Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apko for openSUSE:Factory checked in
at 2025-09-18 21:09:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apko (Old)
and /work/SRC/openSUSE:Factory/.apko.new.27445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apko"
Thu Sep 18 21:09:44 2025 rev:66 rq:1305647 version:0.30.11
Changes:
--------
--- /work/SRC/openSUSE:Factory/apko/apko.changes 2025-09-02
17:58:53.415930091 +0200
+++ /work/SRC/openSUSE:Factory/.apko.new.27445/apko.changes 2025-09-18
21:10:35.203217177 +0200
@@ -1,0 +2,52 @@
+Thu Sep 18 05:39:02 UTC 2025 - Johannes Kastl
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 0.30.11:
+ * build(deps): bump step-security/harden-runner from 2.13.0 to
+ 2.13.1 (#1855)
+ * build(deps): bump google.golang.org/api from 0.248.0 to 0.249.0
+ (#1850)
+ * build(deps): bump k8s.io/apimachinery from 0.34.0 to 0.34.1
+ (#1854)
+ * build(deps): bump github/codeql-action from 3.30.1 to 3.30.3
+ (#1857)
+
+-------------------------------------------------------------------
+Thu Sep 18 05:38:06 UTC 2025 - Johannes Kastl
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 0.30.10:
+ * bug-fix: handles usrmerge base image correctly (#1856)
+ * build(deps): bump go.opentelemetry.io/otel/trace from 1.37.0 to
+ 1.38.0 (#1838)
+ * build(deps): bump golang.org/x/sys from 0.35.0 to 0.36.0
+ (#1847)
+ * build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1
+ (#1837)
+ * build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#1843)
+ * build(deps): bump github/codeql-action from 3.29.11 to 3.30.1
+ (#1844)
+ * build(deps): bump golang.org/x/time from 0.12.0 to 0.13.0
+ (#1846)
+ * build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0
+ (#1848)
+ * build(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0
+ (#1849)
+ * build(deps): bump chainguard-dev/actions from 1.4.12 to 1.4.14
+ (#1845)
+
+-------------------------------------------------------------------
+Thu Sep 18 05:35:17 UTC 2025 - Johannes Kastl
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 0.30.9:
+ * Update release.md to use release workflow (#1842)
+
+-------------------------------------------------------------------
+Thu Sep 18 05:32:27 UTC 2025 - Johannes Kastl
<opensuse_buildserv...@ojkastl.de>
+
+- Update to version 0.30.8:
+ * Reduce the log noise from auto-auth failures. (#1835)
+ * build(deps): bump k8s.io/apimachinery from 0.33.4 to 0.34.0
+ (#1833)
+ * build(deps): bump github.com/u-root/u-root from 0.14.0 to
+ 0.15.0 (#1828)
+
+-------------------------------------------------------------------
Old:
----
apko-0.30.7.obscpio
New:
----
apko-0.30.11.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apko.spec ++++++
--- /var/tmp/diff_new_pack.L8QR0S/_old 2025-09-18 21:10:36.023251634 +0200
+++ /var/tmp/diff_new_pack.L8QR0S/_new 2025-09-18 21:10:36.023251634 +0200
@@ -17,7 +17,7 @@
Name: apko
-Version: 0.30.7
+Version: 0.30.11
Release: 0
Summary: Build OCI images from APK packages directly without Dockerfile
License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.L8QR0S/_old 2025-09-18 21:10:36.063253315 +0200
+++ /var/tmp/diff_new_pack.L8QR0S/_new 2025-09-18 21:10:36.063253315 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/chainguard-dev/apko</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
- <param name="revision">v0.30.7</param>
+ <param name="revision">v0.30.11</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.L8QR0S/_old 2025-09-18 21:10:36.099254829 +0200
+++ /var/tmp/diff_new_pack.L8QR0S/_new 2025-09-18 21:10:36.107255165 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://github.com/chainguard-dev/apko</param>
- <param
name="changesrevision">68e5577b0636f7def8a14c8440aaee946b54323c</param></service></servicedata>
+ <param
name="changesrevision">df5cfdc89ad4e4dd1c990479de55746a7c0b0ef7</param></service></servicedata>
(No newline at EOF)
++++++ apko-0.30.7.obscpio -> apko-0.30.11.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apko-0.30.7/examples/on_top_of_base/build.sh
new/apko-0.30.11/examples/on_top_of_base/build.sh
--- old/apko-0.30.7/examples/on_top_of_base/build.sh 2025-08-28
17:00:30.000000000 +0200
+++ new/apko-0.30.11/examples/on_top_of_base/build.sh 2025-09-13
15:50:34.000000000 +0200
@@ -3,9 +3,11 @@
# Script for building image on top of base with apko. Must be run from the
root of github repository.
