Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package werf for openSUSE:Factory checked in 
at 2025-04-17 16:08:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/werf (Old)
 and      /work/SRC/openSUSE:Factory/.werf.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "werf"

Thu Apr 17 16:08:58 2025 rev:45 rq:1270105 version:2.35.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/werf/werf.changes        2025-04-11 
16:47:13.120333209 +0200
+++ /work/SRC/openSUSE:Factory/.werf.new.30101/werf.changes     2025-04-20 
20:12:05.443483195 +0200
@@ -1,0 +2,39 @@
+Wed Apr 16 18:01:22 UTC 2025 - Johannes Kastl 
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 2.35.4:
+  * chore: release 2.35.4
+  * chore(release): release v2.35.4
+  * Revert "chore: update Nelm module"
+  * Revert "fix(deploy): possible panic in tracking Flux Canary
+    resource"
+  * Revert "fix(deploy): allow `werf.io/sensitive: false` for
+    Secrets"
+  * Revert "fix(deploy): default kubeconfig not used"
+  * chore(channels): revert alpha
+
+-------------------------------------------------------------------
+Wed Apr 16 17:59:20 UTC 2025 - Johannes Kastl 
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 2.35.3:
+  * fix(deploy): default kubeconfig not used
+
+-------------------------------------------------------------------
+Wed Apr 16 17:51:05 UTC 2025 - Johannes Kastl 
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 2.35.2:
+  * chore: release 2.35.2
+  * docs(build, secrets): update example
+  * test(build, secrets): remove from e2e simple test
+  * fix(build, secrets): fix secrets validation error when
+    rendering config
+  * fix(deploy): allow `werf.io/sensitive: false` for Secrets
+  * fix(deploy): possible panic in tracking Flux Canary resource
+  * chore: task format
+  * fix(build, imageSpec): invalidate cache (breaking changes)
+  * fix(build, imageSpec): keep essential werf-stage-content-digest
+    label
+  * chore: update Nelm module
+  * refactor(cleanup): update logging message
+  * chore(release): 2 alpha,beta,ea
+
+-------------------------------------------------------------------

Old:
----
  werf-2.35.1.obscpio

New:
----
  werf-2.35.4.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ werf.spec ++++++
--- /var/tmp/diff_new_pack.FvlSIC/_old  2025-04-20 20:12:06.543529248 +0200
+++ /var/tmp/diff_new_pack.FvlSIC/_new  2025-04-20 20:12:06.547529415 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           werf
-Version:        2.35.1
+Version:        2.35.4
 Release:        0
 Summary:        CLI for the Werf CI/CD system
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.FvlSIC/_old  2025-04-20 20:12:06.583530922 +0200
+++ /var/tmp/diff_new_pack.FvlSIC/_new  2025-04-20 20:12:06.587531090 +0200
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/werf/werf</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v2.35.1</param>
+    <param name="revision">v2.35.4</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.FvlSIC/_old  2025-04-20 20:12:06.611532094 +0200
+++ /var/tmp/diff_new_pack.FvlSIC/_new  2025-04-20 20:12:06.611532094 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/werf/werf</param>
-              <param 
name="changesrevision">efb923c6e24496f497418e529a06f72339f226cd</param></service></servicedata>
+              <param 
name="changesrevision">a878391d9331ee5583e43fbd2ca96a6c5ed67182</param></service></servicedata>
 (No newline at EOF)
 

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/werf/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.werf.new.30101/vendor.tar.gz differ: char 5, line 1

++++++ werf-2.35.1.obscpio -> werf-2.35.4.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/CHANGELOG.md new/werf-2.35.4/CHANGELOG.md
--- old/werf-2.35.1/CHANGELOG.md        2025-04-10 10:36:10.000000000 +0200
+++ new/werf-2.35.4/CHANGELOG.md        2025-04-16 13:51:13.000000000 +0200
@@ -1,5 +1,30 @@
 # Changelog
 
+### [2.35.4](https://www.github.com/werf/werf/compare/v2.35.3...v2.35.4) 
(2025-04-16)
+
+
+### Miscellaneous Chores
+
+* **release:** release v2.35.4 
([336b284](https://www.github.com/werf/werf/commit/336b284a023a151eaf769d7e2781d4a051220a6e))
+
+### [2.35.3](https://www.github.com/werf/werf/compare/v2.35.2...v2.35.3) 
(2025-04-16)
+
+
+### Bug Fixes
+
+* **deploy:** default kubeconfig not used 
([cbf9f55](https://www.github.com/werf/werf/commit/cbf9f55bd14f60ece0b6c39f611cb14814117479))
+
+### [2.35.2](https://www.github.com/werf/werf/compare/v2.35.1...v2.35.2) 
(2025-04-14)
+
+
+### Bug Fixes
+
+* **build, imageSpec:** invalidate cache (breaking changes) 
([c827491](https://www.github.com/werf/werf/commit/c827491bb77fc410da7591eeac295dd186ccd46a))
+* **build, imageSpec:** keep essential werf-stage-content-digest label 
([73fcd70](https://www.github.com/werf/werf/commit/73fcd70ba3291ae1f20a79ac8c3eb6b3b944f466))
+* **build, secrets:** fix secrets validation error when rendering config 
([94b4333](https://www.github.com/werf/werf/commit/94b433383cc042d6326cd0c95025300477b8959e))
+* **deploy:** allow `werf.io/sensitive: false` for Secrets 
([9d4fcec](https://www.github.com/werf/werf/commit/9d4fcec4a87b56eedf26d042cb30877ceb72a86b))
+* **deploy:** possible panic in tracking Flux Canary resource 
([047fb12](https://www.github.com/werf/werf/commit/047fb12f920b5063cde54daefd4255b1b8c1378e))
+
 ### [2.35.1](https://www.github.com/werf/werf/compare/v2.35.0...v2.35.1) 
(2025-04-10)
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/docs/pages_en/usage/build/images.md 
new/werf-2.35.4/docs/pages_en/usage/build/images.md
--- old/werf-2.35.1/docs/pages_en/usage/build/images.md 2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/docs/pages_en/usage/build/images.md 2025-04-16 
13:51:13.000000000 +0200
@@ -165,6 +165,7 @@
   secrets:
     allowEnvVariables:
       - "AWS_ACCESS_KEY_ID"
+      - "AWS_SECRET_ACCESS_KEY"
     allowFiles:
       - "~/.aws/credentials"
     allowValueIds:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/werf-2.35.1/docs/pages_en/usage/build/stapel/instructions.md 
new/werf-2.35.4/docs/pages_en/usage/build/stapel/instructions.md
--- old/werf-2.35.1/docs/pages_en/usage/build/stapel/instructions.md    
2025-04-10 10:36:10.000000000 +0200
+++ new/werf-2.35.4/docs/pages_en/usage/build/stapel/instructions.md    
2025-04-16 13:51:13.000000000 +0200
@@ -373,6 +373,7 @@
   secrets:
     allowEnvVariables:
       - "AWS_ACCESS_KEY_ID"
+      - "AWS_SECRET_ACCESS_KEY"
     allowFiles:
       - "~/.aws/credentials"
     allowValueIds:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/docs/pages_en/usage/deploy/charts.md 
new/werf-2.35.4/docs/pages_en/usage/deploy/charts.md
--- old/werf-2.35.1/docs/pages_en/usage/deploy/charts.md        2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/docs/pages_en/usage/deploy/charts.md        2025-04-16 
13:51:13.000000000 +0200
@@ -205,7 +205,7 @@
 - name: backend
 ```
 
-If you want to connect multiple dependent charts with the same name or connect 
the same dependent chart several times, use the parent chart's 
`dependencies[].alias' directive to add alias for the charts to be included, 
for example:
+If you want to connect multiple dependent charts with the same name or connect 
the same dependent chart several times, use the parent chart's 
`dependencies[].alias` directive to add alias for the charts to be included, 
for example:
 
