Merge branch 'main' into extra-npm

.github/chainguard/elastic-build.sts.yaml

@@ -0,0 +1,11 @@
+issuer: https://accounts.google.com
+
+# kleung:  ebuild-py5wka7s7g5no2hg8tpoqi9@kleung-chainguard.iam.gserviceaccount.com
+# staging: TBD
+# prod:    TBD
+# "([kleung]|[staging]|[prod])"
+subject_pattern: "(108286754379380263406)"
+
+# Just cloning repo.
+permissions:
+  contents: read

.github/chainguard/lifecycle-automated-approver.sts.yaml

@@ -0,0 +1,10 @@
+issuer: https://accounts.google.com
+
+# prod-images: [email protected]
+subject: "111142206721819985077"
+
+permissions:
+  contents: write
+  actions: read
+  checks: read
+  pull_requests: write

.github/chainguard/lifecycle-bincapz-check.sts.yaml

@@ -0,0 +1,10 @@
+issuer: https://accounts.google.com
+
+# prod-images: [email protected]
+subject: "100391373612188354572"
+
+permissions:
+  contents: read
+  actions: read
+  checks: read
+  pull_requests: write

.github/chainguard/lifecycle-cont-scanning.sts.yaml

@@ -0,0 +1,9 @@
+issuer: https://accounts.google.com
+
+# staging-images: not in use
+# prod-images: [email protected]
+subject: "106649619308723948792"
+
+permissions:
+  contents: read
+  metadata: read

.github/chainguard/lifecycle-gpt.sts.yaml

@@ -0,0 +1,9 @@
+issuer: https://accounts.google.com
+
+# staging-images: not in use
+# prod-images: [email protected]
+subject: "113866670232979663129"
+
+permissions:
+  contents: read
+  pull_requests: write

.github/chainguard/lifecycle-label-sla-cve.sts.yaml

@@ -0,0 +1,11 @@
+issuer: https://accounts.google.com
+
+# have more than one service account
+# staging-images: not in use
+# prod-images: [email protected] (102019613950547524864)
+# prod-images: [email protected] (102992167601221151705)
+subject_pattern: "(102019613950547524864|102992167601221151705)"
+
+permissions:
+  contents: read
+  pull_requests: write # to add labels

.github/chainguard/lifecycle-logs.sts.yaml

@@ -0,0 +1,11 @@
+issuer: https://accounts.google.com
+
+# staging-images: not in use
+# prod-images: [email protected]
+subject: "103105401375465041216"
+
+permissions:
+  contents: read
+  actions: read
+  checks: read
+  pull_requests: read

.github/chainguard/lifecycle-update-bot.sts.yaml

@@ -0,0 +1,10 @@
+issuer: https://accounts.google.com
+
+# [email protected]
+subject: "113420690109142620056"
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write
+  issues: write

.github/chainguard/lofo.sts.yaml

@@ -0,0 +1,13 @@
+# LOg FOrwarder GH Bot
+
+issuer: https://accounts.google.com
+
+
+# 107094302893801739313 -
+# 113526919988895235687 - chainops
+# 100039185168246011183 - enforce
+subject_pattern: "(107094302893801739313|113526919988895235687|100039185168246011183)"
+
+permissions:
+  actions: read
+  workflows: read

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/pull-request-template.md

@@ -39,6 +39,14 @@ addressed, and remove any items that are not relevant to this PR.
 - [ ] The upstream project actually supports multiple concurrent versions.
 - [ ] Any subpackages include the version string in their package name (e.g. `name: ${{package.name}}-compat`)
 - [ ] The package (and subpackages) `provides:` logical unversioned forms of the package (e.g. `nodejs`, `nodejs-lts`)
+- [ ] If non-streamed package names no longer built, open PR to withdraw them (see [WITHDRAWING PACKAGES](https://github.com/wolfi-dev/os/blob/main/WITHDRAWING_PACKAGES.md))
+
+#### For package updates (renames) in the base images
+<!-- remove if unrelated -->
+When updating packages part of base images (i.e. cgr.dev/chainguard/wolfi-base or ghcr.io/wolfi-dev/sdk)
+- [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk images successfully build
+- [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk contain no obsolete (no longer built) packages
+- [ ] Upon launch, does `apk upgrade --latest` successfully upgrades packages or performs no actions
 
 #### For security-related PRs
 <!-- remove if unrelated -->

.github/workflows/auto-approve.yaml

@@ -0,0 +1,31 @@
+name: automated-pr-approve
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '*/45 * * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  review-pr:
+    runs-on: ubuntu-latest
+    if: github.repository == 'wolfi-dev/os'
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - name: Check out repository code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - run: |
+          ./scripts/auto-approve-pr.sh ${{ github.repository }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/postsubmit-bundle-build.yaml

