Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apko for openSUSE:Factory checked in at 2026-01-17 14:53:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apko (Old) and /work/SRC/openSUSE:Factory/.apko.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apko" Sat Jan 17 14:53:10 2026 rev:87 rq:1327515 version:1.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/apko/apko.changes 2026-01-14 17:15:30.991108735 +0100 +++ /work/SRC/openSUSE:Factory/.apko.new.1928/apko.changes 2026-01-17 14:54:00.329311580 +0100 @@ -1,0 +2,9 @@ +Fri Jan 16 05:58:44 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.0.3: + * sbom: Make sure sbom packages are connected to the document + root. (#2021) + * build(deps): bump google.golang.org/api from 0.259.0 to 0.260.0 + (#2020) + +------------------------------------------------------------------- Old: ---- apko-1.0.2.obscpio New: ---- apko-1.0.3.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apko.spec ++++++ --- /var/tmp/diff_new_pack.dyVSuD/_old 2026-01-17 14:54:01.637366110 +0100 +++ /var/tmp/diff_new_pack.dyVSuD/_new 2026-01-17 14:54:01.637366110 +0100 @@ -17,7 +17,7 @@ Name: apko -Version: 1.0.2 +Version: 1.0.3 Release: 0 Summary: Build OCI images from APK packages directly without Dockerfile License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.dyVSuD/_old 2026-01-17 14:54:01.681367944 +0100 +++ /var/tmp/diff_new_pack.dyVSuD/_new 2026-01-17 14:54:01.689368277 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/apko</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.0.2</param> + <param name="revision">v1.0.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.dyVSuD/_old 2026-01-17 14:54:01.709369111 +0100 +++ /var/tmp/diff_new_pack.dyVSuD/_new 2026-01-17 14:54:01.713369278 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/apko</param> - <param name="changesrevision">89f7c136729d533c74518b174099a1131d5092a9</param></service></servicedata> + <param name="changesrevision">a808e274141f9baebb541dffcb23acfffd0746ba</param></service></servicedata> (No newline at EOF) ++++++ apko-1.0.2.obscpio -> apko-1.0.3.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/go.mod new/apko-1.0.3/go.mod --- old/apko-1.0.2/go.mod 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/go.mod 2026-01-15 18:32:56.000000000 +0100 @@ -30,7 +30,7 @@ golang.org/x/sync v0.19.0 golang.org/x/sys v0.40.0 golang.org/x/time v0.14.0 - google.golang.org/api v0.259.0 + google.golang.org/api v0.260.0 gopkg.in/ini.v1 v1.67.1 gopkg.in/yaml.v3 v3.0.1 k8s.io/apimachinery v0.35.0 @@ -82,7 +82,7 @@ github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/google/s2a-go v0.1.9 // indirect github.com/google/uuid v1.6.0 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.9 // indirect github.com/googleapis/gax-go/v2 v2.16.0 // indirect github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/go.sum new/apko-1.0.3/go.sum --- old/apko-1.0.2/go.sum 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/go.sum 2026-01-15 18:32:56.000000000 +0100 @@ -128,8 +128,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ= -github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= +github.com/googleapis/enterprise-certificate-proxy v0.3.9 h1:TOpi/QG8iDcZlkQlGlFUti/ZtyLkliXvHDcyUIMuFrU= +github.com/googleapis/enterprise-certificate-proxy v0.3.9/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= github.com/googleapis/gax-go/v2 v2.16.0 h1:iHbQmKLLZrexmb0OSsNGTeSTS0HO4YvFOG8g5E4Zd0Y= github.com/googleapis/gax-go/v2 v2.16.0/go.mod h1:o1vfQjjNZn4+dPnRdl/4ZD7S9414Y4xA+a/6Icj6l14= github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 h1:QGLs/O40yoNK9vmy4rhUGBVyMf1lISBGtXRpsu/Qu/o= @@ -370,8 +370,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/api v0.259.0 h1:90TaGVIxScrh1Vn/XI2426kRpBqHwWIzVBzJsVZ5XrQ= -google.golang.org/api v0.259.0/go.mod h1:LC2ISWGWbRoyQVpxGntWwLWN/vLNxxKBK9KuJRI8Te4= +google.golang.org/api v0.260.0 h1:XbNi5E6bOVEj/uLXQRlt6TKuEzMD7zvW/6tNwltE4P4= +google.golang.org/api v0.260.0/go.mod h1:Shj1j0Phr/9sloYrKomICzdYgsSDImpTxME8rGLaZ/o= google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b h1:Mv8VFug0MP9e5vUxfBcE3vUkV6CImK3cMNMIDFjmzxU= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json new/apko-1.0.3/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json --- old/apko-1.0.2/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json 2026-01-15 18:32:56.000000000 +0100 @@ -152,9 +152,19 @@ "relatedSpdxElement": "SPDXRef-Package-pretend-baselayout.melange.yaml-8e7230fc2d8afd47a5341ca0ba9b63f93bda5491" }, { + "spdxElementId": "SPDXRef-Package-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-pretend-baselayout-1.0.0-r0" + }, + { "spdxElementId": "SPDXRef-Package-replayout-1.0.0-r0", "relationshipType": "DESCRIBED_BY", "relatedSpdxElement": "SPDXRef-Package-replayout.melange.yaml-8e7230fc2d8afd47a5341ca0ba9b63f93bda5491" + }, + { + "spdxElementId": "SPDXRef-Package-sha256-462b8caeb0369dd5ec14eb4f698cddd327f26ba65720561497217ffad2e96d6a", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-replayout-1.0.0-r0" } ] } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json new/apko-1.0.3/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json --- old/apko-1.0.2/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json 2026-01-15 18:32:56.000000000 +0100 @@ -152,9 +152,19 @@ "relatedSpdxElement": "SPDXRef-Package-pretend-baselayout.melange.yaml-8e7230fc2d8afd47a5341ca0ba9b63f93bda5491" }, { + "spdxElementId": "SPDXRef-Package-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-pretend-baselayout-1.0.0-r0" + }, + { "spdxElementId": "SPDXRef-Package-replayout-1.0.0-r0", "relationshipType": "DESCRIBED_BY", "relatedSpdxElement": "SPDXRef-Package-replayout.melange.yaml-8e7230fc2d8afd47a5341ca0ba9b63f93bda5491" + }, + { + "spdxElementId": "SPDXRef-Package-sha256-3fa87a64fb699f65953caad1adcba9f5d3f25134bfff43f92a1ed097712cd79a", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-replayout-1.0.0-r0" } ] } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/pkg/sbom/generator/spdx/spdx.go new/apko-1.0.3/pkg/sbom/generator/spdx/spdx.go --- old/apko-1.0.2/pkg/sbom/generator/spdx/spdx.go 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/pkg/sbom/generator/spdx/spdx.go 2026-01-15 18:32:56.000000000 +0100 @@ -264,6 +264,19 @@ return fmt.Errorf("merging LicensingInfos: %w", err) } + // Add CONTAINS relationships from the document root package to all top-level elements from the internal SBOM. + // This ensures they are reachable from the document root for tools that traverse the SBOM graph. + if len(doc.DocumentDescribes) > 0 { + rootPkgID := doc.DocumentDescribes[0] + for elementID := range targetElementIDs { + doc.Relationships = append(doc.Relationships, Relationship{ + Element: rootPkgID, + Type: "CONTAINS", + Related: elementID, + }) + } + } + return nil } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json --- old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json 2026-01-15 18:32:56.000000000 +0100 @@ -101,6 +101,11 @@ "spdxElementId": "SPDXRef-Package-test-pkg-both-1.0.0-r0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-dep-from-relationship-2.0.0" + }, + { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-test-pkg-both-1.0.0-r0" } ] } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json --- old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json 2026-01-15 18:32:56.000000000 +0100 @@ -62,7 +62,13 @@ ] } ], - "relationships": [], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-font-ubuntu-0.869-r1" + } + ], "hasExtractedLicensingInfos": [ { "licenseId": "LicenseRef-ubuntu-font", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json --- old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json 2026-01-15 18:32:56.000000000 +0100 @@ -124,6 +124,11 @@ "spdxElementId": "SPDXRef-Package-test-pkg-describes-1.0.0-r0", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-npm-lodash" + }, + { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-test-pkg-describes-1.0.0-r0" } ] } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json --- old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json 2026-01-15 18:32:56.000000000 +0100 @@ -62,5 +62,11 @@ ] } ], - "relationships": [] + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-libattr1-2.5.1-r2" + } + ] } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json --- old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json 2026-01-15 18:32:56.000000000 +0100 @@ -129,6 +129,11 @@ "relatedSpdxElement": "SPDXRef-Package-github.com-elastic-logstash-v8.15.3-8364c8e89cfb113e38ec3f966df7eb1e9abe9d33-0" }, { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-logstash-8-8.15.3-r4" + }, + { "spdxElementId": "SPDXRef-Package-logstash-8-compat-8.15.3-r4", "relationshipType": "DESCRIBED_BY", "relatedSpdxElement": "SPDXRef-Package-logstash-8.yaml-c7d40faa38ddffa98700cfa4c2f9bde196acc504" @@ -137,6 +142,11 @@ "spdxElementId": "SPDXRef-Package-logstash-8-compat-8.15.3-r4", "relationshipType": "GENERATED_FROM", "relatedSpdxElement": "SPDXRef-Package-github.com-elastic-logstash-v8.15.3-8364c8e89cfb113e38ec3f966df7eb1e9abe9d33-0" + }, + { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-logstash-8-compat-8.15.3-r4" } ] } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json --- old/apko-1.0.2/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json 2026-01-14 11:10:27.000000000 +0100 +++ new/apko-1.0.3/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json 2026-01-15 18:32:56.000000000 +0100 @@ -148,6 +148,11 @@ "relatedSpdxElement": "SPDXRef-Package-github.com-NLnetLabs-unbound-release-1.23.0-30c13d0351abd2edc3d6dc76365f576c87b9736e-0" }, { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-unbound-libs-1.23.0-r0" + }, + { "spdxElementId": "SPDXRef-Package-unbound-1.23.0-r0", "relationshipType": "DESCRIBED_BY", "relatedSpdxElement": "SPDXRef-Package-unbound.yaml-23e8ff8479b39f3f2e97fdca28d814f0c434c39b" @@ -158,6 +163,11 @@ "relatedSpdxElement": "SPDXRef-Package-github.com-NLnetLabs-unbound-release-1.23.0-30c13d0351abd2edc3d6dc76365f576c87b9736e-0" }, { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-unbound-1.23.0-r0" + }, + { "spdxElementId": "SPDXRef-Package-unbound-config-1.23.0-r0", "relationshipType": "DESCRIBED_BY", "relatedSpdxElement": "SPDXRef-Package-unbound.yaml-23e8ff8479b39f3f2e97fdca28d814f0c434c39b" @@ -166,6 +176,11 @@ "spdxElementId": "SPDXRef-Package-unbound-config-1.23.0-r0", "relationshipType": "GENERATED_FROM", "relatedSpdxElement": "SPDXRef-Package-github.com-NLnetLabs-unbound-release-1.23.0-30c13d0351abd2edc3d6dc76365f576c87b9736e-0" + }, + { + "spdxElementId": "SPDXRef-Package-", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package-unbound-config-1.23.0-r0" } ] } ++++++ apko.obsinfo ++++++ --- /var/tmp/diff_new_pack.dyVSuD/_old 2026-01-17 14:54:02.405398127 +0100 +++ /var/tmp/diff_new_pack.dyVSuD/_new 2026-01-17 14:54:02.417398628 +0100 @@ -1,5 +1,5 @@ name: apko -version: 1.0.2 -mtime: 1768385427 -commit: 89f7c136729d533c74518b174099a1131d5092a9 +version: 1.0.3 +mtime: 1768498376 +commit: a808e274141f9baebb541dffcb23acfffd0746ba ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/apko/vendor.tar.gz /work/SRC/openSUSE:Factory/.apko.new.1928/vendor.tar.gz differ: char 93, line 3
