From 62dec8ff7c922c4fffbade1024b4582f97e68f6a Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Tue, 11 Jun 2024 11:17:26 +0000
Subject: [PATCH 01/51] kubewatch/2.7.0 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 kubewatch.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/kubewatch.yaml b/kubewatch.yaml
index 9c87ba47a77..a2dfa34fd8b 100644
--- a/kubewatch.yaml
+++ b/kubewatch.yaml
@@ -1,7 +1,7 @@
 package:
   name: kubewatch
-  version: 2.6.0
-  epoch: 2
+  version: 2.7.0
+  epoch: 0
   description: Watch k8s events and trigger Handlers
   copyright:
     - license: Apache-2.0
@@ -16,14 +16,10 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 4730af84d096fabf3d0c5a2aae15d666baac141b
+      expected-commit: 957dc4a61943136220e2c32a15881928eec81fb4
       repository: https://github.com/robusta-dev/kubewatch
       tag: v${{package.version}}
 
-  - uses: go/bump
-    with:
-      deps: google.golang.org/protobuf@v1.33.0 golang.org/x/net@v0.23.0
-
   - runs: |
       make build
       install -Dm755 kubewatch "${{targets.destdir}}"/usr/bin/kubewatch

From c9e877fb213313d45524e45760eb33a87329a4f3 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Date: Wed, 12 Jun 2024 23:10:45 -0400
Subject: [PATCH 02/51] Reapply "openssl/3.3.1 package update"

This reverts commit 2d18b5bcd51cf7bcb53f109e55e83ce626b20a7b.
---
 openssl.yaml                |  10 +--
 openssl/CVE-2024-4603.patch | 172 ------------------------------------
 openssl/CVE-2024-4741.patch |  36 --------
 3 files changed, 3 insertions(+), 215 deletions(-)
 delete mode 100644 openssl/CVE-2024-4603.patch
 delete mode 100644 openssl/CVE-2024-4741.patch

diff --git a/openssl.yaml b/openssl.yaml
index 18b645c8429..bd981221dca 100644
--- a/openssl.yaml
+++ b/openssl.yaml
@@ -1,7 +1,7 @@
 package:
   name: openssl
-  version: 3.3.0
-  epoch: 9
+  version: 3.3.1
+  epoch: 0
   description: "the OpenSSL cryptography suite"
   copyright:
     - license: Apache-2.0
@@ -27,11 +27,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://www.openssl.org/source/openssl-${{package.version}}.tar.gz
-      expected-sha256: 53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02
-
-  - uses: patch
-    with:
-      patches: CVE-2024-4603.patch CVE-2024-4741.patch
+      expected-sha256: 777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e
 
