Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package melange for openSUSE:Factory checked in at 2025-07-06 17:14:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/melange (Old) and /work/SRC/openSUSE:Factory/.melange.new.1903 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "melange" Sun Jul 6 17:14:09 2025 rev:101 rq:1290571 version:0.29.0 Changes: -------- --- /work/SRC/openSUSE:Factory/melange/melange.changes 2025-06-30 14:00:35.680963345 +0200 +++ /work/SRC/openSUSE:Factory/.melange.new.1903/melange.changes 2025-07-06 17:18:05.656236399 +0200 @@ -1,0 +2,8 @@ +Fri Jul 04 05:07:34 UTC 2025 - Johannes Kastl <opensuse_buildserv...@ojkastl.de> + +- Update to version 0.29.0: + * feat: allow symlinks in workspaces (#2064) + * scan: Return an error instead of os.Exit(1) (#2065) + * scan: Add namespace flag (#2063) + +------------------------------------------------------------------- Old: ---- melange-0.28.0.obscpio New: ---- melange-0.29.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ melange.spec ++++++ --- /var/tmp/diff_new_pack.Ln1kDu/_old 2025-07-06 17:18:06.724280564 +0200 +++ /var/tmp/diff_new_pack.Ln1kDu/_new 2025-07-06 17:18:06.724280564 +0200 @@ -17,7 +17,7 @@ Name: melange -Version: 0.28.0 +Version: 0.29.0 Release: 0 Summary: Build APKs from source code License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.Ln1kDu/_old 2025-07-06 17:18:06.756281887 +0200 +++ /var/tmp/diff_new_pack.Ln1kDu/_new 2025-07-06 17:18:06.760282052 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/melange</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.28.0</param> + <param name="revision">v0.29.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.Ln1kDu/_old 2025-07-06 17:18:06.780282879 +0200 +++ /var/tmp/diff_new_pack.Ln1kDu/_new 2025-07-06 17:18:06.784283045 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/melange</param> - <param name="changesrevision">5425a36a8e8b21197e45a4f5e019a4963d585970</param></service></servicedata> + <param name="changesrevision">75ee8c561e307394b4b565e6e7b23ce7cf059245</param></service></servicedata> (No newline at EOF) ++++++ melange-0.28.0.obscpio -> melange-0.29.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/PULL_REQUEST_TEMPLATE.md new/melange-0.29.0/.github/PULL_REQUEST_TEMPLATE.md --- old/melange-0.28.0/.github/PULL_REQUEST_TEMPLATE.md 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/PULL_REQUEST_TEMPLATE.md 1970-01-01 01:00:00.000000000 +0100 
@@ -1,30 +0,0 @@ -## Melange Pull Request Template - -<!-- -*** PULL REQUEST CHECKLIST: PLEASE START HERE *** - -The single most important feature of melange is that we can build Wolfi. - -Many changes to melange introduce a risk of breaking the build, and sometimes -these are not flushed out until a package is changed (much) later. This -pertains to basic execution, SCA changes, linter changes, and more. ---> - -### Functional Changes - -- [ ] This change can build all of Wolfi without errors (describe results in notes) - -Notes: - -### SCA Changes - -- [ ] Examining several representative APKs show no regression / the desired effect (details in notes) - -Notes: - -### Linter - -- [ ] The new check is clean across Wolfi -- [ ] The new check is opt-in or a warning - -Notes: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/actions/setup-bubblewrap/action.yaml new/melange-0.29.0/.github/actions/setup-bubblewrap/action.yaml --- old/melange-0.28.0/.github/actions/setup-bubblewrap/action.yaml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/actions/setup-bubblewrap/action.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,38 +0,0 @@ -# Copyright 2025 Chainguard, Inc. -# SPDX-License-Identifier: Apache-2.0 - -name: 'Setup Bubblewrap' -description: 'Make bubblewrap work on ubuntu-latest' -# See https://github.com/chainguard-dev/melange/issues/1508 - -inputs: - path: - description: 'Path to the program that needs to run bubblewrap' - required: true - default: '/usr/bin/melange' - -runs: - using: "composite" - steps: - - name: Disable apparmor userns restrictions - shell: bash - run: | - sudo bash -c "mkdir -p /etc/sysctl.d - echo 'kernel.apparmor_restrict_unprivileged_userns = 0' >> /etc/sysctl.d/60-apparmor-namespace.conf" - - - name: Allow bubblewrap to use unprivileged user namespaces independent of who calls it - shell: bash - run: | - sudo bash -c "cat << EOF > /etc/apparmor.d/local-bwrap - abi <abi/4.0>, - include <tunables/global> - - profile local-bwrap /usr/bin/bwrap flags=(unconfined) { - userns, - - # Site-specific additions and overrides. See local/README for details. - include if exists <local/bwrap> - } - EOF - - systemctl reload apparmor" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/dependabot.yml new/melange-0.29.0/.github/dependabot.yml --- old/melange-0.28.0/.github/dependabot.yml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/dependabot.yml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,22 +0,0 @@ -version: 2 -updates: - - package-ecosystem: gomod - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 - groups: - gomod: - update-types: - - "patch" - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 - groups: - actions: - update-types: - - "minor" - - "patch" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/workflows/build.yaml new/melange-0.29.0/.github/workflows/build.yaml --- old/melange-0.28.0/.github/workflows/build.yaml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/workflows/build.yaml 1970-01-01 01:00:00.000000000 +0100 @@ -1,44 +0,0 @@ -name: ci - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - -permissions: {} - -jobs: - build: - name: build - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version-file: './go.mod' - check-latest: true - - - name: build - run: | - make melange - ./melange version - - - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 - with: - version: latest - install-only: true - - - name: snapshot - run: | - make snapshot - ./dist/melange-build_linux_amd64_v1/melange version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/workflows/e2e.yaml new/melange-0.29.0/.github/workflows/e2e.yaml --- old/melange-0.28.0/.github/workflows/e2e.yaml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/workflows/e2e.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,79 +0,0 @@ -name: e2e tests - -on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - -env: - SOURCE_DATE_EPOCH: 1669683910 - -permissions: {} - -jobs: - rebuild: - name: rebuild - runs-on: ubuntu-latest - permissions: - contents: read - - strategy: - fail-fast: false - matrix: - cfg: - # build and rebuild examples - - cargo-build.yaml - - gnu-hello.yaml - - go-build.yaml - - minimal.yaml - - npm-install.yaml - - pnpm-install.yaml - - - melange.yaml # special; builds melange itself - - container: - image: alpine:latest - options: | - --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version-file: "go.mod" - - - name: Fetch dependencies - run: | - apk upgrade -Ua - apk add go build-base git bubblewrap jq - - - name: Build melange - run: | - make melange - ./melange keygen - - - name: Build package - run: | - path=examples/${{matrix.cfg}} - if [ "${{matrix.cfg}}" == "melange.yaml" ]; then - path="melange.yaml" - fi - ./melange build $path --arch=x86_64 --namespace=wolfi - - - name: Rebuild package - run: | - ./melange rebuild ./packages/x86_64/*.apk - - - name: Upload APKs - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - if: always() - with: - path: | - packages/** - rebuilt-packages/** - name: rebuild-${{matrix.cfg}} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/workflows/go-tests.yaml new/melange-0.29.0/.github/workflows/go-tests.yaml --- old/melange-0.28.0/.github/workflows/go-tests.yaml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/workflows/go-tests.yaml 
1970-01-01 01:00:00.000000000 +0100 @@ -1,30 +0,0 @@ -name: Go Tests - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - -permissions: {} - -jobs: - test: - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version-file: './go.mod' - - - name: Integration and Unit Tests - run: make integration diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/workflows/melange-test-pipelines.yaml new/melange-0.29.0/.github/workflows/melange-test-pipelines.yaml --- old/melange-0.28.0/.github/workflows/melange-test-pipelines.yaml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/workflows/melange-test-pipelines.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,102 +0,0 @@ -name: Test melange test command - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - -permissions: {} - -jobs: - build-melange: - name: Build melange and add to artifact cache - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version-file: './go.mod' - check-latest: true - - - name: build - run: | - make melange - - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: melange-${{ github.run_id }} - path: ${{ github.workspace }}/melange - retention-days: 1 - - test-packages: - name: Test packages - needs: - - build-melange - runs-on: ubuntu-latest-8-core - - permissions: - contents: read - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # Grab the melange we uploaded above, and install it. 
- - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 - with: - name: melange-${{ github.run_id }} - path: ${{ github.workspace }}/.melange-dir - run-id: ${{ github.run_id }} - - - run: | - sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange - sudo chmod a+x /usr/bin/melange - melange version - - - run: | - sudo apt-get -y install bubblewrap - - uses: ./.github/actions/setup-bubblewrap - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version-file: './go.mod' - check-latest: true - - - name: Download kernel for VMs - run: | - KERNEL_PKG="$(curl -sL https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | grep "linux-virt" | grep -v dev)" - curl -LSo linux-virt.apk "https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/$KERNEL_PKG" - mkdir -p /tmp/kernel - tar -xf ./linux-virt.apk -C /tmp/kernel/ - - - name: Install QEMU/KVM - run: | - sudo apt-get update - sudo apt-get -y install qemu-system-x86-64 qemu-kvm - - - name: Enable KVM group perms - run: | - echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules - sudo udevadm control --reload-rules - sudo udevadm trigger --name-match=kvm - - - name: Run e2e-tests - run: | - make \ - QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \ - QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \ - test-e2e diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/workflows/release.yaml new/melange-0.29.0/.github/workflows/release.yaml --- old/melange-0.28.0/.github/workflows/release.yaml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/workflows/release.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,82 +0,0 @@ -name: Release - -on: - schedule: - - cron: '0 0 * * 1' # every Monday at 00:00 UTC - workflow_dispatch: - -permissions: {} - -jobs: - release: - name: Release - runs-on: ubuntu-latest - - # https://docs.github.com/en/actions/reference/authentication-in-a-workflow - permissions: - id-token: write - contents: write - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Check if any changes since last release - id: check - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git fetch --tags - TAG=$(git tag --points-at HEAD) - if [ -z "$TAG" ]; then - echo "No tag points at HEAD, so we need a new tag and then a new release." - echo "need_release=yes" >> $GITHUB_OUTPUT - else - RELEASE=$(gh release view "$TAG" --json tagName --jq '.tagName' || echo "none") - if [ "$RELEASE" == "$TAG" ]; then - echo "A release exists for tag $TAG, which has the latest changes, so no need for a new tag or release." - echo "need_release=no" >> $GITHUB_OUTPUT - else - echo "Tag $TAG exists, but no release is associated. Need a new release." 
- echo "need_release=yes" >> $GITHUB_OUTPUT - echo "existing_tag=$TAG" >> $GITHUB_OUTPUT - fi - fi - - - name: Bump version and push tag - id: create_tag - uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 - if: steps.check.outputs.need_release == 'yes' && steps.check.outputs.existing_tag == '' - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - if: steps.check.outputs.need_release == 'yes' - with: - ref: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }} - - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - if: steps.check.outputs.need_release == 'yes' - with: - go-version-file: './go.mod' - check-latest: true - - # Cosign is used by goreleaser to sign release artifacts. - - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 - if: steps.check.outputs.need_release == 'yes' - - - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 - if: steps.check.outputs.need_release == 'yes' - with: - version: latest - install-only: true - - - name: Release - if: steps.check.outputs.need_release == 'yes' - run: make release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - TAG: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/workflows/verify.yaml new/melange-0.29.0/.github/workflows/verify.yaml --- old/melange-0.28.0/.github/workflows/verify.yaml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/workflows/verify.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,44 +0,0 @@ -name: verify - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - -permissions: {} - -jobs: - golangci: - name: lint - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version-file: go.mod - check-latest: true - - - name: golangci-lint - uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0 - with: - version: v1.64.8 - args: --timeout=5m - - - run: | - make docs-repo - make docs-pipeline - git diff --exit-code - - - run: | - go mod tidy - git diff --exit-code diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.github/workflows/wolfi-presubmit.yaml new/melange-0.29.0/.github/workflows/wolfi-presubmit.yaml --- old/melange-0.28.0/.github/workflows/wolfi-presubmit.yaml 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.github/workflows/wolfi-presubmit.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,225 +0,0 @@ -name: ci - -on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - -permissions: {} - -jobs: - build-melange: - name: Build melange and add to artifact cache - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version-file: "./go.mod" - check-latest: true - - - name: build - run: | - make melange - - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: melange-${{ github.run_id }} - path: ${{ github.workspace }}/melange - retention-days: 1 - - build-packages: - name: Build packages - needs: - - build-melange - runs-on: ubuntu-latest-8-core - - permissions: - contents: read - - # This is a list of packages which covers basic and exotic uses of - # the built-in pipelines. Goal is to balance efficiency while also - # exercising Melange with real-world package builds. - # Feel free to add additional packages to this matrix which exercise - # Melange in new ways (e.g. new pipelines, etc.) 
- strategy: - fail-fast: false - matrix: - runner: - - bubblewrap - - qemu - package: - - hello-wolfi - - glibc - - tini - - lzo - - bubblewrap - - dpkg - #- gdk-pixbuf # Looks like this is broken again, see: https://gitlab.gnome.org/GNOME/gobject-introspection/-/issues/515 - - gitsign - - grafana-image-renderer - - guac - - mdbook - - s3cmd - - py3-pyelftools # Uses license-path - - cadvisor # uses cgroups - - fping # uses get/setcaps - - fixuid # uses a diff test user - - fluent-operator # uses background& process - - perl-yaml-syck - - postfix - - ncurses - - subversion - - sudo - - py3-supported-python - - rust-1.86 - # TODO: https://github.com/wolfi-dev/os/issues/26442 - #- xmlto - - steps: - - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - repository: wolfi-dev/os - - - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 - with: - name: melange-${{ github.run_id }} - path: ${{ github.workspace }}/.melange-dir - run-id: ${{ github.run_id }} - - - run: | - sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange - sudo chmod a+x /usr/bin/melange - melange version - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - run: | - wolfictl bump ${{ matrix.package }} - - - if: matrix.runner == 'bubblewrap' - run: | - sudo apt-get -y install bubblewrap - - if: matrix.runner == 'bubblewrap' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - path: melange-src - - if: matrix.runner == 'bubblewrap' - uses: ./melange-src/.github/actions/setup-bubblewrap - - if: matrix.runner == 'bubblewrap' - run: | - make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" MELANGE_EXTRA_OPTS="--generate-provenance" package/${{ matrix.package }} - - - name: Download 
kernel for VMs - if: matrix.runner == 'qemu' - run: | - KERNEL_PKG="$(curl -sL https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | grep "linux-virt" | grep -v dev)" - curl -LSo linux-virt.apk "https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/$KERNEL_PKG" - mkdir -p /tmp/kernel - tar -xf ./linux-virt.apk -C /tmp/kernel/ - - - name: Install QEMU/KVM - if: matrix.runner == 'qemu' - run: | - sudo apt-get update - sudo apt-get -y install qemu-system-x86-64 qemu-kvm - - - name: Enable KVM group perms - if: matrix.runner == 'qemu' - run: | - echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules - sudo udevadm control --reload-rules - sudo udevadm trigger --name-match=kvm - - - name: Make package ${{matrix.package}} with QEMU Runner - if: matrix.runner == 'qemu' - run: | - make \ - SHELL="/bin/bash" \ - QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \ - QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \ - MELANGE="/usr/bin/melange" \ - MELANGE_EXTRA_OPTS="--runner qemu --generate-provenance" \ - package/${{ matrix.package }} - - - name: Output SLSA provenance - run: | - for pkg in packages/x86_64/*.attest.tar.gz; do - dir="$(basename "${pkg}" .attest.tar.gz)" - sudo mkdir -p packages/x86_64/"${dir}" - sudo tar --xattrs --xattrs-include='*.*' -xf "${pkg}" -C packages/x86_64/"${dir}" - jq . 
packages/x86_64/"${dir}"/"${dir}.attestation" - done - - - name: Run tests to verify xattrs with bubblewrap runner - if: matrix.runner == 'bubblewrap' && matrix.package == 'fping' - run: | - make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" test/${{ matrix.package }} - - - name: Run tests with QEMU runner - if: matrix.runner == 'qemu' - run: | - make \ - SHELL="/bin/bash" \ - QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \ - QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \ - MELANGE="/usr/bin/melange" \ - MELANGE_EXTRA_OPTS="--runner qemu" \ - test/${{ matrix.package }} - - - name: Check package ${{ matrix.package }} xattrs for QEMU-built package - if: matrix.runner == 'qemu' && matrix.package == 'fping' - run: | - for pkg in packages/x86_64/*.apk; do - sudo tar --xattrs --xattrs-include='*.*' -xf "${pkg}" -C packages/x86_64/ - done - getcap packages/x86_64/usr/sbin/fping - - - name: Check package ${{ matrix.package }} for mode bits - if: matrix.package == 'sudo' - run: | - for pkg in packages/x86_64/*.apk; do - sudo tar --xattrs --xattrs-include='*.*' -xf "${pkg}" -C packages/x86_64/ - done - ls -hal packages/x86_64/usr/bin/sudo - - - name: "Retrieve Wolfi advisory data" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - repository: "wolfi-dev/advisories" - path: "data/wolfi-advisories" - - - name: Test installable and Scan for CVEs - run: | - if [[ "${{ matrix.package }}" == "fping" ]]; then - docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; apk add libcap-utils; getcap /usr/sbin/fping" - elif [[ "${{ matrix.package }}" == "sudo" ]]; then - docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; ls 
-hal /usr/bin/sudo" - elif [[ "${{ matrix.package }}" == "postfix" ]]; then - docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; ls -hal /var/spool/postfix; ls -hal /var/lib/postfix" - else - docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk" - fi - # There is a huge fixed cost for every wolfictl scan invocation for grype DB init. - # Do this outside of the loop in one invocation with every package. - wolfictl scan \ - --advisories-repo-dir 'data/wolfi-advisories' \ - --advisory-filter 'resolved' \ - --require-zero \ - packages/x86_64/${{ matrix.package }}-*.apk \ - 2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/.gitignore new/melange-0.29.0/.gitignore --- old/melange-0.28.0/.gitignore 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/.gitignore 1970-01-01 01:00:00.000000000 +0100 
@@ -1,38 +0,0 @@ -# Binaries for programs and plugins -*.exe -*.exe~ -*.dll -*.so -*.dylib - -# Test binary, built with `go test -c` -*.test - -# Output of the go coverage tool, specifically when used with LiteIDE -*.out - -# Dependency directories (remove the comment below to include it) -# vendor/ -.vscode/* - -local-melange.rsa -local-melange.rsa.pub -melange -melange.rsa -melange.rsa.pub -packages/ -rebuilt-packages/ -.idea/ -bin/ -generated/ -melange.images -/.DS_Store -dist/ -tags -ctags - -.DS_Store - - -x86_64/** -aarch64/** diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/docs/md/melange_scan.md new/melange-0.29.0/docs/md/melange_scan.md --- old/melange-0.28.0/docs/md/melange_scan.md 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/docs/md/melange_scan.md 2025-07-03 19:44:54.000000000 +0200 @@ -29,6 +29,7 @@ --diff show diff output -h, --help help for scan -k, --keyring-append string path to key to include in the build environment keyring (default "local-melange.rsa.pub") + --namespace string namespace to use in package URLs in SBOM (eg wolfi, alpine) (default "unknown") -p, --package string which package's .PKGINFO to print (if there are subpackages) -r, --repository-append string path to repository to include in the build environment (default "./packages") ``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/e2e-tests/symlinks-in-workspace-build.yaml new/melange-0.29.0/e2e-tests/symlinks-in-workspace-build.yaml --- old/melange-0.28.0/e2e-tests/symlinks-in-workspace-build.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/melange-0.29.0/e2e-tests/symlinks-in-workspace-build.yaml 2025-07-03 19:44:54.000000000 +0200 
@@ -0,0 +1,17 @@ +package: + name: symlinks-in-workspace-build + description: Test that symlinks are copied into workspaces + version: 0.1.0 + epoch: 0 + +environment: + contents: + packages: + - busybox + +pipeline: + - name: Test for symlink presence in workspace + runs: | + testdata_linked=$(cat testdata-symlink.txt) + testdata=$(cat testdata.txt) + [ "$testdata" = "$testdata_linked" ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/e2e-tests/test-fixtures/testdata-symlink.txt new/melange-0.29.0/e2e-tests/test-fixtures/testdata-symlink.txt --- old/melange-0.28.0/e2e-tests/test-fixtures/testdata-symlink.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/melange-0.29.0/e2e-tests/test-fixtures/testdata-symlink.txt 2025-07-06 17:18:06.952289992 +0200 @@ -0,0 +1 @@ +symbolic link to testdata.txt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/e2e-tests/test-fixtures/testdata.txt new/melange-0.29.0/e2e-tests/test-fixtures/testdata.txt --- old/melange-0.28.0/e2e-tests/test-fixtures/testdata.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/melange-0.29.0/e2e-tests/test-fixtures/testdata.txt 2025-07-03 19:44:54.000000000 +0200 @@ -0,0 +1 @@ +test data is present diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/pkg/build/build.go new/melange-0.29.0/pkg/build/build.go --- old/melange-0.28.0/pkg/build/build.go 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/pkg/build/build.go 2025-07-03 19:44:54.000000000 +0200 
@@ -563,7 +563,25 @@ mode := fi.Mode() if !mode.IsRegular() { - return nil + // If this file is a symlink to a regular file, include it. + // It would be easier to include all symlinks but that breaks + // when the top-level workspace directory is a symlink. + if mode&fs.ModeSymlink != 0 { + targetPath, err := filepath.EvalSymlinks(filepath.Join(b.SourceDir, path)) + if err != nil { + log.Debugf("path %s eval gives err %v", path, err) + return err + } + target, err := os.Stat(targetPath) + if err != nil { + return err + } + if !target.Mode().IsRegular() { + return nil + } + } else { + return nil + } } for _, pat := range ignorePatterns { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.28.0/pkg/cli/scan.go new/melange-0.29.0/pkg/cli/scan.go --- old/melange-0.28.0/pkg/cli/scan.go 2025-06-27 22:57:23.000000000 +0200 +++ new/melange-0.29.0/pkg/cli/scan.go 2025-07-03 19:44:54.000000000 +0200 @@ -45,6 +45,8 @@ archs []string diff bool comments bool + + purlNamespace string } func scan() *cobra.Command { @@ -69,6 +71,8 @@ cmd.Flags().BoolVar(&sc.diff, "diff", false, "show diff output") cmd.Flags().BoolVar(&sc.comments, "comments", false, "include comments in .PKGINFO diff") + cmd.Flags().StringVar(&sc.purlNamespace, "namespace", "unknown", "namespace to use in package URLs in SBOM (eg wolfi, alpine)") + return cmd } @@ -151,6 +155,7 @@ WorkspaceDir: dir, SourceDateEpoch: time.Unix(0, 0), Configuration: cfg, + Namespace: sc.purlNamespace, } pb := build.PackageBuild{ @@ -328,7 +333,7 @@ } if sawDiff { - os.Exit(1) + return fmt.Errorf("saw diff for %s", file) } return nil ++++++ melange.obsinfo ++++++ --- /var/tmp/diff_new_pack.Ln1kDu/_old 2025-07-06 17:18:07.040293631 +0200 +++ /var/tmp/diff_new_pack.Ln1kDu/_new 2025-07-06 17:18:07.044293796 +0200 
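Review bot: The symlink branch added under `if !mode.IsRegular()` resolves the link with `filepath.EvalSymlinks` but never checks that the resolved target lies under `b.SourceDir`, so a link whose target is outside the source tree (an absolute target, or one that climbs out with `..`) passes the filter as long as it points at a regular file. Whether that can pull host files outside the workspace into the build depends on how the copy later in this function treats the link — preserved as a link or dereferenced — which is outside the hunk, but a containment check after the stat keeps the walk's contract of "files under SourceDir" either way, and the root has to be resolved with EvalSymlinks too since the comment notes the workspace directory itself may be a symlink. Separately, a dangling link now aborts the whole walk with `return err` where the old code skipped every non-regular entry with `return nil`; if that is intended it deserves a word in the comment, because stray dangling links are common in source trees. The enclosing function starts and ends outside the hunk.
```go
			target, err := os.Stat(targetPath)
			if err != nil {
				return err
			}
			// Only admit links whose resolved target stays inside the
			// (itself resolved) source tree; in practice resolve the root
			// once before the walk rather than per file.
			root, err := filepath.EvalSymlinks(b.SourceDir)
			if err != nil {
				return err
			}
			rel, err := filepath.Rel(root, targetPath)
			if err != nil || !filepath.IsLocal(rel) {
				log.Debugf("path %s resolves outside the source dir, skipping", path)
				return nil
			}
			if !target.Mode().IsRegular() {
				return nil
			}
			// … unchanged: else branch, ignorePatterns loop …
```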
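Review bot: The new `return fmt.Errorf("saw diff for %s", file)` names a single `file`, but `sawDiff` reads like a flag accumulated over a loop that sits outside the hunk; if more than one input produced a diff, the message would name only the last one iterated. If that is the case, either collect the differing paths and report them all, or drop the name and let the per-file diff output already printed carry the detail, e.g. `return errors.New("differences found; see diff output above")`. A named sentinel such as `var ErrDiff = errors.New("saw diff")`, wrapped with `%w`, would also let callers distinguish "differences found" from an I/O failure via `errors.Is`, which the old `os.Exit(1)` never allowed. The enclosing function starts outside the hunk.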
@@ -1,5 +1,5 @@ name: melange -version: 0.28.0 -mtime: 1751057843 -commit: 5425a36a8e8b21197e45a4f5e019a4963d585970 +version: 0.29.0 +mtime: 1751564694 +commit: 75ee8c561e307394b4b565e6e7b23ce7cf059245 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/melange/vendor.tar.gz /work/SRC/openSUSE:Factory/.melange.new.1903/vendor.tar.gz differ: char 131, line 1