From b80cfa3a6ce4293c6cda53ac6a6f4a0447a54743 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Fri, 13 Dec 2024 19:13:46 +0000
Subject: [PATCH 1/4] mattermost-10.2/10.2.1-r0: fix GHSA-v778-237x-gjrc
---
 mattermost-10.2.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mattermost-10.2.yaml b/mattermost-10.2.yaml
index 8558c41d921..07260181c57 100644
--- a/mattermost-10.2.yaml
+++ b/mattermost-10.2.yaml
@@ -1,7 +1,7 @@
 package:
 name: mattermost-10.2
 version: 10.2.1
- epoch: 0
+ epoch: 1
 description: "Mattermost is an open source platform for secure collaboration across the entire software development lifecycle."
 copyright:
 - license: MIT
@@ -44,6 +44,10 @@ pipeline:
 tag: v${{package.version}}
 expected-commit: d5218ee031bcd31f69a027b183cac72a6142b351
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+
 - runs: |
 mkdir -p ${{targets.contextdir}}/usr/bin
 for dir in bin data logs config plugins fonts i18n templates client test; do
From d10a7ff901e6ccf0484f82a6607b02c4a9c51986 Mon Sep 17 00:00:00 2001
From: Mark McCormick
Date: Sat, 14 Dec 2024 21:03:27 +0000
Subject: [PATCH 2/4] Update path to go.mod files in go/bump
Signed-off-by: Mark McCormick
---
 mattermost-10.2.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/mattermost-10.2.yaml b/mattermost-10.2.yaml
index 07260181c57..bb2ebebea9c 100644
--- a/mattermost-10.2.yaml
+++ b/mattermost-10.2.yaml
@@ -47,6 +47,12 @@ pipeline:
 - uses: go/bump
 with:
 deps: golang.org/x/crypto@v0.31.0
+ modroot: ./server
+
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: ./server/public
 - runs: |
 mkdir -p ${{targets.contextdir}}/usr/bin
From e6761797c9b96e5112afe81676a14f0db0ac8c94 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Mon, 16 Dec 2024 18:52:01 -0800
Subject: [PATCH 3/4] move the go bump to server subpackage.
Signed-off-by: Ville Aikas
---
 mattermost-10.2.yaml | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/mattermost-10.2.yaml b/mattermost-10.2.yaml
index bb2ebebea9c..b52856f8cd6 100644
--- a/mattermost-10.2.yaml
+++ b/mattermost-10.2.yaml
@@ -44,16 +44,6 @@ pipeline:
 tag: v${{package.version}}
 expected-commit: d5218ee031bcd31f69a027b183cac72a6142b351
- - uses: go/bump
- with:
- deps: golang.org/x/crypto@v0.31.0
- modroot: ./server
-
- - uses: go/bump
- with:
- deps: golang.org/x/crypto@v0.31.0
- modroot: ./server/public
-
 - runs: |
 mkdir -p ${{targets.contextdir}}/usr/bin
 for dir in bin data logs config plugins fonts i18n templates client test; do
@@ -62,6 +52,11 @@ pipeline:
 - working-directory: server
 pipeline:
+ - uses: go/bump
+ with:
+ deps: golang.org/x/crypto@v0.31.0
+ modroot: .
+
 - runs: make modules-tidy
 - runs: |
 # Our global LDFLAGS conflict with a Makefile parameter: `flag provided but not defined: -Wl,--as-needed,-O1,--sort-common`
From 99d62f193cb9cfdedd819dbe73f07f2a7be8df80 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Mon, 16 Dec 2024 18:59:29 -0800
Subject: [PATCH 4/4] do not do tidy as part of gobump.
Signed-off-by: Ville Aikas
---
 mattermost-10.2.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/mattermost-10.2.yaml b/mattermost-10.2.yaml
index b52856f8cd6..34d08177648 100644
--- a/mattermost-10.2.yaml
+++ b/mattermost-10.2.yaml
@@ -1,5 +1,7 @@
 package:
 name: mattermost-10.2
+ # Note the npm version has been pinned to 10.8.3 to avoid the error:
+ # "npm error notsup Required: {"node":">=18.10.0","npm":"^9.0.0 || ^10.0.0"}"
 version: 10.2.1
 epoch: 1
 description: "Mattermost is an open source platform for secure collaboration across the entire software development lifecycle."
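Review bot: In PATCH 3/4 the single `go/bump` step added under `working-directory: server` (hunk `@@ -62,6 +52,11 @@`) replaces both steps from PATCH 2/4, so `./server/public` is no longer bumped and the commit message does not say why. If `server/public` carries its own go.mod that requires golang.org/x/crypto, it is worth confirming that the server build still resolves v0.31.0 for that module; this cannot be told from the hunk. The step also has no comment tying it to the advisory, so I would add `# GHSA-v778-237x-gjrc: remove once upstream requires golang.org/x/crypto >= v0.31.0` above `- uses: go/bump`. The inner pipeline continues past the end of the hunk.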
@@ -30,7 +32,7 @@ environment:
 - libpng-dev
 - libtool
 - nodejs-20
- - npm
+ - npm=10.8.3 # Have to specify older version, or: "npm error notsup Required: {"node":">=18.10.0","npm":"^9.0.0 || ^10.0.0"}"
 - pkgconf-dev
 - posix-libc-utils
 - wolfi-base
@@ -56,7 +58,7 @@ pipeline:
 with:
 deps: golang.org/x/crypto@v0.31.0
 modroot: .
-
+ tidy: false # https://github.com/mattermost/mattermost/issues/26221
 - runs: make modules-tidy
 - runs: |
 # Our global LDFLAGS conflict with a Makefile parameter: `flag provided but not defined: -Wl,--as-needed,-O1,--sort-common`
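Review bot: The exact pin `npm=10.8.3` in hunk `@@ -30,7 +32,7 @@` freezes a build tool at one release, so later 10.x fixes to npm are not picked up and the build breaks once that version is withdrawn from the repository. The quoted error only requires `^9.0.0 || ^10.0.0`, so a range such as `- npm~10` would express the real constraint, assuming the package resolver used here accepts fuzzy version matches. The explanation is also written twice, here and under `name:` in the first hunk of this patch; keeping it once beside the pin, with a word on when the pin can be dropped, would be enough.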
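Review bot: With `tidy: false` in hunk `@@ -56,7 +58,7 @@` the bump relies on the following `make modules-tidy` step to settle go.mod and go.sum, and nothing afterwards checks that the fixed version is the one actually resolved. A step after the tidy such as `- runs: go list -m golang.org/x/crypto` with its output compared against v0.31.0 would make a regression of the advisory fix fail the build instead of passing silently; what the Makefile target does to the module files is not visible here. The trailing comment is only a URL, so a few words on what goes wrong when the bump step tidies would save the next reader a lookup. The inner pipeline starts before and continues after this hunk.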