Bumping to the latest version of c/common and c/image to get
the latest updates for zstd:chunked and the multiple
signature keys updates.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
... and c/image/v5 to main
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/containers/image/v5@main
> make vendor
This moves c/image to a commit that includes both the work on main
that we were already vendoring, and the last tagged version 5.27.0.
That should prevent Renovate from proposing downgrades which fail tests:
- https://github.com/containers/skopeo/pull/2065
- https://github.com/containers/skopeo/pull/2066
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/containers/image/v5@main
> go mod tidy && go mod vendor
This updates c/image with a new version of x/exp.
That package has changed API in an incompatible way,
so just bumping x/exp (as in https://github.com/containers/skopeo/pull/2060 )
would break Skopeo builds.
This updates both c/image and x/exp in lockstep (and nothing
needs updating in Skopeo itself for the x/exp breakage).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(skopeo copy) and (skopeo sync) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.
That notably adds support for Fulcio and Rekor signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/containers/image/v5@main
> make vendor
... to make sure that we don't regress against Skopeo 1.9.3.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/containers/image/v5@main
> go mod tidy -go=1.16 && go mod tidy -go=1.17
> make vendor
The (go mod tidy) pair is necessary to keep c/image CI working.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
$ go get -u github.com/containerd/containerd
$ make vendor
... to silence warnings about https://github.com/advisories/GHSA-crp2-qrr5-8pq7 ,
in code we don't use.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to include a fix for
https://github.com/advisories/GHSA-c2h3-6mxw-7mvq .
(Note that Skopeo doesn't depend on the vulnerable code,
so this is primarily to avoid dependency checker warnings.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We currently need it to drag in recent versions of other dependencies,
per https://github.com/containers/skopeo/issues/796 .
I'll work to update the relevant dependencies in c/image, but that will
only propagate to skopeo in the next c/image release; in the meantime,
this at least undoes the downgrades.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Most of the dependencies have been copied from libpod's vendor.conf
where such a cleanup has been executed recently.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Temporarily vendor opencontainers/image-spec from a fork
to fix "id" value duplication, which is detected and
refused by gojsonschema now
( https://github.com/opencontainers/image-spec/pull/750 ).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Required to update those dependencies in containers/image.
See https://github.com/containers/image/pull/446.
Updated by mitr@redhat.com to vendor from containers/image master again,
which brought in a few more dependency updates.
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Anyone running (vndr) currently ends up with failing tests in OCI schema
validation because gojsonschema has fixed its "$ref" interpretation, exposing
inconsistent URI usage inside image-spec/schema.
So, this runs (vndr), and uses mtrmac/image-spec:id-based-loader
( https://github.com/opencontainers/image-spec/pull/739 ) to make the tests pass
again. As soon as that PR is merged we should revert to using the upstream
image-spec repo again.