Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package melange for openSUSE:Factory checked in at 2026-04-13 23:19:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/melange (Old) and /work/SRC/openSUSE:Factory/.melange.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "melange" Mon Apr 13 23:19:00 2026 rev:152 rq:1346336 version:0.49.0 Changes: -------- --- /work/SRC/openSUSE:Factory/melange/melange.changes 2026-04-04 19:07:20.676945974 +0200 +++ /work/SRC/openSUSE:Factory/.melange.new.21863/melange.changes 2026-04-13 23:19:58.122803369 +0200 @@ -1,0 +2,27 @@ +Mon Apr 13 05:01:23 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.49.0: + * build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 + in the actions group (#2476) + * fix(pipelines/autoconf/configure): add libtool (#2472) + * build(deps): bump golang.org/x/crypto from 0.49.0 to 0.50.0 in + the gomod group (#2473) + * build(deps): bump step-security/action-actionlint from 1.69.1 + to 1.72.0 in the actions group (#2474) + * feat(qemu): apply reasonable CPU/memory defaults (#2470) + * build(deps): bump the gomod group with 2 updates (#2468) + * build(deps): bump step-security/harden-runner from 2.16.1 to + 2.17.0 in the actions group (#2469) + * build(deps): bump + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp + from 1.40.0 to 1.43.0 (#2467) + * build(deps): bump golang.org/x/sys in the gomod group (#2466) + * build(deps): bump the gomod group with 3 updates (#2464) + * build(deps): bump step-security/harden-runner from 2.16.0 to + 2.16.1 in the actions group (#2465) + * chore(workflows): add actionlint and zizmor action linters + [SECINT-75] (#2463) + * build(deps): bump the gomod group across 1 directory with 4 + updates (#2462) + +------------------------------------------------------------------- Old: ---- melange-0.48.2.obscpio New: ---- melange-0.49.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ melange.spec ++++++ --- /var/tmp/diff_new_pack.F2e2ji/_old 2026-04-13 23:19:59.510860664 +0200 +++ /var/tmp/diff_new_pack.F2e2ji/_new 2026-04-13 23:19:59.514860829 +0200 @@ -17,7 +17,7 @@ Name: melange -Version: 0.48.2 +Version: 0.49.0 Release: 0 Summary: Build APKs from source code License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.F2e2ji/_old 2026-04-13 23:19:59.550862314 +0200 +++ /var/tmp/diff_new_pack.F2e2ji/_new 2026-04-13 23:19:59.554862480 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/melange.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">refs/tags/v0.48.2</param> + <param name="revision">refs/tags/v0.49.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.F2e2ji/_old 2026-04-13 23:19:59.598864296 +0200 +++ /var/tmp/diff_new_pack.F2e2ji/_new 2026-04-13 23:19:59.602864461 +0200 @@ -3,6 +3,6 @@ <param name="url">https://github.com/chainguard-dev/melange</param> <param name="changesrevision">3f6115b820985d70ca3c93cdf8519c1b3b4cfe81</param></service><service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/melange.git</param> - <param name="changesrevision">64499184a8b0b78a9ab5f33b78d2e714bcc9e1c8</param></service></servicedata> + <param name="changesrevision">4121ddfd1c96ecefe8644566858072682828c1ac</param></service></servicedata> (No newline at EOF) ++++++ melange-0.48.2.obscpio -> melange-0.49.