Merge branch 'main' into coverage/pr4-test-single

omercnet · web-flow · commit ec8a1d39e1ca · 2026-05-19T13:53:27.000-04:00
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -33,6 +33,7 @@ Copacetic (Copa) is a CLI tool that patches container image vulnerabilities usin
   - Unit tests for individual functions and components
   - Integration tests for end-to-end patching scenarios
 - Add relevant documentation for new functionality in `website/docs/`
+- When updating current website docs (`website/docs`), check whether the latest versioned docs need the same change (`website/versioned_docs`)
 
 ## Key Architecture Concepts
 - **Patching modes**: Targeted (with vulnerability reports) or comprehensive (all available updates)
diff --git a/Makefile b/Makefile
@@ -129,7 +129,7 @@ release-manifest:
 .PHONY: test
 test:
 	$(info $(INFOMARK) Running unit tests on pkg libraries ...)
-	go test ./pkg/... $(CODECOV_OPTS)
+	go test ./pkg/... -coverpkg=./pkg/... $(CODECOV_OPTS)
 
 ################################################################################
 # Target: clean                                                                #
diff --git a/go.mod b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
 	github.com/moby/buildkit v0.28.1
-	github.com/moby/moby/api v1.54.1
+	github.com/moby/moby/api v1.54.2
 	github.com/moby/moby/client v0.4.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
@@ -90,7 +90,7 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/in-toto/attestation v1.1.2 // indirect
-	github.com/in-toto/in-toto-golang v0.10.0 // indirect
+	github.com/in-toto/in-toto-golang v0.11.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/klauspost/compress v1.18.5 // indirect
diff --git a/go.sum b/go.sum
@@ -269,8 +269,8 @@ github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGb
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/in-toto/attestation v1.1.2 h1:MBFn6lsMq6dptQZJBhalXTcWMb/aJy3V+GX3VYj/V1E=
 github.com/in-toto/attestation v1.1.2/go.mod h1:gYFddHMZj3DiQ0b62ltNi1Vj5rC879bTmBbrv9CRHpM=
-github.com/in-toto/in-toto-golang v0.10.0 h1:+s2eZQSK3WmWfYV85qXVSBfqgawi/5L02MaqA4o/tpM=
-github.com/in-toto/in-toto-golang v0.10.0/go.mod h1:wjT4RiyFlLWCmLUJjwB8oZcjaq7HA390aMJcD3xXgmg=
+github.com/in-toto/in-toto-golang v0.11.0 h1:nfidMYBFx+E0lnmX5KUnN2Pdm8zdNKal1ayjJuzzRoA=
+github.com/in-toto/in-toto-golang v0.11.0/go.mod h1:u3PjTnwFKjp5a1YCcw8SJg0G+tMeKfVoWsWeFMDCMtw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -329,8 +329,8 @@ github.com/moby/go-archive v0.2.0 h1:zg5QDUM2mi0JIM9fdQZWC7U8+2ZfixfTYoHL7rWUcP8
 github.com/moby/go-archive v0.2.0/go.mod h1:mNeivT14o8xU+5q1YnNrkQVpK+dnNe/K6fHqnTg4qPU=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/moby/api v1.54.1 h1:TqVzuJkOLsgLDDwNLmYqACUuTehOHRGKiPhvH8V3Nn4=
-github.com/moby/moby/api v1.54.1/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
+github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg=
+github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
 github.com/moby/moby/client v0.4.0 h1:S+2XegzHQrrvTCvF6s5HFzcrywWQmuVnhOXe2kiWjIw=
 github.com/moby/moby/client v0.4.0/go.mod h1:QWPbvWchQbxBNdaLSpoKpCdf5E+WxFAgNHogCWDoa7g=
 github.com/moby/patternmatcher v0.6.1 h1:qlhtafmr6kgMIJjKJMDmMWq7WLkKIo23hsrpR3x084U=
diff --git a/website/docs/faq.md b/website/docs/faq.md
@@ -137,6 +137,12 @@ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json
 
 For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy).
 
+## Why do package updates fail with expired GPG keys?
+
+Copa can fail when it runs the distro package manager's repository refresh inside the target image, such as `apt-get update`, `dnf makecache`, `yum makecache`, `zypper refresh`, or `apk update` equivalents, if the image contains expired package repository GPG keys or other stale trust material. Copa uses the package repositories and trust material already present in the image and does not automatically replace expired repository keys.
+
+To resolve this, rebuild or update the source image with refreshed repository keys, move to a maintained base image that has current repository metadata and keys, or adjust the repository and key material in the image before running Copa.
+
 ## Can I use Dependabot with Copa patched images?
 
 Yes, see [best practices](best-practices.md#dependabot) to learn more about using Dependabot with Copa patched images.
diff --git a/website/versioned_docs/version-v0.14.x/faq.md b/website/versioned_docs/version-v0.14.x/faq.md
@@ -137,6 +137,12 @@ export EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json
 
 For more information on source policies, see [Buildkit Source Policies](https://docs.docker.com/build/building/env-vars/#experimental_buildkit_source_policy).
 
+## Why do package updates fail with expired GPG keys?
+
+Copa can fail when it runs the distro package manager's repository refresh inside the target image, such as `apt-get update`, `dnf makecache`, `yum makecache`, `zypper refresh`, or `apk update` equivalents, if the image contains expired package repository GPG keys or other stale trust material. Copa uses the package repositories and trust material already present in the image and does not automatically replace expired repository keys.
+
+To resolve this, rebuild or update the source image with refreshed repository keys, move to a maintained base image that has current repository metadata and keys, or adjust the repository and key material in the image before running Copa.
+
 ## Can I use Dependabot with Copa patched images?
 
 Yes, see [best practices](best-practices.md#dependabot) to learn more about using Dependabot with Copa patched images.
