Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package melange for openSUSE:Factory checked in at 2026-06-11 17:27:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/melange (Old) and /work/SRC/openSUSE:Factory/.melange.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "melange"
Thu Jun 11 17:27:54 2026 rev:163 rq:1358636 version:0.53.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/melange/melange.changes 2026-06-08 14:27:11.421711613 +0200
+++ /work/SRC/openSUSE:Factory/.melange.new.1981/melange.changes 2026-06-11 17:29:31.231763704 +0200
@@ -1,0 +2,11 @@
+Thu Jun 11 04:59:07 UTC 2026 - Johannes Kastl <[email protected]>
+
+- Update to version 0.53.0:
+ * feat(qemu): add QEMU_NET_CIDR to override SLIRP internal
+ network (#2564)
+ * ci: remove stale wolfi-presubmit package matrix entries (#2566)
+ * chore(source): allow GitHub verified signatures (#2565)
+ * fix(renovate): bump git-checkout regardless of tag if there is
+ only one (#2562)
+
+-------------------------------------------------------------------
Old:
----
melange-0.52.1.obscpio
New:
----
melange-0.53.0.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ melange.spec ++++++
--- /var/tmp/diff_new_pack.sIBZ7v/_old 2026-06-11 17:29:32.423813692 +0200
+++ /var/tmp/diff_new_pack.sIBZ7v/_new 2026-06-11 17:29:32.427813860 +0200
@@ -17,7 +17,7 @@
 Name: melange
-Version: 0.52.1
+Version: 0.53.0
 Release: 0
 Summary: Build APKs from source code
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.sIBZ7v/_old 2026-06-11 17:29:32.467815538 +0200
+++ /var/tmp/diff_new_pack.sIBZ7v/_new 2026-06-11 17:29:32.475815873 +0200
@@ -3,7 +3,7 @@
 <param name="url">https://github.com/chainguard-dev/melange.git</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="revision">refs/tags/v0.52.1</param>
+ <param name="revision">refs/tags/v0.53.0</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="versionrewrite-pattern">v(.*)</param>
 <param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.sIBZ7v/_old 2026-06-11 17:29:32.499816879 +0200
+++ /var/tmp/diff_new_pack.sIBZ7v/_new 2026-06-11 17:29:32.507817215 +0200
@@ -3,6 +3,6 @@
 <param name="url">https://github.com/chainguard-dev/melange</param>
 <param name="changesrevision">3f6115b820985d70ca3c93cdf8519c1b3b4cfe81</param></service><service name="tar_scm">
 <param name="url">https://github.com/chainguard-dev/melange.git</param>
- <param name="changesrevision">920b26ee516cb4be0f71c0a74b1fa012ffe7587e</param></service></servicedata>
+ <param name="changesrevision">65ed1ab7cc749cfcb67188fca18c4eb326f33c31</param></service></servicedata>
(No newline at EOF)
++++++ melange-0.52.1.obscpio -> melange-0.53.0.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.52.1/.chainguard/source.yaml new/melange-0.53.0/.chainguard/source.yaml
--- old/melange-0.52.1/.chainguard/source.yaml 2026-06-05 19:52:08.000000000 +0200
+++ new/melange-0.53.0/.chainguard/source.yaml 2026-06-10 17:14:50.000000000 +0200
@@ -11,3 +11,6 @@
 - key:
 # allow commits signed by GitHub, e.g. the UI
 kms: https://github.com/web-flow.gpg
+ # Allow Github verified ssh, gpg, and smime signatures
+ github:
+ verified: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.52.1/pkg/container/qemu_runner.go new/melange-0.53.0/pkg/container/qemu_runner.go
--- old/melange-0.52.1/pkg/container/qemu_runner.go 2026-06-05 19:52:08.000000000 +0200
+++ new/melange-0.53.0/pkg/container/qemu_runner.go 2026-06-10 17:14:50.000000000 +0200
@@ -798,6 +798,22 @@
 baseargs = append(baseargs, serialArgs...)
 // use -netdev + -device instead of -nic, as this is better supported by microvm machine type
 netdevArgs := "user,id=id1,hostfwd=tcp:" + cfg.SSHAddress + "-:22,hostfwd=tcp:" + cfg.SSHControlAddress + "-:2223"
+ // QEMU_NET_CIDR overrides SLIRP's default internal network (10.0.2.0/24).
+ // This is necessary when the host needs to reach VPC-internal addresses
+ // that fall within the 10.0.0.0/8 range, since SLIRP treats its default
+ // network as part of its own NAT space and may not correctly forward
+ // connections to other 10.x.x.x addresses on the host's network.
+ // The value must be a valid IPv4 CIDR. SLIRP automatically assigns the
+ // gateway, DNS, and DHCP range based on the supplied network.
+ // Example: QEMU_NET_CIDR="192.168.76.0/24"
+ if netCIDR, ok := os.LookupEnv("QEMU_NET_CIDR"); ok {
+ cidr, err := parseAndValidateNetCIDR(netCIDR)
+ if err != nil {
+ return fmt.Errorf("invalid QEMU_NET_CIDR value %q: %w", netCIDR, err)
+ }
+ log.Infof("qemu: QEMU_NET_CIDR set to %s, overriding SLIRP default network", cidr)
+ netdevArgs += ",net=" + cidr
+ }
 // QEMU_DNS_SEARCH allows configuring DNS search domains inside the guest VM.
 // This is useful for builds that need to resolve short hostnames via search
 // domains, or when the build environment requires specific DNS resolution
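Review bot: The comment added above `github:` / `verified: true` in .chainguard/source.yaml names the signature types (ssh, gpg, smime) but not whose signatures the rule accepts. If it admits any commit GitHub marks as verified (its exact semantics are not visible in this hunk), it shows that a signature exists, not that the signer is a maintainer, so authorisation still depends on branch protection and review. I would say so in the comment, e.g. `# Accept any commit GitHub marks verified (ssh, gpg, smime); signer identity is not restricted here`, and spell the name `GitHub` as the context line above does. The enclosing mapping starts outside the hunk and its indentation is not recoverable from this page.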
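Review bot: In the qemu_runner.go hunk, `os.LookupEnv("QEMU_NET_CIDR")` reports `ok` for a variable that is set but empty, so an exported-but-blank value (for example from a CI template) aborts the run with "empty CIDR" instead of keeping the SLIRP default. If that is not intended, `if netCIDR := os.Getenv("QEMU_NET_CIDR"); netCIDR != "" {` treats empty as unset; otherwise the comment block should state that an empty value is an error. Appending the validator's return value rather than the raw variable is worth a short why-comment, since that is what keeps extra `,key=value` options out of the netdev string. The enclosing function starts and ends outside the hunk.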
@@ -2543,6 +2559,36 @@
 return domains, nil
 }
+// parseAndValidateNetCIDR validates an IPv4 CIDR string for use as the SLIRP
+// internal network. The CIDR must be a valid IPv4 network with a prefix length
+// between 8 and 30 (SLIRP requires at least 4 usable addresses). The input is
+// returned unchanged on success so it can be passed directly to SLIRP.
+func parseAndValidateNetCIDR(input string) (string, error) {
+ input = strings.TrimSpace(input)
+ if input == "" {
+ return "", fmt.Errorf("empty CIDR")
+ }
+
+ ip, ipnet, err := net.ParseCIDR(input)
+ if err != nil {
+ return "", fmt.Errorf("parse CIDR: %w", err)
+ }
+
+ if ip.To4() == nil {
+ return "", fmt.Errorf("CIDR must be IPv4")
+ }
+
+ ones, bits := ipnet.Mask.Size()
+ if bits != 32 {
+ return "", fmt.Errorf("CIDR must be IPv4 (got %d-bit mask)", bits)
+ }
+ if ones < 8 || ones > 30 {
+ return "", fmt.Errorf("CIDR prefix length must be between 8 and 30 (got /%d)", ones)
+ }
+
+ return ipnet.String(), nil
+}
+
 // buildDNSSearchNetdevArgs constructs the QEMU netdev dnssearch options string.
 // Returns empty string if no domains provided.
 // Each domain produces a separate ",dnssearch=<domain>" option.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.52.1/pkg/container/qemu_runner_test.go new/melange-0.53.0/pkg/container/qemu_runner_test.go
--- old/melange-0.52.1/pkg/container/qemu_runner_test.go 2026-06-05 19:52:08.000000000 +0200
+++ new/melange-0.53.0/pkg/container/qemu_runner_test.go 2026-06-10 17:14:50.000000000 +0200
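Review bot: The doc comment on `parseAndValidateNetCIDR` says "The input is returned unchanged on success", but the function returns `ipnet.String()` after `strings.TrimSpace`, so whitespace is dropped and host bits are cleared (the accompanying test expects `192.168.76.5/24` to come back as `192.168.76.0/24`). That normalisation is what makes the value safe to append to the netdev string, so the comment should describe it, e.g. `// On success the canonical network form (host bits cleared) is returned, not the raw input.` The same comment justifies the upper bound with "at least 4 usable addresses", yet a /30 holds four addresses in total; either reword it or confirm against QEMU's user-mode networking that /29 and /30 still leave room for the gateway, DNS and DHCP addresses it assigns. The `bits != 32` branch is not reached by any case in the new test table, because `fd00::/64` is already rejected by `ip.To4()`; an IPv4-mapped input such as `::ffff:192.168.76.0/120` would probably exercise it.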
@@ -492,6 +492,90 @@
 }
 }
+func TestParseAndValidateNetCIDR(t *testing.T) {
+ tests := []struct {
+ name string
+ input string
+ expected string
+ wantErr bool
+ }{
+ {
+ name: "valid /24",
+ input: "192.168.76.0/24",
+ expected: "192.168.76.0/24",
+ },
+ {
+ name: "valid /16",
+ input: "192.168.0.0/16",
+ expected: "192.168.0.0/16",
+ },
+ {
+ name: "non-zero host bits normalized",
+ input: "192.168.76.5/24",
+ expected: "192.168.76.0/24",
+ },
+ {
+ name: "whitespace trimmed",
+ input: " 192.168.76.0/24 ",
+ expected: "192.168.76.0/24",
+ },
+ {
+ name: "empty",
+ input: "",
+ wantErr: true,
+ },
+ {
+ name: "not a CIDR",
+ input: "192.168.76.0",
+ wantErr: true,
+ },
+ {
+ name: "garbage",
+ input: "not-a-cidr",
+ wantErr: true,
+ },
+ {
+ name: "IPv6",
+ input: "fd00::/64",
+ wantErr: true,
+ },
+ {
+ name: "prefix too short",
+ input: "10.0.0.0/7",
+ wantErr: true,
+ },
+ {
+ name: "prefix too long",
+ input: "192.168.76.0/31",
+ wantErr: true,
+ },
+ {
+ name: "injection via comma",
+ input: "192.168.76.0/24,dnssearch=evil.com",
+ wantErr: true,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ result, err := parseAndValidateNetCIDR(tt.input)
+ if tt.wantErr {
+ if err == nil {
+ t.Errorf("parseAndValidateNetCIDR(%q) expected error, got nil with result %q", tt.input, result)
+ }
+ return
+ }
+ if err != nil {
+ t.Errorf("parseAndValidateNetCIDR(%q) unexpected error: %v", tt.input, err)
+ return
+ }
+ if result != tt.expected {
+ t.Errorf("parseAndValidateNetCIDR(%q) = %q, expected %q", tt.input, result, tt.expected)
+ }
+ })
+ }
+}
+
 func TestGetPackageCacheSuffix(t *testing.T) {
 tests := []struct {
 name string
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.52.1/pkg/renovate/bump/bump.go new/melange-0.53.0/pkg/renovate/bump/bump.go
--- old/melange-0.52.1/pkg/renovate/bump/bump.go 2026-06-05 19:52:08.000000000 +0200
+++ new/melange-0.53.0/pkg/renovate/bump/bump.go 2026-06-10 17:14:50.000000000 +0200
@@ -149,8 +149,23 @@
 RecurseNodes().
 Filter(yit.WithMapValue("git-checkout"))
+ var gitCheckoutNodes []*yaml.Node
 for gitCheckoutNode, ok := it(); ok; gitCheckoutNode, ok = it() {
- if err := updateGitCheckout(ctx, rc.Configuration, gitCheckoutNode, bcfg.ExpectedCommit); err != nil {
+ gitCheckoutNodes = append(gitCheckoutNodes, gitCheckoutNode)
+ }
+
+ for _, gitCheckoutNode := range gitCheckoutNodes {
+ // When there are multiple git-checkout nodes, only bump the ones
+ // whose tag is derived from package.version. With a single
+ // git-checkout node, always bump it regardless of its tag.
+ if versioned, err := gitCheckoutDependsOnVersion(rc.Configuration, gitCheckoutNode); err != nil {
+ return err
+ } else if len(gitCheckoutNodes) > 1 && !versioned {
+ log.Infof("Skipping git-checkout node as tag is not derived from package.version")
+ continue
+ }
+
+ if err := updateGitCheckout(ctx, gitCheckoutNode, bcfg.ExpectedCommit); err != nil {
 return err
 }
 }
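Review bot: Nothing is logged in the new loop when a lone git-checkout node is bumped although its tag is not derived from package.version, and the existing skip message does not say which node it refers to. The single-node path now passes a checkout to `updateGitCheckout` with `bcfg.ExpectedCommit` that the previous code left alone, so whoever reviews the resulting bump has no trace that the version check was overridden. Adding a branch such as `else if !versioned { log.Infof("bumping sole git-checkout node although tag is not derived from package.version") }` would make that visible, and including the node's repository or tag value in both messages would help when several nodes are present. The enclosing function starts and ends outside the hunk.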
@@ -220,8 +235,27 @@
 return nil
 }
+// gitCheckoutDependsOnVersion reports whether a "git-checkout" pipeline node's
+// tag is derived from package.version. If there is no tag (e.g. a branch-only
+// checkout), it returns true since branches are often built from main and
+// should not be skipped.
+func gitCheckoutDependsOnVersion(cfg *config.Configuration, node *yaml.Node) (bool, error) {
+ withNode, err := renovate.NodeFromMapping(node, "with")
+ if err != nil {
+ return false, err
+ }
+
+ // If a tag is present, check whether it contains a version substitution.
+ tag, tagErr := renovate.NodeFromMapping(withNode, "tag")
+ if tagErr == nil {
+ return dependsOnVersion(tag.Value, cfg), nil
+ }
+
+ return true, nil
+}
+
 // updateGitCheckout takes a "git-checkout" pipeline node and updates the parameters of it.
-func updateGitCheckout(ctx context.Context, cfg *config.Configuration, node *yaml.Node, expectedGitSha string) error {
+func updateGitCheckout(ctx context.Context, node *yaml.Node, expectedGitSha string) error {
 log := clog.FromContext(ctx)
 withNode, err := renovate.NodeFromMapping(node, "with")
@@ -229,16 +263,6 @@
 return err
 }
- // If a tag is present, check it contains a version substitution.
- // If it doesn't depend on package.version, skip updating.
- // If there is no tag (e.g. branch-only checkout), always update since
- // branches are often built from main and should not be skipped.
- tag, tagErr := renovate.NodeFromMapping(withNode, "tag")
- if tagErr == nil && !dependsOnVersion(tag.Value, cfg) {
- log.Infof("Skipping git-checkout node as tag is not derived from package.version")
- return nil
- }
-
 log.Infof("processing git-checkout node")
 if expectedGitSha != "" {
++++++ melange.obsinfo ++++++
--- /var/tmp/diff_new_pack.sIBZ7v/_old 2026-06-11 17:29:34.407896900 +0200
+++ /var/tmp/diff_new_pack.sIBZ7v/_new 2026-06-11 17:29:34.415897236 +0200
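Review bot: `gitCheckoutDependsOnVersion` treats every error from `renovate.NodeFromMapping(withNode, "tag")` as "no tag" and returns `true`, so a failure other than a missing key would silently opt the node into being bumped. The error cases of `NodeFromMapping` are not visible on this page; if it can distinguish "not found", the function should return other errors instead of discarding `tagErr`. Otherwise state the assumption where the result is used, e.g. `// any lookup error is treated as "no tag"; the node is then bumped`. The doc comment should also mention that a missing `with` mapping is returned as an error rather than as `true`.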
@@ -1,5 +1,5 @@
 name: melange
-version: 0.52.1
-mtime: 1780681928
-commit: 920b26ee516cb4be0f71c0a74b1fa012ffe7587e
+version: 0.53.0
+mtime: 1781104490
+commit: 65ed1ab7cc749cfcb67188fca18c4eb326f33c31
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/melange/vendor.tar.gz /work/SRC/openSUSE:Factory/.melange.new.1981/vendor.tar.gz differ: char 133, line 3