 ```yaml
 # .helm/Chart.yaml:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/go.mod new/werf-2.35.4/go.mod
--- old/werf-2.35.1/go.mod      2025-04-10 10:36:10.000000000 +0200
+++ new/werf-2.35.4/go.mod      2025-04-16 13:51:13.000000000 +0200
@@ -273,7 +273,7 @@
        github.com/mattn/go-isatty v0.0.20 // indirect
        github.com/mattn/go-runewidth v0.0.15 // indirect
        github.com/mattn/go-shellwords v1.0.12 // indirect
-       github.com/mattn/go-sqlite3 v1.14.22 // indirect
+       github.com/mattn/go-sqlite3 v2.0.1+incompatible // indirect
        github.com/miekg/pkcs11 v1.1.1 // indirect
        github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect
        github.com/mitchellh/go-homedir v1.1.0 // indirect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/go.sum new/werf-2.35.4/go.sum
--- old/werf-2.35.1/go.sum      2025-04-10 10:36:10.000000000 +0200
+++ new/werf-2.35.4/go.sum      2025-04-16 13:51:13.000000000 +0200
@@ -951,8 +951,8 @@
 github.com/mattn/go-sqlite3 v1.14.0/go.mod 
h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod 
h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/mattn/go-sqlite3 v1.14.7/go.mod 
h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/mattn/go-sqlite3 v1.14.22 
h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod 
h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v2.0.1+incompatible 
h1:xQ15muvnzGBHpIpdrNi1DA5x0+TcBZzsIDwmw9uTHzw=
+github.com/mattn/go-sqlite3 v2.0.1+incompatible/go.mod 
h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-zglob v0.0.1/go.mod 
h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
 github.com/mattn/go-zglob v0.0.6 
h1:mP8RnmCgho4oaUYDIDn6GNxYk+qJGUs8fJLn+twYj2A=
 github.com/mattn/go-zglob v0.0.6/go.mod 
h1:MxxjyoXXnMxfIpxTK2GAkw1w8glPsQILx3N5wrKakiY=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/build/build_phase.go 
new/werf-2.35.4/pkg/build/build_phase.go
--- old/werf-2.35.1/pkg/build/build_phase.go    2025-04-10 10:36:10.000000000 
+0200
+++ new/werf-2.35.4/pkg/build/build_phase.go    2025-04-16 13:51:13.000000000 
+0200
@@ -860,8 +860,6 @@
                                contentDigest, exist := 
stageDescCopy.Info.Labels[imagePkg.WerfStageContentDigestLabel]
                                if exist {
                                        stg.SetContentDigest(contentDigest)
-                               } else if stg.Name() == stage.ImageSpec { // 
The content digest tag might be missing for the imageSpec stage (removed by the 
user).
-                                       
stg.SetContentDigest(stageDescCopy.Info.GetDigest())
                                } else {
                                        panic(fmt.Sprintf("expected stage %q 
content digest label to be set!", stg.Name()))
                                }
@@ -983,8 +981,6 @@
                contentDigest, exist := 
stageDesc.Info.Labels[imagePkg.WerfStageContentDigestLabel]
                if exist {
                        stageContentSig = contentDigest
-               } else if stg.Name() == stage.ImageSpec { // The content digest 
tag might be missing for the imageSpec stage (removed by the user).
-                       stageContentSig = stageDesc.Info.GetDigest()
                } else {
                        panic(fmt.Sprintf("expected stage %q content digest 
label to be set!", stg.Name()))
                }
@@ -1188,8 +1184,6 @@
                        contentDigest, exist := 
stageDesc.Info.Labels[imagePkg.WerfStageContentDigestLabel]
                        if exist {
                                stg.SetContentDigest(contentDigest)
-                       } else if stg.Name() == stage.ImageSpec { // The 
content digest tag might be missing for the imageSpec stage (removed by the 
user).
-                               stg.SetContentDigest(stageDesc.Info.GetDigest())
                        } else {
                                panic(fmt.Sprintf("expected stage %q content 
digest label to be set!", stg.Name()))
                        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/build/builder/ansible.go 
new/werf-2.35.4/pkg/build/builder/ansible.go
--- old/werf-2.35.1/pkg/build/builder/ansible.go        2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/pkg/build/builder/ansible.go        2025-04-16 
13:51:13.000000000 +0200
@@ -16,6 +16,7 @@
 