apko_binary="${1:-apko}"
+BASE_IMAGE="${2:-cgr.dev/chainguard/wolfi-base:latest}"
+OUTPUT_TAR="${3:-}"
+ARCH="${4:-x86_64}"
EXAMPLE_DIR=./examples/on_top_of_base
-BASE_IMAGE=cgr.dev/chainguard/wolfi-base:latest
BASE_IMAGE_DIR="$EXAMPLE_DIR/base_image"
APKINDEX_DIR="$EXAMPLE_DIR/apkindexes"
FS_DUMP_DIR="$EXAMPLE_DIR/fs_dump"
@@ -16,11 +18,16 @@
mkdir -p "$FS_DUMP_DIR"
crane export "$BASE_IMAGE" "$FS_DUMP_DIR/fs.tar"
tar -C "$FS_DUMP_DIR" -xf "$FS_DUMP_DIR/fs.tar"
-mkdir -p "$APKINDEX_DIR/x86_64/"
-cp "$FS_DUMP_DIR/lib/apk/db/installed" "$APKINDEX_DIR/x86_64/APKINDEX"
+mkdir -p "$APKINDEX_DIR/$ARCH/"
+cp "$FS_DUMP_DIR/lib/apk/db/installed" "$APKINDEX_DIR/$ARCH/APKINDEX"
-"$apko_binary" lock "$EXAMPLE_DIR/base_image.yaml"
+"$apko_binary" lock "$EXAMPLE_DIR/base_image.yaml" --arch="$ARCH"
-mkdir -p "$EXAMPLE_DIR/top_image"
-
-"$apko_binary" build "$EXAMPLE_DIR/base_image.yaml" base_image:latest
"$EXAMPLE_DIR/top_image/" --lockfile="$EXAMPLE_DIR/base_image.lock.json"
--sbom=False
+if [ -n "$OUTPUT_TAR" ]; then
+ # Output to tar file
+ "$apko_binary" build --arch="$ARCH" "$EXAMPLE_DIR/base_image.yaml"
base_image:latest "$OUTPUT_TAR" --lockfile="$EXAMPLE_DIR/base_image.lock.json"
--sbom=False
+else
+ # Output to directory (original behavior)
+ mkdir -p "$EXAMPLE_DIR/top_image"
+ "$apko_binary" build --arch="$ARCH" "$EXAMPLE_DIR/base_image.yaml"
base_image:latest "$EXAMPLE_DIR/top_image/"
--lockfile="$EXAMPLE_DIR/base_image.lock.json" --sbom=False
+fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apko-0.30.7/go.mod new/apko-0.30.11/go.mod
--- old/apko-0.30.7/go.mod 2025-08-28 17:00:30.000000000 +0200
+++ new/apko-0.30.11/go.mod 2025-09-13 15:50:34.000000000 +0200
@@ -17,22 +17,22 @@
github.com/klauspost/pgzip v1.2.6
github.com/package-url/packageurl-go v0.1.3
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
- github.com/spf13/cobra v1.9.1
+ github.com/spf13/cobra v1.10.1
github.com/stretchr/testify v1.11.1
github.com/tmc/dot v0.0.0-20210901225022-f9bc17da75c0
- github.com/u-root/u-root v0.14.0
+ github.com/u-root/u-root v0.15.0
go.lsp.dev/uri v0.3.0
- go.opentelemetry.io/otel v1.37.0
- go.opentelemetry.io/otel/trace v1.37.0
+ go.opentelemetry.io/otel v1.38.0
+ go.opentelemetry.io/otel/trace v1.38.0
go.step.sm/crypto v0.70.0
- golang.org/x/oauth2 v0.30.0
- golang.org/x/sync v0.16.0
- golang.org/x/sys v0.35.0
- golang.org/x/time v0.12.0
- google.golang.org/api v0.248.0
+ golang.org/x/oauth2 v0.31.0
+ golang.org/x/sync v0.17.0
+ golang.org/x/sys v0.36.0
+ golang.org/x/time v0.13.0
+ google.golang.org/api v0.249.0
gopkg.in/ini.v1 v1.67.0
gopkg.in/yaml.v3 v3.0.1
- k8s.io/apimachinery v0.33.4
+ k8s.io/apimachinery v0.34.1
sigs.k8s.io/release-utils v0.12.1
)
@@ -102,7 +102,7 @@
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 //
indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.1 // indirect
- github.com/pierrec/lz4/v4 v4.1.21 // indirect
+ github.com/pierrec/lz4/v4 v4.1.22 // indirect
github.com/pjbgf/sha1cd v0.3.2 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 //
indirect
@@ -114,8 +114,8 @@
github.com/sergi/go-diff v1.4.0 // indirect
github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af //
indirect
github.com/skeema/knownhosts v1.3.1 // indirect
- github.com/spf13/pflag v1.0.6 // indirect
- github.com/u-root/uio v0.0.0-20240209044354-b3d14b93376a // indirect
+ github.com/spf13/pflag v1.0.9 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
github.com/vbatts/tar-split v0.12.1 // indirect
github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -123,7 +123,7 @@
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
v0.62.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0
// indirect
- go.opentelemetry.io/otel/metric v1.37.0 // indirect
+ go.opentelemetry.io/otel/metric v1.38.0 // indirect
