Merge branch 'main' into wolfictl-09ea0ffe-7dda-4dff-bcb3-bc180febf8ef

Signed-off-by: dlorenc <[email protected]>

.github/actions/docker-run/action.yaml

@@ -6,7 +6,7 @@ inputs:
     required: true
   image:
     description: "The image to use"
-    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05"
+    default: "ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba"
     required: false
   workdir:
     description: "The images working directory"

.github/chainguard/lifecycle-automation-release.sts.yaml

@@ -1,8 +1,8 @@
 issuer: https://accounts.google.com
 
 # staging-images: not in use
-# prod-images: insights-publisher-sa@prod-images-c6e5.iam.gserviceaccount.com
-subject: "101826719708554282120"
+# prod-images: lifecycle-upstream-github@prod-images-c6e5.iam.gserviceaccount.com
+subject: "100889997859037637297"
 
 permissions:
   contents: read

.github/chainguard/lifecycle-devops-data-collector.sts.yaml

@@ -0,0 +1,9 @@
+issuer: https://accounts.google.com
+
+# staging-images: not in use
+# prod-images: lifecycle-devops-collector@prod-images-c6e5.iam.gserviceaccount.com
+subject: "109102922315025257155"
+
+permissions:
+  contents: read
+  metadata: read

.github/workflows/build-beta.yaml

@@ -152,7 +152,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
 
     steps:
       - name: Harden Runner

.github/workflows/build-old.yaml

@@ -26,7 +26,7 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -139,7 +139,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
 
     steps:
       - name: Harden Runner
@@ -262,7 +262,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
 
     steps:
       - name: Harden Runner

.github/workflows/build-world.yaml

@@ -27,7 +27,7 @@ jobs:
     # permissions:
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined

.github/workflows/build.yaml

@@ -29,7 +29,7 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -170,7 +170,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
 
     steps:
       - name: Harden Runner
@@ -293,7 +293,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
 
     steps:
       - name: Harden Runner

.github/workflows/lint-world.yaml

@@ -32,7 +32,7 @@ jobs:
       group: wolfi-os-builder-${{ matrix.arch }}
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

Makefile

@@ -188,7 +188,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 TMP_REPOSITORIES_DIR := $(shell mktemp -d)
@@ -253,6 +253,6 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOSITORIES_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:8252bb7f54c82ea8791141001dd27d29dca5e3e628e98f7fee2957ffb7e36a05
+		ghcr.io/wolfi-dev/sdk:latest@sha256:2e886d70760f2d3c34089102def36a2bb2130f6d607d0a71517e9446714cd4ba
 	@rm "$(TMP_REPOSITORIES_FILE)"
 	@rmdir "$(TMP_REPOSITORIES_DIR)"

actions-runner-controller.yaml

@@ -1,6 +1,6 @@
 package:
   name: actions-runner-controller
-  version: 0.9.0
+  version: 0.9.1
   epoch: 1
   description: Kubernetes controller for GitHub Actions self-hosted runners
   copyright:
@@ -18,24 +18,25 @@ pipeline:
     with:
       repository: https://github.com/actions/actions-runner-controller
       tag: gha-runner-scale-set-${{package.version}}
-      expected-commit: 4357525445b0b77388af4e1f171b5b7bd9b116a4
-
-  # Ref: https://github.com/actions/actions-runner-controller/blob/gha-runner-scale-set-0.5.0/Dockerfile#L35
-  - uses: go/bump
-    with:
-      deps: github.com/cloudflare/[email protected]
+      expected-commit: 9e191cdd21621f4e43023e0bdbbd2ff9b139c8a6
 
   - uses: go/build
     with:
       packages: .
       output: manager
-      ldflags: -s -w
+      ldflags: -s -w -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
 
   - uses: go/build
     with:
       packages: ./cmd/githubrunnerscalesetlistener
       output: github-runnerscaleset-listener
-      ldflags: -s -w -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}'
+      ldflags: -s -w -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
+
+  - uses: go/build
+    with:
+      packages: ./cmd/ghalistener
+      output: ghalistener
+      ldflags: -s -w -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
 
   - uses: go/build
     with:
@@ -64,10 +65,27 @@ subpackages:
       - runs: |
           mkdir -p "${{targets.subpkgdir}}"
           ln -sf /usr/bin/manager ${{targets.subpkgdir}}/manager
+          ln -sf /usr/bin/ghalistener ${{targets.subpkgdir}}/ghalistener
 
 update:
   enabled: true
   github:
     identifier: actions/actions-runner-controller
     strip-prefix: gha-runner-scale-set-
     tag-filter: gha-runner-scale-set-
+
+test:
+  environment:
+    contents:
+      packages:
+        - ${{package.name}}-compat
+  pipeline:
+    - runs: |
+        set +e
+        /manager -h
+        /ghalistener -h
+        github-runnerscaleset-listener -h
+        ghalistener -h
+        github-webhook-server -h
+        actions-metrics-server -h
+        sleep 1

apache-arrow.yaml

@@ -1,7 +1,7 @@
 package:
   name: apache-arrow
-  version: 15.0.2
-  epoch: 2
+  version: 16.0.0
+  epoch: 0
   description: "multi-language toolbox for accelerated data interchange and in-memory processing"
   copyright:
     - license: Apache-2.0
@@ -51,12 +51,7 @@ pipeline:
     with:
       repository: https://github.com/apache/arrow
       tag: apache-arrow-${{package.version}}
-      expected-commit: e03105efc38edca4ca429bf967a17b4d0fbebe40
-
-  - working-directory: /home/build/apache-arrow
-    uses: patch
-    with:
-      patches: /home/build/glog.patch
+      expected-commit: 6a28035c2b49b432dc63f5ee7524d76b4ed2d762
 