        "github.com/werf/common-go/pkg/util"
        "github.com/werf/logboek"
+       "github.com/werf/werf/v2/pkg/build/secrets"
        "github.com/werf/werf/v2/pkg/config"
        "github.com/werf/werf/v2/pkg/container_backend"
        "github.com/werf/werf/v2/pkg/container_backend/stage_builder"
@@ -247,7 +248,7 @@
 
 func (b *Ansible) addBuildSecretsVolumes(stageHostTmpDir string, fn 
func(string)) error {
        for _, s := range b.secrets {
-               secretPath, err := s.GetMountPath(stageHostTmpDir)
+               secretPath, err := secrets.GetMountPath(s, stageHostTmpDir)
                if err != nil {
                        return err
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/build/builder/shell.go 
new/werf-2.35.4/pkg/build/builder/shell.go
--- old/werf-2.35.1/pkg/build/builder/shell.go  2025-04-10 10:36:10.000000000 
+0200
+++ new/werf-2.35.4/pkg/build/builder/shell.go  2025-04-16 13:51:13.000000000 
+0200
@@ -11,6 +11,7 @@
 
        "github.com/werf/common-go/pkg/util"
        "github.com/werf/logboek"
+       "github.com/werf/werf/v2/pkg/build/secrets"
        "github.com/werf/werf/v2/pkg/config"
        "github.com/werf/werf/v2/pkg/container_backend"
        "github.com/werf/werf/v2/pkg/container_backend/stage_builder"
@@ -200,7 +201,7 @@
 
 func (b *Shell) addBuildSecretsVolumes(stageHostTmpDir string, fn 
func(string)) error {
        for _, s := range b.secrets {
-               secretPath, err := s.GetMountPath(stageHostTmpDir)
+               secretPath, err := secrets.GetMountPath(s, stageHostTmpDir)
                if err != nil {
                        return err
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/build/image/dockerfile.go 
new/werf-2.35.4/pkg/build/image/dockerfile.go
--- old/werf-2.35.1/pkg/build/image/dockerfile.go       2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/pkg/build/image/dockerfile.go       2025-04-16 
13:51:13.000000000 +0200
@@ -13,6 +13,7 @@
 
        "github.com/werf/common-go/pkg/util"
        "github.com/werf/logboek"
+       "github.com/werf/werf/v2/pkg/build/secrets"
        "github.com/werf/werf/v2/pkg/build/stage"
        stage_instruction "github.com/werf/werf/v2/pkg/build/stage/instruction"
        "github.com/werf/werf/v2/pkg/config"
@@ -86,6 +87,15 @@
                }{WerfImageName: werfImageName, Stage: stage, Level: level})
        }
 
+       buildSecrets := make([]string, 0, len(dockerfileImageConfig.Secrets))
+       for _, s := range dockerfileImageConfig.Secrets {
+               secret, err := secrets.GetSecretStringArg(s)
+               if err != nil {
+                       return nil, fmt.Errorf("unable to get build secrets: 
%w", err)
+               }
+               buildSecrets = append(buildSecrets, secret)
+       }
+
        for len(queue) > 0 {
                item := queue[0]
                queue = queue[1:]
@@ -219,7 +229,7 @@
                        case 
*dockerfile.DockerfileStageInstruction[*instructions.OnbuildCommand]:
                                stg = stage_instruction.NewOnBuild(typedInstr, 
dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
                        case 
*dockerfile.DockerfileStageInstruction[*instructions.RunCommand]:
-                               stg = stage_instruction.NewRun(typedInstr, 
dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions, 
dockerfileImageConfig.Secrets, dockerfileImageConfig.SSH)
+                               stg = stage_instruction.NewRun(typedInstr, 
dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions, 
buildSecrets, dockerfileImageConfig.SSH)
                        case 
*dockerfile.DockerfileStageInstruction[*instructions.ShellCommand]:
                                stg = stage_instruction.NewShell(typedInstr, 
dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
                        case 
*dockerfile.DockerfileStageInstruction[*instructions.StopSignalCommand]:
@@ -320,6 +330,15 @@
                ProjectName:    opts.ProjectName,
        }
 
+       buildSecrets := make([]string, 0, len(dockerfileImageConfig.Secrets))
+       for _, s := range dockerfileImageConfig.Secrets {
+               secret, err := secrets.GetSecretStringArg(s)
+               if err != nil {
+                       return nil, fmt.Errorf("unable to get build secrets: 
%w", err)
+               }
+               buildSecrets = append(buildSecrets, secret)
+       }
+
        imageCacheVersion := 
option.ValueOrDefault(dockerfileImageConfig.CacheVersion(), 
metaConfig.Build.CacheVersion)
 
        dockerfileStage := 
stage.GenerateFullDockerfileStage(stage.NewDockerRunArgs(
@@ -332,7 +351,7 @@
                dockerfileImageConfig.AddHost,
                dockerfileImageConfig.Network,
                dockerfileImageConfig.SSH,
-               dockerfileImageConfig.Secrets,
+               buildSecrets,
        ), ds, stage.NewContextChecksum(dockerIgnorePathMatcher), 
baseStageOptions, dockerfileImageConfig.Dependencies, imageCacheVersion)
 