golang.org/x/crypto v0.41.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/net v0.43.0 // indirect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apko-0.30.7/go.sum new/apko-0.30.11/go.sum
--- old/apko-0.30.7/go.sum 2025-08-28 17:00:30.000000000 +0200
+++ new/apko-0.30.11/go.sum 2025-09-13 15:50:34.000000000 +0200
@@ -205,8 +205,8 @@
github.com/opencontainers/image-spec v1.1.1/go.mod
h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
github.com/package-url/packageurl-go v0.1.3
h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
github.com/package-url/packageurl-go v0.1.3/go.mod
h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
-github.com/pierrec/lz4/v4 v4.1.21
h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
-github.com/pierrec/lz4/v4 v4.1.21/go.mod
h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.22
h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
+github.com/pierrec/lz4/v4 v4.1.22/go.mod
h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
github.com/pjbgf/sha1cd v0.3.2/go.mod
h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
@@ -237,10 +237,10 @@
github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod
h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/skeema/knownhosts v1.3.1
h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
github.com/skeema/knownhosts v1.3.1/go.mod
h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod
h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod
h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod
h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod
h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.4.0/go.mod
h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -249,10 +249,10 @@
github.com/stretchr/testify v1.11.1/go.mod
h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/tmc/dot v0.0.0-20210901225022-f9bc17da75c0
h1:hwIpbdjckSFqmZ6hod7WZgGR7tVVrSUzZrBfNZl7AOg=
github.com/tmc/dot v0.0.0-20210901225022-f9bc17da75c0/go.mod
h1:DV83s9TfD0rgoKcqvDmM+aYdz6BXmTkquwd+bI/8tlo=
-github.com/u-root/u-root v0.14.0
h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
-github.com/u-root/u-root v0.14.0/go.mod
h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
-github.com/u-root/uio v0.0.0-20240209044354-b3d14b93376a
h1:BH1SOPEvehD2kVrndDnGJiUF0TrBpNs+iyYocu6h0og=
-github.com/u-root/uio v0.0.0-20240209044354-b3d14b93376a/go.mod
h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
+github.com/u-root/u-root v0.15.0
h1:8JXfjAA/Vs8EXfZUA2ftvoHbiYYLdaU8umJ461aq+Jw=
+github.com/u-root/u-root v0.15.0/go.mod
h1:/0Qr7qJeDwWxoKku2xKQ4Szc+SwBE3g9VE8jNiamsmc=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701
h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod
h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
github.com/vbatts/tar-split v0.12.1
h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
github.com/vbatts/tar-split v0.12.1/go.mod
h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
github.com/wk8/go-ordered-map/v2 v2.1.8
h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
@@ -272,20 +272,20 @@
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
v0.62.0/go.mod h1:ru6KHrNtNHxM4nD/vd6QrLVWgKhxPYgblq4VAtNawTQ=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0
h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod
h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
-go.opentelemetry.io/otel v1.37.0
h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod
h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/otel v1.38.0
h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod
h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0
h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod
h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0
h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod
h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0=
