Merge branch 'main' into add-diffstat-package

Author: C0DE-X

Makefile

@@ -29,7 +29,7 @@ MELANGE_OPTS += --repository-append ${REPO}
 MELANGE_OPTS += --keyring-append ${KEY}.pub
 MELANGE_OPTS += --signing-key ${KEY}
 MELANGE_OPTS += --arch ${ARCH}
-MELANGE_OPTS += --env-file build-${ARCH}.env
+MELANGE_OPTS += --env-file build-common.env --env-file build-${ARCH}.env
 MELANGE_OPTS += --namespace wolfi
 MELANGE_OPTS += --license 'Apache-2.0'
 MELANGE_OPTS += --git-repo-url 'https://github.com/wolfi-dev/os'
@@ -69,8 +69,8 @@ WOLFI_REPO ?= https://packages.wolfi.dev/os
 WOLFI_KEY ?= https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
 BOOTSTRAP ?= no
 
-SOURCE_DATE_EPOCH := $(shell git --no-pager log -1 --pretty=%ct || echo no-git)
-ifeq ($(SOURCE_DATE_EPOCH),no-git)
+SOURCE_DATE_EPOCH := $(shell git --no-pager log -1 --pretty=%ct 2>/dev/null || jj log -r @ --no-graph -T 'committer.timestamp().utc().format("%s")' 2>/dev/null || echo 0)
+ifeq ($(SOURCE_DATE_EPOCH),0)
 $(error setting SOURCE_DATE_EPOCH failed - $(SOURCE_DATE_EPOCH))
 endif
 export SOURCE_DATE_EPOCH

R-magrittr.yaml

@@ -1,7 +1,7 @@
 package:
   name: R-magrittr
-  version: "2.0.4"
-  epoch: 1
+  version: "2.0.5"
+  epoch: 0
   description: Improve the readability of R code with the pipe
   copyright:
     - license: MIT
@@ -21,7 +21,7 @@ pipeline:
     with:
       repository: https://github.com/cran/magrittr
       tag: ${{package.version}}
-      expected-commit: 16a8acec01ceea1b0a849286115c112dd3b3e4d6
+      expected-commit: 9cbdba1a40f06942be6c30ea1c22f74e39b5c240
 
   - uses: R/build
     with:

R-showtext.yaml

@@ -1,7 +1,7 @@
 package:
   name: R-showtext
-  version: 0.9.7
-  epoch: 3 # go/wolfi-rsc/R-showtext
+  version: "0.9.8"
+  epoch: 0 # go/wolfi-rsc/R-showtext
   description: Using Fonts More Easily in R Graphs
   copyright:
     - license: Apache-2.0
@@ -40,7 +40,7 @@ pipeline:
     with:
       repository: https://github.com/cran/showtext
       tag: ${{vars.mangled-package-version}}
-      expected-commit: 7abf994a45ab6da26cafddbf8b15678cd8f2c8d5
+      expected-commit: 887cc2e654bf0e797a683bc36b3f95140e3ecbe6
 
   - uses: R/build
     with:

R-sysfonts.yaml

@@ -1,7 +1,7 @@
 package:
   name: R-sysfonts
   version: 0.8.9
-  epoch: 3 # go/wolfi-rsc/R-sysfonts
+  epoch: 4
   description: Loading Fonts into R
   copyright:
     - license: GPL-2.0-only
@@ -42,7 +42,24 @@ pipeline:
 test:
   pipeline:
     - runs: |
-        Rscript -e 'library(sysfonts)'
+        Rscript -e '
+          library(sysfonts)
+
+          # List available font families (should include at least "sans", "serif", "mono")
+          families <- font_families()
+          stopifnot(length(families) > 0)
+          cat("Font families:", paste(families, collapse=", "), "\n")
+
+          # Verify font search paths are returned
+          paths <- font_paths()
+          cat("Font paths:", paste(paths, collapse=", "), "\n")
+
+          # List font files found in search paths
+          files <- font_files()
+          cat("Font files found:", nrow(files), "\n")
+
+          cat("sysfonts functional test passed\n")
+        '
     - uses: test/tw/ldd-check
       with:
         extra-library-paths: "/usr/lib/R/lib/"

