Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package werf for openSUSE:Factory checked in at 2025-04-17 16:08:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/werf (Old)
 and      /work/SRC/openSUSE:Factory/.werf.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "werf" Thu Apr 17 16:08:58 2025 rev:45 rq:1270105 version:2.35.4 Changes: -------- --- /work/SRC/openSUSE:Factory/werf/werf.changes 2025-04-11 16:47:13.120333209 +0200 +++ /work/SRC/openSUSE:Factory/.werf.new.30101/werf.changes 2025-04-20 20:12:05.443483195 +0200 
@@ -1,0 +2,39 @@ +Wed Apr 16 18:01:22 UTC 2025 - Johannes Kastl <opensuse_buildserv...@ojkastl.de> + +- Update to version 2.35.4: + * chore: release 2.35.4 + * chore(release): release v2.35.4 + * Revert "chore: update Nelm module" + * Revert "fix(deploy): possible panic in tracking Flux Canary + resource" + * Revert "fix(deploy): allow `werf.io/sensitive: false` for + Secrets" + * Revert "fix(deploy): default kubeconfig not used" + * chore(channels): revert alpha + +------------------------------------------------------------------- +Wed Apr 16 17:59:20 UTC 2025 - Johannes Kastl <opensuse_buildserv...@ojkastl.de> + +- Update to version 2.35.3: + * fix(deploy): default kubeconfig not used + +------------------------------------------------------------------- +Wed Apr 16 17:51:05 UTC 2025 - Johannes Kastl <opensuse_buildserv...@ojkastl.de> + +- Update to version 2.35.2: + * chore: release 2.35.2 + * docs(build, secrets): update example + * test(build, secrets): remove from e2e simple test + * fix(build, secrets): fix secrets validation error when + rendering config + * fix(deploy): allow `werf.io/sensitive: false` for Secrets + * fix(deploy): possible panic in tracking Flux Canary resource + * chore: task format + * fix(build, imageSpec): invalidate cache (breaking changes) + * fix(build, imageSpec): keep essential werf-stage-content-digest + label + * chore: update Nelm module + * refactor(cleanup): update logging message + * chore(release): 2 alpha,beta,ea + +------------------------------------------------------------------- Old: ---- werf-2.35.1.obscpio New: ---- werf-2.35.4.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ werf.spec ++++++ --- /var/tmp/diff_new_pack.FvlSIC/_old 2025-04-20 20:12:06.543529248 +0200 +++ /var/tmp/diff_new_pack.FvlSIC/_new 2025-04-20 20:12:06.547529415 +0200 
@@ -17,7 +17,7 @@ Name: werf -Version: 2.35.1 +Version: 2.35.4 Release: 0 Summary: CLI for the Werf CI/CD system License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.FvlSIC/_old 2025-04-20 20:12:06.583530922 +0200 +++ /var/tmp/diff_new_pack.FvlSIC/_new 2025-04-20 20:12:06.587531090 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/werf/werf</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v2.35.1</param> + <param name="revision">v2.35.4</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.FvlSIC/_old 2025-04-20 20:12:06.611532094 +0200 +++ /var/tmp/diff_new_pack.FvlSIC/_new 2025-04-20 20:12:06.611532094 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/werf/werf</param> - <param name="changesrevision">efb923c6e24496f497418e529a06f72339f226cd</param></service></servicedata> + <param name="changesrevision">a878391d9331ee5583e43fbd2ca96a6c5ed67182</param></service></servicedata> (No newline at EOF) ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/werf/vendor.tar.gz /work/SRC/openSUSE:Factory/.werf.new.30101/vendor.tar.gz differ: char 5, line 1 ++++++ werf-2.35.1.obscpio -> werf-2.35.4.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/CHANGELOG.md new/werf-2.35.4/CHANGELOG.md --- old/werf-2.35.1/CHANGELOG.md 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/CHANGELOG.md 2025-04-16 13:51:13.000000000 +0200 
@@ -1,5 +1,30 @@ # Changelog +### [2.35.4](https://www.github.com/werf/werf/compare/v2.35.3...v2.35.4) (2025-04-16) + + +### Miscellaneous Chores + +* **release:** release v2.35.4 ([336b284](https://www.github.com/werf/werf/commit/336b284a023a151eaf769d7e2781d4a051220a6e)) + +### [2.35.3](https://www.github.com/werf/werf/compare/v2.35.2...v2.35.3) (2025-04-16) + + +### Bug Fixes + +* **deploy:** default kubeconfig not used ([cbf9f55](https://www.github.com/werf/werf/commit/cbf9f55bd14f60ece0b6c39f611cb14814117479)) + +### [2.35.2](https://www.github.com/werf/werf/compare/v2.35.1...v2.35.2) (2025-04-14) + + +### Bug Fixes + +* **build, imageSpec:** invalidate cache (breaking changes) ([c827491](https://www.github.com/werf/werf/commit/c827491bb77fc410da7591eeac295dd186ccd46a)) +* **build, imageSpec:** keep essential werf-stage-content-digest label ([73fcd70](https://www.github.com/werf/werf/commit/73fcd70ba3291ae1f20a79ac8c3eb6b3b944f466)) +* **build, secrets:** fix secrets validation error when rendering config ([94b4333](https://www.github.com/werf/werf/commit/94b433383cc042d6326cd0c95025300477b8959e)) +* **deploy:** allow `werf.io/sensitive: false` for Secrets ([9d4fcec](https://www.github.com/werf/werf/commit/9d4fcec4a87b56eedf26d042cb30877ceb72a86b)) +* **deploy:** possible panic in tracking Flux Canary resource ([047fb12](https://www.github.com/werf/werf/commit/047fb12f920b5063cde54daefd4255b1b8c1378e)) + ### [2.35.1](https://www.github.com/werf/werf/compare/v2.35.0...v2.35.1) (2025-04-10) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/docs/pages_en/usage/build/images.md new/werf-2.35.4/docs/pages_en/usage/build/images.md --- old/werf-2.35.1/docs/pages_en/usage/build/images.md 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/docs/pages_en/usage/build/images.md 2025-04-16 13:51:13.000000000 +0200 
@@ -165,6 +165,7 @@ secrets: allowEnvVariables: - "AWS_ACCESS_KEY_ID" + - "AWS_SECRET_ACCESS_KEY" allowFiles: - "~/.aws/credentials" allowValueIds: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/docs/pages_en/usage/build/stapel/instructions.md new/werf-2.35.4/docs/pages_en/usage/build/stapel/instructions.md --- old/werf-2.35.1/docs/pages_en/usage/build/stapel/instructions.md 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/docs/pages_en/usage/build/stapel/instructions.md 2025-04-16 13:51:13.000000000 +0200 @@ -373,6 +373,7 @@ secrets: allowEnvVariables: - "AWS_ACCESS_KEY_ID" + - "AWS_SECRET_ACCESS_KEY" allowFiles: - "~/.aws/credentials" allowValueIds: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/docs/pages_en/usage/deploy/charts.md new/werf-2.35.4/docs/pages_en/usage/deploy/charts.md --- old/werf-2.35.1/docs/pages_en/usage/deploy/charts.md 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/docs/pages_en/usage/deploy/charts.md 2025-04-16 13:51:13.000000000 +0200 @@ -205,7 +205,7 @@ - name: backend ``` -If you want to connect multiple dependent charts with the same name or connect the same dependent chart several times, use the parent chart's `dependencies[].alias' directive to add alias for the charts to be included, for example: +If you want to connect multiple dependent charts with the same name or connect the same dependent chart several times, use the parent chart's `dependencies[].alias` directive to add alias for the charts to be included, for example: ```yaml # .helm/Chart.yaml: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/go.mod new/werf-2.35.4/go.mod --- old/werf-2.35.1/go.mod 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/go.mod 2025-04-16 13:51:13.000000000 +0200 
@@ -273,7 +273,7 @@ github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.15 // indirect github.com/mattn/go-shellwords v1.0.12 // indirect - github.com/mattn/go-sqlite3 v1.14.22 // indirect + github.com/mattn/go-sqlite3 v2.0.1+incompatible // indirect github.com/miekg/pkcs11 v1.1.1 // indirect github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/go.sum new/werf-2.35.4/go.sum --- old/werf-2.35.1/go.sum 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/go.sum 2025-04-16 13:51:13.000000000 +0200 @@ -951,8 +951,8 @@ github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/mattn/go-sqlite3 v1.14.7/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= -github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= -github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/mattn/go-sqlite3 v2.0.1+incompatible h1:xQ15muvnzGBHpIpdrNi1DA5x0+TcBZzsIDwmw9uTHzw= +github.com/mattn/go-sqlite3 v2.0.1+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= github.com/mattn/go-zglob v0.0.6 h1:mP8RnmCgho4oaUYDIDn6GNxYk+qJGUs8fJLn+twYj2A= github.com/mattn/go-zglob v0.0.6/go.mod h1:MxxjyoXXnMxfIpxTK2GAkw1w8glPsQILx3N5wrKakiY= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/build/build_phase.go new/werf-2.35.4/pkg/build/build_phase.go --- old/werf-2.35.1/pkg/build/build_phase.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/build/build_phase.go 2025-04-16 13:51:13.000000000 +0200 
@@ -860,8 +860,6 @@ contentDigest, exist := stageDescCopy.Info.Labels[imagePkg.WerfStageContentDigestLabel] if exist { stg.SetContentDigest(contentDigest) - } else if stg.Name() == stage.ImageSpec { // The content digest tag might be missing for the imageSpec stage (removed by the user). - stg.SetContentDigest(stageDescCopy.Info.GetDigest()) } else { panic(fmt.Sprintf("expected stage %q content digest label to be set!", stg.Name())) } @@ -983,8 +981,6 @@ contentDigest, exist := stageDesc.Info.Labels[imagePkg.WerfStageContentDigestLabel] if exist { stageContentSig = contentDigest - } else if stg.Name() == stage.ImageSpec { // The content digest tag might be missing for the imageSpec stage (removed by the user). - stageContentSig = stageDesc.Info.GetDigest() } else { panic(fmt.Sprintf("expected stage %q content digest label to be set!", stg.Name())) } @@ -1188,8 +1184,6 @@ contentDigest, exist := stageDesc.Info.Labels[imagePkg.WerfStageContentDigestLabel] if exist { stg.SetContentDigest(contentDigest) - } else if stg.Name() == stage.ImageSpec { // The content digest tag might be missing for the imageSpec stage (removed by the user). - stg.SetContentDigest(stageDesc.Info.GetDigest()) } else { panic(fmt.Sprintf("expected stage %q content digest label to be set!", stg.Name())) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/build/builder/ansible.go new/werf-2.35.4/pkg/build/builder/ansible.go --- old/werf-2.35.1/pkg/build/builder/ansible.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/build/builder/ansible.go 2025-04-16 13:51:13.000000000 +0200 @@ -16,6 +16,7 @@ "github.com/werf/common-go/pkg/util" "github.com/werf/logboek" + "github.com/werf/werf/v2/pkg/build/secrets" "github.com/werf/werf/v2/pkg/config" "github.com/werf/werf/v2/pkg/container_backend" "github.com/werf/werf/v2/pkg/container_backend/stage_builder" 
@@ -247,7 +248,7 @@ func (b *Ansible) addBuildSecretsVolumes(stageHostTmpDir string, fn func(string)) error { for _, s := range b.secrets { - secretPath, err := s.GetMountPath(stageHostTmpDir) + secretPath, err := secrets.GetMountPath(s, stageHostTmpDir) if err != nil { return err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/build/builder/shell.go new/werf-2.35.4/pkg/build/builder/shell.go --- old/werf-2.35.1/pkg/build/builder/shell.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/build/builder/shell.go 2025-04-16 13:51:13.000000000 +0200 @@ -11,6 +11,7 @@ "github.com/werf/common-go/pkg/util" "github.com/werf/logboek" + "github.com/werf/werf/v2/pkg/build/secrets" "github.com/werf/werf/v2/pkg/config" "github.com/werf/werf/v2/pkg/container_backend" "github.com/werf/werf/v2/pkg/container_backend/stage_builder" @@ -200,7 +201,7 @@ func (b *Shell) addBuildSecretsVolumes(stageHostTmpDir string, fn func(string)) error { for _, s := range b.secrets { - secretPath, err := s.GetMountPath(stageHostTmpDir) + secretPath, err := secrets.GetMountPath(s, stageHostTmpDir) if err != nil { return err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/build/image/dockerfile.go new/werf-2.35.4/pkg/build/image/dockerfile.go --- old/werf-2.35.1/pkg/build/image/dockerfile.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/build/image/dockerfile.go 2025-04-16 13:51:13.000000000 +0200 @@ -13,6 +13,7 @@ "github.com/werf/common-go/pkg/util" "github.com/werf/logboek" + "github.com/werf/werf/v2/pkg/build/secrets" "github.com/werf/werf/v2/pkg/build/stage" stage_instruction "github.com/werf/werf/v2/pkg/build/stage/instruction" "github.com/werf/werf/v2/pkg/config" 
@@ -86,6 +87,15 @@ }{WerfImageName: werfImageName, Stage: stage, Level: level}) } + buildSecrets := make([]string, 0, len(dockerfileImageConfig.Secrets)) + for _, s := range dockerfileImageConfig.Secrets { + secret, err := secrets.GetSecretStringArg(s) + if err != nil { + return nil, fmt.Errorf("unable to get build secrets: %w", err) + } + buildSecrets = append(buildSecrets, secret) + } + for len(queue) > 0 { item := queue[0] queue = queue[1:] @@ -219,7 +229,7 @@ case *dockerfile.DockerfileStageInstruction[*instructions.OnbuildCommand]: stg = stage_instruction.NewOnBuild(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions) case *dockerfile.DockerfileStageInstruction[*instructions.RunCommand]: - stg = stage_instruction.NewRun(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions, dockerfileImageConfig.Secrets, dockerfileImageConfig.SSH) + stg = stage_instruction.NewRun(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions, buildSecrets, dockerfileImageConfig.SSH) case *dockerfile.DockerfileStageInstruction[*instructions.ShellCommand]: stg = stage_instruction.NewShell(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions) case *dockerfile.DockerfileStageInstruction[*instructions.StopSignalCommand]: @@ -320,6 +330,15 @@ ProjectName: opts.ProjectName, } + buildSecrets := make([]string, 0, len(dockerfileImageConfig.Secrets)) + for _, s := range dockerfileImageConfig.Secrets { + secret, err := secrets.GetSecretStringArg(s) + if err != nil { + return nil, fmt.Errorf("unable to get build secrets: %w", err) + } + buildSecrets = append(buildSecrets, secret) + } + imageCacheVersion := option.ValueOrDefault(dockerfileImageConfig.CacheVersion(), metaConfig.Build.CacheVersion) dockerfileStage := stage.GenerateFullDockerfileStage(stage.NewDockerRunArgs( 
@@ -332,7 +351,7 @@ dockerfileImageConfig.AddHost, dockerfileImageConfig.Network, dockerfileImageConfig.SSH, - dockerfileImageConfig.Secrets, + buildSecrets, ), ds, stage.NewContextChecksum(dockerIgnorePathMatcher), baseStageOptions, dockerfileImageConfig.Dependencies, imageCacheVersion) img.stages = append(img.stages, dockerfileStage) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/build/secrets/build_secrets.go new/werf-2.35.4/pkg/build/secrets/build_secrets.go --- old/werf-2.35.1/pkg/build/secrets/build_secrets.go 1970-01-01 01:00:00.000000000 +0100 +++ new/werf-2.35.4/pkg/build/secrets/build_secrets.go 2025-04-16 13:51:13.000000000 +0200 
@@ -0,0 +1,155 @@ +package secrets + +import ( + "fmt" + "math" + "math/rand/v2" + "os" + + "github.com/werf/common-go/pkg/util" + "github.com/werf/werf/v2/pkg/config" +) + +type SecretFromEnv struct { + Id string + Value string +} + +type SecretFromSrc struct { + Id string + Value string +} + +type SecretFromPlainValue struct { + Id string + Value string +} + +type Secret interface { + GetSecretStringArg() (string, error) + GetMountPath(stageHostTmpDir string) (string, error) +} + +func GetSecretStringArg(secret config.Secret) (string, error) { + s, err := parseSecret(secret) + if err != nil { + return "", fmt.Errorf("error parsing secrets: %w", err) + } + return s.GetSecretStringArg() +} + +func (s *SecretFromEnv) GetSecretStringArg() (string, error) { + return fmt.Sprintf("id=%s,env=%s", s.Id, s.Value), nil +} + +func (s *SecretFromSrc) GetSecretStringArg() (string, error) { + return fmt.Sprintf("id=%s,src=%s", s.Id, s.Value), nil +} + +func (s *SecretFromPlainValue) GetSecretStringArg() (string, error) { + secret, err := s.setPlainValueAsEnv() + if err != nil { + return "", err + } + return secret.GetSecretStringArg() +} + +func (s *SecretFromPlainValue) setPlainValueAsEnv() (*SecretFromEnv, error) { + envKey := fmt.Sprintf("tmpbuild%d_%s", rand.IntN(math.MaxInt32), s.Id) // generate unique value + if _, e := os.LookupEnv(envKey); e { + return nil, fmt.Errorf("can't set secret %s: id is not unique", s.Id) // should never be here + } + + err := os.Setenv(envKey, s.Value) + if err != nil { + return nil, fmt.Errorf("can't set value") + } + + return &SecretFromEnv{ + Id: s.Id, + Value: envKey, + }, nil +} + +func GetMountPath(secret config.Secret, stageHostTmpDir string) (string, error) { + s, err := parseSecret(secret) + if err != nil { + return "", fmt.Errorf("unable to get secret mount path: %w", err) + } + return s.GetMountPath(stageHostTmpDir) +} + +func parseSecret(secret config.Secret) (Secret, error) { + if secret.ValueFromEnv != "" { + return 
newSecretFromEnv(secret) + } else if secret.ValueFromSrc != "" { + return newSecretFromSrc(secret) + } else if secret.ValueFromPlain != "" { + return newSecretFromPlainValue(secret) + } + return nil, fmt.Errorf("unknown secret type") +} + +func newSecretFromEnv(s config.Secret) (*SecretFromEnv, error) { + if _, exists := os.LookupEnv(s.ValueFromEnv); !exists { + return nil, fmt.Errorf("specified env variable `%s` is not set", s.ValueFromEnv) + } + return &SecretFromEnv{Id: s.Id, Value: s.ValueFromEnv}, nil +} + +func newSecretFromSrc(s config.Secret) (*SecretFromSrc, error) { + absPath, err := util.ExpandPath(s.ValueFromSrc) + if err != nil { + return nil, fmt.Errorf("error load secret from src: %w", err) + } + + if exists, _ := util.FileExists(absPath); !exists { + return nil, fmt.Errorf("error load secret from src: path %s doesn't exist", absPath) + } + return &SecretFromSrc{Id: s.Id, Value: absPath}, nil +} + +func newSecretFromPlainValue(s config.Secret) (*SecretFromPlainValue, error) { + return &SecretFromPlainValue{Id: s.Id, Value: s.ValueFromPlain}, nil +} + +func (s *SecretFromEnv) GetMountPath(stageHostTmpDir string) (string, error) { + data := []byte(os.Getenv(s.Value)) + return getMountPath(s.Id, stageHostTmpDir, data) +} + +func (s *SecretFromSrc) GetMountPath(stageHostTmpDir string) (string, error) { + return generateMountPath(s.Id, s.Value), nil +} + +func (s *SecretFromPlainValue) GetMountPath(stageHostTmpDir string) (string, error) { + return getMountPath(s.Id, stageHostTmpDir, []byte(s.Value)) +} + +func getMountPath(secretId, stageHostTmpDir string, data []byte) (string, error) { + tmpFile, err := writeToTmpFile(stageHostTmpDir, data) + if err != nil { + return "", fmt.Errorf("unable to mount secret: %w", err) + } + return generateMountPath(secretId, tmpFile), nil +} + +func writeToTmpFile(stageHostTmpDir string, data []byte) (string, error) { + tmpFile, err := os.CreateTemp(stageHostTmpDir, "stapel*") + if err != nil { + return "", err + } + + 
tmpFilePath := tmpFile.Name() + + if err := os.WriteFile(tmpFilePath, data, 0o400); err != nil { + return "", err + } + + return tmpFilePath, nil +} + +func generateMountPath(id, filepath string) string { + containerPath := fmt.Sprintf("/run/secrets/%s", id) + return fmt.Sprintf("%s:%s:ro", filepath, containerPath) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/build/stage/image_spec.go new/werf-2.35.4/pkg/build/stage/image_spec.go --- old/werf-2.35.1/pkg/build/stage/image_spec.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/build/stage/image_spec.go 2025-04-16 13:51:13.000000000 +0200 @@ -22,7 +22,7 @@ labelTemplateImage = "image" labelTemplateProject = "project" labelTemplateDelimiter = "%" - werfLabelsGlobalWarning = `The "werf" and "werf-parent-stage-id" labels cannot be removed within the imageSpec stage, as they are essential for the proper operation of host and container registry cleanup. + werfLabelsGlobalWarning = `The "werf", "werf-stage-content-digest" and "werf.io/parent-stage-id" labels cannot be removed within the imageSpec stage, as they are essential for the proper operation of host and container registry cleanup. If you need to remove all werf labels, use the werf export command. By default, this command removes all werf labels and fully detaches images from werf control, transferring host and container registry cleanup entirely to the user. 
@@ -111,44 +111,34 @@ return nil } -const imageSpecStageCacheVersion = "2" - func (s *ImageSpecStage) GetDependencies(_ context.Context, _ Conveyor, _ container_backend.ContainerBackend, _, _ *StageImage, _ container_backend.BuildContextArchiver) (string, error) { var args []string - args = append(args, imageSpecStageCacheVersion) + // imageSpec args = append(args, s.imageSpec.Author) args = append(args, fmt.Sprint(s.imageSpec.ClearHistory)) - args = append(args, fmt.Sprint(s.imageSpec.ClearWerfLabels)) - args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveLabels)...) - args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveVolumes)...) - args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveEnv)...) - - args = append(args, sortSliceWithNewSlice(s.imageSpec.Volumes)...) - args = append(args, mapToSortedArgs(s.imageSpec.Labels)...) + // imageSpec.config + args = append(args, strings.Join(s.imageSpec.Cmd, " ")) + args = append(args, strings.Join(s.imageSpec.Entrypoint, " ")) args = append(args, mapToSortedArgs(s.imageSpec.Env)...) args = append(args, sortSliceWithNewSlice(s.imageSpec.Expose)...) + args = append(args, fmt.Sprint(s.imageSpec.Healthcheck)) + args = append(args, mapToSortedArgs(s.imageSpec.Labels)...) + args = append(args, s.imageSpec.StopSignal) args = append(args, s.imageSpec.User) - args = append(args, strings.Join(s.imageSpec.Cmd, " ")) - args = append(args, fmt.Sprint(s.imageSpec.ClearCmd)) - args = append(args, strings.Join(s.imageSpec.Entrypoint, " ")) - args = append(args, fmt.Sprint(s.imageSpec.ClearEntrypoint)) + args = append(args, sortSliceWithNewSlice(s.imageSpec.Volumes)...) 
args = append(args, s.imageSpec.WorkingDir) - args = append(args, s.imageSpec.StopSignal) - args = append(args, fmt.Sprint(s.imageSpec.Healthcheck)) - - if s.imageSpec.ClearUser { - args = append(args, fmt.Sprint(s.imageSpec.ClearUser)) - } - if s.imageSpec.ClearWorkingDir { - args = append(args, fmt.Sprint(s.imageSpec.ClearWorkingDir)) - } + args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveLabels)...) + args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveVolumes)...) + args = append(args, sortSliceWithNewSlice(s.imageSpec.RemoveEnv)...) + args = append(args, fmt.Sprint(s.imageSpec.KeepEssentialWerfLabels)) - if s.imageSpec.KeepEssentialWerfLabels { - args = append(args, fmt.Sprint(s.imageSpec.KeepEssentialWerfLabels)) - } + args = append(args, fmt.Sprint(s.imageSpec.ClearCmd)) + args = append(args, fmt.Sprint(s.imageSpec.ClearEntrypoint)) + args = append(args, fmt.Sprint(s.imageSpec.ClearUser)) + args = append(args, fmt.Sprint(s.imageSpec.ClearWorkingDir)) return util.Sha256Hash(args...), nil } @@ -207,7 +197,7 @@ continue } - if key == image.WerfLabel || key == image.WerfParentStageID { + if key == image.WerfLabel || key == image.WerfParentStageID || key == image.WerfStageContentDigestLabel { if !keepEssentialWerfLabels { shouldPrintGlobalWarn = true } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/cleaning/cleanup.go new/werf-2.35.4/pkg/cleaning/cleanup.go --- old/werf-2.35.1/pkg/cleaning/cleanup.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/cleaning/cleanup.go 2025-04-16 13:51:13.000000000 +0200 
@@ -813,7 +813,7 @@ // skip kept stages and their relatives. { - logboek.Context(ctx).Default().LogProcess("Skipping relative stages for protected stages").Do(func() { + logboek.Context(ctx).Default().LogProcess("Processing relative stages for saved stages").Do(func() { handledStageDescSet := image.NewStageDescSet() for protectionReason, stageDescToKeepSet := range m.stageManager.GetProtectedStageDescSetByReason() { // Git history based policy keeps import sources more effectively, other policies do not keep them. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/config/image_from_dockerfile.go new/werf-2.35.4/pkg/config/image_from_dockerfile.go --- old/werf-2.35.1/pkg/config/image_from_dockerfile.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/config/image_from_dockerfile.go 2025-04-16 13:51:13.000000000 +0200 @@ -20,7 +20,7 @@ SSH string Dependencies []*Dependency Staged bool - Secrets []string + Secrets []Secret ImageSpec *ImageSpec cacheVersion string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/config/raw_image_from_dockerfile.go new/werf-2.35.4/pkg/config/raw_image_from_dockerfile.go --- old/werf-2.35.1/pkg/config/raw_image_from_dockerfile.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/config/raw_image_from_dockerfile.go 2025-04-16 13:51:13.000000000 +0200 
@@ -145,16 +145,7 @@ return nil, err } - secretsArgs := make([]string, 0, len(secrets)) - for _, s := range secrets { - secret, err := s.GetSecretStringArg() - if err != nil { - return nil, err - } - secretsArgs = append(secretsArgs, secret) - } - - image.Secrets = secretsArgs + image.Secrets = secrets if c.RawImageSpec != nil { image.ImageSpec = c.RawImageSpec.toDirective() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/config/raw_image_from_dockerfile_test.go new/werf-2.35.4/pkg/config/raw_image_from_dockerfile_test.go --- old/werf-2.35.1/pkg/config/raw_image_from_dockerfile_test.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/config/raw_image_from_dockerfile_test.go 2025-04-16 13:51:13.000000000 +0200 @@ -53,7 +53,7 @@ Name: "image1", ContextAddFiles: []string{}, AddHost: []string{}, - Secrets: []string{}, + Secrets: []Secret{}, cacheVersion: "docker-cache-version", platform: []string{}, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/config/raw_secrets.go new/werf-2.35.4/pkg/config/raw_secrets.go --- old/werf-2.35.1/pkg/config/raw_secrets.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/config/raw_secrets.go 2025-04-16 13:51:13.000000000 +0200 @@ -59,6 +59,6 @@ case s.PlainValue != "": return newSecretFromPlainValue(s) default: - return nil, newDetailedConfigError("secret should be defined as `env`, `src` or `value`", s, s.parent.getDoc()) + return Secret{}, newDetailedConfigError("secret should be defined as `env`, `src` or `value`", s, s.parent.getDoc()) } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/config/secrets.go new/werf-2.35.4/pkg/config/secrets.go --- old/werf-2.35.1/pkg/config/secrets.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/config/secrets.go 2025-04-16 13:51:13.000000000 +0200 
@@ -2,135 +2,57 @@ import ( "fmt" - "math" - "math/rand/v2" - "os" "path/filepath" - "github.com/werf/common-go/pkg/util" - "github.com/werf/kubedog/pkg/utils" "github.com/werf/werf/v2/pkg/giterminism_manager" ) -type Secret interface { - GetSecretStringArg() (string, error) - GetSecretId() string - InspectByGiterminism(giterminismManager giterminism_manager.Interface) error - GetMountPath(stageHostTmpDir string) (string, error) +type Secret struct { + Id string + ValueFromEnv string + ValueFromSrc string + ValueFromPlain string } -type SecretFromEnv struct { - Id string - Value string -} - -type SecretFromSrc struct { - Id string - Value string -} - -type SecretFromPlainValue struct { - Id string - Value string -} - -func newSecretFromEnv(s *rawSecret) (*SecretFromEnv, error) { - if _, exists := os.LookupEnv(s.Env); !exists { - return nil, fmt.Errorf("specified env variable `%s` doesn't exist", s.Env) - } +func newSecretFromEnv(s *rawSecret) (Secret, error) { if s.Id == "" { s.Id = s.Env } - return &SecretFromEnv{ - Id: s.Id, - Value: s.Env, + return Secret{ + Id: s.Id, + ValueFromEnv: s.Env, }, nil } -func newSecretFromSrc(s *rawSecret) (*SecretFromSrc, error) { - absPath, err := util.ExpandPath(s.Src) - if err != nil { - return nil, fmt.Errorf("error load secret from src: %w", err) - } - - if exists, _ := utils.FileExists(absPath); !exists { - return nil, fmt.Errorf("error load secret from src: path %s doesn't exist", absPath) - } - +func newSecretFromSrc(s *rawSecret) (Secret, error) { if s.Id == "" { - s.Id = filepath.Base(absPath) + s.Id = filepath.Base(s.Src) } - return &SecretFromSrc{ - Id: s.Id, - Value: absPath, + return Secret{ + Id: s.Id, + ValueFromSrc: s.Src, }, nil } -func newSecretFromPlainValue(s *rawSecret) (*SecretFromPlainValue, error) { +func newSecretFromPlainValue(s *rawSecret) (Secret, error) { if s.Id == "" { - return nil, fmt.Errorf("type value should be used with id parameter") + return Secret{}, fmt.Errorf("type value should be used with 
id parameter") } - return &SecretFromPlainValue{ - Id: s.Id, - Value: s.PlainValue, + return Secret{ + Id: s.Id, + ValueFromPlain: s.PlainValue, }, nil } -func (s *SecretFromEnv) GetSecretStringArg() (string, error) { - return fmt.Sprintf("id=%s,env=%s", s.Id, s.Value), nil -} - -func (s *SecretFromSrc) GetSecretStringArg() (string, error) { - return fmt.Sprintf("id=%s,src=%s", s.Id, s.Value), nil -} - -func (s *SecretFromPlainValue) GetSecretStringArg() (string, error) { - secret, err := s.setPlainValueAsEnv() - if err != nil { - return "", err - } - return secret.GetSecretStringArg() -} - -func (s *SecretFromPlainValue) setPlainValueAsEnv() (*SecretFromEnv, error) { - envKey := fmt.Sprintf("tmpbuild%d_%s", rand.IntN(math.MaxInt32), s.Id) // generate unique value - if _, e := os.LookupEnv(envKey); e { - return nil, fmt.Errorf("can't set secret %s: id is not unique", s.Id) // should never be here - } - - err := os.Setenv(envKey, s.Value) - if err != nil { - return nil, fmt.Errorf("can't set value") +func inspectSecretByGiterminism(giterminismManager giterminism_manager.Interface, secret Secret) error { + if secret.ValueFromEnv != "" { + return giterminismManager.Inspector().InspectConfigSecretEnvAccepted(secret.ValueFromEnv) + } else if secret.ValueFromSrc != "" { + return giterminismManager.Inspector().InspectConfigSecretSrcAccepted(secret.ValueFromSrc) + } else if secret.ValueFromPlain != "" { + return giterminismManager.Inspector().InspectConfigSecretValueAccepted(secret.Id) } - - return &SecretFromEnv{ - Id: s.Id, - Value: envKey, - }, nil -} - -func (s *SecretFromEnv) GetSecretId() string { - return s.Id -} - -func (s *SecretFromSrc) GetSecretId() string { - return s.Id -} - -func (s *SecretFromPlainValue) GetSecretId() string { - return s.Id -} - -func (s *SecretFromEnv) InspectByGiterminism(giterminismManager giterminism_manager.Interface) error { - return giterminismManager.Inspector().InspectConfigSecretEnvAccepted(s.Value) -} - -func (s *SecretFromSrc) 
InspectByGiterminism(giterminismManager giterminism_manager.Interface) error { - return giterminismManager.Inspector().InspectConfigSecretSrcAccepted(s.Value) -} - -func (s *SecretFromPlainValue) InspectByGiterminism(giterminismManager giterminism_manager.Interface) error { - return giterminismManager.Inspector().InspectConfigSecretValueAccepted(s.Id) + return nil } func GetValidatedSecrets(rawSecrets []*rawSecret, giterminismManager giterminism_manager.Interface, doc *doc) ([]Secret, error) { @@ -143,14 +65,14 @@ return nil, newDetailedConfigError(fmt.Sprintf("unable to load build secrets: %s", err.Error()), s, s.parent.getDoc()) } - secretId := secret.GetSecretId() + secretId := secret.Id if _, ok := secretIds[secretId]; !ok { secretIds[secretId] = struct{}{} } else { return nil, newDetailedConfigError(fmt.Sprintf("duplicated secret %q", secretId), nil, s.parent.getDoc()) } - err = secret.InspectByGiterminism(giterminismManager) + err = inspectSecretByGiterminism(giterminismManager, secret) if err != nil { return nil, err } 
@@ -160,44 +82,3 @@ return secrets, nil } - -func (s *SecretFromEnv) GetMountPath(stageHostTmpDir string) (string, error) { - data := []byte(os.Getenv(s.Value)) - return getMountPath(s.Id, stageHostTmpDir, data) -} - -func (s *SecretFromSrc) GetMountPath(stageHostTmpDir string) (string, error) { - return generateMountPath(s.Id, s.Value), nil -} - -func (s *SecretFromPlainValue) GetMountPath(stageHostTmpDir string) (string, error) { - return getMountPath(s.Id, stageHostTmpDir, []byte(s.Value)) -} - -func getMountPath(secretId, stageHostTmpDir string, data []byte) (string, error) { - tmpFile, err := writeToTmpFile(stageHostTmpDir, data) - if err != nil { - return "", fmt.Errorf("unable to mount secret: %w", err) - } - return generateMountPath(secretId, tmpFile), nil -} - -func writeToTmpFile(stageHostTmpDir string, data []byte) (string, error) { - tmpFile, err := os.CreateTemp(stageHostTmpDir, "stapel*") - if err != nil { - return "", err - } - - tmpFilePath := tmpFile.Name() - - if err := os.WriteFile(tmpFilePath, data, 0o400); err != nil { - return "", err - } - - return tmpFilePath, nil -} - -func generateMountPath(id, filepath string) string { - containerPath := fmt.Sprintf("/run/secrets/%s", id) - return fmt.Sprintf("%s:%s:ro", filepath, containerPath) -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/pkg/giterminism_manager/config/config.go new/werf-2.35.4/pkg/giterminism_manager/config/config.go --- old/werf-2.35.1/pkg/giterminism_manager/config/config.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/pkg/giterminism_manager/config/config.go 2025-04-16 13:51:13.000000000 +0200 
@@ -235,7 +235,11 @@ } func (s *secrets) IsAllowSecretsFileAccepted(path string) bool { - return isAbsPathMatched(s.AllowFiles, path) + absPath, err := util.ExpandPath(path) + if err != nil { + return false + } + return isAbsPathMatched(s.AllowFiles, absPath) } func (s *secrets) IsValueIdAccepted(name string) bool { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/Dockerfile new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/Dockerfile --- old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/Dockerfile 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/Dockerfile 1970-01-01 01:00:00.000000000 +0100 @@ -1,17 +0,0 @@ -FROM ubuntu:22.04 - -RUN --mount=type=secret,id=ENV_SECRET \ - [ "$(cat /run/secrets/ENV_SECRET)" = "WERF_BUILD_SECRET" ] || (echo "Env does not match the expected value" && exit 1) - -RUN --mount=type=secret,id=file \ - grep -q "filecontent" /run/secrets/file || (echo "Src secret does not contain the expected content" && exit 1) - -RUN --mount=type=secret,id=plainSecret \ - [ "$(cat /run/secrets/plainSecret)" = "plainSecretValue" ] || (echo "PlainSecret does not match the expected value" && exit 1) - -RUN --mount=type=secret,id=secret_file_in_home \ - grep -q "secret" /run/secrets/secret_file_in_home || (echo "Src secret does not contain the expected content" && exit 1) - -COPY file /file - -RUN touch /created-by-run diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/file new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/file --- old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/file 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/file 1970-01-01 01:00:00.000000000 +0100 
@@ -1 +0,0 @@ -filecontent diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml --- old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml 1970-01-01 01:00:00.000000000 +0100 @@ -1,11 +0,0 @@ -giterminismConfigVersion: 1 - -config: - secrets: - allowEnvVariables: - - "ENV_SECRET" - allowFiles: - - "./file" - - "~/secret_file_in_home" - allowValueIds: - - plainSecret diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/werf.yaml new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/werf.yaml --- old/werf-2.35.1/test/e2e/build/_fixtures/simple/state1/werf.yaml 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/test/e2e/build/_fixtures/simple/state1/werf.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,32 +0,0 @@ -project: werf-test-e2e-build-simple -configVersion: 1 - ---- -image: dockerfile -dockerfile: Dockerfile -secrets: - - env: ENV_SECRET - - src: "./file" - - id: "plainSecret" - value: "plainSecretValue" - - src: "~/secret_file_in_home" - ---- -image: stapel-shell -from: ubuntu:22.04 -git: - - add: /file - to: /file -secrets: - - env: ENV_SECRET - - src: "./file" - - id: "plainSecret" - value: "plainSecretValue" - - src: "~/secret_file_in_home" -shell: - setup: - - "touch /created-by-setup" - - '[ "$(cat /run/secrets/ENV_SECRET)" = "WERF_BUILD_SECRET" ] || (echo "Env does not match the expected value" && exit 1)' - - 'grep -q "filecontent" /run/secrets/file || (echo "Src secret does not contain the expected content" && exit 1)' - - '[ "$(cat /run/secrets/plainSecret)" = "plainSecretValue" ] || (echo "PlainSecret does not match the expected value" && exit 1)' - - 'grep -q "secret" /run/secrets/secret_file_in_home || (echo "Src secret does not contain the expected content" && exit 1)' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/test/e2e/build/simple_test.go new/werf-2.35.4/test/e2e/build/simple_test.go --- old/werf-2.35.1/test/e2e/build/simple_test.go 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/test/e2e/build/simple_test.go 2025-04-16 13:51:13.000000000 +0200 @@ -1,8 +1,6 @@ package e2e_build_test import ( - "fmt" - . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" 
@@ -26,28 +24,28 @@ Fail(err.Error()) } - By(fmt.Sprintf("%s: starting", testOpts.State)) + By("state0: starting") { repoDirname := "repo0" - fixtureRelPath := fmt.Sprintf("simple/%s", testOpts.State) + fixtureRelPath := "simple/state0" buildReportName := "report0.json" - By(fmt.Sprintf("%s: preparing test repo", testOpts.State)) + By("state0: preparing test repo") SuiteData.InitTestRepo(repoDirname, fixtureRelPath) - By(fmt.Sprintf("%s: building images", testOpts.State)) + By("state0: building images") werfProject := werf.NewProject(SuiteData.WerfBinPath, SuiteData.GetTestRepoPath(repoDirname)) buildOut, buildReport := werfProject.BuildWithReport(SuiteData.GetBuildReportPath(buildReportName), nil) Expect(buildOut).To(ContainSubstring("Building stage")) Expect(buildOut).NotTo(ContainSubstring("Use previously built image")) - By(fmt.Sprintf("%s: rebuilding same images", testOpts.State)) + By("state0: rebuilding same images") Expect(werfProject.Build(nil)).To(And( ContainSubstring("Use previously built image"), Not(ContainSubstring("Building stage")), )) - By(fmt.Sprintf(`%s: checking "dockerfile" image content`, testOpts.State)) + By(`state0: checking "dockerfile" image content`) contRuntime.ExpectCmdsToSucceed( buildReport.Images["dockerfile"].DockerImageName, "test -f /file", @@ -56,7 +54,7 @@ "test -f /created-by-run", ) - By(fmt.Sprintf(`%s: checking "stapel-shell" image content`, testOpts.State)) + By(`state0: checking "stapel-shell" image content`) contRuntime.ExpectCmdsToSucceed( buildReport.Images["stapel-shell"].DockerImageName, "test -f /file", 
@@ -71,37 +69,31 @@ ContainerBackendMode: "vanilla-docker", WithLocalRepo: false, WithStagedDockerfileBuilder: false, - State: "state0", }}), Entry("with local repo using Vanilla Docker", simpleTestOptions{setupEnvOptions{ ContainerBackendMode: "vanilla-docker", WithLocalRepo: true, WithStagedDockerfileBuilder: false, - State: "state0", }}), Entry("without repo using BuildKit Docker", simpleTestOptions{setupEnvOptions{ ContainerBackendMode: "buildkit-docker", WithLocalRepo: false, WithStagedDockerfileBuilder: false, - State: "state1", }}), Entry("with local repo using BuildKit Docker", simpleTestOptions{setupEnvOptions{ ContainerBackendMode: "buildkit-docker", WithLocalRepo: true, WithStagedDockerfileBuilder: false, - State: "state1", }}), Entry("with local repo using Native Buildah with rootless isolation", simpleTestOptions{setupEnvOptions{ ContainerBackendMode: "native-rootless", WithLocalRepo: true, WithStagedDockerfileBuilder: false, - State: "state0", // TODO(iapershin): change after buildah version upgrade }}), Entry("with local repo using Native Buildah with chroot isolation", simpleTestOptions{setupEnvOptions{ ContainerBackendMode: "native-chroot", WithLocalRepo: true, WithStagedDockerfileBuilder: false, - State: "state1", }}), // TODO(ilya-lesikov): uncomment after Staged Dockerfile builder finished // // TODO(1.3): after Full Dockerfile Builder removed and Staged Dockerfile Builder enabled by default this test no longer needed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/werf-2.35.1/trdl_channels.yaml new/werf-2.35.4/trdl_channels.yaml --- old/werf-2.35.1/trdl_channels.yaml 2025-04-10 10:36:10.000000000 +0200 +++ new/werf-2.35.4/trdl_channels.yaml 2025-04-16 13:51:13.000000000 +0200 
@@ -38,11 +38,11 @@ - name: "2" channels: - name: alpha - version: 2.35.0 + version: 2.35.1 - name: beta - version: 2.35.0 + version: 2.35.1 - name: ea - version: 2.35.0 + version: 2.35.1 - name: stable version: 2.31.1 - name: rock-solid ++++++ werf.obsinfo ++++++ --- /var/tmp/diff_new_pack.FvlSIC/_old 2025-04-20 20:12:07.975589199 +0200 +++ /var/tmp/diff_new_pack.FvlSIC/_new 2025-04-20 20:12:07.975589199 +0200 @@ -1,5 +1,5 @@ name: werf -version: 2.35.1 -mtime: 1744274170 -commit: efb923c6e24496f497418e529a06f72339f226cd +version: 2.35.4 +mtime: 1744804273 +commit: a878391d9331ee5583e43fbd2ca96a6c5ed67182
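Review bot: `inspectSecretByGiterminism` in the `@@ -2,135 +2,57 @@` hunk fails open: when none of `ValueFromEnv`, `ValueFromSrc` or `ValueFromPlain` is non-empty it falls through to `return nil`, so a `Secret` whose selected field is an empty string is accepted by `GetValidatedSecrets` with no giterminism inspection at all. `newSecretFromPlainValue` only checks `s.Id`, so an entry with an id and an empty plain value would take that path if it reaches this constructor. The kind of secret is now inferred from which string happens to be non-empty instead of from its type; carrying an explicit kind field, or returning an error from the fall-through branch, would make the check fail closed. The same hunk drops the `os.LookupEnv` and `utils.FileExists` checks from the constructors, and `s.Id` now defaults to `filepath.Base(s.Src)` on the unexpanded path, so a comment stating where a missing env variable or missing file is reported after this change would help the next reader.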
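Review bot: The error from `util.ExpandPath(path)` is discarded in `IsAllowSecretsFileAccepted` (config.go, `@@ -235,7 +235,11 @@`) and the method returns `false`, so a failed expansion reaches the user as "path not listed in allowFiles" with the real cause lost. Denying on error is the right default for an allow-list check, but the expansion error should be logged or surfaced to the caller. Only the candidate path is expanded here; the hunk does not show whether the `AllowFiles` patterns handed to `isAbsPathMatched` are expanded the same way, which matters for entries like `~/secret_file_in_home` in the deleted fixture, so a unit test with a `~/` pattern and a `./` pattern would be worth adding next to this change.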
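Review bot: Secret mounts lose their e2e coverage in the `simple_test.go` hunks (`@@ -26,28 +24,28 @@` and `@@ -71,37 +69,31 @@`): every `Entry` now runs the hard-coded `simple/state0` fixture, and the deleted `state1` Dockerfile and `werf.yaml` held the assertions visible in this patch that `env`, `src` and `value` secrets arrive under `/run/secrets/<id>` with the expected content, including the `~/secret_file_in_home` source. The same patch rewrites secret construction and the giterminism path check, so that coverage should move to a dedicated secrets test instead of disappearing; if it already exists elsewhere, the commit message should say where. The `TODO(iapershin)` about the Buildah version upgrade is removed together with the `State: "state0"` line on the native-rootless entry, so that follow-up needs to be tracked somewhere else.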