   - name: Configure and build
     runs: |
diff --git a/openssl/CVE-2024-4603.patch b/openssl/CVE-2024-4603.patch
deleted file mode 100644
index 89c5d0cf0e0..00000000000
--- a/openssl/CVE-2024-4603.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From 53ea06486d296b890d565fb971b2764fcd826e7e Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Wed, 8 May 2024 15:23:45 +0200
-Subject: [PATCH] Check DSA parameters for excessive sizes before validating
-
-This avoids overly long computation of various validation
-checks.
-
-Fixes CVE-2024-4603
-
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-(Merged from https://github.com/openssl/openssl/pull/24346)
-
-(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
----
- CHANGES.md                                    | 17 +++++-
- crypto/dsa/dsa_check.c                        | 44 ++++++++++++--
- .../invalid/p10240_q256_too_big.pem           | 57 +++++++++++++++++++
- 3 files changed, 113 insertions(+), 5 deletions(-)
- create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-
-diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
-index 7b6d7df88fdb8..e1375dfad9c0f 100644
---- a/crypto/dsa/dsa_check.c
-+++ b/crypto/dsa/dsa_check.c
-@@ -19,8 +19,34 @@
- #include "dsa_local.h"
- #include "crypto/dsa.h"
- 
-+static int dsa_precheck_params(const DSA *dsa, int *ret)
-+{
-+    if (dsa->params.p == NULL || dsa->params.q == NULL) {
-+        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
-+        *ret = FFC_CHECK_INVALID_PQ;
-+        return 0;
-+    }
-+
-+    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
-+        *ret = FFC_CHECK_INVALID_PQ;
-+        return 0;
-+    }
-+
-+    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
-+        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
-+        *ret = FFC_CHECK_INVALID_PQ;
-+        return 0;
-+    }
-+
-+    return 1;
-+}
-+
- int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
- {
-+    if (!dsa_precheck_params(dsa, ret))
-+        return 0;
-+
-     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
-         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
-                                                FFC_PARAM_TYPE_DSA, ret);
-@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
-  */
- int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
- {
-+    if (!dsa_precheck_params(dsa, ret))
-+        return 0;
-+
-     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
-            && *ret == 0;
- }
-@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
-  */
- int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
- {
-+    if (!dsa_precheck_params(dsa, ret))
-+        return 0;
-+
-     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
-            && *ret == 0;
- }
-@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
- {
-     *ret = 0;
- 
--    return (dsa->params.q != NULL
--            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
-+    if (!dsa_precheck_params(dsa, ret))
-+        return 0;
-+
-+    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
- }
- 
- /*
-@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
-     BN_CTX *ctx = NULL;
-     BIGNUM *pub_key = NULL;
- 
--    if (dsa->params.p == NULL
--        || dsa->params.g == NULL
-+    if (!dsa_precheck_params(dsa, &ret))
-+        return 0;
-+
-+    if (dsa->params.g == NULL
-         || dsa->priv_key == NULL
-         || dsa->pub_key == NULL)
-         return 0;
-diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-new file mode 100644
-index 0000000000000..e85e2953b7a24
---- /dev/null
-+++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-@@ -0,0 +1,57 @@
-+-----BEGIN DSA PARAMETERS-----
-+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
-+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
-+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
-+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
-+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
-+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
-+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
-+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
-+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
-+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
-+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
-+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
-+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
-+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
-+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
-+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
-+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
-+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
-+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
-+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
-+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
-+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
-+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
-+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
-+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
-+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
-+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
-+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
-+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
-+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
-+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
-+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
-+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
-+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
-+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
-++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
-+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
-+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
-+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
-+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
-+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
-+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
-+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
-+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
-+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
-+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
-+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
-+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
-+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
-+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
-+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
-+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
-+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
-+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
-+vKuje86bePD6kD/LH3wmkA==
-+-----END DSA PARAMETERS-----
diff --git a/openssl/CVE-2024-4741.patch b/openssl/CVE-2024-4741.patch
deleted file mode 100644
index f40317d396c..00000000000
--- a/openssl/CVE-2024-4741.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From e5093133c35ca82874ad83697af76f4b0f7e3bd8 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 23 Apr 2024 16:34:46 +0100
-Subject: [PATCH] Only free the read buffers if we're not using them
-
-If we're part way through processing a record, or the application has
-not released all the records then we should not free our buffer because
-they are still needed.
-
-CVE-2024-4741
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24395)
-
-(cherry picked from commit 38690cab18de88198f46478565fab423cf534efa)
----
- ssl/record/methods/tls_common.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
-index b7481c071f746..01cf3012b8c2c 100644
---- a/ssl/record/methods/tls_common.c
-+++ b/ssl/record/methods/tls_common.c
-@@ -2124,7 +2124,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl)
-     /* Read direction */
- 
-     /* If we have pending data to be read then fail */
--    if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0)
-+    if (rl->curr_rec < rl->num_recs
-+            || rl->curr_rec != rl->num_released
-+            || TLS_BUFFER_get_left(&rl->rbuf) != 0
-+            || rl->rstate == SSL_ST_READ_BODY)
-         return 0;
- 
-     return tls_release_read_buffer(rl);

From 461481373fd861a1b24ce8ef9f79cb6dfc170401 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Date: Wed, 12 Jun 2024 23:45:44 -0400
Subject: [PATCH 03/51] openssl: revert hkdf changes

Revert:
- https://github.com/openssl/openssl/commit/1c95d96411de59379a043fa4e60f15f7862433d3
- https://github.com/openssl/openssl/commit/77995ed7fff59c07a67eb03d6c6453115c3772cf
- https://github.com/openssl/openssl/pull/24141
- https://github.com/openssl/openssl/pull/23456

