Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package melange for openSUSE:Factory checked in at 2026-05-18 17:47:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/melange (Old) and /work/SRC/openSUSE:Factory/.melange.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "melange" Mon May 18 17:47:20 2026 rev:158 rq:1353662 version:0.50.7 Changes: -------- --- /work/SRC/openSUSE:Factory/melange/melange.changes 2026-05-11 17:08:08.579455104 +0200 +++ /work/SRC/openSUSE:Factory/.melange.new.1966/melange.changes 2026-05-18 17:47:53.327985375 +0200 @@ -1,0 +2,7 @@ +Mon May 18 05:15:55 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.50.7: + * build(deps): bump sigstore/cosign-installer (#2526) + * chore: Bump go to 1.26.2 (#2528) + +------------------------------------------------------------------- Old: ---- melange-0.50.6.obscpio New: ---- melange-0.50.7.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ melange.spec ++++++ --- /var/tmp/diff_new_pack.LSNBXF/_old 2026-05-18 17:47:54.256023724 +0200 +++ /var/tmp/diff_new_pack.LSNBXF/_new 2026-05-18 17:47:54.256023724 +0200 @@ -17,7 +17,7 @@ Name: melange -Version: 0.50.6 +Version: 0.50.7 Release: 0 Summary: Build APKs from source code License: Apache-2.0 @@ -26,7 +26,7 @@ Source1: vendor.tar.gz BuildRequires: bash-completion BuildRequires: fish -BuildRequires: go1.25 >= 1.25.6 +BuildRequires: go1.26 >= 1.26.2 BuildRequires: zsh %description ++++++ _service ++++++ --- /var/tmp/diff_new_pack.LSNBXF/_old 2026-05-18 17:47:54.292025211 +0200 +++ /var/tmp/diff_new_pack.LSNBXF/_new 2026-05-18 17:47:54.304025707 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/melange.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">refs/tags/v0.50.6</param> + <param name="revision">refs/tags/v0.50.7</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.LSNBXF/_old 2026-05-18 17:47:54.336027030 +0200 +++ /var/tmp/diff_new_pack.LSNBXF/_new 2026-05-18 17:47:54.344027360 +0200 @@ -3,6 +3,6 @@ <param name="url">https://github.com/chainguard-dev/melange</param> <param name="changesrevision">3f6115b820985d70ca3c93cdf8519c1b3b4cfe81</param></service><service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/melange.git</param> - <param name="changesrevision">02f6591a691807e561bb77cfda160a902ff8aa50</param></service></servicedata> + <param name="changesrevision">b91021631829858a5302466dce6f84288b45f335</param></service></servicedata> (No newline at EOF) ++++++ melange-0.50.6.obscpio -> melange-0.50.7.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.6/Makefile new/melange-0.50.7/Makefile --- old/melange-0.50.6/Makefile 2026-05-08 01:57:51.000000000 +0200 +++ new/melange-0.50.7/Makefile 2026-05-13 21:14:58.000000000 +0200 @@ -118,7 +118,7 @@ setup-golangci-lint: rm -f $(GOLANGCI_LINT_BIN) || : set -e ; - GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/v2/cmd/[email protected]; + GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/v2/cmd/[email protected]; .PHONY: fmt fmt: ## Format all go files diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.6/docs/cmd/pipeline-reference-gen/main.go new/melange-0.50.7/docs/cmd/pipeline-reference-gen/main.go --- old/melange-0.50.6/docs/cmd/pipeline-reference-gen/main.go 2026-05-08 01:57:51.000000000 +0200 +++ new/melange-0.50.7/docs/cmd/pipeline-reference-gen/main.go 2026-05-13 21:14:58.000000000 +0200 @@ -127,7 +127,7 @@ // File doesn't exist, write as-is. if os.IsNotExist(err) { - // #nosec G306 - Documentation file should be world-readable + // #nosec G306,G703 - Documentation file should be world-readable; path derived from pipeline-dir flag walked by filepath.Walk return os.WriteFile(path, out.Bytes(), 0o644) } @@ -139,6 +139,6 @@ // Append to the end content = append(content, out.Bytes()...) fmt.Println("Wrote", path) - // #nosec G306 - Documentation file should be world-readable + // #nosec G306,G703 - Documentation file should be world-readable; path derived from pipeline-dir flag walked by filepath.Walk return os.WriteFile(path, content, 0o644) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.6/go.mod new/melange-0.50.7/go.mod --- old/melange-0.50.6/go.mod 2026-05-08 01:57:51.000000000 +0200 +++ new/melange-0.50.7/go.mod 2026-05-13 21:14:58.000000000 +0200 @@ -1,6 +1,6 @@ module chainguard.dev/melange -go 1.25.7 +go 1.26.2 require ( chainguard.dev/apko v1.2.9 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.6/pkg/build/compiler_config.go new/melange-0.50.7/pkg/build/compiler_config.go --- old/melange-0.50.6/pkg/build/compiler_config.go 2026-05-08 01:57:51.000000000 +0200 +++ new/melange-0.50.7/pkg/build/compiler_config.go 2026-05-13 21:14:58.000000000 +0200 @@ -62,7 +62,7 @@ func createClangConfigFile(outputPath string, includePaths ...string) error { var content strings.Builder for _, includePath := range includePaths { - content.WriteString(fmt.Sprintf("@%s\n", includePath)) + fmt.Fprintf(&content, "@%s\n", includePath) } // #nosec G306 -- clang config files should be world-readable diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.6/pkg/container/qemu_runner.go new/melange-0.50.7/pkg/container/qemu_runner.go --- old/melange-0.50.6/pkg/container/qemu_runner.go 2026-05-08 01:57:51.000000000 +0200 +++ new/melange-0.50.7/pkg/container/qemu_runner.go 2026-05-13 21:14:58.000000000 +0200 @@ -1671,7 +1671,7 @@ func getUserSSHKey(ctx context.Context) ([]byte, error) { socket := os.Getenv("SSH_AUTH_SOCK") - conn, err := net.Dial("unix", socket) + conn, err := net.Dial("unix", socket) // #nosec G704 - connecting to user's SSH agent socket from SSH_AUTH_SOCK is intentional if err != nil { clog.FromContext(ctx).Warnf("Failed to open SSH_AUTH_SOCK: %v, falling back to key search", err) currentUser, err := user.Current() @@ -2275,7 +2275,7 @@ // Check for prebuilt initramfs via environment variable if prebuiltPath := os.Getenv("QEMU_BASE_INITRAMFS"); prebuiltPath != "" { // Validate file exists and is readable - if _, err := os.Stat(prebuiltPath); err != nil { + if _, err := os.Stat(prebuiltPath); err != nil { // #nosec G304,G703 - prebuilt initramfs path is intentionally user-configurable via env var return "", fmt.Errorf("QEMU_BASE_INITRAMFS file not accessible: %w", err) } clog.FromContext(ctx).Infof("qemu: using prebuilt base initramfs from QEMU_BASE_INITRAMFS: %s", prebuiltPath) @@ -2412,7 +2412,7 @@ // cpioContainsPath reports whether target exists as a record name in the CPIO // archive at cpioFile. CPIO record names are stored without a leading slash. func cpioContainsPath(cpioFile, target string) (bool, error) { - f, err := os.Open(cpioFile) + f, err := os.Open(cpioFile) // #nosec G304,G703 - cpio path is internally computed/cached, not user-supplied if err != nil { return false, err } @@ -2444,10 +2444,10 @@ sidecar := cpioFile + ".observability" // Use the cached result when the sidecar is at least as new as the CPIO. - cpioInfo, cpioErr := os.Stat(cpioFile) - sidecarInfo, sidecarErr := os.Stat(sidecar) + cpioInfo, cpioErr := os.Stat(cpioFile) // #nosec G304,G703 - cpio path is internally computed/cached + sidecarInfo, sidecarErr := os.Stat(sidecar) // #nosec G304,G703 - sidecar path is derived from cpioFile if cpioErr == nil && sidecarErr == nil && !sidecarInfo.ModTime().Before(cpioInfo.ModTime()) { - data, err := os.ReadFile(sidecar) + data, err := os.ReadFile(sidecar) // #nosec G304,G703 - sidecar path is derived from cpioFile if err == nil { return strings.TrimSpace(string(data)) == "true" } @@ -2465,7 +2465,7 @@ if present { val = "true" } - if err := os.WriteFile(sidecar, []byte(val+"\n"), 0o600); err != nil { + if err := os.WriteFile(sidecar, []byte(val+"\n"), 0o600); err != nil { // #nosec G304,G703 - sidecar path is derived from cpioFile clog.FromContext(ctx).Debugf("qemu: could not write observability sidecar: %v", err) } return present @@ -2602,7 +2602,7 @@ } }() - baseFile, err := os.Open(baseInitramfs) // #nosec G304 - Reading base initramfs from cache + baseFile, err := os.Open(baseInitramfs) // #nosec G304,G703 - Reading base initramfs from cache or env-configured path if err != nil { return "", fmt.Errorf("failed to open base initramfs: %w", err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.6/pkg/http/http.go new/melange-0.50.7/pkg/http/http.go --- old/melange-0.50.6/pkg/http/http.go 2026-05-08 01:57:51.000000000 +0200 +++ new/melange-0.50.7/pkg/http/http.go 2026-05-13 21:14:58.000000000 +0200 @@ -26,7 +26,7 @@ return nil, err } } - resp, err := c.Client.Do(req) + resp, err := c.Client.Do(req) // #nosec G107,G704 - URLs come from build configuration, not untrusted runtime input if err != nil { return nil, err } ++++++ melange.obsinfo ++++++ --- /var/tmp/diff_new_pack.LSNBXF/_old 2026-05-18 17:47:57.392153315 +0200 +++ /var/tmp/diff_new_pack.LSNBXF/_new 2026-05-18 17:47:57.420154472 +0200 @@ -1,5 +1,5 @@ name: melange -version: 0.50.6 -mtime: 1778198271 -commit: 02f6591a691807e561bb77cfda160a902ff8aa50 +version: 0.50.7 +mtime: 1778699698 +commit: b91021631829858a5302466dce6f84288b45f335 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/melange/vendor.tar.gz /work/SRC/openSUSE:Factory/.melange.new.1966/vendor.tar.gz differ: char 13, line 1