   - working-directory: /home/build/apache-arrow/cpp
     uses: cmake/configure

argo-workflows.yaml

@@ -1,7 +1,7 @@
 package:
   name: argo-workflows
-  version: 3.5.5
-  epoch: 5
+  version: 3.5.6
+  epoch: 0
   description: Workflow engine for Kubernetes.
   copyright:
     - license: Apache-2.0
@@ -20,15 +20,10 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: c80b2e91ebd7e7f604e88442f45ec630380effa0
+      expected-commit: 555030053825dd61689a086cb3c2da329419325a
       repository: https://github.com/argoproj/argo-workflows
       tag: v${{package.version}}
 
-  - uses: go/bump
-    with:
-      deps: github.com/docker/[email protected] github.com/go-jose/go-jose/[email protected] github.com/jackc/pgx/[email protected] google.golang.org/[email protected] github.com/golang/[email protected]
-      replaces: github.com/whilp/git-urls=github.com/dlorenc/[email protected]
-
   - runs: |
       # NODE_OPTIONS has to been set
       sed -i 's/NODE_OPTIONS='\''[^'\'']*'\''/NODE_OPTIONS='\''--openssl-legacy-provider'\''/g' ui/package.json

argocd-extension-installer.yaml

@@ -1,10 +1,10 @@
-#nolint:valid-pipeline-git-checkout-commit,valid-pipeline-git-checkout-tag
 package:
   name: argocd-extension-installer
-  # This project doesn't do releases and everything is commit based.
-  # This corresponds to commit 880f978f59bd6434202504355c62c12e251e327a
-  version: 0.0_git20231025
-  epoch: 1
+  # they started to create new releases for this project by following the semver rules
+  # in the beginning there were no releases, so we were using the commit hash as the version
+  # now we are using the latest release version
+  version: 0.0.5
+  epoch: 0
   description: Install Argo CD extensions using init-containers
   copyright:
     - license: Apache-2.0
@@ -25,7 +25,8 @@ pipeline:
   - uses: git-checkout
     with:
       repository: https://github.com/argoproj-labs/argocd-extension-installer
-      branch: main
+      tag: v${{package.version}}
+      expected-commit: 57ce7fcaed37b3ff6b1da5d593275fb9c2eee903
 
   - runs: |
       # https://github.com/argoproj-labs/argocd-extension-installer/blob/880f978f59bd6434202504355c62c12e251e327a/Dockerfile#L14
@@ -35,7 +36,11 @@ pipeline:
 
 # Upstream repo doesn't provide any tags or releases
 update:
-  enabled: false
+  enabled: true
+  github:
+    identifier: argoproj-labs/argocd-extension-installer
+    strip-prefix: v
+    use-tag: true
 
 # https://raw.githubusercontent.com/argoproj/argo-helm/main/charts/argo-cd/values.yaml
 test:

aws-c-auth.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-c-auth
-  version: 0.7.17
+  version: 0.7.18
   epoch: 0
   description: "C99 library implementation of AWS client-side authentication: standard credentials providers and signing"
   copyright:
@@ -26,7 +26,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: 8fe380255a71a2d5c9acd4979c135f9842135ce6385010ea562bc0b532bf5b84
+      expected-sha256: c705199655066f1f874bc3758683f32e288024196a22f28360d336231e45406f
       uri: https://github.com/awslabs/aws-c-auth/archive/refs/tags/v${{package.version}}.tar.gz
 
   - runs: |

aws-cli-v2.yaml

@@ -2,7 +2,7 @@
 #nolint:documentation
 package:
   name: aws-cli-v2
-  version: 2.15.38
+  version: 2.15.40
   epoch: 0
   description: "Universal Command Line Interface for Amazon Web Services (v2)"
   copyright:
@@ -30,7 +30,7 @@ pipeline:
   - uses: git-checkout
     with:
       repository: https://github.com/aws/aws-cli
-      expected-commit: 3f77da6d32fca117fb9d84d155284b9f045122a0
+      expected-commit: 08861ec47b465c827ce0ab82bac2d327638c789e
       tag: ${{package.version}}
 
   - runs: |

aws-ebs-csi-driver.yaml

@@ -1,7 +1,7 @@
 package:
   name: aws-ebs-csi-driver
   version: 1.29.1
-  epoch: 1
+  epoch: 2
   description: CSI driver for Amazon EBS.
   copyright:
     - license: Apache-2.0
@@ -32,6 +32,10 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: 58275ada7ddfb60ee4b2ecbf7aaa5d7798f1f195
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+
   - runs: |
       # Our global LDFLAGS conflict with a Makefile parameter
       unset LDFLAGS