As it appears to introduce incompatibility with the 3.0.9 fips
provider, as used by https://github.com/golang-fips/openssl toolchain
like so:

```
2024/06/12 23:21:24 WARN go: downloading google.golang.org/protobuf v1.33.0
2024/06/12 23:21:24 WARN panic: tls: HKDF-Expand-Label invocation failed unexpectedly
2024/06/12 23:21:24 WARN
2024/06/12 23:21:24 WARN goroutine 1579 [running]:
2024/06/12 23:21:24 WARN crypto/tls.(*cipherSuiteTLS13).expandLabel(0xf53a40, {0xc0006821c0, 0x20, 0x20}, {0xaccde0?, 0x7?}, {0xc0006821e0, 0x20, 0x20}, 0x20)
2024/06/12 23:21:24 WARN     crypto/tls/key_schedule.go:66 +0x565
2024/06/12 23:21:24 WARN crypto/tls.(*cipherSuiteTLS13).deriveSecret(0xf53a40, {0xc0006821c0, 0x20, 0x20}, {0xaccde0, 0x7}, {0x0?, 0x0?})
2024/06/12 23:21:24 WARN     crypto/tls/key_schedule.go:86 +0xd2
2024/06/12 23:21:24 WARN crypto/tls.(*clientHandshakeStateTLS13).establishHandshakeKeys(0xc000bc1bd0)
2024/06/12 23:21:24 WARN     crypto/tls/handshake_client_tls13.go:392 +0x109
2024/06/12 23:21:24 WARN crypto/tls.(*clientHandshakeStateTLS13).handshake(0xc000bc1bd0)
2024/06/12 23:21:24 WARN     crypto/tls/handshake_client_tls13.go:90 +0x2bb
2024/06/12 23:21:24 WARN crypto/tls.(*Conn).clientHandshake(0xc00088d508, {0xbe5b80, 0xc000f036d0})
2024/06/12 23:21:24 WARN     crypto/tls/handshake_client.go:265 +0x594
2024/06/12 23:21:24 WARN crypto/tls.(*Conn).handshakeContext(0xc00088d508, {0xbe5b10, 0xffe2e0})
2024/06/12 23:21:24 WARN     crypto/tls/conn.go:1553 +0x3cb
2024/06/12 23:21:24 WARN crypto/tls.(*Conn).HandshakeContext(...)
2024/06/12 23:21:24 WARN     crypto/tls/conn.go:1493
2024/06/12 23:21:24 WARN net/http.(*persistConn).addTLS.func2()
2024/06/12 23:21:24 WARN     net/http/transport.go:1573 +0x6e
2024/06/12 23:21:24 WARN created by net/http.(*persistConn).addTLS in goroutine 1078
2024/06/12 23:21:24 WARN     net/http/transport.go:1569 +0x309
```

Not yet sure if the golang-fips/openssl bindings are at fault, or if
the libcrypto <-> old fips provider backwards compat is missmatched.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
---
 openssl.yaml                                  |   6 +-
 ...pty-param-in-EVP_PKEY_CTX_add1_hkdf_.patch |  88 ++++++
 ...EVP_PKEY_CTX_add1_hkdf_info-behavior.patch | 297 ++++++++++++++++++
 3 files changed, 390 insertions(+), 1 deletion(-)
 create mode 100644 openssl/0001-Revert-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_.patch
 create mode 100644 openssl/0002-Revert-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch

diff --git a/openssl.yaml b/openssl.yaml
index bd981221dca..ad13c0ea554 100644
--- a/openssl.yaml
+++ b/openssl.yaml
@@ -1,7 +1,7 @@
 package:
   name: openssl
   version: 3.3.1
-  epoch: 0
+  epoch: 1
   description: "the OpenSSL cryptography suite"
   copyright:
     - license: Apache-2.0
@@ -29,6 +29,10 @@ pipeline:
       uri: https://www.openssl.org/source/openssl-${{package.version}}.tar.gz
       expected-sha256: 777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e
 
