Merge branch 'main' into withdraw

Signed-off-by: Jason Hall <[email protected]>

.github/workflows/build-world.yaml

@@ -24,7 +24,7 @@ jobs:
     # permissions:
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined

.github/workflows/build.yaml

@@ -29,7 +29,7 @@ jobs:
     # permissions:
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -102,7 +102,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/ci-build.yaml

@@ -27,7 +27,7 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
       # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
@@ -58,7 +58,7 @@ jobs:
       group: wolfi-builder-${{ matrix.arch }}
     needs: changes
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
     outputs:
@@ -142,7 +142,7 @@ jobs:
     name: "Scan packages for CVEs"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 

.github/workflows/lint-world.yaml

@@ -29,7 +29,7 @@ jobs:
       group: wolfi-os-builder-${{ matrix.arch }}
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/withdraw-packages.yaml

@@ -22,7 +22,7 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
       - name: 'Authenticate to Google Cloud'

.github/workflows/wolfictl-check-update.yaml

@@ -29,7 +29,7 @@ jobs:
     - name: Check
       id: check
       if: ${{ steps.files.outputs.all_changed_files != '' }}
-      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7c137cd6a8e88f750a593b12d8a8a3b9064207fea2200bef60c8c862910d7694
+      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:2896ee68bc353a0601cbd9b3ae9e0a8e866fe99006fe4f05404271e2b98f1038
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:

.github/workflows/wolfictl-lint.yaml

@@ -19,13 +19,13 @@ jobs:
     - uses: actions/checkout@v4
     - name: Lint
       id: lint
-      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7c137cd6a8e88f750a593b12d8a8a3b9064207fea2200bef60c8c862910d7694
+      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:2896ee68bc353a0601cbd9b3ae9e0a8e866fe99006fe4f05404271e2b98f1038
       with:
         entrypoint: wolfictl
         args: lint --skip-rule no-makefile-entry-for-package
     - name: Enforce YAML formatting
       id: lint-yaml
-      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7c137cd6a8e88f750a593b12d8a8a3b9064207fea2200bef60c8c862910d7694
+      uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:2896ee68bc353a0601cbd9b3ae9e0a8e866fe99006fe4f05404271e2b98f1038
       with:
         entrypoint: wolfictl
         args: lint yam

.github/workflows/wolfictl-update-gh.yaml

@@ -23,7 +23,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7c137cd6a8e88f750a593b12d8a8a3b9064207fea2200bef60c8c862910d7694
+    - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:2896ee68bc353a0601cbd9b3ae9e0a8e866fe99006fe4f05404271e2b98f1038
       with:
         entrypoint: wolfictl
         args: update https://github.com/${{github.repository}} --release-monitoring-query=false --github-labels request-version-update --github-labels "automated pr"

.github/workflows/wolfictl-update-rm.yaml

@@ -23,7 +23,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:7c137cd6a8e88f750a593b12d8a8a3b9064207fea2200bef60c8c862910d7694
+    - uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:2896ee68bc353a0601cbd9b3ae9e0a8e866fe99006fe4f05404271e2b98f1038
       with:
         entrypoint: wolfictl
         args: update https://github.com/${{github.repository}} --github-release-query=false --github-labels request-version-update --github-labels "automated pr"

Makefile

@@ -91,7 +91,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 TMP_REPOSITORIES_DIR := $(shell mktemp -d)
@@ -156,6 +156,6 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOSITORIES_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:fe85df7dc646f29552dab0ebd7e6e6e1cc6f4a5ce83e724693cf0fece5b8f8ac
+		ghcr.io/wolfi-dev/sdk:latest@sha256:bb5769922852c5a389e7ef2dfaab1d07312dd2cbad66552df77dfefe4c1d022d
 	@rm "$(TMP_REPOSITORIES_FILE)"
 	@rmdir "$(TMP_REPOSITORIES_DIR)"

aws-c-s3.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-c-s3
-  version: 0.3.23
+  version: 0.3.24
   epoch: 0
   description: "AWS C99 library implementation for communicating with the S3 service"
   copyright:
@@ -36,7 +36,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: cede7c1b8b5f2c459f1a6f5cbc2a119f001e7a4c1164e0efb1b22e7b9b5235bf
+      expected-sha256: 09803db4af98bba0af263434e2de432cdccdb3ab709411abba8e05d34840f815
       uri: https://github.com/awslabs/aws-c-s3/archive/refs/tags/v${{package.version}}.tar.gz
 