        img.stages = append(img.stages, dockerfileStage)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/build/secrets/build_secrets.go 
new/werf-2.35.4/pkg/build/secrets/build_secrets.go
--- old/werf-2.35.1/pkg/build/secrets/build_secrets.go  1970-01-01 
01:00:00.000000000 +0100
+++ new/werf-2.35.4/pkg/build/secrets/build_secrets.go  2025-04-16 
13:51:13.000000000 +0200
@@ -0,0 +1,155 @@
+package secrets
+
+import (
+       "fmt"
+       "math"
+       "math/rand/v2"
+       "os"
+
+       "github.com/werf/common-go/pkg/util"
+       "github.com/werf/werf/v2/pkg/config"
+)
+
+type SecretFromEnv struct {
+       Id    string
+       Value string
+}
+
+type SecretFromSrc struct {
+       Id    string
+       Value string
+}
+
+type SecretFromPlainValue struct {
+       Id    string
+       Value string
+}
+
+type Secret interface {
+       GetSecretStringArg() (string, error)
+       GetMountPath(stageHostTmpDir string) (string, error)
+}
+
+func GetSecretStringArg(secret config.Secret) (string, error) {
+       s, err := parseSecret(secret)
+       if err != nil {
+               return "", fmt.Errorf("error parsing secrets: %w", err)
+       }
+       return s.GetSecretStringArg()
+}
+
+func (s *SecretFromEnv) GetSecretStringArg() (string, error) {
+       return fmt.Sprintf("id=%s,env=%s", s.Id, s.Value), nil
+}
+
+func (s *SecretFromSrc) GetSecretStringArg() (string, error) {
+       return fmt.Sprintf("id=%s,src=%s", s.Id, s.Value), nil
+}
+
+func (s *SecretFromPlainValue) GetSecretStringArg() (string, error) {
+       secret, err := s.setPlainValueAsEnv()
+       if err != nil {
+               return "", err
+       }
+       return secret.GetSecretStringArg()
+}
+
+func (s *SecretFromPlainValue) setPlainValueAsEnv() (*SecretFromEnv, error) {
+       envKey := fmt.Sprintf("tmpbuild%d_%s", rand.IntN(math.MaxInt32), s.Id) 
// generate unique value
+       if _, e := os.LookupEnv(envKey); e {
+               return nil, fmt.Errorf("can't set secret %s: id is not unique", 
s.Id) // should never be here
+       }
+
+       err := os.Setenv(envKey, s.Value)
+       if err != nil {
+               return nil, fmt.Errorf("can't set value")
+       }
+
+       return &SecretFromEnv{
+               Id:    s.Id,
+               Value: envKey,
+       }, nil
+}
+
+func GetMountPath(secret config.Secret, stageHostTmpDir string) (string, 
error) {
+       s, err := parseSecret(secret)
+       if err != nil {
+               return "", fmt.Errorf("unable to get secret mount path: %w", 
err)
+       }
+       return s.GetMountPath(stageHostTmpDir)
+}
+
+func parseSecret(secret config.Secret) (Secret, error) {
+       if secret.ValueFromEnv != "" {
+               return newSecretFromEnv(secret)
+       } else if secret.ValueFromSrc != "" {
+               return newSecretFromSrc(secret)
+       } else if secret.ValueFromPlain != "" {
+               return newSecretFromPlainValue(secret)
+       }
+       return nil, fmt.Errorf("unknown secret type")
+}
+
+func newSecretFromEnv(s config.Secret) (*SecretFromEnv, error) {
+       if _, exists := os.LookupEnv(s.ValueFromEnv); !exists {
+               return nil, fmt.Errorf("specified env variable `%s` is not 
set", s.ValueFromEnv)
+       }
+       return &SecretFromEnv{Id: s.Id, Value: s.ValueFromEnv}, nil
+}
+
+func newSecretFromSrc(s config.Secret) (*SecretFromSrc, error) {
+       absPath, err := util.ExpandPath(s.ValueFromSrc)
+       if err != nil {
+               return nil, fmt.Errorf("error load secret from src: %w", err)
+       }
+
+       if exists, _ := util.FileExists(absPath); !exists {
+               return nil, fmt.Errorf("error load secret from src: path %s 
doesn't exist", absPath)
+       }
+       return &SecretFromSrc{Id: s.Id, Value: absPath}, nil
+}
+
+func newSecretFromPlainValue(s config.Secret) (*SecretFromPlainValue, error) {
+       return &SecretFromPlainValue{Id: s.Id, Value: s.ValueFromPlain}, nil
+}
+
+func (s *SecretFromEnv) GetMountPath(stageHostTmpDir string) (string, error) {
+       data := []byte(os.Getenv(s.Value))
+       return getMountPath(s.Id, stageHostTmpDir, data)
+}
+
+func (s *SecretFromSrc) GetMountPath(stageHostTmpDir string) (string, error) {
+       return generateMountPath(s.Id, s.Value), nil
+}
+
+func (s *SecretFromPlainValue) GetMountPath(stageHostTmpDir string) (string, 
error) {
+       return getMountPath(s.Id, stageHostTmpDir, []byte(s.Value))
+}
+
+func getMountPath(secretId, stageHostTmpDir string, data []byte) (string, 
error) {
+       tmpFile, err := writeToTmpFile(stageHostTmpDir, data)
+       if err != nil {
+               return "", fmt.Errorf("unable to mount secret: %w", err)
+       }
+       return generateMountPath(secretId, tmpFile), nil
+}
+
+func writeToTmpFile(stageHostTmpDir string, data []byte) (string, error) {
+       tmpFile, err := os.CreateTemp(stageHostTmpDir, "stapel*")
+       if err != nil {
+               return "", err
+       }
+
+       tmpFilePath := tmpFile.Name()
+
+       if err := os.WriteFile(tmpFilePath, data, 0o400); err != nil {
+               return "", err
+       }
+
+       return tmpFilePath, nil
+}
+
+func generateMountPath(id, filepath string) string {
+       containerPath := fmt.Sprintf("/run/secrets/%s", id)
+       return fmt.Sprintf("%s:%s:ro", filepath, containerPath)
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/build/stage/image_spec.go 
new/werf-2.35.4/pkg/build/stage/image_spec.go
--- old/werf-2.35.1/pkg/build/stage/image_spec.go       2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/pkg/build/stage/image_spec.go       2025-04-16 
13:51:13.000000000 +0200
@@ -22,7 +22,7 @@
        labelTemplateImage      = "image"
        labelTemplateProject    = "project"
        labelTemplateDelimiter  = "%"
-       werfLabelsGlobalWarning = `The "werf" and "werf-parent-stage-id" labels 
cannot be removed within the imageSpec stage, as they are essential for the 
proper operation of host and container registry cleanup.
+       werfLabelsGlobalWarning = `The "werf", "werf-stage-content-digest" and 
"werf.io/parent-stage-id" labels cannot be removed within the imageSpec stage, 
as they are essential for the proper operation of host and container registry 
cleanup.
 
 If you need to remove all werf labels, use the werf export command. By 
default, this command removes all werf labels and fully detaches images from 
werf control, transferring host and container registry cleanup entirely to the 
user.
 