+  - uses: patch
+    with:
+      patches: 0001-Revert-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_.patch 0002-Revert-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
+
   - name: Configure and build
     runs: |
       export CC=${{host.triplet.gnu}}-gcc
diff --git a/openssl/0001-Revert-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_.patch b/openssl/0001-Revert-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_.patch
new file mode 100644
index 00000000000..bfff9bed989
--- /dev/null
+++ b/openssl/0001-Revert-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_.patch
@@ -0,0 +1,88 @@
+From d6ecc583f7398417dd078edbfb78fd99b9972dbd Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
+Date: Wed, 12 Jun 2024 23:24:20 -0400
+Subject: [PATCH 1/2] Revert "Handle empty param in
+ EVP_PKEY_CTX_add1_hkdf_info"
+
+This reverts commit 1c95d96411de59379a043fa4e60f15f7862433d3.
+---
+ crypto/evp/pmeth_lib.c |  2 --
+ test/evp_extra_test.c  | 42 ------------------------------------------
+ 2 files changed, 44 deletions(-)
+
+diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
+index 0a561323f1..65f5fcb804 100644
+--- a/crypto/evp/pmeth_lib.c
++++ b/crypto/evp/pmeth_lib.c
+@@ -1027,8 +1027,6 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+     if (datalen < 0) {
+         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+         return 0;
+-    } else if (datalen == 0) {
+-        return 1;
+     }
+ 
+     /* Get the original value length */
+diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
+index a42e42d929..c46e288a1f 100644
+--- a/test/evp_extra_test.c
++++ b/test/evp_extra_test.c
+@@ -2721,47 +2721,6 @@ static int test_emptyikm_HKDF(void)
+     return ret;
+ }
+ 
+-static int test_empty_salt_info_HKDF(void)
+-{
+-    EVP_PKEY_CTX *pctx;
+-    unsigned char out[20];
+-    size_t outlen;
+-    int ret = 0;
+-    unsigned char salt[] = "";
+-    unsigned char key[] = "012345678901234567890123456789";
+-    unsigned char info[] = "";
+-    const unsigned char expected[] = {
+-	0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
+-	0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
+-    };
+-    size_t expectedlen = sizeof(expected);
+-
+-    if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
+-        goto done;
+-
+-    outlen = sizeof(out);
+-    memset(out, 0, outlen);
+-
+-    if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
+-            || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
+-            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
+-                                                        sizeof(salt) - 1), 0)
+-            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
+-                                                       sizeof(key) - 1), 0)
+-            || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
+-                                                        sizeof(info) - 1), 0)
+-            || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
+-            || !TEST_mem_eq(out, outlen, expected, expectedlen))
+-        goto done;
+-
+-    ret = 1;
+-
+- done:
+-    EVP_PKEY_CTX_free(pctx);
+-
+-    return ret;
+-}
+-
+ #ifndef OPENSSL_NO_EC
+ static int test_X509_PUBKEY_inplace(void)
+ {
+@@ -5701,7 +5660,6 @@ int setup_tests(void)
+ #endif
+     ADD_TEST(test_HKDF);
+     ADD_TEST(test_emptyikm_HKDF);
+-    ADD_TEST(test_empty_salt_info_HKDF);
+ #ifndef OPENSSL_NO_EC
+     ADD_TEST(test_X509_PUBKEY_inplace);
+     ADD_TEST(test_X509_PUBKEY_dup);
+-- 
+2.43.0
+
diff --git a/openssl/0002-Revert-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch b/openssl/0002-Revert-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
new file mode 100644
index 00000000000..7f498082b9d
--- /dev/null
+++ b/openssl/0002-Revert-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
@@ -0,0 +1,297 @@
+From e7e67334d49d1a63423a8e4af2018ac784954bef Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
+Date: Wed, 12 Jun 2024 23:24:27 -0400
+Subject: [PATCH 2/2] Revert "Fix EVP_PKEY_CTX_add1_hkdf_info() behavior"
+
+This reverts commit 77995ed7fff59c07a67eb03d6c6453115c3772cf.
+---
+ crypto/evp/pmeth_lib.c                        | 65 +------------------
+ providers/implementations/exchange/kdf_exch.c | 42 ------------
+ providers/implementations/kdfs/hkdf.c         |  8 ---
+ test/pkey_meth_kdf_test.c                     | 53 ++++-----------
+ 4 files changed, 12 insertions(+), 156 deletions(-)
+
+diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
+index 65f5fcb804..c4b96156fd 100644
+--- a/crypto/evp/pmeth_lib.c
++++ b/crypto/evp/pmeth_lib.c
+@@ -1002,69 +1002,6 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+     return EVP_PKEY_CTX_set_params(ctx, octet_string_params);
+ }
+ 
+-static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+-                                          const char *param, int op, int ctrl,
+-                                          const unsigned char *data,
+-                                          int datalen)
+-{
+-    OSSL_PARAM os_params[2];
+-    unsigned char *info = NULL;
+-    size_t info_len = 0;
+-    size_t info_alloc = 0;
+-    int ret = 0;
+-
+-    if (ctx == NULL || (ctx->operation & op) == 0) {
+-        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+-        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+-        return -2;
+-    }
+-
+-    /* Code below to be removed when legacy support is dropped. */
+-    if (fallback)
+-        return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data));
+-    /* end of legacy support */
+-
+-    if (datalen < 0) {
+-        ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+-        return 0;
+-    }
+-
+-    /* Get the original value length */
+-    os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
+-    os_params[1] = OSSL_PARAM_construct_end();
+-
+-    if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+-        return 0;
+-
+-    /* Older provider that doesn't support getting this parameter */
+-    if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
+-        return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+-
+-    info_alloc = os_params[0].return_size + datalen;
+-    if (info_alloc == 0)
+-        return 0;
+-    info = OPENSSL_zalloc(info_alloc);
+-    if (info == NULL)
+-        return 0;
+-    info_len = os_params[0].return_size;
+-
+-    os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc);
+-
+-    /* if we have data, then go get it */
+-    if (info_len > 0) {
+-        if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+-            goto error;
+-    }
+-
+-    /* Copy the input data */
+-    memcpy(&info[info_len], data, datalen);
+-    ret = EVP_PKEY_CTX_set_params(ctx, os_params);
+-
+- error:
+-    OPENSSL_clear_free(info, info_alloc);
+-    return ret;
+-}
+-
+ int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx,
+                                       const unsigned char *sec, int seclen)
+ {
+@@ -1115,7 +1052,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,
+ int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,
+                                       const unsigned char *info, int infolen)
+ {
+-    return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL,
++    return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL,
+                                           OSSL_KDF_PARAM_INFO,
+                                           EVP_PKEY_OP_DERIVE,
+                                           EVP_PKEY_CTRL_HKDF_INFO,
+diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
+index 340a2663c5..454c24a789 100644
+--- a/providers/implementations/exchange/kdf_exch.c
++++ b/providers/implementations/exchange/kdf_exch.c
+@@ -28,13 +28,9 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive;
+ static OSSL_FUNC_keyexch_freectx_fn kdf_freectx;
+ static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx;
+ static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params;
+-static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params;
+ static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
+ static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
+ static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
+-static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
+-static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+-static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
+ 
+ typedef struct {
+     void *provctx;
+@@ -173,13 +169,6 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[])
+     return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params);
+ }
+ 
+-static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[])
+-{
+-    PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
+-
+-    return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params);
+-}
+-
+ static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx,
+                                                  void *provctx,
+                                                  const char *kdfname)
+@@ -208,34 +197,6 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
+ KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF")
+ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+ 
+-static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
+-                                                 void *provctx,
+-                                                 const char *kdfname)
+-{
+-    EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname,
+-                                 NULL);
+-    const OSSL_PARAM *params;
+-
+-    if (kdf == NULL)
+-        return NULL;
+-
+-    params = EVP_KDF_gettable_ctx_params(kdf);
+-    EVP_KDF_free(kdf);
+-
+-    return params;
+-}
+-
+-#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \
+-    static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void *vpkdfctx, \
+-                                                                  void *provctx) \
+-    { \
+-        return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \
+-    }
+-
+-KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
+-KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF")
+-KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+-
+ #define KDF_KEYEXCH_FUNCTIONS(funcname) \
+     const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \
+         { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \
+@@ -244,11 +205,8 @@ KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+         { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \
+         { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \
+         { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \
+-        { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \
+         { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \
+         (void (*)(void))kdf_##funcname##_settable_ctx_params }, \
+-        { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \
+-        (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \
+         OSSL_DISPATCH_END \
+     };
+ 
+diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
+index 4a24013bfc..06b123e5fb 100644
+--- a/providers/implementations/kdfs/hkdf.c
++++ b/providers/implementations/kdfs/hkdf.c
+@@ -316,13 +316,6 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+             return 0;
+         return OSSL_PARAM_set_size_t(p, sz);
+     }
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+-        if (ctx->info == NULL || ctx->info_len == 0) {
+-            p->return_size = 0;
+-            return 1;
+-        }
+-        return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
+-    }
+     return -2;
+ }
+ 
+@@ -331,7 +324,6 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+-        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/test/pkey_meth_kdf_test.c b/test/pkey_meth_kdf_test.c
+index ad58adf482..41b190d3cf 100644
+--- a/test/pkey_meth_kdf_test.c
++++ b/test/pkey_meth_kdf_test.c
+@@ -16,7 +16,7 @@
+ #include <openssl/kdf.h>
+ #include "testutil.h"
+ 
+-static int test_kdf_tls1_prf(int index)
++static int test_kdf_tls1_prf(void)
+ {
+     int ret = 0;
+     EVP_PKEY_CTX *pctx;
+@@ -40,23 +40,10 @@ static int test_kdf_tls1_prf(int index)
+         TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
+         goto err;
+     }
+-    if (index == 0) {
+-        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+-                                            (unsigned char *)"seed", 4) <= 0) {
+-            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+-            goto err;
+-        }
+-    } else {
+-        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+-                                            (unsigned char *)"se", 2) <= 0) {
+-            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+-            goto err;
+-        }
+-        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+-                                            (unsigned char *)"ed", 2) <= 0) {
+-            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+-            goto err;
+-        }
++    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
++                                        (unsigned char *)"seed", 4) <= 0) {
++        TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
++        goto err;
+     }
+     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+         TEST_error("EVP_PKEY_derive");
+@@ -78,7 +65,7 @@ err:
+     return ret;
+ }
+ 
+-static int test_kdf_hkdf(int index)
++static int test_kdf_hkdf(void)
+ {
+     int ret = 0;
+     EVP_PKEY_CTX *pctx;
+@@ -107,23 +94,10 @@ static int test_kdf_hkdf(int index)
+         TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
+         goto err;
+     }
+-    if (index == 0) {
+-        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
+-            <= 0) {
+-            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+-            goto err;
+-        }
+-    } else {
+-        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3)
++    if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
+             <= 0) {
+-            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+-            goto err;
+-        }
+-        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2)
+-            <= 0) {
+-            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+-            goto err;
+-        }
++        TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
++        goto err;
+     }
+     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+         TEST_error("EVP_PKEY_derive");
+@@ -221,13 +195,8 @@ err:
+ 
+ int setup_tests(void)
+ {
+-    int tests = 1;
+-
+-    if (fips_provider_version_ge(NULL, 3, 3, 1))
+-        tests = 2;
+-
+-    ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
+-    ADD_ALL_TESTS(test_kdf_hkdf, tests);
++    ADD_TEST(test_kdf_tls1_prf);
++    ADD_TEST(test_kdf_hkdf);
+ #ifndef OPENSSL_NO_SCRYPT
+     ADD_TEST(test_kdf_scrypt);
+ #endif
+-- 
+2.43.0
+

