Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package melange for openSUSE:Factory checked in at 2026-04-04 19:05:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/melange (Old) and /work/SRC/openSUSE:Factory/.melange.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "melange" Sat Apr 4 19:05:50 2026 rev:151 rq:1344457 version:0.48.2 Changes: -------- --- /work/SRC/openSUSE:Factory/melange/melange.changes 2026-04-02 17:43:55.294185582 +0200 +++ /work/SRC/openSUSE:Factory/.melange.new.21863/melange.changes 2026-04-04 19:07:20.676945974 +0200 @@ -1,0 +2,16 @@ +Fri Apr 03 10:53:31 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.48.2: + * build(deps): bump chainguard.dev/apko from 1.2.0 to 1.2.1 in + the gomod group (#2459) + * renovate/bump: always update branch-only git-checkout nodes + (#2457) + +------------------------------------------------------------------- +Thu Apr 02 15:58:48 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.48.1: + * fix: remove moby/moby/v2 dependency for compatibility (#2456) + * pipelines/git-am: use xargs and quote patches input (#2455) + +------------------------------------------------------------------- Old: ---- melange-0.48.0.obscpio New: ---- melange-0.48.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ melange.spec ++++++ --- /var/tmp/diff_new_pack.lb1lR6/_old 2026-04-04 19:07:21.944997964 +0200 +++ /var/tmp/diff_new_pack.lb1lR6/_new 2026-04-04 19:07:21.948998128 +0200 @@ -17,7 +17,7 @@ Name: melange -Version: 0.48.0 +Version: 0.48.2 Release: 0 Summary: Build APKs from source code License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.lb1lR6/_old 2026-04-04 19:07:21.984999604 +0200 +++ /var/tmp/diff_new_pack.lb1lR6/_new 2026-04-04 19:07:21.988999769 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/melange.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">refs/tags/v0.48.0</param> + <param name="revision">refs/tags/v0.48.2</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.lb1lR6/_old 2026-04-04 19:07:22.013000752 +0200 +++ /var/tmp/diff_new_pack.lb1lR6/_new 2026-04-04 19:07:22.017000916 +0200 @@ -3,6 +3,6 @@ <param name="url">https://github.com/chainguard-dev/melange</param> <param name="changesrevision">3f6115b820985d70ca3c93cdf8519c1b3b4cfe81</param></service><service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/melange.git</param> - <param name="changesrevision">54faa684108e9d1e0a716adc3819e105da614bf7</param></service></servicedata> + <param name="changesrevision">64499184a8b0b78a9ab5f33b78d2e714bcc9e1c8</param></service></servicedata> (No newline at EOF) ++++++ melange-0.48.0.obscpio -> melange-0.48.2.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.0/go.mod new/melange-0.48.2/go.mod --- old/melange-0.48.0/go.mod 2026-03-31 23:10:54.000000000 +0200 +++ new/melange-0.48.2/go.mod 2026-04-02 23:53:57.000000000 +0200 @@ -3,7 +3,7 @@ go 1.25.7 require ( - chainguard.dev/apko v1.2.0 + chainguard.dev/apko v1.2.1 github.com/chainguard-dev/clog v1.8.0 github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10 github.com/chainguard-dev/yam v0.2.54 @@ -22,7 +22,6 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 github.com/klauspost/compress v1.18.5 github.com/klauspost/pgzip v1.2.6 - github.com/moby/moby/v2 v2.0.0-beta.8 github.com/opencontainers/image-spec v1.1.1 github.com/package-url/packageurl-go v0.1.5 github.com/pkg/errors v0.9.1 @@ -55,6 +54,7 @@ github.com/clipperhouse/uax29/v2 v2.6.0 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect + github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/google/martian/v3 v3.3.3 // indirect github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect @@ -62,8 +62,11 @@ github.com/klauspost/cpuid/v2 v2.3.0 // indirect github.com/moby/moby/api v1.54.0 // indirect github.com/moby/moby/client v0.3.0 // indirect + github.com/moby/sys/atomicwriter v0.1.0 // indirect + github.com/morikuni/aec v1.1.0 // indirect github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0 // indirect go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/tools v0.43.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect @@ -96,7 +99,6 @@ github.com/charmbracelet/x/term v0.2.1 // indirect github.com/cloudflare/circl v1.6.3 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect - github.com/containerd/containerd/v2 v2.2.1 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect @@ -165,11 +167,11 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect go.opentelemetry.io/otel/metric v1.42.0 // indirect go.opentelemetry.io/otel/trace v1.42.0 // indirect - go.step.sm/crypto v0.77.1 // indirect + go.step.sm/crypto v0.77.2 // indirect golang.org/x/mod v0.34.0 // indirect golang.org/x/net v0.52.0 // indirect golang.org/x/oauth2 v0.36.0 // indirect - google.golang.org/api v0.273.0 // indirect + google.golang.org/api v0.273.1 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 // indirect google.golang.org/grpc v1.79.3 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.0/go.sum new/melange-0.48.2/go.sum --- old/melange-0.48.0/go.sum 2026-03-31 23:10:54.000000000 +0200 +++ new/melange-0.48.2/go.sum 2026-04-02 23:53:57.000000000 +0200 @@ -1,5 +1,5 @@ -chainguard.dev/apko v1.2.0 h1:44uI/EBIjMuOwdwxDCbIpY1bJrSOLEVtRqM9SUcz69E= -chainguard.dev/apko v1.2.0/go.mod h1:mLYcD45WyC55MGyjeJSju1+FmxzZFB9LCAnZzbRp8WU= +chainguard.dev/apko v1.2.1 h1:sRNvd45n99be9Z720qTEtdsa20PQ8acBq0f0eSloo3A= +chainguard.dev/apko v1.2.1/go.mod h1:Nq9ZJnHzB+eBJCvWJ+Ucm9wqA0abAs9iiwtXmvJuQ5A= chainguard.dev/go-grpc-kit v0.17.16 h1:Y9RKwZCnrYR3S0K8BiazyOoBrZF+Q7bJWDacfKXz2zg= chainguard.dev/go-grpc-kit v0.17.16/go.mod h1:0vrfIBJguXNa+EKOUEhx1Fj2aBp8o6A8gAHoidiF8ps= chainguard.dev/sdk v0.1.52 h1:G1wmZHU8v5E78YlCHuwQH0Hwt4NBBCvCNAFad5FUanQ= @@ -66,8 +66,6 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= -github.com/containerd/containerd/v2 v2.2.1 h1:TpyxcY4AL5A+07dxETevunVS5zxqzuq7ZqJXknM11yk= -github.com/containerd/containerd/v2 v2.2.1/go.mod h1:NR70yW1iDxe84F2iFWbR9xfAN0N2F0NcjTi1OVth4nU= github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= @@ -253,8 +251,6 @@ github.com/moby/moby/api v1.54.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc= github.com/moby/moby/client v0.3.0 h1:UUGL5okry+Aomj3WhGt9Aigl3ZOxZGqR7XPo+RLPlKs= github.com/moby/moby/client v0.3.0/go.mod h1:HJgFbJRvogDQjbM8fqc1MCEm4mIAGMLjXbgwoZp6jCQ= -github.com/moby/moby/v2 v2.0.0-beta.8 h1:3D/xW0DrCNuGPSJ+dnw9A97IJ3qwBmTxqmCWDEYtY38= -github.com/moby/moby/v2 v2.0.0-beta.8/go.mod h1:92sEyRcWIBbM9stp3xl4I2t/gJzOFgrZ8prBT0IfD4g= github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= @@ -386,8 +382,8 @@ go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc= go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g= go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk= -go.step.sm/crypto v0.77.1 h1:4EEqfKdv0egQ1lqz2RhnU8Jv6QgXZfrgoxWMqJF9aDs= -go.step.sm/crypto v0.77.1/go.mod h1:U/SsmEm80mNnfD5WIkbhuW/B1eFp3fgFvdXyDLpU1AQ= +go.step.sm/crypto v0.77.2 h1:qFjjei+RHc5kP5R7NW9OUWT7SqWIuAOvOkXqg4fNWj8= +go.step.sm/crypto v0.77.2/go.mod h1:W0YJb9onM5l78qgkXIJ2Up6grnwW8EtpCKIza/NCg0o= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ= @@ -486,8 +482,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/api v0.273.0 h1:r/Bcv36Xa/te1ugaN1kdJ5LoA5Wj/cL+a4gj6FiPBjQ= -google.golang.org/api v0.273.0/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew= +google.golang.org/api v0.273.1 h1:L7G/TmpAMz0nKx/ciAVssVmWQiOF6+pOuXeKrWVsquY= +google.golang.org/api v0.273.1/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.0/pkg/build/pipelines/git-am.yaml new/melange-0.48.2/pkg/build/pipelines/git-am.yaml --- old/melange-0.48.0/pkg/build/pipelines/git-am.yaml 2026-03-31 23:10:54.000000000 +0200 +++ new/melange-0.48.2/pkg/build/pipelines/git-am.yaml 2026-04-02 23:53:57.000000000 +0200 @@ -22,4 +22,4 @@ pipeline: - runs: | - git am ${{inputs.patches}} + echo "${{inputs.patches}}" | xargs git am diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.0/pkg/container/bubblewrap_runner.go new/melange-0.48.2/pkg/container/bubblewrap_runner.go --- old/melange-0.48.0/pkg/container/bubblewrap_runner.go 2026-03-31 23:10:54.000000000 +0200 +++ new/melange-0.48.2/pkg/container/bubblewrap_runner.go 2026-04-02 23:53:57.000000000 +0200 @@ -34,7 +34,6 @@ apko_types "chainguard.dev/apko/pkg/build/types" "github.com/chainguard-dev/clog" v1 "github.com/google/go-containerregistry/pkg/v1" - moby "github.com/moby/moby/v2/daemon/pkg/oci/caps" "go.opentelemetry.io/otel" ) @@ -45,6 +44,26 @@ buildUserID = "1000" ) +// defaultCapabilities is the set of Linux capabilities granted by the +// Docker/Moby runtime by default. Mirrors moby/moby's DefaultCapabilities() +// to avoid depending on moby/moby/v2 (pre-release) for a static list. +var defaultCapabilities = []string{ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE", +} + type bubblewrap struct { remove bool // if true, clean up temp dirs on close. } @@ -138,7 +157,9 @@ } // Add Docker runner-parity kernel capabilities to the container. - for _, c := range moby.DefaultCapabilities() { + // These are the default Linux capabilities granted by the Docker/Moby + // runtime. Inlined to avoid pulling in moby/moby/v2 (beta) as a dependency. + for _, c := range defaultCapabilities { baseargs = append(baseargs, "--cap-add", c) } // Add additional process kernel capabilities to the container as configured. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.0/pkg/renovate/bump/bump.go new/melange-0.48.2/pkg/renovate/bump/bump.go --- old/melange-0.48.0/pkg/renovate/bump/bump.go 2026-03-31 23:10:54.000000000 +0200 +++ new/melange-0.48.2/pkg/renovate/bump/bump.go 2026-04-02 23:53:57.000000000 +0200 @@ -229,21 +229,13 @@ return err } - // Check if the tag or branch contains a version substitution. - // If neither depends on package.version, we assume this is not the main - // checkout and skip updating the expected-commit sha. + // If a tag is present, check it contains a version substitution. + // If it doesn't depend on package.version, skip updating. + // If there is no tag (e.g. branch-only checkout), always update since + // branches are often built from main and should not be skipped. tag, tagErr := renovate.NodeFromMapping(withNode, "tag") - branch, branchErr := renovate.NodeFromMapping(withNode, "branch") - - switch { - case tagErr != nil && branchErr != nil: - log.Infof("git-checkout node does not contain a tag or branch, assume we need to update the expected-commit sha") - case tagErr == nil && dependsOnVersion(tag.Value, cfg): - // tag is version-derived, proceed to update - case branchErr == nil && dependsOnVersion(branch.Value, cfg): - // branch is version-derived, proceed to update - default: - log.Infof("Skipping git-checkout node as neither tag nor branch is derived from package.version") + if tagErr == nil && !dependsOnVersion(tag.Value, cfg) { + log.Infof("Skipping git-checkout node as tag is not derived from package.version") return nil } ++++++ melange.obsinfo ++++++ --- /var/tmp/diff_new_pack.lb1lR6/_old 2026-04-04 19:07:23.845075868 +0200 +++ /var/tmp/diff_new_pack.lb1lR6/_new 2026-04-04 19:07:23.861076524 +0200 @@ -1,5 +1,5 @@ name: melange -version: 0.48.0 -mtime: 1774991454 -commit: 54faa684108e9d1e0a716adc3819e105da614bf7 +version: 0.48.2 +mtime: 1775166837 +commit: 64499184a8b0b78a9ab5f33b78d2e714bcc9e1c8 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/melange/vendor.tar.gz /work/SRC/openSUSE:Factory/.melange.new.21863/vendor.tar.gz differ: char 13, line 1
