7 +563,25 @@
 
                mode := fi.Mode()
                if !mode.IsRegular() {
-                       return nil
+                       // If this file is a symlink to a regular file, include 
it.
+                       // It would be easier to include all symlinks but that 
breaks
+                       // when the top-level workspace directory is a symlink.
+                       if mode&fs.ModeSymlink != 0 {
+                               targetPath, err := 
filepath.EvalSymlinks(filepath.Join(b.SourceDir, path))
+                               if err != nil {
+                                       log.Debugf("path %s eval gives err %v", 
path, err)
+                                       return err
+                               }
+                               target, err := os.Stat(targetPath)
+                               if err != nil {
+                                       return err
+                               }
+                               if !target.Mode().IsRegular() {
+                                       return nil
+                               }
+                       } else {
+                               return nil
+                       }
                }
 
                for _, pat := range ignorePatterns {
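Review bot: The symlink branch resolves the link with `filepath.EvalSymlinks` and `os.Stat` but never checks that the resolved target is still under `b.SourceDir`, so a link in the source tree that points at a regular file elsewhere on the build host passes this filter. What happens to the path afterwards is outside this hunk (the enclosing walk callback starts and ends beyond it), but if the later copy follows the link, that file's content would end up in the workspace. I would resolve the source root as well, since the comment notes it may itself be a symlink, and skip or reject targets that are not local to it, as in the excerpt below. Separately, a dangling link now returns an error from the walk where non-regular entries were previously skipped silently; if that is intended, a comment saying so would help.

```go
if mode&fs.ModeSymlink != 0 {
	targetPath, err := filepath.EvalSymlinks(filepath.Join(b.SourceDir, path))
	// … unchanged: error handling for EvalSymlinks …

	// Resolve the root too: SourceDir may itself be a symlink.
	root, err := filepath.EvalSymlinks(b.SourceDir)
	if err != nil {
		return err
	}
	// Only follow links whose target stays inside the source tree.
	rel, err := filepath.Rel(root, targetPath)
	if err != nil || !filepath.IsLocal(rel) {
		log.Debugf("skipping symlink %s: target is outside the source directory", path)
		return nil
	}
	// … unchanged: os.Stat on targetPath and the IsRegular check …
```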
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/melange-0.28.0/pkg/cli/scan.go 
new/melange-0.29.0/pkg/cli/scan.go
--- old/melange-0.28.0/pkg/cli/scan.go  2025-06-27 22:57:23.000000000 +0200
+++ new/melange-0.29.0/pkg/cli/scan.go  2025-07-03 19:44:54.000000000 +0200
@@ -45,6 +45,8 @@
        archs    []string
        diff     bool
        comments bool
+
+       purlNamespace string
 }
 
 func scan() *cobra.Command {
@@ -69,6 +71,8 @@
        cmd.Flags().BoolVar(&sc.diff, "diff", false, "show diff output")
        cmd.Flags().BoolVar(&sc.comments, "comments", false, "include comments 
in .PKGINFO diff")
 
+       cmd.Flags().StringVar(&sc.purlNamespace, "namespace", "unknown", 
"namespace to use in package URLs in SBOM (eg wolfi, alpine)")
+
        return cmd
 }
 
@@ -151,6 +155,7 @@
                        WorkspaceDir:    dir,
                        SourceDateEpoch: time.Unix(0, 0),
                        Configuration:   cfg,
+                       Namespace:       sc.purlNamespace,
                }
 
                pb := build.PackageBuild{
@@ -328,7 +333,7 @@
        }
 
        if sawDiff {
-               os.Exit(1)
+               return fmt.Errorf("saw diff for %s", file)
        }
 
        return nil
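Review bot: Returning `fmt.Errorf("saw diff for %s", file)` makes a detected diff indistinguishable from an operational failure for any caller that inspects the error value rather than its text, which matters when scan is used as a CI gate. A package-level sentinel such as `var errSawDiff = errors.New("saw diff")`, wrapped with `return fmt.Errorf("%w for %s", errSawDiff, file)`, would let callers tell the two apart with `errors.Is`. The function this return sits in starts outside the hunk, so whether the remaining files are still scanned after the first diff cannot be checked from here.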

++++++ melange.obsinfo ++++++
--- /var/tmp/diff_new_pack.Ln1kDu/_old  2025-07-06 17:18:07.040293631 +0200
+++ /var/tmp/diff_new_pack.Ln1kDu/_new  2025-07-06 17:18:07.044293796 +0200
@@ -1,5 +1,5 @@
 name: melange
-version: 0.28.0
-mtime: 1751057843
-commit: 5425a36a8e8b21197e45a4f5e019a4963d585970
+version: 0.29.0
+mtime: 1751564694
+commit: 75ee8c561e307394b4b565e6e7b23ce7cf059245
 

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/melange/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.melange.new.1903/vendor.tar.gz differ: char 131, 
line 1