From 9ca02c0b6ab0a98682ca4b25d448ed6ab75bd22e Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Wed, 12 Jun 2024 12:08:58 -0400
Subject: [PATCH 04/51] Move some more packages to git-checkout

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 alsa-lib.yaml    | 22 ++++++++++++++++------
 apk-tools.yaml   | 11 ++++++-----
 curl-rustls.yaml | 15 +++++++++++----
 cyrus-sasl.yaml  | 13 +++++++++----
 dav1d.yaml       |  7 ++++---
 5 files changed, 46 insertions(+), 22 deletions(-)

diff --git a/alsa-lib.yaml b/alsa-lib.yaml
index 9333e3ce457..555da7dd35a 100644
--- a/alsa-lib.yaml
+++ b/alsa-lib.yaml
@@ -1,7 +1,7 @@
 package:
   name: alsa-lib
   version: 1.2.12
-  epoch: 0
+  epoch: 1
   description: Advanced Linux Sound Architecture (ALSA) library
   copyright:
     - license: LGPL-2.1-or-later
@@ -14,13 +14,22 @@ environment:
       - build-base
       - busybox
       - ca-certificates-bundle
+      - libtool
       - linux-headers
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: 4868cd908627279da5a634f468701625be8cc251d84262c7e5b6a218391ad0d2
-      uri: https://alsa-project.org/files/pub/lib/alsa-lib-${{package.version}}.tar.bz2
+      repository: https://github.com/alsa-project/alsa-lib.git
+      tag: v${{package.version}}
+      expected-commit: 34422861f5549aee3e9df9fd8240d10b530d9abd
+
+  - runs: |
+      libtoolize --force --copy --automake
+      aclocal
+      autoheader
+      automake --foreign --copy --add-missing
+      autoconf
 
