Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package melange for openSUSE:Factory checked in at 2026-06-08 14:21:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/melange (Old) and /work/SRC/openSUSE:Factory/.melange.new.2375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "melange" Mon Jun 8 14:21:38 2026 rev:162 rq:1357830 version:0.52.1 Changes: -------- --- /work/SRC/openSUSE:Factory/melange/melange.changes 2026-06-02 16:09:08.858902414 +0200 +++ /work/SRC/openSUSE:Factory/.melange.new.2375/melange.changes 2026-06-08 14:27:11.421711613 +0200 @@ -1,0 +2,11 @@ +Mon Jun 08 04:47:50 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.52.1: + * build(deps): bump actions/checkout in the actions group (#2560) + * chore(pipelines/xcover): add scope parameter (#2558) + * build(deps): bump the actions group across 1 directory with 4 + updates (#2554) + * git-checkout: guard branch+expected-commit against + stale/diverged commits (#2555) + +------------------------------------------------------------------- Old: ---- melange-0.51.0.obscpio melange-0.52.0.obscpio New: ---- melange-0.52.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ melange.spec ++++++ --- /var/tmp/diff_new_pack.Lc9AC6/_old 2026-06-08 14:27:12.761767218 +0200 +++ /var/tmp/diff_new_pack.Lc9AC6/_new 2026-06-08 14:27:12.765767384 +0200 @@ -17,7 +17,7 @@ Name: melange -Version: 0.52.0 +Version: 0.52.1 Release: 0 Summary: Build APKs from source code License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.Lc9AC6/_old 2026-06-08 14:27:12.825769873 +0200 +++ /var/tmp/diff_new_pack.Lc9AC6/_new 2026-06-08 14:27:12.829770039 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/chainguard-dev/melange.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">refs/tags/v0.52.0</param> + <param name="revision">refs/tags/v0.52.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.Lc9AC6/_old 2026-06-08 14:27:12.877772031 +0200 +++ /var/tmp/diff_new_pack.Lc9AC6/_new 2026-06-08 14:27:12.905773193 +0200 @@ -3,6 +3,6 @@ <param name="url">https://github.com/chainguard-dev/melange</param> <param name="changesrevision">3f6115b820985d70ca3c93cdf8519c1b3b4cfe81</param></service><service name="tar_scm"> <param name="url">https://github.com/chainguard-dev/melange.git</param> - <param name="changesrevision">80a0dd3ec39318ffe05598119238a323c5dee987</param></service></servicedata> + <param name="changesrevision">920b26ee516cb4be0f71c0a74b1fa012ffe7587e</param></service></servicedata> (No newline at EOF) ++++++ melange-0.51.0.obscpio -> melange-0.52.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.51.0/e2e-tests/git-checkout-build.yaml new/melange-0.52.1/e2e-tests/git-checkout-build.yaml --- old/melange-0.51.0/e2e-tests/git-checkout-build.yaml 2026-05-29 22:26:45.000000000 +0200 +++ new/melange-0.52.1/e2e-tests/git-checkout-build.yaml 2026-06-05 19:52:08.000000000 +0200 @@ -153,6 +153,113 @@ cd .. rm -R branch-old-expected + # expected-commit-is-branch-tip: when the expected-commit IS the current tip + # of the branch, the checkout succeeds (the branch is treated as an immutable + # release pointer). 4b1593d is the current tip of the 1.x branch. + # + # The flag is verification-only and must not change the clone depth. With no + # explicit depth, branch + expected-commit-is-branch-tip defaults to a shallow + # (depth 1) clone -- we only compare against the tip -- so 'git show HEAD^' + # must fail here. + - name: "branch tip with expected-commit-is-branch-tip" + working-directory: branch-tip-expected + uses: git-checkout + with: + repository: ${{vars.giturl}} + branch: 1.x + expected-commit: 4b1593d8d8038f8c0ce1e2c608c9dd89066a2a0f + expected-commit-is-branch-tip: true + + - name: "check branch tip with expected-commit-is-branch-tip" + working-directory: branch-tip-expected + runs: | + hash=$(git rev-parse --verify HEAD) + [ "$hash" = 4b1593d8d8038f8c0ce1e2c608c9dd89066a2a0f ] + if out=$(git show HEAD^ 2>&1); then + echo "FAIL: expected a shallow clone (depth 1) but 'git show HEAD^' succeeded" + echo "git show HEAD^ output: $out" + exit 1 + fi + cd .. + rm -R branch-tip-expected + + # ...with an explicit depth: -1 it must still produce a full clone (some + # builds need history), so 'git show HEAD^' must succeed. + - name: "branch tip with expected-commit-is-branch-tip, depth -1" + working-directory: branch-tip-full + uses: git-checkout + with: + repository: ${{vars.giturl}} + branch: 1.x + expected-commit: 4b1593d8d8038f8c0ce1e2c608c9dd89066a2a0f + expected-commit-is-branch-tip: true + depth: -1 + + - name: "check branch tip with expected-commit-is-branch-tip, depth -1" + working-directory: branch-tip-full + runs: | + hash=$(git rev-parse --verify HEAD) + [ "$hash" = 4b1593d8d8038f8c0ce1e2c608c9dd89066a2a0f ] + out=$(git show HEAD^ 2>&1) || { + echo "FAIL: expected a full clone (depth -1) but 'git show HEAD^' failed" + echo "git show HEAD^ output: $out" + exit 1 + } + cd .. + rm -R branch-tip-full + + # ...with an explicit finite depth it honors that depth: a depth-2 clone of + # 1.x has the tip and its parent but nothing beyond, so 'git show HEAD^' + # succeeds while 'git show HEAD~2' fails. + - name: "branch tip with expected-commit-is-branch-tip, partial depth" + working-directory: branch-tip-partial + uses: git-checkout + with: + repository: ${{vars.giturl}} + branch: 1.x + expected-commit: 4b1593d8d8038f8c0ce1e2c608c9dd89066a2a0f + expected-commit-is-branch-tip: true + depth: 2 + + - name: "check branch tip with expected-commit-is-branch-tip, partial depth" + working-directory: branch-tip-partial + runs: | + hash=$(git rev-parse --verify HEAD) + [ "$hash" = 4b1593d8d8038f8c0ce1e2c608c9dd89066a2a0f ] + out=$(git show HEAD^ 2>&1) || { + echo "FAIL: depth 2 should include HEAD^ but 'git show HEAD^' failed" + echo "git show HEAD^ output: $out" + exit 1 + } + if out=$(git show HEAD~2 2>&1); then + echo "FAIL: depth 2 should not include HEAD~2 but 'git show HEAD~2' succeeded" + echo "git show HEAD~2 output: $out" + exit 1 + fi + cd .. + rm -R branch-tip-partial + + # a specific commit with no branch and no tag (the shape used by packages + # that pin an upstream commit directly, e.g. eco-python-llvm-triton pinning + # an llvm-project commit). With depth: -1 the full history is present, so the + # ancestry-guarded reset to the (older, on-default-branch) commit succeeds. + # 0007b4c is an older commit on the fixture's default branch. + - name: "expected commit, no branch" + working-directory: commit-no-branch + uses: git-checkout + with: + repository: ${{vars.giturl}} + expected-commit: 0007b4cdf2358e7d9b0d774baf5cba9f862c023b + depth: -1 + + - name: "check expected commit, no branch" + working-directory: commit-no-branch + runs: | + hash=$(git rev-parse --verify HEAD) + [ "$hash" = 0007b4cdf2358e7d9b0d774baf5cba9f862c023b ] + cd .. + rm -R commit-no-branch + # for an annotated tag you can point to either the commit # or the tag object hash object - name: "annotated hash" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.51.0/e2e-tests/xcover-nopkg-test.yaml new/melange-0.52.1/e2e-tests/xcover-nopkg-test.yaml --- old/melange-0.51.0/e2e-tests/xcover-nopkg-test.yaml 2026-05-29 22:26:45.000000000 +0200 +++ new/melange-0.52.1/e2e-tests/xcover-nopkg-test.yaml 2026-06-05 19:52:08.000000000 +0200 @@ -7,7 +7,6 @@ capabilities: add: - CAP_SYS_ADMIN - - CAP_SYS_RESOURCE test: environment: @@ -19,6 +18,7 @@ - uses: xcover/profile with: executable-path: /usr/bin/crane + include-functions: ^github\\.com/google/go-containerregistry exclude-functions: ^runtime\\. - runs: | crane version || exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.51.0/e2e-tests/xcover-project-scope-nopkg-test.yaml new/melange-0.52.1/e2e-tests/xcover-project-scope-nopkg-test.yaml --- old/melange-0.51.0/e2e-tests/xcover-project-scope-nopkg-test.