Merge branch 'main' into feature/openmpi

Author: smoser

.github/workflows/build-world.yaml

@@ -24,7 +24,7 @@ jobs:
     # permissions:
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -55,7 +55,7 @@ jobs:
         # TODO: See how big these get, maybe we only upload failures and shorten the retention, or throw them in GCS
       - name: Upload build logs
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: buildlogs
           path: ./packages/**/buildlogs/*.log

.github/workflows/build.yaml

@@ -29,7 +29,7 @@ jobs:
       contents: read
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
       # TODO: Deprivilege
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -122,7 +122,7 @@ jobs:
       # Always run this step for https://github.com/wolfi-dev/os/issues/8698
       - if: ${{ always() }}
         name: 'Upload built packages archive to GitHub Artifacts'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: packages-${{ matrix.arch }}
           path: /tmp/packages-${{ matrix.arch }}.tar.gz
@@ -142,7 +142,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
 
     steps:
       - uses: actions/checkout@v4
@@ -154,33 +154,32 @@ jobs:
           git config --global --add safe.directory "$(pwd)"
 
       - name: 'Download x86_64 package archives'
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1
         with:
           path: /tmp/artifacts/
           name: packages-x86_64
 
       - name: 'Download aarch64 package archives'
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1
         with:
           path: /tmp/artifacts/
           name: packages-aarch64
 
-      - name: 'Authenticate to Google Cloud'
+      # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
+      - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
         id: auth
-        uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1
         with:
-          workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
-          service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com"
-
+          workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
+          service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com"
       - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1
         with:
-          project_id: "prod-images-c6e5"
-
+          project_id: "chainguard-github-secrets"
       - uses: 'google-github-actions/get-secretmanager-secrets@ae0d4054c32840e2ced71207a9df55161ae3debc' # v2.0.0
         id: secrets
         with:
           secrets: |-
-            token:prod-images-c6e5/melange-signing-key
+            token:chainguard-github-secrets/wolfi-dev-signing-key
+
       - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa
       - run: |
           mkdir -p /etc/apk/keys
@@ -208,6 +207,15 @@ jobs:
       # of an abundance of caution.
       - run: rm ./wolfi-signing.rsa
 
+      # We use a different GSA for our interaction with GCS.
+      - uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1
+        with:
+          workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
+          service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com"
+      - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1
+        with:
+          project_id: "prod-images-c6e5"
+
       - name: 'Upload packages to GCS'
         run: |
           for arch in "x86_64" "aarch64"; do
@@ -229,7 +237,7 @@ jobs:
           tar -cvzf /tmp/indexes.tar.gz --files-from to-include
 
       - name: 'Upload APKINDEX archive to GitHub Artifacts'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: indexes
           path: /tmp/indexes.tar.gz
@@ -246,7 +254,7 @@ jobs:
 
     container:
       # NOTE: This step only signs and uploads, so it doesn't need any privileges
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
 
     steps:
       - uses: actions/checkout@v4
@@ -269,7 +277,7 @@ jobs:
           project_id: prod-images-c6e5
 
       - name: 'Download index archive'
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1
         with:
           path: /tmp/artifacts/
           name: indexes

.github/workflows/ci-build.yaml

@@ -33,7 +33,7 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1 -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5 -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
       # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
@@ -70,7 +70,7 @@ jobs:
       group: wolfi-builder-${{ matrix.arch }}
     needs: changes
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
       options: |
         --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
     outputs:
@@ -176,7 +176,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: 'Upload built packages to GitHub artifacts'
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           path: |
             ./packages/${{ matrix.arch }}
@@ -192,19 +192,19 @@ jobs:
     name: "ABI Compatibility check"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 
     steps:
       - name: 'Retrieve x86_64 packages'
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1
         with:
           name: packages-x86_64
           path: /tmp/artifacts-1/
 