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.2/go.mod new/melange-0.49.0/go.mod --- old/melange-0.48.2/go.mod 2026-04-02 23:53:57.000000000 +0200 +++ new/melange-0.49.0/go.mod 2026-04-11 04:29:31.000000000 +0200 @@ -3,18 +3,18 @@ go 1.25.7 require ( - chainguard.dev/apko v1.2.1 + chainguard.dev/apko v1.2.2 github.com/chainguard-dev/clog v1.8.0 github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10 github.com/chainguard-dev/yam v0.2.54 github.com/charmbracelet/log v1.0.0 - github.com/docker/cli v29.3.1+incompatible + github.com/docker/cli v29.4.0+incompatible github.com/docker/docker v28.5.2+incompatible github.com/dprotaso/go-yit v0.0.0-20250513224043-18a80f8f6df4 github.com/github/go-spdx/v2 v2.4.0 github.com/go-git/go-git/v5 v5.17.2 github.com/google/go-cmp v0.7.0 - github.com/google/go-containerregistry v0.21.3 + github.com/google/go-containerregistry v0.21.4 github.com/google/licenseclassifier/v2 v2.0.0 github.com/in-toto/attestation v1.2.0 github.com/invopop/jsonschema v0.13.0 @@ -32,20 +32,20 @@ github.com/ulikunitz/xz v0.5.15 github.com/yookoala/realpath v1.0.0 github.com/zealic/xignore v0.3.3 - go.opentelemetry.io/otel v1.42.0 - go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0 - go.opentelemetry.io/otel/sdk v1.42.0 + go.opentelemetry.io/otel v1.43.0 + go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0 + go.opentelemetry.io/otel/sdk v1.43.0 go.yaml.in/yaml/v2 v2.4.4 - golang.org/x/crypto v0.49.0 + golang.org/x/crypto v0.50.0 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 golang.org/x/sync v0.20.0 - golang.org/x/sys v0.42.0 - golang.org/x/term v0.41.0 - golang.org/x/text v0.35.0 + golang.org/x/sys v0.43.0 + golang.org/x/term v0.42.0 + golang.org/x/text v0.36.0 golang.org/x/time v0.15.0 gopkg.in/ini.v1 v1.67.1 gopkg.in/yaml.v3 v3.0.1 - mvdan.cc/sh/v3 v3.13.0 + mvdan.cc/sh/v3 v3.13.1 sigs.k8s.io/release-utils v0.12.4 sigs.k8s.io/yaml v1.6.0 ) @@ -66,7 +66,7 @@ github.com/morikuni/aec v1.1.0 // indirect github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/tools v0.43.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect @@ -105,7 +105,6 @@ github.com/cyphar/filepath-securejoin v0.6.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.9.4 // indirect github.com/docker/go-connections v0.6.0 // indirect github.com/docker/go-units v0.5.0 // indirect @@ -113,7 +112,7 @@ github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.8.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.4 // indirect + github.com/go-jose/go-jose/v3 v3.0.5 // indirect github.com/go-logfmt/logfmt v0.6.1 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -165,16 +164,16 @@ go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect - go.opentelemetry.io/otel/metric v1.42.0 // indirect - go.opentelemetry.io/otel/trace v1.42.0 // indirect + go.opentelemetry.io/otel/metric v1.43.0 // indirect + go.opentelemetry.io/otel/trace v1.43.0 // indirect go.step.sm/crypto v0.77.2 // indirect golang.org/x/mod v0.34.0 // indirect golang.org/x/net v0.52.0 // indirect golang.org/x/oauth2 v0.36.0 // indirect google.golang.org/api v0.273.1 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 // indirect - google.golang.org/grpc v1.79.3 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect + google.golang.org/grpc v1.80.0 // indirect google.golang.org/protobuf v1.36.11 gopkg.in/warnings.v0 v0.1.2 // indirect k8s.io/apimachinery v0.35.3 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.2/go.sum new/melange-0.49.0/go.sum --- old/melange-0.48.2/go.sum 2026-04-02 23:53:57.000000000 +0200 +++ new/melange-0.49.0/go.sum 2026-04-11 04:29:31.000000000 +0200 @@ -1,5 +1,5 @@ -chainguard.dev/apko v1.2.1 h1:sRNvd45n99be9Z720qTEtdsa20PQ8acBq0f0eSloo3A= -chainguard.dev/apko v1.2.1/go.mod h1:Nq9ZJnHzB+eBJCvWJ+Ucm9wqA0abAs9iiwtXmvJuQ5A= +chainguard.dev/apko v1.2.2 h1:6WGvPASk3VXK1D+m4HkYX0PixQkP6NDGwP201KovTLE= +chainguard.dev/apko v1.2.2/go.mod h1:Q2bBBulVerKw0Jq9id7oeEuj0cLGh2q2vb8xu0mrFSA= chainguard.dev/go-grpc-kit v0.17.16 h1:Y9RKwZCnrYR3S0K8BiazyOoBrZF+Q7bJWDacfKXz2zg= chainguard.dev/go-grpc-kit v0.17.16/go.mod h1:0vrfIBJguXNa+EKOUEhx1Fj2aBp8o6A8gAHoidiF8ps= chainguard.dev/sdk v0.1.52 h1:G1wmZHU8v5E78YlCHuwQH0Hwt4NBBCvCNAFad5FUanQ= @@ -87,10 +87,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v29.3.1+incompatible h1:M04FDj2TRehDacrosh7Vlkgc7AuQoWloQkf1PA5hmoI= -github.com/docker/cli v29.