wolfi-dev / os

Main package repository for production Wolfi images

Convert from tarballs to git checkout (batch 1) #18091

Open xnox opened 4 months ago

xnox commented 4 months ago

Generated using: $ git grep '/archive/refs/' | sed 's/: */: /g' | sed 's|^|- [ ] |'

### Convert archive tarballs to git checkout
- [ ] aws-c-auth.yaml: uri: https: //github.com/awslabs/aws-c-auth/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-c-cal.yaml: uri: https: //github.com/awslabs/aws-c-cal/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-c-common.yaml: uri: https: //github.com/awslabs/aws-c-common/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-c-compression.yaml: uri: https: //github.com/awslabs/aws-c-compression/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-c-http.yaml: uri: https: //github.com/awslabs/aws-c-http/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-c-io.yaml: uri: https: //github.com/awslabs/aws-c-io/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-c-mqtt.yaml: uri: https: //github.com/awslabs/aws-c-mqtt/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-c-s3.yaml: uri: https: //github.com/awslabs/aws-c-s3/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-c-sdkutils.yaml: uri: https: //github.com/awslabs/aws-c-sdkutils/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] aws-checksums.yaml: uri: https: //github.com/awslabs/aws-checksums/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] bubblewrap.yaml: uri: https: //github.com/containers/bubblewrap/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] confluent-kafka.yaml: uri: https: //github.com/confluentinc/kafka/archive/refs/tags/v${{vars.mangled-package-version}}.tar.gz
- [ ] container-entrypoint.yaml: uri: https: //github.com/wolfi-dev/container-entrypoint/archive/refs/tags/${{package.version}}.tar.gz
- [ ] delve.yaml: uri: https: //github.com/go-delve/delve/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] deno.yaml: uri: https: //github.com/denoland/deno/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] elixir-1.16.yaml: uri: https: //github.com/elixir-lang/elixir/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] fluent-plugin-splunk-hec.yaml: uri: https: //github.com/splunk/fluent-plugin-splunk-hec/archive/refs/tags/${{package.version}}.tar.gz
- [ ] font-lohit-beng-assamese.yaml: uri: https: //github.com/pravins/lohit/archive/refs/heads/master.zip
- [ ] font-lohit-beng-bengali.yaml: uri: https: //github.com/pravins/lohit/archive/refs/heads/master.zip
- [ ] gke-gcloud-auth-plugin.yaml: uri: https: //github.com/kubernetes/cloud-provider-gcp/archive/refs/tags/auth-provider-gcp/v${{package.version}}.tar.gz
- [ ] glslang.yaml: uri: https: //github.com/KhronosGroup/glslang/archive/refs/tags/sdk-${{package.version}}.tar.gz
- [ ] golangci-lint.yaml: uri: https: //github.com/golangci/golangci-lint/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] grpcurl.yaml: uri: https: //github.com/fullstorydev/grpcurl/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] gtest.yaml: uri: https: //github.com/google/googletest/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] hwdata.yaml: uri: https: //github.com/vcrhonek/hwdata/archive/refs/tags/v${{vars.mangled-package-version}}.tar.gz
- [ ] imagemagick.yaml: uri: https: //github.com/ImageMagick/ImageMagick/archive/refs/tags/${{vars.mangled-package-version}}.tar.gz
- [ ] kafkacat.yaml: uri: https: //github.com/edenhill/kafkacat/archive/refs/tags/${{package.version}}.tar.gz
- [ ] kots.yaml: uri: https: //github.com/replicatedhq/kots/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] kubevela.yaml: uri: https: //github.com/kubevela/kubevela/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] kustomize.yaml: uri: https: //github.com/kubernetes-sigs/kustomize/archive/refs/tags/kustomize/v${{package.version}}.tar.gz
- [ ] libeconf.yaml: uri: https: //github.com/openSUSE/libeconf/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] libepoxy.yaml: uri: https: //github.com/anholt/libepoxy/archive/refs/tags/${{package.version}}.tar.gz
- [ ] libhtp.yaml: uri: https: //github.com/OISF/libhtp/archive/refs/tags/${{package.version}}.tar.gz
- [ ] libpsl-native.yaml: uri: https: //github.com/PowerShell/PowerShell-Native/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] librdkafka.yaml: uri: https: //github.com/confluentinc/librdkafka/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] libxcrypt.yaml: uri: https: //github.com/besser82/libxcrypt/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] lua-resty-cookie.yaml: uri: https: //github.com/cloudflare/lua-resty-cookie/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] lz4.yaml: uri: https: //github.com/lz4/lz4/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] memcached-exporter.yaml: uri: https: //github.com/prometheus/memcached_exporter/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] mimalloc.yaml: uri: https: //github.com/microsoft/mimalloc/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] mimalloc2.yaml: uri: https: //github.com/microsoft/mimalloc/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] mold.yaml: uri: https: //github.com/rui314/mold/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] oauth2-proxy.yaml: uri: https: //github.com/oauth2-proxy/oauth2-proxy/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] openjdk-12.yaml: uri: https: //github.com/openjdk/jdk12u/archive/refs/tags/jdk-${{vars.mangled-package-version}}.tar.gz
- [ ] openjdk-13.yaml: uri: https: //github.com/openjdk/jdk13u/archive/refs/tags/jdk-${{vars.mangled-package-version}}.tar.gz
- [ ] openjdk-14.yaml: uri: https: //github.com/openjdk/jdk14u/archive/refs/tags/jdk-${{vars.mangled-package-version}}.tar.gz
- [ ] openjdk-15.yaml: uri: https: //github.com/openjdk/jdk15u/archive/refs/tags/jdk-${{vars.mangled-package-version}}.tar.gz
- [ ] openjdk-16.yaml: uri: https: //github.com/openjdk/jdk16u/archive/refs/tags/jdk-${{vars.mangled-package-version}}.tar.gz
- [ ] openjdk-18.yaml: uri: https: //github.com/openjdk/jdk18u/archive/refs/tags/jdk-${{vars.mangled-package-version}}.tar.gz
- [ ] openjdk-19.yaml: uri: https: //github.com/openjdk/jdk19u/archive/refs/tags/jdk-${{vars.mangled-package-version}}.tar.gz
- [ ] openjdk-20.yaml: uri: https: //github.com/openjdk/jdk20u/archive/refs/tags/jdk-${{vars.mangled-package-version}}.tar.gz
- [ ] pciutils.yaml: uri: https: //github.com/pciutils/pciutils/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] pkgconf.yaml: uri: https: //github.com/pkgconf/pkgconf/archive/refs/tags/pkgconf-${{package.version}}.tar.gz
- [ ] py3-ml-metadata/0001-bump-abseil-boringssl-six-rules-foreign-cc-versions.patch: url = "https: //github.com/bazelbuild/rules_foreign_cc/archive/refs/tags/%s.tar.gz" % RULES_FOREIGN_CC_VERSION,
- [ ] py3-wheel.yaml: uri: https: //github.com/pypa/wheel/archive/refs/tags/${{package.version}}.tar.gz
- [ ] rapidjson.yaml: uri: https: //github.com/miloyip/rapidjson/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] restic.yaml: uri: https: //github.com/restic/restic/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-async-http.yaml: uri: https: //github.com/socketry/async-http/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-async-io.yaml: uri: https: //github.com/socketry/async-io/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-async-pool.yaml: uri: https: //github.com/socketry/async-pool/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-async.yaml: uri: https: //github.com/socketry/async/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-charlock_holmes.yaml: uri: https: //github.com/brianmario/charlock_holmes/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-connection_pool.yaml: uri: https: //github.com/mperham/connection_pool/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-console.yaml: uri: https: //github.com/socketry/console/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-date.yaml: uri: https: //github.com/ruby/date/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-faraday-follow_redirects.yaml: uri: https: //github.com/tisba/faraday-follow-redirects/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-faraday-net_http.yaml: uri: https: //github.com/lostisland/faraday-net_http/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-faraday.yaml: uri: https: //github.com/lostisland/faraday/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-fiber-local.yaml: uri: https: //github.com/socketry/fiber-local/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-hashie.yaml: uri: https: //github.com/hashie/hashie/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-i18n.yaml: uri: https: //github.com/ruby-i18n/i18n/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-io-event.yaml: uri: https: //github.com/socketry/io-event/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-jwt.yaml: uri: https: //github.com/jwt/ruby-jwt/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-mini_mime.yaml: uri: https: //github.com/discourse/mini_mime/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-multi_xml.yaml: uri: https: //github.com/sferik/multi_xml/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-net-http-persistent.yaml: uri: https: //github.com/drbrain/net-http-persistent/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-net-imap.yaml: uri: https: //github.com/ruby/net-imap/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-net-protocol.yaml: uri: https: //github.com/ruby/net-protocol/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-nio4r.yaml: uri: https: //github.com/socketry/nio4r/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-oj.yaml: uri: https: //github.com/ohler55/oj/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-openid_connect.yaml: uri: https: //github.com/nov/openid_connect/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-pg.yaml: uri: https: //github.com/ged/ruby-pg/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-prometheus-client.yaml: uri: https: //github.com/prometheus/client_ruby/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-protocol-http.yaml: uri: https: //github.com/socketry/protocol-http/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-protocol-http1.yaml: uri: https: //github.com/socketry/protocol-http1/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-protocol-http2.yaml: uri: https: //github.com/socketry/protocol-http2/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-puma.yaml: uri: https: //github.com/puma/puma/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-quantile.yaml: uri: http: //github.com/matttproud/ruby_quantile_estimation/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-rack-protection.yaml: uri: https: //github.com/sinatra/sinatra/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-rack.yaml: uri: https: //github.com/rack/rack/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-redis-client.yaml: uri: https: //github.com/redis-rb/redis-client/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-redis-namespace.yaml: uri: https: //github.com/resque/redis-namespace/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-redis.yaml: uri: https: //github.com/redis/redis-rb/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-rexml.yaml: uri: https: //github.com/ruby/rexml/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-sidekiq.yaml: uri: https: //github.com/sidekiq/sidekiq/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-sinatra.yaml: uri: https: //github.com/sinatra/sinatra/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-tilt.yaml: uri: https: //github.com/jeremyevans/tilt/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-timeout.yaml: uri: https: //github.com/ruby/timeout/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-timers.yaml: uri: https: //github.com/socketry/timers/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-traces.yaml: uri: https: //github.com/socketry/traces/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-tzinfo-data.yaml: uri: https: //github.com/tzinfo/tzinfo-data/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-tzinfo.yaml: uri: https: //github.com/tzinfo/tzinfo/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] ruby3.2-webrick.yaml: uri: https: //github.com/ruby/webrick/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] s2n-tls.yaml: uri: https: //github.com/aws/s2n-tls/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] spirv-headers.yaml: uri: https: //github.com/KhronosGroup/SPIRV-Headers/archive/refs/tags/sdk-${{package.version}}.tar.gz
- [ ] spirv-tools.yaml: uri: https: //github.com/KhronosGroup/SPIRV-tools/archive/refs/tags/sdk-${{package.version}}.tar.gz
- [ ] ssdeep.yaml: uri: https: //github.com/ssdeep-project/ssdeep/archive/refs/tags/release-${{package.version}}.tar.gz
- [ ] suricata-update.yaml: uri: https: //github.com/OISF/suricata-update/archive/refs/tags/${{package.version}}.tar.gz
- [ ] suricata.yaml: uri: https: //github.com/OISF/suricata/archive/refs/tags/suricata-${{package.version}}.tar.gz
- [ ] terragrunt.yaml: uri: https: //github.com/gruntwork-io/terragrunt/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] tmux.yaml: uri: https: //github.com/tmux/tmux/archive/refs/tags/${{package.version}}.tar.gz
- [ ] trurl.yaml: uri: https: //github.com/curl/trurl/archive/refs/tags/trurl-0.10.tar.gz
- [ ] uutils.yaml: uri: https: //github.com/uutils/coreutils/archive/refs/tags/${{package.version}}.tar.gz
- [ ] wasi-libc.yaml: uri: https: //github.com/WebAssembly/wasi-libc/archive/refs/tags/wasi-sdk-21.tar.gz
- [ ] ytt.yaml: uri: https: //github.com/carvel-dev/ytt/archive/refs/tags/v${{package.version}}.tar.gz
- [ ] zstd.yaml: uri: https: //github.com/facebook/zstd/archive/refs/tags/v${{package.version}}.tar.gz

xnox commented 4 months ago

I wonder if we can auto-rewrite this:

  - uses: fetch
    with:
      expected-sha256: dfbf1dbe06d1646ed36ac740e50f27ebb76c5b7f85205918813dc60246cee655
      uri: https://github.com/tzinfo/tzinfo/archive/refs/tags/v${{package.version}}.tar.gz

And fix up the commit, with a converter script.
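
A sketch of the converter idea raised in the comment above, as an added example that is not part of the thread or of the wolfi-dev tooling. It rewrites a `fetch` step on a GitHub tag archive into a melange `git-checkout` step; the function names, the sample recipe fragment and the `REPLACE_WITH_COMMIT_SHA` marker are assumptions made for illustration.

```python
import re

# Matches GitHub archive URLs as listed in the issue (refs/tags or refs/heads).
ARCHIVE_RE = re.compile(
    r"^https?://github\.com/(?P<owner>[^/]+)/(?P<repo>[^/]+)"
    r"/archive/refs/(?P<kind>tags|heads)/(?P<ref>.+?)\.(?:tar\.gz|zip)$"
)
# A "- uses: fetch" step and the flat key/value lines under its "with:".
FETCH_RE = re.compile(
    r"^(?P<indent>[ \t]*)- uses: fetch[ \t]*\n"
    r"(?P=indent)  with:[ \t]*\n"
    r"(?P<body>(?:(?P=indent)    \S.*\n?)+)",
    re.MULTILINE,
)
PLACEHOLDER = "REPLACE_WITH_COMMIT_SHA"  # constructed marker, not a real commit

# Constructed recipe fragment built around the step quoted in the thread.
SAMPLE = """\
pipeline:
  - uses: fetch
    with:
      expected-sha256: dfbf1dbe06d1646ed36ac740e50f27ebb76c5b7f85205918813dc60246cee655
      uri: https://github.com/tzinfo/tzinfo/archive/refs/tags/v${{package.version}}.tar.gz
  - runs: make
"""

def parse_archive_uri(uri):
    """Return (repository, tag) for a tag archive, else None."""
    m = ARCHIVE_RE.match(uri.strip())
    if m is None or m["kind"] != "tags":
        return None  # refs/heads archives track a moving branch: review by hand
    # Emit https even when the recipe used plain http.
    return f"https://github.com/{m['owner']}/{m['repo']}", m["ref"]

def convert(recipe, commit=PLACEHOLDER):
    """Rewrite fetch steps on GitHub tag archives into git-checkout steps."""
    def rewrite(match):
        lines = match["body"].splitlines()
        fields = dict(l.strip().split(": ", 1) for l in lines if ": " in l)
        parsed = parse_archive_uri(fields.get("uri", ""))
        if parsed is None:
            return match.group(0)  # not convertible: leave the step untouched
        ind = match["indent"]
        # The tarball sha256 does not carry over; the tag's commit has to be
        # resolved from the upstream repository and pinned in its place.
        return (f"{ind}- uses: git-checkout\n{ind}  with:\n"
                f"{ind}    repository: {parsed[0]}\n{ind}    tag: {parsed[1]}\n"
                f"{ind}    expected-commit: {commit}\n")
    return FETCH_RE.sub(rewrite, recipe)

if __name__ == "__main__":
    print(convert(SAMPLE))
```

Entries from the checklist that point at `refs/heads/` (the two `font-lohit` recipes) are returned unchanged, since a branch archive has no tag to pin.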

tuananh commented 4 months ago

@xnox we need to make sure the build script doesn't use any information from git, which is quite common in Go.

xnox commented 4 months ago

> @xnox we need to make sure the build script doesn't use any information from git, which is quite common in Go.

On the contrary, I think. Most security scanners do pick up version information from binaries (and specifically Go) and can provide more accurate data when VCS identifiers are present in the binaries. (SBOMs, vulnerabilities, etc.)

In part, this goal is to ensure all/most binaries come from git tags, instead of arbitrary disconnected tarballs.

tuananh commented 4 months ago

> > @xnox we need to make sure the build script doesn't use any information from git, which is quite common in Go.
>
> On the contrary, I think. Most security scanners do pick up version information from binaries (and specifically Go) and can provide more accurate data when VCS identifiers are present in the binaries. (SBOMs, vulnerabilities, etc.)
>
> In part, this goal is to ensure all/most binaries come from git tags, instead of arbitrary disconnected tarballs.

My bad. I thought we convert git-checkout to tarball. git-checkout has more information than tarball so we're fine :)