act.yaml

@@ -0,0 +1,54 @@
+package:
+  name: act
+  version: "0.2.87"
+  epoch: 1
+  description: Run your GitHub Actions locally
+  copyright:
+    - license: MIT
+  dependencies: {}
+  checks: {}
+  cpe: {}
+
+capabilities: {}
+
+environment:
+  contents:
+    packages:
+      - go
+
+pipeline:
+  - uses: git-checkout
+    with:
+      expected-commit: 36add66f6520c77c15dfce4715ba6c689d427981
+      repository: https://github.com/nektos/act
+      tag: v${{package.version}}
+
+  - uses: go/bump
+    with:
+      deps: |-
+        github.com/go-git/go-git/v5@v5.17.1
+
+  - uses: go/build
+    with:
+      output: act
+      packages: .
+
+  - uses: strip
+
+update:
+  enabled: true
+  github:
+    identifier: nektos/act
+    strip-prefix: v
+
+test:
+  environment: {}
+  pipeline:
+    - uses: test/tw/ldd-check
+    - uses: test/tw/ver-check
+      with:
+        bins: act
+        version: ${{package.version}}
+    - uses: test/tw/help-check
+      with:
+        bins: act

actions-runner-controller.yaml

@@ -1,7 +1,7 @@
 package:
   name: actions-runner-controller
-  version: "0.13.1"
-  epoch: 4 # CVE-2026-27139
+  version: "0.14.0"
+  epoch: 2 # fix test bins format
   description: Kubernetes controller for GitHub Actions self-hosted runners
   copyright:
     - license: Apache-2.0
@@ -11,39 +11,38 @@ environment:
     packages:
       - busybox
       - ca-certificates-bundle
-      - go
+      - go-1.26
 
 pipeline:
   - uses: git-checkout
     with:
       repository: https://github.com/actions/actions-runner-controller
       tag: gha-runner-scale-set-${{package.version}}
-      expected-commit: a505fb5616f37947f7671dcf23eeae746bab69a0
-
-  - uses: go/bump
-    with:
-      deps: |-
-        github.com/cloudflare/circl@v1.6.3
+      expected-commit: 8b7f232dc402bcc6a9300630dd3a124339f7f2f1
 
   - uses: go/build
     with:
+      go-package: go-1.26
       packages: .
       output: manager
       ldflags: -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
 
   - uses: go/build
     with:
+      go-package: go-1.26
       packages: ./cmd/ghalistener
       output: ghalistener
       ldflags: -X 'github.com/actions/actions-runner-controller/build.Version=${{package.version}}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=$(git rev-parse HEAD)'
 
   - uses: go/build
     with:
+      go-package: go-1.26
       packages: ./cmd/githubwebhookserver
       output: github-webhook-server
 
   - uses: go/build
     with:
+      go-package: go-1.26
       packages: ./cmd/actionsmetricsserver
       output: actions-metrics-server
 
@@ -53,8 +52,8 @@ subpackages:
     pipeline:
       - runs: |
           mkdir -p "${{targets.subpkgdir}}"
-          ln -sf /usr/bin/manager ${{targets.subpkgdir}}/manager
-          ln -sf /usr/bin/ghalistener ${{targets.subpkgdir}}/ghalistener
+          ln -sf ./usr/bin/manager ${{targets.subpkgdir}}/manager
+          ln -sf ./usr/bin/ghalistener ${{targets.subpkgdir}}/ghalistener
     # test added by a robot (compat)
     test:
       pipeline:
@@ -91,7 +90,10 @@ test:
     - uses: test/tw/ldd-check
     - uses: test/tw/help-check
       with:
-        bins: ghalistener github-webhook-server actions-metrics-server
+        bins: |
+          ghalistener
+          github-webhook-server
+          actions-metrics-server
     - uses: test/kwok/cluster
       with:
         serviceaccount: true

aerospike-7.yaml

@@ -1,7 +1,7 @@
 package:
   name: aerospike-7
   version: "7.2.0.16"
-  epoch: 0 # go/wolfi-rsc/aerospike-7
+  epoch: 1 # go/wolfi-rsc/aerospike-7
   description: Aerospike Database Server - flash-optimized, in-memory, nosql database
   copyright:
     - license: AGPL-3.0-only
@@ -22,7 +22,7 @@ environment:
       - coreutils
       - gmp-dev
       - libtool
-      - openssl-dev
+      - openssl-hardened-dev
       - zlib-dev
 
 pipeline:
@@ -71,6 +71,10 @@ update:
 
 test:
   pipeline:
-    - runs: |
-        asd --version
-        asd --help
+    - uses: test/tw/ldd-check
+    - uses: test/tw/ver-check
+      with:
+        bins: asd
+    - uses: test/tw/help-check
+      with:
+        bins: asd

age.yaml

@@ -1,11 +1,16 @@
 package:
   name: age
   version: "1.3.1"
-  epoch: 3 # GHSA-fw7p-63qq-7hpr
+  epoch: 4 # add go-1.26 stream, go-package fields, ldd-check test
   description: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
   copyright:
     - license: BSD-3-Clause
 