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= -github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/cli v29.4.0+incompatible h1:+IjXULMetlvWJiuSI0Nbor36lcJ5BTcVpUmB21KBoVM= +github.com/docker/cli v29.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.9.4 h1:76ItO69/AP/V4yT9V4uuuItG0B1N8hvt0T0c0NN/DzI= @@ -129,8 +127,8 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= github.com/go-git/go-git/v5 v5.17.2 h1:B+nkdlxdYrvyFK4GPXVU8w1U+YkbsgciIR7f2sZJ104= github.com/go-git/go-git/v5 v5.17.2/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo= -github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= -github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ= +github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-logfmt/logfmt v0.6.1 h1:4hvbpePJKnIzH1B+8OR/JPbTx37NktoI9LE2QZBBkvE= github.com/go-logfmt/logfmt v0.6.1/go.mod h1:EV2pOAQoZaT1ZXZbqDl5hrymndi4SY9ED9/z6CO0XAk= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= @@ -167,8 +165,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/go-containerregistry v0.21.3 h1:Xr+yt3VvwOOn/5nJzd7UoOhwPGiPkYW0zWDLLUXqAi4= -github.com/google/go-containerregistry v0.21.3/go.mod h1:D5ZrJF1e6dMzvInpBPuMCX0FxURz7GLq2rV3Us9aPkc= +github.com/google/go-containerregistry v0.21.4 h1:VrhlIQtdhE6riZW//MjPrcJ1snAjPoCCpPHqGOygrv8= +github.com/google/go-containerregistry v0.21.4/go.mod h1:kxgc23zQ2qMY/hAKt0wCbB/7tkeovAP2mE2ienynJUw= github.com/google/go-licenses/v2 v2.0.1 h1:ti+9bi5o7DKbeeg5eBb/uZTgsaPNoJaLCh93cRcXsW8= github.com/google/go-licenses/v2 v2.0.1/go.mod h1:efibo0EDNGkau6AIMOViGW+rTNPudhxX9rCxtfw5zKE= github.com/google/go-replayers/httpreplay v1.2.0 h1:VM1wEyyjaoU53BwrOnaf9VhAyQQEEioJvFYxYcLRKzk= @@ -364,22 +362,22 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0= -go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho= -go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 h1:THuZiwpQZuHPul65w4WcwEnkX2QIuMT+UFoOrygtoJw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0/go.mod h1:J2pvYM5NGHofZ2/Ru6zw/TNWnEQp5crgyDeSrYpXkAw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 h1:wVZXIWjQSeSmMoxF74LzAnpVQOAFDo3pPji9Y4SOFKc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0/go.mod h1:khvBS2IggMFNwZK/6lEeHg/W57h/IX6J4URh57fuI40= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0 h1:s/1iRkCKDfhlh1JF26knRneorus8aOwVIDhvYx9WoDw= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0/go.mod h1:UI3wi0FXg1Pofb8ZBiBLhtMzgoTm1TYkMvn71fAqDzs= -go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4= -go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI= -go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo= -go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts= -go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA= -go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc= -go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY= -go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc= +go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I= +go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0 