Merge remote-tracking branch 'origin/main' into feat/readonly-root

.devcontainer/Dockerfile

@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:9.33.1
+FROM ghcr.io/containerbase/devcontainer:9.33.9

.devcontainer/devcontainer.json

@@ -1,21 +1,21 @@
 {
   "name": "containerbase",
   "build": {
-    "dockerfile": "Dockerfile",
+    "dockerfile": "Dockerfile"
   },
   "customizations": {
     "vscode": {
       "settings": {
         "terminal.integrated.profiles.linux": {
           "bash": {
             "path": "bash",
-            "icon": "terminal-bash",
-          },
+            "icon": "terminal-bash"
+          }
         },
-        "terminal.integrated.defaultProfile.linux": "bash",
+        "terminal.integrated.defaultProfile.linux": "bash"
       },
-      "extensions": ["dbaeumer.vscode-eslint", "esbenp.prettier-vscode"],
-    },
+      "extensions": ["dbaeumer.vscode-eslint", "esbenp.prettier-vscode"]
+    }
   },
-  "postCreateCommand": "pnpm install",
+  "postCreateCommand": "pnpm install"
 }

.github/actions/setup-node/action.yml

@@ -18,7 +18,7 @@ runs:
       shell: bash
       run: |
         echo 'CACHE_KEY=node_modules-${{
-          hashFiles('.node-version', 'pnpm-lock.yaml')
+          hashFiles('.node-version', 'pnpm-lock.yaml', 'package.json')
         }}' >> "$GITHUB_ENV"
 
     - name: ♻️ Restore `node_modules`
@@ -37,7 +37,7 @@ runs:
         }}' >> "$GITHUB_ENV"
 
     - name: ⚙️ Setup Node.js
-      uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version-file: .node-version
         cache: ${{ env.CACHE_HIT != 'true' && 'pnpm' || '' }}

.github/workflows/build-push.yml

@@ -8,13 +8,13 @@ on:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
-  cancel-in-progress: true
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
 
 permissions:
   contents: read
 
 env:
-  DRY_RUN: ${{ github.ref_name != 'main' }}
+  DRY_RUN: ${{ github.ref_name != github.event.repository.default_branch }}
   OWNER: ${{ github.repository_owner }}
   FILE: base
   BUILDKIT_PROGRESS: plain
@@ -43,7 +43,7 @@ jobs:
 
     steps:
       - name: docker-config
-        uses: containerbase/internal-tools@a12a7d23492f0805ce2237f46c9b69d9c3ba5f01 # v3.0.54
+        uses: containerbase/internal-tools@2951ced35dd6127673e4e2cf937416460a317f3b # v3.0.57
         with:
           command: docker-config
 
@@ -52,6 +52,7 @@ jobs:
         with:
           fetch-depth: 0
           show-progress: false
+          filter: blob:none # we don't need all blobs
 
       - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
@@ -64,7 +65,7 @@ jobs:
         uses: ./.github/actions/setup-node
 
       - name: Docker registry login
-        if: github.ref_name == 'main'
+        if: github.ref_name == github.event.repository.default_branch
         run: |
           echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
           echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin

.github/workflows/build.yml

@@ -216,7 +216,7 @@ jobs:
 
     steps:
       - name: docker-config
-        uses: containerbase/internal-tools@a12a7d23492f0805ce2237f46c9b69d9c3ba5f01 # v3.0.54
+        uses: containerbase/internal-tools@2951ced35dd6127673e4e2cf937416460a317f3b # v3.0.57
         with:
           command: docker-config
 

.github/workflows/devcontainer.yml

@@ -1,9 +1,5 @@
 name: devcontainer
 on:
-  push:
-    branches:
-      - '**'
-      - '!main'
   pull_request:
     branches:
       - main
@@ -19,7 +15,7 @@ permissions:
 jobs:
   devcontainer-test:
     runs-on: ubuntu-latest
-    if: github.event_name != 'pull_request' || (github.repository_owner != github.event.pull_request.head.repo.owner.login && github.event.pull_request.draft != true)
+    if: github.event.pull_request.draft != true
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.node-version

@@ -1 +1 @@
-20.10.0
+20.11.0

docker-bake.hcl

@@ -31,10 +31,6 @@ group "default" {
   targets = ["build-docker"]
 }
 
-group "push" {
-  targets = ["push-ghcr", "push-hub", "push-cache"]
-}
-
 group "test" {
   targets = ["build-test", "build-arm64"]
 }
@@ -52,27 +48,13 @@ target "settings" {
     CONTAINERBASE_VERSION = "${CONTAINERBASE_VERSION}"
     GITHUB_TOKEN          = "${GITHUB_TOKEN}"
   }
-}
-
-target "cache" {
   cache-from = [
     "type=registry,ref=ghcr.io/${OWNER}/cache:${FILE}",
-    "type=registry,ref=ghcr.io/${OWNER}/cache:${FILE}-${TAG}",
-  ]
-}
-
-target "push-cache" {
-  inherits = ["settings", "cache"]
-  output   = ["type=registry"]
-  tags = [
-    "ghcr.io/${OWNER}/cache:${FILE}-${TAG}",
-    "ghcr.io/${OWNER}/cache:${FILE}",
   ]
-  cache-to = ["type=inline,mode=max"]
 }
 
 target "build" {
-  inherits = ["settings", "cache"]
+  inherits = ["settings"]
   tags = [
     "ghcr.io/${OWNER}/${FILE}",
     "ghcr.io/${OWNER}/${FILE}:${TAG}",
@@ -82,7 +64,7 @@ target "build" {
 }
 
 target "build-docker" {
-  inherits = ["settings", "cache"]
+  inherits = ["settings"]
   output   = ["type=docker"]
   tags = [
     "ghcr.io/${OWNER}/${FILE}",
@@ -109,15 +91,14 @@ target "build-arm64" {
   dockerfile = "./test/${TAG}/Dockerfile.arm64"
 }
 
-target "push-ghcr" {
-  inherits = ["settings", "cache"]
-  output   = ["type=registry"]
-  tags     = ["ghcr.io/${OWNER}/${FILE}", "ghcr.io/${OWNER}/${FILE}:${TAG}", ]
-}
-
-target "push-hub" {
-  inherits = ["settings", "cache"]
+target "push" {
+  inherits = ["settings"]
   output   = ["type=registry"]
-  tags     = ["${OWNER}/${FILE}", "${OWNER}/${FILE}:${TAG}"]
+  cache-to = ["type=registry,ref=ghcr.io/${OWNER}/cache:${FILE},mode=max,image-manifest=true,ignore-error=true"]
+  tags     = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+     "${OWNER}/${FILE}",
+     "${OWNER}/${FILE}:${TAG}",
+  ]
 }
-

package.json

@@ -35,7 +35,7 @@
     "bats-support": "0.3.0",
     "esbuild": "0.20.0",
     "tsconfig-paths": "4.2.0",
-    "vite": "5.0.12"
+    "vite": "5.1.1"
   },
   "dependencies": {
     "@sindresorhus/is": "6.1.0",
@@ -45,32 +45,32 @@
     "del": "7.1.0",
     "execa": "8.0.1",
     "global-agent": "3.0.0",
-    "got": "14.1.0",
+    "got": "14.2.0",
     "inversify": "6.0.2",
     "pino": "8.18.0",
     "pino-pretty": "10.3.1",
     "pretty-ms": "9.0.0",
     "reflect-metadata": "0.2.1",
-    "semver": "7.5.4",
+    "semver": "7.6.0",
     "simple-git": "3.22.0",
     "tar": "6.2.0",
     "typanion": "3.14.0"
   },
   "devDependencies": {
     "@semantic-release/exec": "6.0.3",
     "@tsconfig/node20": "20.1.2",
-    "@tsconfig/strictest": "2.0.2",
+    "@tsconfig/strictest": "2.0.3",
     "@types/common-tags": "1.8.4",
     "@types/global-agent": "2.1.3",
-    "@types/node": "20.11.16",
+    "@types/node": "20.11.17",
     "@types/semver": "7.5.6",
     "@types/shelljs": "0.8.15",
     "@types/tar": "6.1.11",
-    "@typescript-eslint/eslint-plugin": "6.20.0",
-    "@typescript-eslint/parser": "6.20.0",
+    "@typescript-eslint/eslint-plugin": "6.21.0",
+    "@typescript-eslint/parser": "6.21.0",
     "@vitest/coverage-v8": "1.2.2",
     "@vitest/ui": "1.2.2",
-    "@yao-pkg/pkg": "5.11.1",
+    "@yao-pkg/pkg": "5.11.2",
     "bats": "1.10.0",
     "bats-assert": "2.0.0",
     "bats-support": "0.3.0",
@@ -87,19 +87,19 @@
     "eslint-plugin-jest-formatting": "3.1.0",
     "eslint-plugin-promise": "6.1.1",
     "eslint-plugin-typescript-enum": "2.1.0",
-    "eslint-plugin-vitest": "0.3.21",
+    "eslint-plugin-vitest": "0.3.22",
     "husky": "9.0.10",
-    "lint-staged": "15.2.1",
+    "lint-staged": "15.2.2",
     "nock": "13.5.1",
     "npm-run-all2": "6.1.2",
-    "prettier": "3.2.4",
+    "prettier": "3.2.5",
     "prettier-plugin-packagejson": "2.4.10",
-    "semantic-release": "23.0.0",
+    "semantic-release": "23.0.2",
     "shelljs": "0.8.5",
-    "tsx": "4.7.0",
+    "tsx": "4.7.1",
     "type-fest": "4.10.2",
     "typescript": "5.3.3",
-    "vite": "5.0.12",
+    "vite": "5.1.1",
     "vite-tsconfig-paths": "4.3.1",
     "vitest": "1.2.2",
     "vitest-github-actions-reporter": "0.11.1"
@@ -111,8 +111,10 @@
   },
   "pnpm": {
     "patchedDependencies": {
-      "[email protected]": "patches/[email protected]"
+      "[email protected]": "patches/[email protected]",
+      "@yao-pkg/[email protected]": "patches/@[email protected]"
     },
+    "allowNonAppliedPatches": true,
     "supportedArchitectures": {
       "os": [
         "linux",

patches/@yao-pkg__pkg@5.11.1.patch

@@ -0,0 +1,89 @@
+diff --git a/prelude/bootstrap.js b/prelude/bootstrap.js
+index 36aa2a4d1448fa33869181fe0a9ab5fd92abd0bd..809eeaee0943875745e1d82ae81c5bb427332b3d 100644
+--- a/prelude/bootstrap.js
++++ b/prelude/bootstrap.js
+@@ -2113,7 +2113,7 @@ function payloadFileSync(pointer) {
+     modifyLong(args, 0);
+     return ancestor.execSync.apply(childProcess, args);
+   };
+-})();
++}); // fix: disable child_process patch ();
+
+ // /////////////////////////////////////////////////////////////////
+ // PROMISIFY ///////////////////////////////////////////////////////
+@@ -2147,40 +2147,41 @@ function payloadFileSync(pointer) {
+   // /////////////////////////////////////////////////////////////
+   // CHILD_PROCESS ///////////////////////////////////////////////
+   // /////////////////////////////////////////////////////////////
+-
+-  const customPromiseExecFunction =
+-    (o) =>
+-    (...args) => {
+-      let resolve;
+-      let reject;
+-      const p = new Promise((res, rej) => {
+-        resolve = res;
+-        reject = rej;
+-      });
+-
+-      p.child = o.apply(
+-        undefined,
+-        args.concat((error, stdout, stderr) => {
+-          if (error !== null) {
+-            error.stdout = stdout;
+-            error.stderr = stderr;
+-            reject(error);
+-          } else {
+-            resolve({ stdout, stderr });
+-          }
+-        }),
+-      );
+-
+-      return p;
+-    };
+-
+-  Object.defineProperty(childProcess.exec, custom, {
+-    value: customPromiseExecFunction(childProcess.exec),
+-  });
+-
+-  Object.defineProperty(childProcess.execFile, custom, {
+-    value: customPromiseExecFunction(childProcess.execFile),
+-  });
++  
++  // fix: disable child_process patch
++  // const customPromiseExecFunction =
++  //   (o) =>
++  //   (...args) => {
++  //     let resolve;
++  //     let reject;
++  //     const p = new Promise((res, rej) => {
++  //       resolve = res;
++  //       reject = rej;
++  //     });
++
++  //     p.child = o.apply(
++  //       undefined,
++  //       args.concat((error, stdout, stderr) => {
++  //         if (error !== null) {
++  //           error.stdout = stdout;
++  //           error.stderr = stderr;
++  //           reject(error);
++  //         } else {
++  //           resolve({ stdout, stderr });
++  //         }
++  //       }),
++  //     );
++
++  //     return p;
++  //   };
++
++  // Object.defineProperty(childProcess.exec, custom, {
++  //   value: customPromiseExecFunction(childProcess.exec),
++  // });
++
++  // Object.defineProperty(childProcess.execFile, custom, {
++  //   value: customPromiseExecFunction(childProcess.execFile),
++  // });
+ })();
+
+ // /////////////////////////////////////////////////////////////////