+environment:
+  contents:
+    packages:
+      - go-1.26
+
 pipeline:
   - uses: git-checkout
     with:
@@ -22,20 +27,21 @@ pipeline:
     with:
       packages: ./cmd/age/
       output: age
+      go-package: go-1.26
       ldflags: |
         -X main.Version=${{package.version}}
 
   - uses: go/build
     with:
       packages: ./cmd/age-keygen/
       output: age-keygen
+      go-package: go-1.26
       ldflags: |
         -X main.Version=${{package.version}}
 
-  - uses: strip
-
 test:
   pipeline:
+    - uses: test/tw/ldd-check
     - name: "Encrypt and decrypt a secret"
       runs: |
         echo "Hello, World!" > data.txt

airflow-3.yaml

@@ -1,7 +1,7 @@
 package:
   name: airflow-3
   version: "3.1.8"
-  epoch: 2
+  epoch: 10
   description: Platform to programmatically author, schedule, and monitor workflows
   options:
     #  There is a dependency on libarrow.so although it
@@ -78,6 +78,7 @@ pipeline:
       packages: |
         commons-lang3==3.18.0 # GHSA-j288-q9x7-2f5v
         authlib==1.6.9 # GHSA-7wc2-qxgw-g8gg
+        pyasn1==0.6.3 # GHSA-jr27-m4p2-rc6r
         tornado==6.5.5
 
   - runs: |
@@ -100,7 +101,23 @@ pipeline:
       # apache-airflow-providers-cncf-kubernetes caps cryptography at <46.0.0 but
       # 46.0.5 still should be compatible. Install without deps to apply the security fix for
       # GHSA-r6ph-v2qm-q3c2
-      uv pip install --no-deps cryptography==46.0.5
+      uv pip install --no-deps cryptography==46.0.6
+
+      # apache-airflow-core==3.1.8 pins pyjwt==2.11.0 exactly, but 2.12.0 is
+      # compatible. Install without deps to apply the security fix for
+      # CVE-2026-32597 / GHSA-752w-5fwx-jx9f
+      uv pip install --no-deps pyjwt==2.12.0
+
+      # apache-airflow-providers-google==20.0.0 pins pyopenssl==25.1.0 exactly,
+      # but 26.0.0 is compatible. Install without deps to apply the security fix for
+      # CVE-2026-27459 / GHSA-5pwr-322w-8jr4 and CVE-2026-27448 / GHSA-vp96-hxj8-p424
+      uv pip install --no-deps pyopenssl==26.0.0
+
+      # GHSA-5239-wwwm-4pmq
+      uv pip install --no-deps pygments==2.20.0
+
+      # GHSA-gc5v-m9x4-r6x2
+      uv pip install --no-deps requests==2.33.0
 
       # Uninstall pip and virtualenv from virtual environment
       #
@@ -253,8 +270,9 @@ test:
   pipeline:
     - name: "Test Python package import and version"
       runs: |
+        set -euo pipefail
         source ${{vars.venv-home}}/bin/activate
-        airflow version | grep ${{package.version}}
+        airflow version
         python${{vars.python-version}} -c "import airflow"
     - name: "Test Flask is at the supported version"
       runs: |
@@ -263,6 +281,7 @@ test:
         python -c "from flask.json import JSONEncoder"
     - name: "List providers"
       runs: |
+        set -euo pipefail
         source ${{vars.venv-home}}/bin/activate
 
         PROVIDERS_LIST="$(airflow providers list)"
@@ -273,6 +292,7 @@ test:
         done
     - name: "Load and test a DAG"
       runs: |
+        set -euo pipefail
         source ${{vars.venv-home}}/bin/activate
 
         # Set environment variables
@@ -304,7 +324,7 @@ test:
         airflow dags reserialize
 
         # List DAGs
-        airflow dags list | grep test_dag || (echo "DAG not found!" && exit 1)
+        airflow dags list | grep -F test_dag || (echo "DAG not found!" && exit 1)
 
         # Test Task Execution in DAG
         airflow tasks test test_dag test_task 2024-01-01 || (echo "Task execution failed!" && exit 1)