   - runs: |

aws-cli.yaml

@@ -1,7 +1,7 @@
 package:
   name: aws-cli
-  version: 1.29.84
-  epoch: 1
+  version: 1.29.85
+  epoch: 0
   description: "Universal Command Line Interface for Amazon Web Services"
   copyright:
     - license: Apache-2.0
@@ -33,7 +33,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://github.com/aws/aws-cli/archive/${{package.version}}.tar.gz
-      expected-sha256: adfb94cbf92fa46d343b56245a3955964696f88410aa96ce66ef255f24b736ac
+      expected-sha256: d8faf32a2bc002b4b85381fd74dbac37f409d8ca0bbe42a49f419921bec61aef
 
   - runs: |
       python3 setup.py build

aws-crt-cpp.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-crt-cpp
-  version: 0.24.5
+  version: 0.24.7
   epoch: 0
   description: "C++ wrapper around the aws-c-* libraries. Provides Cross-Platform Transport Protocols and SSL/TLS implementations for C++"
   copyright:
@@ -32,7 +32,7 @@ pipeline:
     with:
       repository: https://github.com/awslabs/aws-crt-cpp
       tag: v${{package.version}}
-      expected-commit: a7fc0969ea3508e5aae01289cd17be9cdc98ffad
+      expected-commit: 1bdd7dc9ca877697265a6b3a4685f6b190b3b811
 
   - runs: |
       if [ "$CBUILD" != "$CHOST" ]; then

aws-for-fluent-bit.yaml

@@ -82,6 +82,8 @@ subpackages:
       - uses: strip
 
 update:
+  ignore-regex-patterns:
+    - ^\d+\.\d+.\d+\.\d+$
   enabled: true
   github:
     identifier: aws/aws-for-fluent-bit

crane.yaml

@@ -1,7 +1,7 @@
 package:
   name: crane
   version: 0.16.1
-  epoch: 5
+  epoch: 6
   description: Tool for interacting with remote images and registries.
   copyright:
     - license: Apache-2.0

external-secrets-operator.yaml

@@ -1,6 +1,6 @@
 package:
   name: external-secrets-operator
-  version: 0.9.8
+  version: 0.9.9
   epoch: 0
   description: Integrate external secret management systems with Kubernetes
   copyright:
@@ -21,13 +21,9 @@ pipeline:
     with:
       repository: https://github.com/external-secrets/external-secrets
       tag: v${{package.version}}
-      expected-commit: c5d647bae1d3bbebb2f0d9c1ab1e3e3cbe869875
+      expected-commit: 8b0fa87f301abd5ac2d15a45493aa4609e433772
 
   - runs: |
-      # Mitigate CVE-2023-39325 and CVE-2023-3978
-      go get golang.org/x/[email protected]
-      go mod tidy
-
       make build-$(go env GOARCH)
       mkdir -p ${{targets.destdir}}/usr/bin
       install -m755 -D bin/external-secrets-$(go env GOOS)-$(go env GOARCH) "${{targets.destdir}}"/usr/bin/external-secrets

gitlab-exporter.yaml

@@ -4,8 +4,8 @@
 #nolint:git-checkout-must-use-github-updates
 package:
   name: gitlab-exporter
-  version: 13.4.1
-  epoch: 1
+  version: 13.5.0
+  epoch: 0
   description: GitLab Exporter is a Prometheus Web exporter.
   copyright:
     - license: MIT
@@ -57,7 +57,7 @@ pipeline:
     with:
       repository: https://gitlab.com/gitlab-org/ruby/gems/gitlab-exporter.git
       tag: v${{package.version}}
-      expected-commit: 590c4261bd09b341742ee5249225b3aaac421445
+      expected-commit: 7d0f9c6e59bf0b8a387edcd2ce636ba5aeda0020
 
   - uses: ruby/unlock-spec
 

gst-plugins-base.yaml

@@ -1,6 +1,6 @@
 package:
   name: gst-plugins-base
-  version: 1.22.6
+  version: 1.22.7
   epoch: 0
   description: GStreamer streaming media framework base plug-ins
   copyright:
@@ -39,7 +39,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha512: b03b585c54f1ed2c143495b3d302f73d5fc4c2acd37360a510791d97ca73a895b6154d7205004418504e90b2bfebe51f84c7f55e99caca39b167d2f36dac677a
+      expected-sha512: a33d332aebf5e209380c2740e0fc6762e49b78a9921822adfc07efdd4780cbe038867d9924a2df334c8a624e8be49b5d46e276538d6d77ff8ac9f002ced052e3
       uri: https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-${{package.version}}.tar.xz
 
   - runs: |

gstreamer.yaml

@@ -1,8 +1,8 @@
 # Generated from https://git.alpinelinux.org/aports/plain/main/gstreamer/APKBUILD
 package:
   name: gstreamer
-  version: 1.22.6
-  epoch: 1
+  version: 1.22.7
+  epoch: 0
   description: GStreamer streaming media framework
   copyright:
     - license: LGPL-2.0-or-later
@@ -28,7 +28,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: f500e6cfddff55908f937711fc26a0840de28a1e9ec49621c0b6f1adbd8f818e
+      expected-sha256: 01e42c6352a06bdfa4456e64b06ab7d98c5c487a25557c761554631cbda64217
       uri: https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${{package.version}}.tar.xz
 
   - runs: |

k8sgpt-operator.yaml

@@ -1,6 +1,6 @@
 package:
   name: k8sgpt-operator
-  version: 0.0.22
+  version: 0.0.23
   epoch: 0
   description: Automatic SRE Superpowers within your Kubernetes cluster
   copyright:
@@ -20,7 +20,7 @@ pipeline:
     with:
       repository: https://github.com/k8sgpt-ai/k8sgpt-operator
       tag: v${{package.version}}
-      expected-commit: f0ebd2888357293ec36eb75ec7153223ce4f914f
+      expected-commit: bb00c901103fd68182f5b13175452f3185c934d5
 
   - uses: go/build
     with:

k8sgpt.yaml

@@ -1,6 +1,6 @@
 package:
   name: k8sgpt
-  version: 0.3.19
+  version: 0.3.21
   epoch: 0
   description: Giving Kubernetes Superpowers to everyone
   copyright:
@@ -23,7 +23,7 @@ pipeline:
     with:
       repository: https://github.com/k8sgpt-ai/k8sgpt
       tag: v${{package.version}}
-      expected-commit: f4b361aed68e7c0547a08a4990e8e525a159ef86
+      expected-commit: c78c4f0cb693f78cc3c0e95e49d832a14500a14e
       destination: k8sgpt
 
   - runs: |

kor.yaml

@@ -1,6 +1,6 @@
 package:
   name: kor
-  version: 0.2.7
+  version: 0.2.8
   epoch: 0
   description: A Golang Tool to discover unused Kubernetes Resources
   copyright:
@@ -11,7 +11,7 @@ pipeline:
     with:
       repository: https://github.com/yonahd/kor
       tag: v${{package.version}}
-      expected-commit: e74ae5709df28493104f9d906cc4dc6db6c983f6
+      expected-commit: dec8161f811a3710916c3eb85d6e89272d6de0f7
 
   - uses: go/build
     with:

kube-fluentd-operator.yaml

@@ -1,7 +1,7 @@
 package:
   name: kube-fluentd-operator
-  version: 1.17.6
-  epoch: 8
+  version: 1.18.1
+  epoch: 0
   description: Auto-configuration of Fluentd daemon-set based on Kubernetes metadata
   copyright:
     - license: MIT
@@ -35,7 +35,6 @@ environment:
       - wget
       - bash
       - go
-      # - shadow
 
 # https://github.com/javiercri/fluent-plugin-google-cloud/commit/619c813c265d51f4dd0b1cada3a07e615b47cdde
 vars:
@@ -46,12 +45,12 @@ pipeline:
     with:
       repository: https://github.com/vmware/kube-fluentd-operator
       tag: v${{package.version}}
-      expected-commit: 818fbdd8e007f029bc32433d5ee138f43d653e73
+      expected-commit: e568a6b2508153ee721bd22fc560338f6bad283d
 
   - runs: |
       echo 'gem: --no-rdoc --no-ri' >> ~/.gemrc
 
-      cd base-image
+      cd image
       GEM_DIR=${{targets.destdir}}$(ruby -e 'puts Gem.default_dir')
       mkdir -p ${GEM_DIR}
       bundle config set --local path ${GEM_DIR}
@@ -84,6 +83,10 @@ pipeline:
   - uses: strip
 
   - runs: |
+      # makefile has moved to the root of the repo without any changes
+      # This may break in future versions TODO : Remove this when the makefile works again from root of repo
+      cp Makefile ./config-reloader
+
       mkdir -p ${{targets.destdir}}/usr/bin
       cd config-reloader
 
@@ -102,7 +105,7 @@ subpackages:
         - bash
     pipeline:
       - runs: |
-          cd base-image
+          cd image
           mkdir -p ${{targets.subpkgdir}}/var/lib/kube-fluentd-operator/initdb
           cp entrypoint.sh ${{targets.subpkgdir}}/var/lib/kube-fluentd-operator/initdb/
           chmod +x ${{targets.subpkgdir}}/var/lib/kube-fluentd-operator/initdb/entrypoint.sh
@@ -111,7 +114,7 @@ subpackages:
     description: Default configuration for kube-fluentd-operator
     pipeline:
       - runs: |
-          cd base-image
+          cd image
           mkdir -p ${{targets.subpkgdir}}/etc/fluent
           cp failsafe.conf ${{targets.subpkgdir}}/etc/fluent/fluent.conf