       - name: 'Retrieve aarch64 packages'
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1
         with:
           name: packages-aarch64
           path: /tmp/artifacts-2/
@@ -231,19 +231,19 @@ jobs:
     name: "Scan packages for CVEs"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
     needs: build
     if: needs.build.outputs.packages_were_built == 'true'
 
     steps:
       - name: 'Retrieve x86_64 packages'
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1
         with:
           name: packages-x86_64
           path: /tmp/artifacts-1/
 
       - name: 'Retrieve aarch64 packages'
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1
         with:
           name: packages-aarch64
           path: /tmp/artifacts-2/

.github/workflows/lint-world.yaml

@@ -29,7 +29,7 @@ jobs:
       group: wolfi-os-builder-${{ matrix.arch }}
 
     container:
-      image: ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
 
     steps:
       - uses: actions/checkout@v4
@@ -149,7 +149,7 @@ jobs:
 
       - name: Upload failed build logs
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           path: ./packages/${{ matrix.arch }}/buildlogs/*.log
           retention-days: 7

.github/workflows/withdraw-packages.yaml

@@ -24,25 +24,24 @@ jobs:
         run: |
           # Copy wolfictl out of the wolfictl image and onto PATH
           TMP=$(mktemp -d)
-          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1 -c "cp /usr/bin/wolfictl /out"
+          docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5 -c "cp /usr/bin/wolfictl /out"
           echo "$TMP" >> $GITHUB_PATH
 
-      - name: 'Authenticate to Google Cloud'
+      # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
+      - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
         id: auth
-        uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1
         with:
-          workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
-          service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com"
-
+          workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
+          service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com"
       - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1
         with:
-          project_id: "prod-images-c6e5"
-
+          project_id: "chainguard-github-secrets"
       - uses: 'google-github-actions/get-secretmanager-secrets@ae0d4054c32840e2ced71207a9df55161ae3debc' # v2.0.0
         id: secrets
         with:
           secrets: |-
-            token:prod-images-c6e5/melange-signing-key
+            token:chainguard-github-secrets/wolfi-dev-signing-key
+
       - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa
       - run: |
           sudo mkdir -p /etc/apk/keys
@@ -56,6 +55,15 @@ jobs:
             curl https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz | wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz
           done
 
+      # We use a different GSA for our interaction with GCS.
+      - uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1
+        with:
+          workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
+          service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com"
+      - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1
+        with:
+          project_id: "prod-images-c6e5"
+
       - name: Delete withdrawn packages
         run: |
           set -euo pipefail

Makefile

@@ -23,6 +23,7 @@ MELANGE_OPTS += ${MELANGE_EXTRA_OPTS}
 
 # Enter interactive mode on failure for debug
 MELANGE_DEBUG_OPTS += --interactive
+MELANGE_DEBUG_OPTS += --package-append apk-tools
 MELANGE_DEBUG_OPTS += ${MELANGE_OPTS}
 
 # These are separate from MELANGE_OPTS because for building we need additional
@@ -184,7 +185,7 @@ dev-container:
 	    -v "${PWD}:${PWD}" \
 	    -w "${PWD}" \
 	    -e SOURCE_DATE_EPOCH=0 \
-	    ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+	    ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
 
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 TMP_REPOSITORIES_DIR := $(shell mktemp -d)
@@ -249,6 +250,6 @@ dev-container-wolfi:
 		--mount type=bind,source="${PWD}/local-melange.rsa.pub",destination="/etc/apk/keys/local-melange.rsa.pub",readonly \
 		--mount type=bind,source="$(TMP_REPOSITORIES_FILE)",destination="/etc/apk/repositories",readonly \
 		-w "$(PACKAGES_CONTAINER_FOLDER)" \
-		ghcr.io/wolfi-dev/sdk:latest@sha256:110c4bc0a8941606034ee7af12f1197b4a6b6f6434fd4b4bbf61de501e18ffd1
+		ghcr.io/wolfi-dev/sdk:latest@sha256:c2f7cbbfb67ff9cad47e25ff8eb87945a4c5a0a81b2fa9e93a1d9ac6504a8df5
 	@rm "$(TMP_REPOSITORIES_FILE)"
 	@rmdir "$(TMP_REPOSITORIES_DIR)"