   - uses: autoconf/configure
     with:
@@ -49,5 +58,6 @@ subpackages:
 
 update:
   enabled: true
-  release-monitor:
-    identifier: 38
+  github:
+    identifier: alsa-project/alsa-lib
+    strip-prefix: v
diff --git a/apk-tools.yaml b/apk-tools.yaml
index aebfee95848..51334558a4d 100644
--- a/apk-tools.yaml
+++ b/apk-tools.yaml
@@ -1,7 +1,7 @@
 package:
   name: apk-tools
-  version: 2.14.1
-  epoch: 2
+  version: 2.14.4
+  epoch: 0
   description: "apk-tools (Wolfi package manager)"
   copyright:
     - license: GPL-2.0-only
@@ -23,10 +23,11 @@ environment:
       - zlib-dev
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      uri: https://gitlab.alpinelinux.org/alpine/apk-tools/-/archive/v${{package.version}}/apk-tools-v${{package.version}}.tar.gz
-      expected-sha256: c06487563cae9e92161dfe1a81e714f700229cc0ad075b6c26ac3f157892e732
+      repository: https://gitlab.alpinelinux.org/alpine/apk-tools.git
+      tag: v${{package.version}}
+      expected-commit: de114558a5d8fa15350b1b3d440712fab6bae817
 
   - runs: |
       sed -i -e 's:-Werror::' Make.rules
diff --git a/curl-rustls.yaml b/curl-rustls.yaml
index 9a8932d6a35..009a0e0d7c6 100644
--- a/curl-rustls.yaml
+++ b/curl-rustls.yaml
@@ -1,7 +1,7 @@
 package:
   name: curl-rustls
   version: 8.8.0
-  epoch: 0
+  epoch: 1
   description: "URL retrieval utility and library"
   copyright:
     - license: MIT
@@ -30,11 +30,18 @@ environment:
       - wolfi-base
       - zlib-dev
 
+var-transforms:
+  - from: ${{package.version}}
+    match: \.
+    replace: _
+    to: mangled-package-version
+
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      uri: https://curl.se/download/curl-${{package.version}}.tar.xz
-      expected-sha256: 0f58bb95fc330c8a46eeb3df5701b0d90c9d9bfcc42bd1cd08791d12551d4400
+      repository: https://github.com/curl/curl.git
+      tag: curl-${{vars.mangled-package-version}}
+      expected-commit: fd567d4f06857f4fc8e2f64ea727b1318f76ad33
 
   - runs: autoreconf -vif
 
diff --git a/cyrus-sasl.yaml b/cyrus-sasl.yaml
index 9349662fc83..291775149e2 100644
--- a/cyrus-sasl.yaml
+++ b/cyrus-sasl.yaml
@@ -1,7 +1,7 @@
 package:
   name: cyrus-sasl
   version: 2.1.28
-  epoch: 2
+  epoch: 3
   description: "Cyrus Simple Authentication Service Layer (SASL)"
   copyright:
     - license: BSD-3-Clause
@@ -9,6 +9,8 @@ package:
 environment:
   contents:
     packages:
+      - autoconf
+      - automake
       - build-base
       - busybox
       - ca-certificates-bundle
@@ -21,10 +23,13 @@ environment:
       - wolfi-base
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      uri: https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-${{package.version}}/cyrus-sasl-${{package.version}}.tar.gz
-      expected-sha512: db15af9079758a9f385457a79390c8a7cd7ea666573dace8bf4fb01bb4b49037538d67285727d6a70ad799d2e2318f265c9372e2427de9371d626a1959dd6f78
+      repository: https://github.com/cyrusimap/cyrus-sasl.git
+      tag: cyrus-sasl-${{package.version}}
+      expected-commit: 7a6b45b177070198fed0682bea5fa87c18abb084
+
+  - runs: ./autogen.sh
 