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/melange-0.52.1/e2e-tests/xcover-project-scope-nopkg-test.yaml 2026-06-05 19:52:08.000000000 +0200 @@ -0,0 +1,52 @@ +package: + name: crane + version: "0.20.3" + epoch: 3 + description: Tests the xcover project function scope on a Go binary + +capabilities: + add: + - CAP_SYS_ADMIN + +test: + environment: + contents: + packages: + - jq + - crane + pipeline: + - uses: xcover/profile + with: + executable-path: /usr/bin/crane + scope: project + - runs: | + crane version || exit 1 + crane --help + - runs: | + crane manifest chainguard/static | jq '.schemaVersion' | grep '2' || exit 1 + - runs: | + crane ls chainguard/static | grep -E 'latest|v[0-9]+.[0-9]+.[0-9]+' || exit 1 + - runs: | + crane digest chainguard/static:latest && echo "Image exists" || exit 1 + - runs: | + crane pull chainguard/static:latest static_latest.tar || exit 1 + [ -f static_latest.tar ] || exit 1 + - uses: xcover/stop + - runs: | + # Project scope must keep only crane's own Go module functions + # (github.com/google/go-containerregistry/...) plus root main.* funcs. + # Any Go stdlib or third-party dependency symbol means scope leaked, + # i.e. the pipeline did not actually apply scope=project. + mod="github.com/google/go-containerregistry" + jq -r '.funcs_traced[]' xcover-report.json > traced.txt + [ -s traced.txt ] || { echo "no functions traced"; exit 1; } + leaked=$(grep -vE "^(main\\.|${mod}[/.])" traced.txt || true) + if [ -n "$leaked" ]; then + echo "project scope leaked non-project functions:" + echo "$leaked" | head -20 + exit 1 + fi + echo "all $(wc -l < traced.txt) traced functions are project-scoped" + - uses: xcover/ensure + with: + min-coverage: 10 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.51.0/examples/test-xcover.yaml new/melange-0.52.1/examples/test-xcover.yaml --- old/melange-0.51.0/examples/test-xcover.yaml 2026-05-29 22:26:45.000000000 +0200 +++ new/melange-0.52.1/examples/test-xcover.yaml 2026-06-05 19:52:08.000000000 +0200 @@ -40,7 +40,6 @@ capabilities: add: - CAP_SYS_ADMIN - - CAP_SYS_RESOURCE test: environment: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.51.0/pkg/build/pipelines/README.md new/melange-0.52.1/pkg/build/pipelines/README.md --- old/melange-0.51.0/pkg/build/pipelines/README.md 2026-05-29 22:26:45.000000000 +0200 +++ new/melange-0.52.1/pkg/build/pipelines/README.md 2026-06-05 19:52:08.000000000 +0200 @@ -59,6 +59,7 @@ | depth | false | The depth to use when cloning. Use -1 to get full branch history. If 'branch' and 'expected-commit' are provided the default is -1. Otherwise, default is to use '1' (shallow clone). | unset | | destination | false | The path to check out the sources to. | . | | expected-commit | false | The expected commit hash | | +| expected-commit-is-branch-tip | false | When "true", require that expected-commit exactly matches the tip of the checked-out branch instead of allowing any older commit on the branch. Use this when a branch is used as an immutable release pointer (e.g. version-named release branches) so that a stale expected-commit -- for example after bumping the version but forgetting to update the commit -- fails loudly instead of silently checking out old code. Only valid together with 'branch'; mutually exclusive with 'tag'. | false | | initial-backoff | false | Initial backoff duration in seconds before first retry. | 2 | | max-backoff | false | Maximum backoff duration in seconds between retries. | 60 | | max-retries | false | Maximum number of retry attempts for git clone operation on failure. | 3 | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.51.0/pkg/build/pipelines/git-checkout.yaml new/melange-0.52.1/pkg/build/pipelines/git-checkout.yaml --- old/melange-0.51.0/pkg/build/pipelines/git-checkout.yaml 2026-05-29 22:26:45.000000000 +0200 +++ new/melange-0.52.1/pkg/build/pipelines/git-checkout.yaml 2026-06-05 19:52:08.000000000 +0200 @@ -30,6 +30,16 @@ expected-commit: description: | The expected commit hash + expected-commit-is-branch-tip: + description: | + When "true", require that expected-commit exactly matches the tip of + the checked-out branch instead of allowing any older commit on the + branch. Use this when a branch is used as an immutable release pointer + (e.g. version-named release branches) so that a stale expected-commit -- + for example after bumping the version but forgetting to update the + commit -- fails loudly instead of silently checking out old code. + Only valid together with 'branch'; mutually exclusive with 'tag'. + default: "false" recurse-submodules: description: | Indicates whether --recurse-submodules should be passed to git clone. @@ -232,11 +242,13 @@ local cherry_pick="$8" sparse_paths="$9" local max_retries="${10:-3}" initial_backoff="${11:-2}" max_backoff="${12:-60}" local shallow_submodules="${13:-false}" submodule_jobs="${14:-1}" + local expected_commit_is_branch_tip="${15:-false}" msg "repo='$repo' dest='$dest' depth='$depth' branch='$branch'" \ "tag='$tag' expcommit='$expcommit' recurse='$recurse'" \ "sparse_paths='$sparse_paths' max_retries='$max_retries'" \ "initial_backoff='$initial_backoff' max_backoff='$max_backoff'" \ - "shallow_submodules='$shallow_submodules' submodule_jobs='$submodule_jobs'" + "shallow_submodules='$shallow_submodules' submodule_jobs='$submodule_jobs'" \ + "expected_commit_is_branch_tip='$expected_commit_is_branch_tip'" case "$recurse" in true|false) :;; @@ -246,6 +258,11 @@ true|false) :;; *) fail "shallow_submodules must be true or false, not '$shallow_submodules'" esac + case "$expected_commit_is_branch_tip" in + true|false) :;; + *) fail "expected-commit-is-branch-tip must be true or false," \ + "not '$expected_commit_is_branch_tip'" + esac [ -n "$repo" ] || fail "repository not provided" @@ -255,6 +272,17 @@ fail "both branch ($branch) and tag ($tag) are specified." fi + if [ "$expected_commit_is_branch_tip" = "true" ]; then + [ -z "$tag" ] || + fail "expected-commit-is-branch-tip is only valid with" \ + "'branch', not 'tag'." + [ -n "$branch" ] || + fail "expected-commit-is-branch-tip requires 'branch' to be set." + [ -n "$expcommit" ] || + fail "expected-commit-is-branch-tip requires 'expected-commit'" \ + "to be set." + fi + [ -n "$expcommit" ] || msg "Warning: no expected-commit" @@ -271,10 +299,13 @@ if [ "$depth" = "unset" ]; then depth=1 - if [ -n "$branch" ] && [ -n "$expcommit" ]; then + if [ -n "$branch" ] && [ -n "$expcommit" ] && + [ "$expected_commit_is_branch_tip" = "false" ]; then # if we're just checking out a specific commit on a branch # then we need to get history, otherwise it will break # if the expected commit is not tip of the branch. + # (when expected-commit-is-branch-tip is set we only compare + # against the tip, so a shallow clone is sufficient.) depth=-1 fi fi @@ -323,10 +354,30 @@ if [ -z "$tag" ]; then foundcommit=$(git rev-parse --verify HEAD) if [ -n "$expcommit" ] && [ "$expcommit" != "$foundcommit" ]; then - if [ "$depth" = "-1" ]; then - msg "expected commit $expcommit on ${branch:-HEAD}," \ - "got $foundcommit, performing reset" - vr git reset --hard "$expcommit" + if [ "$expected_commit_is_branch_tip" = "true" ]; then + # the branch is being used as an immutable release + # pointer, so expected-commit must be its tip exactly. + fail "expected-commit $expcommit is not the tip of branch" \ + "${branch:-HEAD} ($foundcommit); the branch advanced" \ + "or the version was bumped without updating" \ + "expected-commit" + elif [ "$depth" = "-1" ]; then + # depth=-1 is a full clone, so $foundcommit (the branch + # tip) has its complete history present. Only reset to + # $expcommit if it is reachable from the tip; otherwise it + # belongs to a different/diverged branch and resetting + # would silently build stale code (e.g. the branch was + # bumped but expected-commit was not). + if git merge-base --is-ancestor "$expcommit" "$foundcommit"; then + msg "expected commit $expcommit on ${branch:-HEAD}," \ + "got $foundcommit, performing reset" + vr git reset --hard "$expcommit" + else + fail "expected commit $expcommit is not reachable from" \ + "${branch:-HEAD} (tip $foundcommit); the branch may" \ + "have diverged from the pinned commit -- update" \ + "expected-commit" + fi else fail "expected commit $expcommit on ${branch:-HEAD}," \ "got $foundcommit, set depth to -1 to attempt a reset" @@ -390,6 +441,7 @@ "${{inputs.sparse-paths}}" \ "${{inputs.max-retries}}" "${{inputs.initial-backoff}}" \ "${{inputs.max-backoff}}" \ - "${{inputs.shallow-submodules}}" "${{inputs.submodule-jobs}}" + "${{inputs.shallow-submodules}}" "${{inputs.submodule-jobs}}" \ + "${{inputs.expected-commit-is-branch-tip}}" rm -f "$cpickf" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.51.0/pkg/build/pipelines/xcover/README.md new/melange-0.52.1/pkg/build/pipelines/xcover/README.md --- old/melange-0.51.0/pkg/build/pipelines/xcover/README.md 2026-05-29 22:26:45.000000000 +0200 +++ new/melange-0.52.1/pkg/build/pipelines/xcover/README.md 2026-06-05 19:52:08.000000000 +0200 @@ -29,8 +29,10 @@ | ---- | -------- | ----------- | ------- | | exclude-functions | false | The function symbols to exclude from profiling as a regular expression. | | | executable-path | true | The path to the executable of the application to test. | | +| include-functions | false | The function symbols to include in profiling as a regular expression. When set, only matching symbols are profiled. | | | log-level | false | The log level of the xcover profile command. | info | | package | false | The xcover package | xcover | +| scope | false | The function scope to profile: "binary" (all functions) or "project" (project module only). The "project" scope is only supported by Go binaries and is a no-op for others. | project | | verbose | false | Enable verbosity of the xcover profile command. It prints out all the functions being traced real-time. | false | | wait-timeout | false | The maximum amount of time to wait for the xcover profiler to be ready for profiling, in seconds. | 60 | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.51.0/pkg/build/pipelines/xcover/profile.yaml new/melange-0.52.1/pkg/build/pipelines/xcover/profile.yaml --- old/melange-0.51.0/pkg/build/pipelines/xcover/profile.yaml 2026-05-29 22:26:45.000000000 +0200 +++ new/melange-0.52.1/pkg/build/pipelines/xcover/profile.yaml 2026-06-05 19:52:08.000000000 +0200 @@ -16,6 +16,13 @@ exclude-functions: description: The function symbols to exclude from profiling as a regular expression. required: false + include-functions: + description: The function symbols to include in profiling as a regular expression. When set, only matching symbols are profiled. + required: false + scope: + description: 'The function scope to profile: "binary" (all functions) or "project" (project module only). The "project" scope is only supported by Go binaries and is a no-op for others.' + required: false + default: project log-level: description: The log level of the xcover profile command. required: false @@ -35,7 +42,9 @@ # Run profile in background. xcover run \ --path ${{inputs.executable-path}} \ - --exclude ${{inputs.exclude-functions}} \ + --exclude=${{inputs.exclude-functions}} \ + --include=${{inputs.include-functions}} \ + --scope=${{inputs.scope}} \ --log-level=${{inputs.log-level}} \ --verbose=${{inputs.verbose}} \ --status \ ++++++ melange.obsinfo ++++++ --- /var/tmp/diff_new_pack.Lc9AC6/_old 2026-06-08 14:27:15.673888054 +0200 +++ /var/tmp/diff_new_pack.Lc9AC6/_new 2026-06-08 14:27:15.701889216 +0200 @@ -1,5 +1,5 @@ name: melange -version: 0.52.0 -mtime: 1780324686 -commit: 80a0dd3ec39318ffe05598119238a323c5dee987 +version: 0.52.1 +mtime: 1780681928 +commit: 920b26ee516cb4be0f71c0a74b1fa012ffe7587e ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/melange/vendor.tar.gz /work/SRC/openSUSE:Factory/.melange.new.2375/vendor.tar.gz differ: char 132, line 3