@@ -0,0 +1,158 @@
+name: Bundle Build Wolfi Packages
+
+on:
+  schedule:
+    # Deploy at 7:23 AM (PST) every day.
+    - cron: "23 15 * * *"
+  workflow_dispatch:
+    inputs:
+      package_names:
+        required: false
+        type: string
+        default: ""
+        description: "comma separated list of package names to build. If empty, build all packages."
+
+# Only run one build at a time to prevent out of sync signatures.
+concurrency: 'bundle-runner-a'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build packages
+    if: github.repository == 'wolfi-dev/os'
+
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+
+      - name: 'Trust the github workspace'
+        run: |
+          # This is to avoid fatal errors about "dubious ownership" because we are
+          # running inside of a container action with the workspace mounted in.
+          git config --global --add safe.directory "$(pwd)"
+
+      - name: Authenticate to Google Cloud
+        uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa" # v2.1.3
+        with:
+          workload_identity_provider: "projects/567187841907/locations/global/workloadIdentityPools/bundle-post-wolfi/providers/github-provider"
+          service_account: "bundle-runner-post-wolfi@staging-images-183e.iam.gserviceaccount.com"
+      - name: Setup G Cloud SDK
+        uses: "google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200" # v2.0.11
+        with:
+          install_components: 'gke-gcloud-auth-plugin'
+      - name: Print gcloud info
+        shell: bash
+        run: "gcloud info"
+      - name: Configure GCR auth
+        shell: bash
+        run: gcloud auth configure-docker
+      - name: Configure AR auth
+        shell: bash
+        run: gcloud auth configure-docker us-central1-docker.pkg.dev
+
+      - name: Install sudo for gke-auth
+        shell: bash
+        run: apk add cmd:sudo
+
+      - name: Make parent dir for gke-auth
+        shell: bash
+        run: mkdir -p /usr/local/bin
+
+      - name: Connect to cluster
+        uses: "imjasonh/gke-auth@31f5c5f16489a15037d46b08903d983889c46ddf" # v0.2.0
+        with:
+          cluster: "bundle-runner-a"
+          location: "us-central1"
+          project: "staging-images-183e"
+
+      - name: kubectl test
+        shell: bash
+        run: |
+          apk add kubectl
+          kubectl get namespace kube-system
+
+      - name: "Generate local signing key"
+        run: |
+          make local-melange.rsa
+
+      - name: "bundle build"
+        shell: bash
+        env:
+          BUNDLE_REPO: us-central1-docker.pkg.dev/staging-images-183e/bundles
+          BUCKET: "wolfi-registry-destination/${{ github.run_id }}"
+        run: |
+          set -x
+          set -v
+
+          COMMON_FLAGS=$(cat <<-END
+            --keyring-append ./local-melange.rsa.pub \
+            --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+            --repository-append https://packages.wolfi.dev/os
+          END
+          )
+
+          BUNDLE=$(wolfictl bundle \
+            --bundle-base ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 \
+            --bundle-repo "${BUNDLE_REPO}" \
+            ${COMMON_FLAGS} \
+            --runner bubblewrap \
+            --pipeline-dir ./pipelines \
+            ${{ github.event.inputs.package_names }}
+            )
+          wolfictl build \
+            --jobs 128 \
+            --bucket "${BUCKET}" \
+            --destination-bucket "${BUCKET}" \
+            ${COMMON_FLAGS} \
+            --k8s-namespace 'post-wolfi' \
+            --service-account 'post-wolfi' \
+            --trace /tmp/trace.json \
+            --bundle "${BUNDLE}"
+
+      - if: ${{ always() }}
+        name: 'Upload trace to GitHub Artifacts'
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: trace-build.json
+          path: /tmp/trace.json
+          if-no-files-found: warn
+
+  postrun:
+    name: Notify Slack
+    runs-on: ubuntu-latest
+    if: failure() && false # TODO(kleung): remove `&& false` when ready to slack
+    needs: [build]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.3.0
+        env:
+          SLACK_ICON: http://github.com/chainguard-dev.png?size=48
+          SLACK_USERNAME: guardian
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_CHANNEL: chainguard-images-alerts
+          SLACK_MSG_AUTHOR: wolfi-bot
+          SLACK_COLOR: "#8E1600"
+          MSG_MINIMAL: "true"
+          SLACK_TITLE: "[bundle build wolfi] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          SLACK_MESSAGE: |
+            https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

CODEOWNERS

@@ -4,3 +4,6 @@ Makefile @wolfi-dev/wolfi-build-maintainers
 
 # Require review by repo owners of changes to CODEOWNERS
 CODEOWNERS @wolfi-dev/wolfi-owners
+
+# These packages require approval from the Foundations squad.
+openssh.yaml @wolfi-dev/foundations-squad

CONTRIBUTING.md

@@ -62,6 +62,8 @@ Check for anything unexpected, or for any [CVEs you can patch](./HOW_TO_PATCH_CV
 
 - `melange` CLI has a command `bump` to make it easier. More details are [available here](https://github.com/chainguard-dev/melange/blob/f52b622351657fd9ccdb7e3bfb124caef61ad651/NEWS.md).
 
+- We will consider contributions for latest package versions. However, we do not build pre-release versions until they are officially released.
+
 ## Some tips
 
 - melange has a few built-in pipelines. You can see their source code [in the melange repository](https://github.com/chainguard-dev/melange/tree/main/pkg/build/pipelines).