-go.opentelemetry.io/otel/metric v1.37.0
h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod
h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/metric v1.38.0
h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod
h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
go.opentelemetry.io/otel/sdk v1.37.0
h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
go.opentelemetry.io/otel/sdk v1.37.0/go.mod
h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
go.opentelemetry.io/otel/sdk/metric v1.37.0
h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod
h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
-go.opentelemetry.io/otel/trace v1.37.0
h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod
h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+go.opentelemetry.io/otel/trace v1.38.0
h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod
h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
go.opentelemetry.io/proto/otlp v1.7.0
h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os=
go.opentelemetry.io/proto/otlp v1.7.0/go.mod
h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo=
go.step.sm/crypto v0.70.0 h1:Q9Ft7N637mucyZcHZd1+0VVQJVwDCKqcb9CYcYi7cds=
@@ -319,15 +319,15 @@
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod
h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
+golang.org/x/oauth2 v0.31.0/go.mod
h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod
h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod
h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -344,8 +344,8 @@
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod
h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod
h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -362,8 +362,8 @@
golang.org/x/text v0.14.0/go.mod
h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
golang.org/x/text v0.28.0/go.mod
h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod
h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI=
+golang.org/x/time v0.13.0/go.mod
h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod
h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -378,8 +378,8 @@
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
gonum.org/v1/gonum v0.16.0/go.mod
h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.248.0 h1:hUotakSkcwGdYUqzCRc5yGYsg4wXxpkKlW5ryVqvC1Y=
-google.golang.org/api v0.248.0/go.mod
h1:yAFUAF56Li7IuIQbTFoLwXTCI6XCFKueOlS7S9e4F9k=
+google.golang.org/api v0.249.0 h1:0VrsWAKzIZi058aeq+I86uIXbNhm9GxSHpbmZ92a38w=
+google.golang.org/api v0.249.0/go.mod
h1:dGk9qyI0UYPwO/cjt2q06LG/EhUpwZGdAbYF14wHHrQ=
google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c
h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
google.golang.org/genproto/googleapis/api
v0.0.0-20250818200422-3122310a409c/go.mod
h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c
h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg=
@@ -403,7 +403,7 @@
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-k8s.io/apimachinery v0.33.4 h1:SOf/JW33TP0eppJMkIgQ+L6atlDiP/090oaX0y9pd9s=
-k8s.io/apimachinery v0.33.4/go.mod
h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
+k8s.io/apimachinery v0.34.1/go.mod
h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
sigs.k8s.io/release-utils v0.12.1
h1:3p9w137wBTTApHlL8izdJHcCuaBe8wZhQz+B0QIAaBE=
sigs.k8s.io/release-utils v0.12.1/go.mod
h1:0z7JOb7iQcuDQcemQw5CSVrkH8evRHY0DMMjcyRB1e4=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apko-0.30.7/pkg/apk/apk/implementation.go
new/apko-0.30.11/pkg/apk/apk/implementation.go
--- old/apko-0.30.7/pkg/apk/apk/implementation.go 2025-08-28
17:00:30.000000000 +0200
+++ new/apko-0.30.11/pkg/apk/apk/implementation.go 2025-09-13
15:50:34.000000000 +0200
@@ -340,18 +340,43 @@
return nil
}
+// hasUsrMergeBaseImage checks if the base image uses a usr-merge filesystem
layout.