asciidoctor.yaml

@@ -1,6 +1,6 @@
 package:
   name: asciidoctor
-  version: 2.0.20
+  version: 2.0.21
   epoch: 0
   description: A fast, open source text processor and publishing toolchain, written in Ruby, for converting AsciiDoc content to HTML 5, DocBook 5, and other formats.
   copyright:
@@ -25,7 +25,7 @@ pipeline:
     with:
       repository: https://github.com/asciidoctor/asciidoctor
       tag: v${{package.version}}
-      expected-commit: e559f0db61f5ad1446602253e0543568ff662bc8
+      expected-commit: 1ec651ddcf4d2cb49576e7cc62c17ec33f8aa5c1
 
   - uses: ruby/build
     with:

aws-cli.yaml

@@ -1,6 +1,6 @@
 package:
   name: aws-cli
-  version: 1.32.45
+  version: 1.32.46
   epoch: 0
   description: "Universal Command Line Interface for Amazon Web Services"
   copyright:
@@ -33,7 +33,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://github.com/aws/aws-cli/archive/${{package.version}}.tar.gz
-      expected-sha256: a86e25e0f3b9fc21f468db6ddd45a4ce6301b28186a6cd658f25befc8634ddb6
+      expected-sha256: c0452a599bda369e974169263353a4dfdb4903280923e47a319a06ca92c9d210
 
   - runs: |
       python3 setup.py build

botan.yaml

@@ -1,6 +1,6 @@
 package:
   name: botan
-  version: 3.2.0
+  version: 3.3.0
   epoch: 0
   description: "Cryptography Toolkit"
   copyright:
@@ -24,7 +24,7 @@ pipeline:
   - uses: git-checkout
     with:
       repository: https://github.com/randombit/botan
-      expected-commit: 6f466a2704a31856ebc27451ca861527d3dd00a1
+      expected-commit: 9074b04c1303a24e2084f8325fa570a5ad4f2478
       tag: ${{package.version}}
 
   - name: Configure and build

clickhouse.yaml

@@ -1,7 +1,7 @@
 package:
   name: clickhouse
   version: 24.1.5.6
-  epoch: 0
+  epoch: 1
   description: ClickHouse is the fastest and most resource efficient open-source database for real-time apps and analytics.
   copyright:
     - license: Apache-2.0
@@ -56,8 +56,9 @@ pipeline:
   - runs: |
       cd build
       ninja -j $(nproc)
+      mkdir -p  ${{targets.destdir}}/var/lib/clickhouse
+      mkdir -p  ${{targets.destdir}}/var/log/clickhouse-server
       DESTDIR=${{targets.destdir}} ninja install
-
       rm -rf ${{targets.destdir}}/usr/lib/debug
 
   - uses: strip
@@ -75,6 +76,15 @@ subpackages:
           mkdir -p ${{targets.subpkgdir}}/usr/share/bash-completion/completions
           mv ${{targets.destdir}}/usr/share/bash-completion/completions/clickhouse ${{targets.subpkgdir}}/usr/share/bash-completion/completions
 
+  - name: "clickhouse-compat"
+    description: "docker compat for clickhouse"
+    pipeline:
+      - runs: |
+          cd build
+          install -Dm755 ../docker/server/entrypoint.sh ${{targets.subpkgdir}}/entrypoint.sh
+          mkdir -p ${{targets.subpkgdir}}/etc/clickhouse-server/config.d/
+          cp  ../docker/server/docker_related_config.xml ${{targets.subpkgdir}}/etc/clickhouse-server/config.d/docker_related_config.xml
+
 update:
   enabled: true
   github: