Merge branch 'main' into ci-typos

Signed-off-by: Sertac Ozercan <[email protected]>

.github/workflows/ci.yml

@@ -8,28 +8,22 @@ on:
   pull_request:
     branches:
       - main
-    paths:
-        - "*.go"
-        - "**/*.go"
-        - Dockerfile
-        - docker-bake.hcl
-        - .github/workflows/ci.yml
-        - frontend/mariner2/Dockerfile
-        - "test/fixtures/*"
-        - go.mod
-        - go.sum
+    paths-ignore:
+      - 'website/**'
+      - 'docs/**'
+      - '*.md'
+      - 'CODEOWNERS'
+      - 'LICENSE'
+
   push:
     branches:
       - main
-    paths:
-      - "*.go"
-      - "**/*.go"
-      - Dockerfile
-      - docker-bake.hcl
-      - .github/workflows/ci.yml
-      - frontend/mariner2/Dockerfile
-      - go.mod
-      - go.sum
+    paths-ignore:
+      - 'website/**'
+      - 'docs/**'
+      - '*.md'
+      - 'CODEOWNERS'
+      - 'LICENSE'
 
 permissions:
   contents: read
@@ -44,8 +38,8 @@ jobs:
           egress-policy: audit
 
       - name: checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: '1.22'
           cache: false
@@ -78,8 +72,8 @@ jobs:
           egress-policy: audit
 
       - name: checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: '1.22'
           cache: false
@@ -93,7 +87,7 @@ jobs:
         uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
       - name: download deps
         run: go mod download
-      - name: Run integaration tests
+      - name: Run integration tests
         run: go test -v -json ./test | go run ./cmd/test2json2gha
       - name: dump logs
         if: failure()
@@ -109,8 +103,8 @@ jobs:
           egress-policy: audit
 
       - name: checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: '1.22'
           cache: false
@@ -136,7 +130,7 @@ jobs:
           egress-policy: audit
 
       - name: checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # We need to fetch all commits so that we can diff against the base branch
           fetch-depth: 0

.github/workflows/codeql.yml

@@ -46,11 +46,11 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
+        uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
+        uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
+        uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -22,6 +22,6 @@ jobs:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0

.github/workflows/deploy-docs.yml

@@ -26,7 +26,7 @@ jobs:
       run:
         working-directory: website
     steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
@@ -40,7 +40,7 @@ jobs:
             *.blob.core.windows.net:443
 
       - name: Setup Node
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 20.x
 
@@ -49,7 +49,7 @@ jobs:
         run: echo "dir=$(yarn cache dir)" > $GITHUB_OUTPUT
 
       - name: Cache dependencies
-        uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ${{ steps.yarn-cache.outputs.dir }}
           key: ${{ runner.os }}-website-${{ hashFiles('**/yarn.lock') }}

.github/workflows/frontend-image.yml

@@ -32,7 +32,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         name: Checkout
       - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         name: Login to GHCR

.github/workflows/scorecards.yml

@@ -36,7 +36,7 @@ jobs:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
@@ -63,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           sarif_file: results.sarif

_typos.toml

@@ -1,2 +1,2 @@
 [default.extend-words]
-ba = "ba"
+ba = "ba"

artifacts.go

@@ -12,6 +12,8 @@ import (
 type Artifacts struct {
 	// Binaries is the list of binaries to include in the package.
 	Binaries map[string]ArtifactConfig `yaml:"binaries,omitempty" json:"binaries,omitempty"`
+	// Libexec is the list of additional binaries that may be invoked by the main package binary.
+	Libexec map[string]ArtifactConfig `yaml:"libexec,omitempty" json:"libexec,omitempty"`
 	// Manpages is the list of manpages to include in the package.
 	Manpages map[string]ArtifactConfig `yaml:"manpages,omitempty" json:"manpages,omitempty"`
 	// DataDirs is a list of read-only architecture-independent data files, to be placed in /usr/share/

cmd/gen-jsonschema/main.go

@@ -17,6 +17,10 @@ func main() {
 	}
 
 	schema := r.Reflect(&dalec.Spec{})
+	if schema.PatternProperties == nil {
+		schema.PatternProperties = make(map[string]*jsonschema.Schema)
+	}
+	schema.PatternProperties["^x-"] = &jsonschema.Schema{}
 