@@ -111,44 +111,34 @@
        return nil
 }
 
-const imageSpecStageCacheVersion = "2"
-
 func (s *ImageSpecStage) GetDependencies(_ context.Context, _ Conveyor, _ 
container_backend.ContainerBackend, _, _ *StageImage, _ 
container_backend.BuildContextArchiver) (string, error) {
        var args []string
 
-       args = append(args, imageSpecStageCacheVersion)
+       // imageSpec
        args = append(args, s.imageSpec.Author)
        args = append(args, fmt.Sprint(s.imageSpec.ClearHistory))
 
-       args = append(args, fmt.Sprint(s.imageSpec.ClearWerfLabels))
-       args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveLabels)...)
-       args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveVolumes)...)
-       args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveEnv)...)
-
-       args = append(args, sortSliceWithNewSlice(s.imageSpec.Volumes)...)
-       args = append(args, mapToSortedArgs(s.imageSpec.Labels)...)
+       // imageSpec.config
+       args = append(args, strings.Join(s.imageSpec.Cmd, " "))
+       args = append(args, strings.Join(s.imageSpec.Entrypoint, " "))
        args = append(args, mapToSortedArgs(s.imageSpec.Env)...)
        args = append(args, sortSliceWithNewSlice(s.imageSpec.Expose)...)
+       args = append(args, fmt.Sprint(s.imageSpec.Healthcheck))
+       args = append(args, mapToSortedArgs(s.imageSpec.Labels)...)
+       args = append(args, s.imageSpec.StopSignal)
        args = append(args, s.imageSpec.User)
-       args = append(args, strings.Join(s.imageSpec.Cmd, " "))
-       args = append(args, fmt.Sprint(s.imageSpec.ClearCmd))
-       args = append(args, strings.Join(s.imageSpec.Entrypoint, " "))
-       args = append(args, fmt.Sprint(s.imageSpec.ClearEntrypoint))
+       args = append(args, sortSliceWithNewSlice(s.imageSpec.Volumes)...)
        args = append(args, s.imageSpec.WorkingDir)
-       args = append(args, s.imageSpec.StopSignal)
-       args = append(args, fmt.Sprint(s.imageSpec.Healthcheck))
-
-       if s.imageSpec.ClearUser {
-               args = append(args, fmt.Sprint(s.imageSpec.ClearUser))
-       }
 
-       if s.imageSpec.ClearWorkingDir {
-               args = append(args, fmt.Sprint(s.imageSpec.ClearWorkingDir))
-       }
+       args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveLabels)...)
+       args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveVolumes)...)
+       args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveEnv)...)
+       args = append(args, fmt.Sprint(s.imageSpec.KeepEssentialWerfLabels))
 
-       if s.imageSpec.KeepEssentialWerfLabels {
-               args = append(args, 
fmt.Sprint(s.imageSpec.KeepEssentialWerfLabels))
-       }
+       args = append(args, fmt.Sprint(s.imageSpec.ClearCmd))
+       args = append(args, fmt.Sprint(s.imageSpec.ClearEntrypoint))
+       args = append(args, fmt.Sprint(s.imageSpec.ClearUser))
+       args = append(args, fmt.Sprint(s.imageSpec.ClearWorkingDir))
 
        return util.Sha256Hash(args...), nil
 }
@@ -207,7 +197,7 @@
                        continue
                }
 
-               if key == image.WerfLabel || key == image.WerfParentStageID {
+               if key == image.WerfLabel || key == image.WerfParentStageID || 
key == image.WerfStageContentDigestLabel {
                        if !keepEssentialWerfLabels {
                                shouldPrintGlobalWarn = true
                        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/cleaning/cleanup.go 
new/werf-2.35.4/pkg/cleaning/cleanup.go
--- old/werf-2.35.1/pkg/cleaning/cleanup.go     2025-04-10 10:36:10.000000000 
+0200
+++ new/werf-2.35.4/pkg/cleaning/cleanup.go     2025-04-16 13:51:13.000000000 
+0200
@@ -813,7 +813,7 @@
 
        // skip kept stages and their relatives.
        {
-               logboek.Context(ctx).Default().LogProcess("Skipping relative 
stages for protected stages").Do(func() {
+               logboek.Context(ctx).Default().LogProcess("Processing relative 
stages for saved stages").Do(func() {
                        handledStageDescSet := image.NewStageDescSet()
                        for protectionReason, stageDescToKeepSet := range 
m.stageManager.GetProtectedStageDescSetByReason() {
                                // Git history based policy keeps import 
sources more effectively, other policies do not keep them.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/config/image_from_dockerfile.go 
new/werf-2.35.4/pkg/config/image_from_dockerfile.go
--- old/werf-2.35.1/pkg/config/image_from_dockerfile.go 2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/pkg/config/image_from_dockerfile.go 2025-04-16 
13:51:13.000000000 +0200
@@ -20,7 +20,7 @@
        SSH             string
        Dependencies    []*Dependency
        Staged          bool
-       Secrets         []string
+       Secrets         []Secret
        ImageSpec       *ImageSpec
 
        cacheVersion string
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/config/raw_image_from_dockerfile.go 
new/werf-2.35.4/pkg/config/raw_image_from_dockerfile.go
--- old/werf-2.35.1/pkg/config/raw_image_from_dockerfile.go     2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/pkg/config/raw_image_from_dockerfile.go     2025-04-16 
13:51:13.000000000 +0200
@@ -145,16 +145,7 @@
                return nil, err
        }
 
-       secretsArgs := make([]string, 0, len(secrets))
-       for _, s := range secrets {
-               secret, err := s.GetSecretStringArg()
-               if err != nil {
-                       return nil, err
-               }
-               secretsArgs = append(secretsArgs, secret)
-       }
-
-       image.Secrets = secretsArgs
+       image.Secrets = secrets
 
        if c.RawImageSpec != nil {
                image.ImageSpec = c.RawImageSpec.toDirective()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/werf-2.35.1/pkg/config/raw_image_from_dockerfile_test.go 
new/werf-2.35.4/pkg/config/raw_image_from_dockerfile_test.go
--- old/werf-2.35.1/pkg/config/raw_image_from_dockerfile_test.go        
2025-04-10 10:36:10.000000000 +0200
+++ new/werf-2.35.4/pkg/config/raw_image_from_dockerfile_test.go        
2025-04-16 13:51:13.000000000 +0200
@@ -53,7 +53,7 @@
                                Name:            "image1",
                                ContextAddFiles: []string{},
                                AddHost:         []string{},
-                               Secrets:         []string{},
+                               Secrets:         []Secret{},
 
                                cacheVersion: "docker-cache-version",
                                platform:     []string{},
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/config/raw_secrets.go 
new/werf-2.35.4/pkg/config/raw_secrets.go
--- old/werf-2.35.1/pkg/config/raw_secrets.go   2025-04-10 10:36:10.000000000 
+0200
+++ new/werf-2.35.4/pkg/config/raw_secrets.go   2025-04-16 13:51:13.000000000 
+0200
@@ -59,6 +59,6 @@
        case s.PlainValue != "":
                return newSecretFromPlainValue(s)
        default:
-               return nil, newDetailedConfigError("secret should be defined as 
`env`, `src` or `value`", s, s.parent.getDoc())
+               return Secret{}, newDetailedConfigError("secret should be 
defined as `env`, `src` or `value`", s, s.parent.getDoc())
        }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/config/secrets.go 
new/werf-2.35.4/pkg/config/secrets.go
--- old/werf-2.35.1/pkg/config/secrets.go       2025-04-10 10:36:10.000000000 
+0200
+++ new/werf-2.35.4/pkg/config/secrets.go       2025-04-16 13:51:13.000000000 
+0200
@@ -2,135 +2,57 @@
 
 import (
        "fmt"
-       "math"
-       "math/rand/v2"
-       "os"
        "path/filepath"
 
-       "github.com/werf/common-go/pkg/util"
-       "github.com/werf/kubedog/pkg/utils"
        "github.com/werf/werf/v2/pkg/giterminism_manager"
 )
 
-type Secret interface {
-       GetSecretStringArg() (string, error)
-       GetSecretId() string
-       InspectByGiterminism(giterminismManager giterminism_manager.Interface) 
error
-       GetMountPath(stageHostTmpDir string) (string, error)
+type Secret struct {
+       Id             string
+       ValueFromEnv   string
+       ValueFromSrc   string
+       ValueFromPlain string
 }
 
-type SecretFromEnv struct {
-       Id    string
-       Value string
-}
-
-type SecretFromSrc struct {
-       Id    string
-       Value string
-}
-
-type SecretFromPlainValue struct {
-       Id    string
-       Value string
-}
-
-func newSecretFromEnv(s *rawSecret) (*SecretFromEnv, error) {
-       if _, exists := os.LookupEnv(s.Env); !exists {
-               return nil, fmt.Errorf("specified env variable `%s` doesn't 
exist", s.Env)
-       }
+func newSecretFromEnv(s *rawSecret) (Secret, error) {
        if s.Id == "" {
                s.Id = s.Env
        }
-       return &SecretFromEnv{
-               Id:    s.Id,
-               Value: s.Env,
+       return Secret{
+               Id:           s.Id,
+               ValueFromEnv: s.Env,
        }, nil
 }
 
-func newSecretFromSrc(s *rawSecret) (*SecretFromSrc, error) {
-       absPath, err := util.ExpandPath(s.Src)
-       if err != nil {
-               return nil, fmt.Errorf("error load secret from src: %w", err)
-       }
-
-       if exists, _ := utils.FileExists(absPath); !exists {
-               return nil, fmt.Errorf("error load secret from src: path %s 
doesn't exist", absPath)
-       }
-
+func newSecretFromSrc(s *rawSecret) (Secret, error) {
        if s.Id == "" {
-               s.Id = filepath.Base(absPath)
+               s.Id = filepath.Base(s.Src)
        }
-       return &SecretFromSrc{
-               Id:    s.Id,
-               Value: absPath,
+       return Secret{
+               Id:           s.Id,
+               ValueFromSrc: s.Src,
        }, nil
 }
 
-func newSecretFromPlainValue(s *rawSecret) (*SecretFromPlainValue, error) {
+func newSecretFromPlainValue(s *rawSecret) (Secret, error) {
        if s.Id == "" {
-               return nil, fmt.Errorf("type value should be used with id 
parameter")
+               return Secret{}, fmt.Errorf("type value should be used with id 
parameter")
        }
-       return &SecretFromPlainValue{
-               Id:    s.Id,
-               Value: s.PlainValue,
+       return Secret{
+               Id:             s.Id,
+               ValueFromPlain: s.PlainValue,
        }, nil
 }
 
-func (s *SecretFromEnv) GetSecretStringArg() (string, error) {
-       return fmt.Sprintf("id=%s,env=%s", s.Id, s.Value), nil
-}
-
-func (s *SecretFromSrc) GetSecretStringArg() (string, error) {
-       return fmt.Sprintf("id=%s,src=%s", s.Id, s.Value), nil
-}
-
-func (s *SecretFromPlainValue) GetSecretStringArg() (string, error) {
-       secret, err := s.setPlainValueAsEnv()
-       if err != nil {
-               return "", err
-       }
-       return secret.GetSecretStringArg()
-}
-
-func (s *SecretFromPlainValue) setPlainValueAsEnv() (*SecretFromEnv, error) {
-       envKey := fmt.Sprintf("tmpbuild%d_%s", rand.IntN(math.MaxInt32), s.Id) 
// generate unique value
-       if _, e := os.LookupEnv(envKey); e {
-               return nil, fmt.Errorf("can't set secret %s: id is not unique", 
s.Id) // should never be here
-       }
-
-       err := os.Setenv(envKey, s.Value)
-       if err != nil {
-               return nil, fmt.Errorf("can't set value")
+func inspectSecretByGiterminism(giterminismManager 
giterminism_manager.Interface, secret Secret) error {
+       if secret.ValueFromEnv != "" {
+               return 
giterminismManager.Inspector().InspectConfigSecretEnvAccepted(secret.ValueFromEnv)
+       } else if secret.ValueFromSrc != "" {
+               return 
giterminismManager.Inspector().InspectConfigSecretSrcAccepted(secret.ValueFromSrc)
+       } else if secret.ValueFromPlain != "" {
+               return 
giterminismManager.Inspector().InspectConfigSecretValueAccepted(secret.Id)
        }
-
-       return &SecretFromEnv{
-               Id:    s.Id,
-               Value: envKey,
-       }, nil
-}
-
-func (s *SecretFromEnv) GetSecretId() string {
-       return s.Id
-}
-
-func (s *SecretFromSrc) GetSecretId() string {
-       return s.Id
-}
-
-func (s *SecretFromPlainValue) GetSecretId() string {
-       return s.Id
-}
-
-func (s *SecretFromEnv) InspectByGiterminism(giterminismManager 
giterminism_manager.Interface) error {
-       return 
giterminismManager.Inspector().InspectConfigSecretEnvAccepted(s.Value)
-}
-
-func (s *SecretFromSrc) InspectByGiterminism(giterminismManager 
giterminism_manager.Interface) error {
-       return 
giterminismManager.Inspector().InspectConfigSecretSrcAccepted(s.Value)
-}
-
-func (s *SecretFromPlainValue) InspectByGiterminism(giterminismManager 
giterminism_manager.Interface) error {
-       return 
giterminismManager.Inspector().InspectConfigSecretValueAccepted(s.Id)
+       return nil
 }
 
 func GetValidatedSecrets(rawSecrets []*rawSecret, giterminismManager 
giterminism_manager.Interface, doc *doc) ([]Secret, error) {
@@ -143,14 +65,14 @@
                        return nil, newDetailedConfigError(fmt.Sprintf("unable 
to load build secrets: %s", err.Error()), s, s.parent.getDoc())
                }
 