+// This is determined by checking if any installed packages provide the
"merged-lib" virtual package.
+// The merged-lib virtual is provided by wolfi-baselayout to indicate
usr-merge layout where
+// traditional directories like /lib, /bin, /sbin are symlinked to their /usr
counterparts.
+// See: https://github.com/wolfi-dev/os/blob/main/wolfi-baselayout.yaml
+func (a *APK) hasUsrMergeBaseImage() bool {
+ installedPkgs, err := a.GetInstalled()
+ if err != nil || len(installedPkgs) == 0 {
+ return false
+ }
+
+ for _, pkg := range installedPkgs {
+ for _, prov := range pkg.Provides {
+ if prov == "merged-lib" {
+ return true
+ }
+ }
+ }
+ return false
+}
+
// Resolves the possible locations of APK's DB and assures that it will exist
at /lib/apk/db.
func (a *APK) resolveApkDB(ctx context.Context) error {
log := clog.FromContext(ctx)
log.Debug("resolving APK DB location")
+ // Check if we have base image packages that provide merged-lib
+ // This indicates the base image has usr-merge layout
+ hasUsrMergeBase := a.hasUsrMergeBaseImage()
+
_, span := otel.Tracer("go-apk").Start(ctx, "resolveApkDB")
defer span.End()
// Do nothing more if /lib already points at usr/lib (absolute or
relative).
if target, err := a.fs.Readlink("/lib"); err == nil {
// MemFS will only let Readlink succeed on a real symlink.
- // Prepend “/” and Clean to collapse things like “/../usr/lib”
→ “/usr/lib”.
+ // Prepend "/" and Clean to collapse things like "/../usr/lib"
→ "/usr/lib".
if path.Clean("/"+target) == "/usr/lib" {
log.Debug("/lib is a symlink to /usr/lib")
return nil
@@ -369,6 +394,15 @@
// create /lib as a directory if is missing
if _, err := a.fs.Stat("lib"); errors.Is(err, fs.ErrNotExist) {
+ // If we have a usr-merge base image, we should NOT create /lib
as a directory
+ // because the base image already has /lib as a symlink to
/usr/lib
+ if hasUsrMergeBase {
+ // Don't create /lib - the base image has it as a
symlink
+ // Create the symlink in our filesystem to match the
base
+ _ = a.fs.Symlink("usr/lib", "lib")
+ // If we can't create the symlink, just skip - the base
has it
+ return nil
+ }
if err := a.fs.Mkdir("lib", 0o755); err != nil {
return fmt.Errorf("creating lib: %w", err)
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apko-0.30.7/pkg/apk/apk/implementation_test.go
new/apko-0.30.11/pkg/apk/apk/implementation_test.go
--- old/apko-0.30.7/pkg/apk/apk/implementation_test.go 2025-08-28
17:00:30.000000000 +0200
+++ new/apko-0.30.11/pkg/apk/apk/implementation_test.go 2025-09-13
15:50:34.000000000 +0200
@@ -309,6 +309,102 @@
})
}
+func TestHasUsrMergeBaseImage(t *testing.T) {
+ ctx := context.Background()
+
+ t.Run("no packages installed", func(t *testing.T) {
+ src := apkfs.NewMemFS()
+ apk, err := New(ctx, WithFS(src),
WithIgnoreMknodErrors(ignoreMknodErrors))
+ require.NoError(t, err)
+ err = apk.InitDB(ctx)
+ require.NoError(t, err)
+
+ // With no installed packages, should return false
+ require.False(t, apk.hasUsrMergeBaseImage())
+ })
+
+ t.Run("packages without merged-lib", func(t *testing.T) {
+ src := apkfs.NewMemFS()
+ apk, err := New(ctx, WithFS(src),
WithIgnoreMknodErrors(ignoreMknodErrors))
+ require.NoError(t, err)
+ err = apk.InitDB(ctx)
+ require.NoError(t, err)
+
+ // Add a package without merged-lib virtual
+ pkg := &Package{
+ Name: "test-package",
+ Version: "1.0.0",
+ Arch: "x86_64",
+ Provides: []string{"some-other-virtual"},
+ }
+ _, err = apk.AddInstalledPackage(pkg, nil)
+ require.NoError(t, err)
+
+ // Should return false as no package provides merged-lib
+ require.False(t, apk.hasUsrMergeBaseImage())
+ })
+
+ t.Run("package with merged-lib", func(t *testing.T) {
+ src := apkfs.NewMemFS()
+ apk, err := New(ctx, WithFS(src),
WithIgnoreMknodErrors(ignoreMknodErrors))
+ require.NoError(t, err)
+ err = apk.InitDB(ctx)
+ require.NoError(t, err)
+
+ // Add wolfi-baselayout which provides merged-lib
+ pkg := &Package{
+ Name: "wolfi-baselayout",
+ Version: "20230201-r23",
+ Arch: "x86_64",
+ Provides: []string{"merged-bin", "merged-lib",
"merged-sbin", "merged-usrsbin"},
+ }
+ _, err = apk.AddInstalledPackage(pkg, nil)
+ require.NoError(t, err)
+
+ // Should return true as wolfi-baselayout provides merged-lib
+ require.True(t, apk.hasUsrMergeBaseImage())
+ })
+
+ t.Run("multiple packages with one providing merged-lib", func(t
*testing.T) {
+ src := apkfs.NewMemFS()
+ apk, err := New(ctx, WithFS(src),
WithIgnoreMknodErrors(ignoreMknodErrors))
+ require.NoError(t, err)
+ err = apk.InitDB(ctx)
+ require.NoError(t, err)
+
+ // Add multiple packages
+ pkg1 := &Package{
+ Name: "glibc",
+ Version: "2.42-r0",
+ Arch: "x86_64",
+ Provides: []string{},
+ }
+ _, err = apk.AddInstalledPackage(pkg1, nil)
+ require.NoError(t, err)
+
+ pkg2 := &Package{
+ Name: "wolfi-baselayout",
+ Version: "20230201-r23",
+ Arch: "x86_64",
+ Provides: []string{"merged-bin", "merged-lib",
"merged-sbin", "merged-usrsbin"},
+ }
+ _, err = apk.AddInstalledPackage(pkg2, nil)
+ require.NoError(t, err)
+
+ pkg3 := &Package{
+ Name: "busybox",
+ Version: "1.36.1-r29",
+ Arch: "x86_64",
+ Provides: []string{},
+ }
+ _, err = apk.AddInstalledPackage(pkg3, nil)
+ require.NoError(t, err)
+
+ // Should return true as wolfi-baselayout provides merged-lib
+ require.True(t, apk.hasUsrMergeBaseImage())
+ })
+}
+
func TestSetWorld(t *testing.T) {
ctx := context.Background()
src := apkfs.NewMemFS()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apko-0.30.7/pkg/apk/auth/auth.go
new/apko-0.30.11/pkg/apk/auth/auth.go
--- old/apko-0.30.7/pkg/apk/auth/auth.go 2025-08-28 17:00:30.000000000
+0200
+++ new/apko-0.30.11/pkg/apk/auth/auth.go 2025-09-13 15:50:34.000000000
+0200
@@ -3,6 +3,7 @@
import (
"context"
"errors"
+ "io"
"net/http"
"os"
"os/exec"
@@ -101,10 +102,11 @@
sometimes.Do(func() {
cmd := exec.CommandContext(ctx, "chainctl", "auth", "token",
"--audience", host)
- cmd.Stderr = os.Stderr
+ cmd.Stderr = io.Discard // Don't pollute logs when things fail
out, err := cmd.Output()
if err != nil {
- log.Warnf("Error running `chainctl auth token`: %v",
err)
+ // Document that automatic auth failed and how to
reproduce.
+ log.Infof("Unable to automatically authenticate, run
`chainctl auth token --audience %q` to diagnose", host)
return
}
tok = string(out)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/apko-0.30.7/release.md new/apko-0.30.11/release.md
--- old/apko-0.30.7/release.md 2025-08-28 17:00:30.000000000 +0200
+++ new/apko-0.30.11/release.md 2025-09-13 15:50:34.000000000 +0200
@@ -1,34 +1,41 @@
# Apko Release Process
-## Patch releases
+## Automated releases
-The most common type of release of Apko is a patch release. Generally we
should aim to do these as often as necessary to release _backward compatible_
changes, especially to release updated dependencies to fix vulnerabilities.
+Apko uses an automated release process via GitHub Actions. Releases are
handled by the [`Release`
action](https://github.com/chainguard-dev/apko/actions/workflows/release.yaml).
-To cut a release:
-- go to https://github.com/chainguard-dev/apko/releases/new
-- click "Choose a tag" then "Find or create a new tag"
-- type a new patch version tag for the latest minor version
- - for example, if the latest version is `v0.11.5`, create a patch release
`v0.11.6`
-- click "Create new tag: v0.X.Y on publish"
- - you can leave the release title empty
-- click "Generate release notes"
- - make any editorial changes to the release notes you think are relevant
-- make sure "Set as the latest release" is checked
-- click **"Publish release"**
+### Scheduled releases
-### Monitor the release automation
+The release workflow runs automatically every Monday at 00:00 UTC. It will:
+1. Check if there have been any changes since the last release
+2. Automatically bump the patch version if changes are detected
+3. Create a new tag and release with generated release notes
+4. Build and attach release artifacts using GoReleaser
+
+### Manual releases
+
+To trigger a release manually:
-Once the tag is pushed, the [`Create Release`
action](https://github.com/chainguard-dev/apko/actions/workflows/release.yaml)
-will attach the appropriate release artifacts and update release notes.
+1. Go to the [Release
workflow](https://github.com/chainguard-dev/apko/actions/workflows/release.yaml)
+2. Click **"Run workflow"**
+3. Select the branch (usually `main`)
+4. Click **"Run workflow"**
-At the time of this writing, the release job takes 20 to 30 minutes to execute.
+The workflow will automatically determine if a release is needed and create
one if there have been changes since the last release.
-Make any editorial changes to the release notes you think are necessary.
-You may want to highlight certain changes or remove items that aren't
interesting.
+### Monitor the release automation
+
+The release job takes 20 to 30 minutes to execute and will:
+- Create a new patch version tag
+- Generate release notes
+- Build and sign release artifacts with Cosign
+- Publish the release to GitHub
-Once the `Release` action has been completed successfully, find your release on
+Once the `Release` action has completed successfully, find your release on
the [releases page](https://github.com/chainguard-dev/apko/releases)
+You can make editorial changes to the release notes after automation completes
if needed.
+
### Update dependents
Apko is used as a library in
[Melange](https://github.com/chainguard-dev/melange),
[`wolfictl`](https://wolfi.dev/wolifctl), and
[`terraform-provider-apko`](https://github.com/chainguard-dev/terraform-provider-apko),
among others.
++++++ apko.obsinfo ++++++
--- /var/tmp/diff_new_pack.L8QR0S/_old 2025-09-18 21:10:36.531272981 +0200
+++ /var/tmp/diff_new_pack.L8QR0S/_new 2025-09-18 21:10:36.535273150 +0200
@@ -1,5 +1,5 @@
name: apko
-version: 0.30.7
-mtime: 1756393230
-commit: 68e5577b0636f7def8a14c8440aaee946b54323c
+version: 0.30.11
+mtime: 1757771434
+commit: df5cfdc89ad4e4dd1c990479de55746a7c0b0ef7
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/apko/vendor.tar.gz
/work/SRC/openSUSE:Factory/.apko.new.27445/vendor.tar.gz differ: char 13, line 1