 	dt, err := json.MarshalIndent(schema, "", "\t")
 	if err != nil {

docs/spec.schema.json

@@ -18,6 +18,14 @@
 					},
 					"type": "object",
 					"description": "Env is the list of environment variables to set for all commands in this step group."
+				},
+				"network_mode": {
+					"type": "string",
+					"enum": [
+						"none",
+						"sandbox"
+					],
+					"description": "NetworkMode sets the network mode to use during the build phase.\nAccepted values: none, sandbox\nDefault: none"
 				}
 			},
 			"additionalProperties": false,
@@ -76,6 +84,13 @@
 					"type": "object",
 					"description": "Binaries is the list of binaries to include in the package."
 				},
+				"libexec": {
+					"additionalProperties": {
+						"$ref": "#/$defs/ArtifactConfig"
+					},
+					"type": "object",
+					"description": "Libexec is the list of additional binaries that may be invoked by the main package binary."
+				},
 				"manpages": {
 					"additionalProperties": {
 						"$ref": "#/$defs/ArtifactConfig"
@@ -395,7 +410,15 @@
 			"description": "Frontend encapsulates the configuration for a frontend to forward a build target to."
 		},
 		"GeneratorGomod": {
-			"properties": {},
+			"properties": {
+				"paths": {
+					"items": {
+						"type": "string"
+					},
+					"type": "array",
+					"description": "Paths is the list of paths to run the generator on. Used to generate multi-module in a single source."
+				}
+			},
 			"additionalProperties": false,
 			"type": "object",
 			"description": "GeneratorGomod is used to generate a go module cache from go module sources"
@@ -540,12 +563,63 @@
 					},
 					"type": "array",
 					"description": "Test lists any extra packages required for running tests\nThese packages are only installed for tests which have steps that require\nrunning a command in the built container.\nSee [TestSpec] for more information."
+				},
+				"extra_repos": {
+					"items": {
+						"$ref": "#/$defs/PackageRepositoryConfig"
+					},
+					"type": "array",
+					"description": "ExtraRepos is used to inject extra package repositories that may be used to\nsatisfy package dependencies in various stages."
 				}
 			},
 			"additionalProperties": false,
 			"type": "object",
 			"description": "PackageDependencies is a list of dependencies for a package."
 		},
+		"PackageRepositoryConfig": {
+			"properties": {
+				"keys": {
+					"additionalProperties": {
+						"$ref": "#/$defs/Source"
+					},
+					"type": "object",
+					"description": "Keys are the list of keys that need to be imported to use the configured\nrepositories"
+				},
+				"config": {
+					"additionalProperties": {
+						"$ref": "#/$defs/Source"
+					},
+					"type": "object",
+					"description": "Config list of repo configs to to add to the environment.  The format of\nthese configs are distro specific (e.g. apt/yum configs)."
+				},
+				"data": {
+					"items": {
+						"$ref": "#/$defs/SourceMount"
+					},
+					"type": "array",
+					"description": "Data lists all the extra data that needs to be made available for the\nprovided repository config to work.\nAs an example, if the provided config is referencing a file backed repository\nthen data would include the file data, assuming its not already available\nin the environment."
+				},
+				"envs": {
+					"items": {
+						"type": "string",
+						"enum": [
+							"build",
+							"test",
+							"install"
+						]
+					},
+					"type": "array",
+					"description": "Envs specifies the list of environments to make the repositories available\nduring.\nAcceptable values are:\n - \"build\"   - Repositories are added prior to installing build dependencies\n - \"test\"    - Repositories are added prior to installing test dependencies\n - \"install\" - Repositories are added prior to installing the output\n               package in a container build target."
+				}
+			},
+			"additionalProperties": false,
+			"type": "object",
+			"required": [
+				"config",
+				"envs"
+			],
+			"description": "PackageRepositoryConfig"
+		},
 		"PackageSigner": {
 			"properties": {
 				"image": {
@@ -750,8 +824,7 @@
 			"type": "object",
 			"required": [
 				"url",
-				"commit",
-				"keepGitDir"
+				"commit"
 			]
 		},
 		"SourceHTTP": {
@@ -763,6 +836,10 @@
 				"digest": {
 					"type": "string",
 					"description": "Digest is the digest of the file to download.\nThis is used to verify the integrity of the file.\nForm: \u003calgorithm\u003e:\u003cdigest\u003e"
+				},
+				"permissions": {
+					"type": "integer",
+					"description": "Permissions is the octal file permissions to set on the file."
 				}
 			},
 			"additionalProperties": false,
@@ -853,7 +930,7 @@
 				"dest",
 				"spec"
 			],
-			"description": "SourceMount is used to take a [Source] and mount it into a build step."
+			"description": "SourceMount wraps a [Source] with a target mount point."
 		},
 		"Spec": {
 			"properties": {
@@ -1185,5 +1262,8 @@
 			],
 			"description": "TestStep is a wrapper for [BuildStep] to include checks on stdio streams"
 		}
+	},
+	"patternProperties": {
+		"^x-": true
 	}
 }

frontend/azlinux/azlinux3.go

@@ -61,7 +61,7 @@ func (w azlinux3) Install(pkgs []string, opts ...installOpt) llb.RunOption {
 }
 
 func (w azlinux3) BasePackages() []string {
-	return []string{"azurelinux-release"}
+	return []string{"distroless-packages-minimal", "prebuilt-ca-certificates"}
 }
 
 func (azlinux3) DefaultImageConfig(ctx context.Context, resolver llb.ImageMetaResolver, platform *ocispecs.Platform) (*dalec.DockerImageSpec, error) {