h1:mS47AX77OtFfKG4vtp+84kuGSFZHTyxtXIN269vChY0= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0/go.mod h1:PJnsC41lAGncJlPUniSwM81gc80GkgWJWr3cu2nKEtU= +go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM= +go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY= +go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg= +go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg= +go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw= +go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A= +go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A= +go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0= go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g= go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk= go.step.sm/crypto v0.77.2 h1:qFjjei+RHc5kP5R7NW9OUWT7SqWIuAOvOkXqg4fNWj8= @@ -395,8 +393,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= -golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= +golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI= +golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY= golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70= @@ -448,15 +446,15 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= -golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI= +golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= -golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= +golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY= +golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -464,8 +462,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= -golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= +golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -480,8 +478,8 @@ golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= -gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= +gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= +gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= google.golang.org/api v0.273.1 h1:L7G/TmpAMz0nKx/ciAVssVmWQiOF6+pOuXeKrWVsquY= google.golang.org/api v0.273.1/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= @@ -489,17 +487,17 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5 h1:CogIeEXn4qWYzzQU0QqvYBM8yDF9cFYzDq9ojSpv0Js= -google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5/go.mod h1:EIQZ5bFCfRQDV4MhRle7+OgjNtZ6P1PiZBgAKuxXu/Y= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 h1:ndE4FoJqsIceKP2oYSnUZqhTdYufCYYkqwtFzfrhI7w= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= -google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= +google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= +google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -535,8 +533,8 @@ k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -mvdan.cc/sh/v3 v3.13.0 h1:dSfq/MVsY4w0Vsi6Lbs0IcQquMVqLdKLESAOZjuHdLg= -mvdan.cc/sh/v3 v3.13.0/go.mod h1:KV1GByGPc/Ho0X1E6Uz9euhsIQEj4hwyKnodLlFLoDM= +mvdan.cc/sh/v3 v3.13.1 h1:DP3TfgZhDkT7lerUdnp6PTGKyxxzz6T+cOlY/xEvfWk= +mvdan.cc/sh/v3 v3.13.1/go.mod h1:lXJ8SexMvEVcHCoDvAGLZgFJ9Wsm2sulmoNEXGhYZD0= pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk= pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04= sigs.k8s.io/release-utils v0.12.4 h1:kuG6WTWGCKx5uUrJwl2uFErOKOw+4Ba8WrPmOQh5J3g= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.2/pkg/build/build_test.go new/melange-0.49.0/pkg/build/build_test.go --- old/melange-0.48.2/pkg/build/build_test.go 2026-04-02 23:53:57.000000000 +0200 +++ new/melange-0.49.0/pkg/build/build_test.go 2026-04-11 04:29:31.000000000 +0200 @@ -50,7 +50,7 @@ Package: config.Package{ Name: "hello", Version: "world", - Resources: &config.Resources{}, + Resources: &config.Resources{CPU: "2", Memory: "4Gi"}, }, Pipeline: []config.Pipeline{ { @@ -127,7 +127,7 @@ Package: config.Package{ Name: "cosign", Version: "2.0.0", - Resources: &config.Resources{}, + Resources: &config.Resources{CPU: "2", Memory: "4Gi"}, }, Update: config.Update{ Enabled: true, @@ -144,7 +144,7 @@ name: "release-monitor", requireErr: require.NoError, expected: &config.Configuration{ - Package: config.Package{Name: "bison", Version: "3.8.2", Resources: &config.Resources{}}, + Package: config.Package{Name: "bison", Version: "3.8.2", Resources: &config.Resources{CPU: "2", Memory: "4Gi"}}, Update: config.Update{ Enabled: true, Shared: false, @@ -199,7 +199,7 @@ Name: "cosign", Version: "2.0.0", Epoch: 0, - Resources: &config.Resources{}, + Resources: &config.Resources{CPU: "2", Memory: "4Gi"}, }, Environment: apko_types.ImageConfiguration{ Environment: map[string]string{ @@ -282,7 +282,7 @@ Package: config.Package{ Name: "nginx", Version: "100", - Resources: &config.Resources{}, + Resources: &config.Resources{CPU: "2", Memory: "4Gi"}, }, Subpackages: []config.Subpackage{}, } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.2/pkg/build/pipelines/autoconf/configure.yaml new/melange-0.49.0/pkg/build/pipelines/autoconf/configure.yaml --- old/melange-0.48.2/pkg/build/pipelines/autoconf/configure.yaml 2026-04-02 23:53:57.000000000 +0200 +++ new/melange-0.49.0/pkg/build/pipelines/autoconf/configure.yaml 2026-04-11 04:29:31.000000000 +0200 @@ -4,6 +4,7 @@ packages: - autoconf - automake + - libtool inputs: dir: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.2/pkg/build/test_test.go new/melange-0.49.0/pkg/build/test_test.go --- old/melange-0.48.2/pkg/build/test_test.go 2026-04-02 23:53:57.000000000 +0200 +++ new/melange-0.49.0/pkg/build/test_test.go 2026-04-11 04:29:31.000000000 +0200 @@ -179,7 +179,7 @@ Package: config.Package{ Name: "hello", Version: "world", - Resources: &config.Resources{}, + Resources: &config.Resources{CPU: "2", Memory: "4Gi"}, }, Test: &config.Test{ Environment: defaultEnv(), @@ -291,7 +291,7 @@ Package: config.Package{ Name: "py3-pandas", Version: "2.1.3", - Resources: &config.Resources{}, + Resources: &config.Resources{CPU: "2", Memory: "4Gi"}, }, Test: &config.Test{ Environment: defaultEnv(func(env *apko_types.ImageConfiguration) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.2/pkg/config/config.go new/melange-0.49.0/pkg/config/config.go --- old/melange-0.48.2/pkg/config/config.go 2026-04-02 23:53:57.000000000 +0200 +++ new/melange-0.49.0/pkg/config/config.go 2026-04-11 04:29:31.000000000 +0200 @@ -1861,6 +1861,17 @@ cfg.Package.Resources.Disk = options.disk } + // Apply reasonable defaults for CPU and memory if still unset after YAML and CLI + // flag processing. Without these, the QEMU runner defaults to all host CPUs + // and 85% of host memory, causing resource contention when multiple builds + // share a node. + if cfg.Package.Resources.CPU == "" { + cfg.Package.Resources.CPU = "2" + } + if cfg.Package.Resources.Memory == "" { + cfg.Package.Resources.Memory = "4Gi" + } + // Finally, validate the configuration we ended up with before returning it for use downstream. if err = cfg.validate(ctx); err != nil { return nil, fmt.Errorf("validating configuration %q: %w", cfg.Package.Name, err) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.2/pkg/config/config_test.go new/melange-0.49.0/pkg/config/config_test.go --- old/melange-0.48.2/pkg/config/config_test.go 2026-04-02 23:53:57.000000000 +0200 +++ new/melange-0.49.0/pkg/config/config_test.go 2026-04-11 04:29:31.000000000 +0200 @@ -1504,8 +1504,8 @@ memory: 8Gi `, expectResources: &Resources{ - CPU: "", - Memory: "", + CPU: "2", + Memory: "4Gi", }, expectTestResources: &Resources{ CPU: "4", @@ -1540,8 +1540,8 @@ epoch: 0 `, expectResources: &Resources{ - CPU: "", - Memory: "", + CPU: "2", + Memory: "4Gi", }, expectTestResources: nil, expectParseError: false, @@ -1585,8 +1585,8 @@ memory: 8Gi `, expectResources: &Resources{ - CPU: "", - Memory: "", + CPU: "2", + Memory: "4Gi", }, expectTestResources: &Resources{ CPU: "4", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.48.2/pkg/container/qemu_runner.go new/melange-0.49.0/pkg/container/qemu_runner.go --- old/melange-0.48.2/pkg/container/qemu_runner.go 2026-04-02 23:53:57.000000000 +0200 +++ new/melange-0.49.0/pkg/container/qemu_runner.go 2026-04-11 04:29:31.000000000 +0200 @@ -697,8 +697,13 @@ baseargs = append(baseargs, "-m", fmt.Sprintf("%dk", mem)) } - // default to use all CPUs, if a cpu limit is set, respect it. + // default to use all CPUs, if a cgroup or config limit is set, respect it. + // In a container (e.g. Kubernetes pod), runtime.NumCPU() returns the host's + // total CPUs, not the pod's allocation. Check cgroup limits first. nproc := runtime.NumCPU() + if cgroupCPU := getCgroupCPULimitCores(); cgroupCPU > 0 && cgroupCPU < nproc { + nproc = cgroupCPU + } if cfg.CPU != "" { cpu, err := strconv.Atoi(cfg.CPU) if err == nil && nproc > cpu { @@ -1760,6 +1765,39 @@ return num * multiplier / 1024, nil } +// getCgroupCPULimitCores reads the cgroup CPU quota for the current process and +// returns the number of whole CPU cores available. It checks cgroup v2 first, +// then falls back to cgroup v1. Returns 0 if no cgroup limit is found. +func getCgroupCPULimitCores() int { + // cgroup v2: /sys/fs/cgroup/cpu.max (format: "quota period" e.g. "1000000 100000") + if data, err := os.ReadFile("/sys/fs/cgroup/cpu.max"); err == nil { + s := strings.TrimSpace(string(data)) + if !strings.HasPrefix(s, "max") { + parts := strings.Fields(s) + if len(parts) == 2 { + quota, err1 := strconv.ParseInt(parts[0], 10, 64) + period, err2 := strconv.ParseInt(parts[1], 10, 64) + if err1 == nil && err2 == nil && period > 0 && quota > 0 { + return max(int(quota/period), 1) + } + } + } + } + + // cgroup v1: cpu.cfs_quota_us / cpu.cfs_period_us + quotaData, err1 := os.ReadFile("/sys/fs/cgroup/cpu/cpu.cfs_quota_us") + periodData, err2 := os.ReadFile("/sys/fs/cgroup/cpu/cpu.cfs_period_us") + if err1 == nil && err2 == nil { + quota, err1 := strconv.ParseInt(strings.TrimSpace(string(quotaData)), 10, 64) + period, err2 := strconv.ParseInt(strings.TrimSpace(string(periodData)), 10, 64) + if err1 == nil && err2 == nil && period > 0 && quota > 0 { + return max(int(quota/period), 1) + } + } + + return 0 +} + // getCgroupMemoryLimitKB reads the cgroup memory limit for the current process. // It checks cgroup v2 first, then falls back to cgroup v1. Returns 0 if no // cgroup limit is found or the limit is effectively unlimited. ++++++ melange.obsinfo ++++++ --- /var/tmp/diff_new_pack.F2e2ji/_old 2026-04-13 23:20:01.730952302 +0200 +++ /var/tmp/diff_new_pack.F2e2ji/_new 2026-04-13 23:20:01.742952797 +0200 @@ -1,5 +1,5 @@ name: melange -version: 0.48.2 -mtime: 1775166837 -commit: 64499184a8b0b78a9ab5f33b78d2e714bcc9e1c8 +version: 0.49.0 +mtime: 1775874571 +commit: 4121ddfd1c96ecefe8644566858072682828c1ac ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/melange/vendor.tar.gz /work/SRC/openSUSE:Factory/.melange.new.21863/vendor.tar.gz differ: char 13, line 1