-               secretId := secret.GetSecretId()
+               secretId := secret.Id
                if _, ok := secretIds[secretId]; !ok {
                        secretIds[secretId] = struct{}{}
                } else {
                        return nil, 
newDetailedConfigError(fmt.Sprintf("duplicated secret %q", secretId), nil, 
s.parent.getDoc())
                }
 
-               err = secret.InspectByGiterminism(giterminismManager)
+               err = inspectSecretByGiterminism(giterminismManager, secret)
                if err != nil {
                        return nil, err
                }
@@ -160,44 +82,3 @@
 
        return secrets, nil
 }
-
-func (s *SecretFromEnv) GetMountPath(stageHostTmpDir string) (string, error) {
-       data := []byte(os.Getenv(s.Value))
-       return getMountPath(s.Id, stageHostTmpDir, data)
-}
-
-func (s *SecretFromSrc) GetMountPath(stageHostTmpDir string) (string, error) {
-       return generateMountPath(s.Id, s.Value), nil
-}
-
-func (s *SecretFromPlainValue) GetMountPath(stageHostTmpDir string) (string, 
error) {
-       return getMountPath(s.Id, stageHostTmpDir, []byte(s.Value))
-}
-
-func getMountPath(secretId, stageHostTmpDir string, data []byte) (string, 
error) {
-       tmpFile, err := writeToTmpFile(stageHostTmpDir, data)
-       if err != nil {
-               return "", fmt.Errorf("unable to mount secret: %w", err)
-       }
-       return generateMountPath(secretId, tmpFile), nil
-}
-
-func writeToTmpFile(stageHostTmpDir string, data []byte) (string, error) {
-       tmpFile, err := os.CreateTemp(stageHostTmpDir, "stapel*")
-       if err != nil {
-               return "", err
-       }
-
-       tmpFilePath := tmpFile.Name()
-
-       if err := os.WriteFile(tmpFilePath, data, 0o400); err != nil {
-               return "", err
-       }
-
-       return tmpFilePath, nil
-}
-
-func generateMountPath(id, filepath string) string {
-       containerPath := fmt.Sprintf("/run/secrets/%s", id)
-       return fmt.Sprintf("%s:%s:ro", filepath, containerPath)
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/pkg/giterminism_manager/config/config.go 
new/werf-2.35.4/pkg/giterminism_manager/config/config.go
--- old/werf-2.35.1/pkg/giterminism_manager/config/config.go    2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/pkg/giterminism_manager/config/config.go    2025-04-16 
13:51:13.000000000 +0200
@@ -235,7 +235,11 @@
 }
 
 func (s *secrets) IsAllowSecretsFileAccepted(path string) bool {
-       return isAbsPathMatched(s.AllowFiles, path)
+       absPath, err := util.ExpandPath(path)
+       if err != nil {
+               return false
+       }
+       return isAbsPathMatched(s.AllowFiles, absPath)
 }
 
 func (s *secrets) IsValueIdAccepted(name string) bool {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/Dockerfile 
new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/Dockerfile
--- old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/Dockerfile   
2025-04-10 10:36:10.000000000 +0200
+++ new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/Dockerfile   
1970-01-01 01:00:00.000000000 +0100
@@ -1,17 +0,0 @@
-FROM ubuntu:22.04
-
-RUN --mount=type=secret,id=ENV_SECRET \
-    [ "$(cat /run/secrets/ENV_SECRET)" = "WERF_BUILD_SECRET" ] || (echo "Env 
does not match the expected value" && exit 1)
-
-RUN --mount=type=secret,id=file \
-    grep -q "filecontent" /run/secrets/file || (echo "Src secret does not 
contain the expected content" && exit 1)
-
-RUN --mount=type=secret,id=plainSecret \
-    [ "$(cat /run/secrets/plainSecret)" = "plainSecretValue" ] || (echo 
"PlainSecret does not match the expected value" && exit 1)
-
-RUN --mount=type=secret,id=secret_file_in_home \
-    grep -q "secret" /run/secrets/secret_file_in_home || (echo "Src secret 
does not contain the expected content" && exit 1)
-
-COPY file /file
-
-RUN touch /created-by-run
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/file 
new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/file
--- old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/file 2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/file 1970-01-01 
01:00:00.000000000 +0100
@@ -1 +0,0 @@
-filecontent
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml 
new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml
--- 
old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml    
    2025-04-10 10:36:10.000000000 +0200
+++ 
new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml    
    1970-01-01 01:00:00.000000000 +0100
@@ -1,11 +0,0 @@
-giterminismConfigVersion: 1
-
-config:
-  secrets:
-    allowEnvVariables:
-      - "ENV_SECRET"
-    allowFiles:
-      - "./file"
-      - "~/secret_file_in_home"
-    allowValueIds:
-      - plainSecret
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/werf.yaml 
new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/werf.yaml
--- old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/werf.yaml    
2025-04-10 10:36:10.000000000 +0200
+++ new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/werf.yaml    
1970-01-01 01:00:00.000000000 +0100
@@ -1,32 +0,0 @@
-project: werf-test-e2e-build-simple
-configVersion: 1
-
----
-image: dockerfile
-dockerfile: Dockerfile
-secrets:
-  - env: ENV_SECRET
-  - src: "./file"
-  - id: "plainSecret"
-    value: "plainSecretValue"
-  - src: "~/secret_file_in_home"
-
----
-image: stapel-shell
-from: ubuntu:22.04
-git:
-  - add: /file
-    to: /file
-secrets:
-  - env: ENV_SECRET
-  - src: "./file"
-  - id: "plainSecret"
-    value: "plainSecretValue"
-  - src: "~/secret_file_in_home"
-shell:
-  setup:
-    - "touch /created-by-setup"
-    - '[ "$(cat /run/secrets/ENV_SECRET)" = "WERF_BUILD_SECRET" ] || (echo 
"Env does not match the expected value" && exit 1)'
-    - 'grep -q "filecontent" /run/secrets/file || (echo "Src secret does not 
contain the expected content" && exit 1)'
-    - '[ "$(cat /run/secrets/plainSecret)" = "plainSecretValue" ] || (echo 
"PlainSecret does not match the expected value" && exit 1)'
-    - 'grep -q "secret" /run/secrets/secret_file_in_home || (echo "Src secret 
does not contain the expected content" && exit 1)'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/test/e2e/build/simple_test.go 
new/werf-2.35.4/test/e2e/build/simple_test.go
--- old/werf-2.35.1/test/e2e/build/simple_test.go       2025-04-10 
10:36:10.000000000 +0200
+++ new/werf-2.35.4/test/e2e/build/simple_test.go       2025-04-16 
13:51:13.000000000 +0200
@@ -1,8 +1,6 @@
 package e2e_build_test
 
 import (
-       "fmt"
-
        . "github.com/onsi/ginkgo/v2"
        . "github.com/onsi/gomega"
 
@@ -26,28 +24,28 @@
                                Fail(err.Error())
                        }
 
-                       By(fmt.Sprintf("%s: starting", testOpts.State))
+                       By("state0: starting")
                        {
                                repoDirname := "repo0"
-                               fixtureRelPath := fmt.Sprintf("simple/%s", 
testOpts.State)
+                               fixtureRelPath := "simple/state0"
                                buildReportName := "report0.json"
 
-                               By(fmt.Sprintf("%s: preparing test repo", 
testOpts.State))
+                               By("state0: preparing test repo")
                                SuiteData.InitTestRepo(repoDirname, 
fixtureRelPath)
 
-                               By(fmt.Sprintf("%s: building images", 
testOpts.State))
+                               By("state0: building images")
                                werfProject := 
werf.NewProject(SuiteData.WerfBinPath, SuiteData.GetTestRepoPath(repoDirname))
                                buildOut, buildReport := 
werfProject.BuildWithReport(SuiteData.GetBuildReportPath(buildReportName), nil)
                                Expect(buildOut).To(ContainSubstring("Building 
stage"))
                                Expect(buildOut).NotTo(ContainSubstring("Use 
previously built image"))
 
-                               By(fmt.Sprintf("%s: rebuilding same images", 
testOpts.State))
+                               By("state0: rebuilding same images")
                                Expect(werfProject.Build(nil)).To(And(
                                        ContainSubstring("Use previously built 
image"),
                                        Not(ContainSubstring("Building stage")),
                                ))
 
-                               By(fmt.Sprintf(`%s: checking "dockerfile" image 
content`, testOpts.State))
+                               By(`state0: checking "dockerfile" image 
content`)
                                contRuntime.ExpectCmdsToSucceed(
                                        
buildReport.Images["dockerfile"].DockerImageName,
                                        "test -f /file",
@@ -56,7 +54,7 @@
                                        "test -f /created-by-run",
                                )
 
-                               By(fmt.Sprintf(`%s: checking "stapel-shell" 
image content`, testOpts.State))
+                               By(`state0: checking "stapel-shell" image 
content`)
                                contRuntime.ExpectCmdsToSucceed(
                                        
buildReport.Images["stapel-shell"].DockerImageName,
                                        "test -f /file",
@@ -71,37 +69,31 @@
                        ContainerBackendMode:        "vanilla-docker",
                        WithLocalRepo:               false,
                        WithStagedDockerfileBuilder: false,
-                       State:                       "state0",
                }}),
                Entry("with local repo using Vanilla Docker", 
simpleTestOptions{setupEnvOptions{
                        ContainerBackendMode:        "vanilla-docker",
                        WithLocalRepo:               true,
                        WithStagedDockerfileBuilder: false,
-                       State:                       "state0",
                }}),
                Entry("without repo using BuildKit Docker", 
simpleTestOptions{setupEnvOptions{
                        ContainerBackendMode:        "buildkit-docker",
                        WithLocalRepo:               false,
                        WithStagedDockerfileBuilder: false,
-                       State:                       "state1",
                }}),
                Entry("with local repo using BuildKit Docker", 
simpleTestOptions{setupEnvOptions{
                        ContainerBackendMode:        "buildkit-docker",
                        WithLocalRepo:               true,
                        WithStagedDockerfileBuilder: false,
-                       State:                       "state1",
                }}),
                Entry("with local repo using Native Buildah with rootless 
isolation", simpleTestOptions{setupEnvOptions{
                        ContainerBackendMode:        "native-rootless",
                        WithLocalRepo:               true,
                        WithStagedDockerfileBuilder: false,
-                       State:                       "state0", // 
TODO(iapershin): change after buildah version upgrade
                }}),
                Entry("with local repo using Native Buildah with chroot 
isolation", simpleTestOptions{setupEnvOptions{
                        ContainerBackendMode:        "native-chroot",
                        WithLocalRepo:               true,
                        WithStagedDockerfileBuilder: false,
-                       State:                       "state1",
                }}),
                // TODO(ilya-lesikov): uncomment after Staged Dockerfile 
builder finished
                // // TODO(1.3): after Full Dockerfile Builder removed and 
Staged Dockerfile Builder enabled by default this test no longer needed
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/werf-2.35.1/trdl_channels.yaml 
new/werf-2.35.4/trdl_channels.yaml
--- old/werf-2.35.1/trdl_channels.yaml  2025-04-10 10:36:10.000000000 +0200
+++ new/werf-2.35.4/trdl_channels.yaml  2025-04-16 13:51:13.000000000 +0200
@@ -38,11 +38,11 @@
   - name: "2"
     channels:
       - name: alpha
-        version: 2.35.0
+        version: 2.35.1
       - name: beta
-        version: 2.35.0
+        version: 2.35.1
       - name: ea
-        version: 2.35.0
+        version: 2.35.1
       - name: stable
         version: 2.31.1
       - name: rock-solid

++++++ werf.obsinfo ++++++
--- /var/tmp/diff_new_pack.FvlSIC/_old  2025-04-20 20:12:07.975589199 +0200
+++ /var/tmp/diff_new_pack.FvlSIC/_new  2025-04-20 20:12:07.975589199 +0200
@@ -1,5 +1,5 @@
 name: werf
-version: 2.35.1
-mtime: 1744274170
-commit: efb923c6e24496f497418e529a06f72339f226cd
+version: 2.35.4
+mtime: 1744804273
+commit: a878391d9331ee5583e43fbd2ca96a6c5ed67182
 

Reply via email to