   - uses: autoconf/configure
     with:
diff --git a/dav1d.yaml b/dav1d.yaml
index adad7b35a7e..1e8c854b5f5 100644
--- a/dav1d.yaml
+++ b/dav1d.yaml
@@ -18,10 +18,11 @@ environment:
       - nasm
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: 2a7e68a17b22d1c060d31a7af84c8e033a145fca1d63ef36d57f0f39eb4dd0df
-      uri: https://code.videolan.org/videolan/dav1d/-/archive/${{package.version}}/dav1d-${{package.version}}.tar.bz2
+      repository: https://code.videolan.org/videolan/dav1d.git
+      tag: ${{package.version}}
+      expected-commit: e9986de7f4264940af6fa1df1498fd2754077de4
 
   - uses: meson/configure
     with:

From 34e98590e1ab5eb898acc8a0a655ab6f16884419 Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Wed, 12 Jun 2024 15:03:25 -0400
Subject: [PATCH 05/51] 5 more packages

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 erlang-26.yaml  |  9 +++++----
 execline.yaml   |  9 +++++----
 file.yaml       | 28 ++++++++++++++++++++++------
 fontconfig.yaml | 13 +++++++++----
 fping.yaml      | 10 +++++++---
 5 files changed, 48 insertions(+), 21 deletions(-)

diff --git a/erlang-26.yaml b/erlang-26.yaml
index ed05cc04d6d..f4a8fe16e73 100644
--- a/erlang-26.yaml
+++ b/erlang-26.yaml
@@ -1,7 +1,7 @@
 package:
   name: erlang-26
   version: 26.2.5
-  epoch: 1
+  epoch: 2
   description: General-purpose programming language and runtime environment
   copyright:
     - license: Apache-2.0
@@ -26,10 +26,11 @@ environment:
       - zlib-dev
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: de155c4ad9baab2b9e6c96dbd03bf955575a04dd6feee9c08758beb28484c9f6
-      uri: https://github.com/erlang/otp/releases/download/OTP-${{package.version}}/otp_src_${{package.version}}.tar.gz
+      repository: https://github.com/erlang/otp.git
+      tag: OTP-${{package.version}}
+      expected-commit: 412bff5196fc0ab88a61fe37ca30e5226fc7872d
 
   - runs: |
       export CPPFLAGS="-D_BSD_SOURCE $CPPFLAGS"
diff --git a/execline.yaml b/execline.yaml
index c8a537de5d9..3288cffdced 100644
--- a/execline.yaml
+++ b/execline.yaml
@@ -1,7 +1,7 @@
 package:
   name: execline
   version: 2.9.6.0
-  epoch: 0
+  epoch: 1
   description: "a small scripting language intended to be an alternative to shell scripting"
   copyright:
     - license: ISC
@@ -16,10 +16,11 @@ environment:
       - wolfi-baselayout
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      uri: https://skarnet.org/software/execline/execline-${{package.version}}.tar.gz
-      expected-sha256: ba2a27e97c5eb6bd7ca6a0987a8925e44465a5be996daa0d18f8feca37d7571a
+      repository: git://git.skarnet.org/execline
+      tag: v${{package.version}}
+      expected-commit: 48ebde9a5ea2a5a96f438b1bc9a19cd3bcb96f8c
 
   - name: Configure
     runs: |
diff --git a/file.yaml b/file.yaml
index 027546db770..4da3390be0d 100644
--- a/file.yaml
+++ b/file.yaml
@@ -1,24 +1,37 @@
 package:
   name: file
   version: "5.45"
-  epoch: 2
+  epoch: 3
   description: "file-type identification utility"
   copyright:
     - license: BSD-2-Clause
 
+var-transforms:
+  - from: ${{package.version}}
+    match: \.
+    replace: _
+    to: mangled-package-version
+
 environment:
   contents:
     packages:
+      - autoconf
+      - automake
       - build-base
       - busybox
       - ca-certificates-bundle
       - file
+      - libtool
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      uri: http://ftp.astron.com/pub/file/file-${{package.version}}.tar.gz
-      expected-sha256: fc97f51029bb0e2c9f4e3bffefdaf678f0e039ee872b9de5c002a6d09c784d82
+      repository: https://github.com/file/file.git
+      tag: FILE${{vars.mangled-package-version}}
+      expected-commit: 4cbd5c8f0851201d203755b76cb66ba991ffd8be
+
+  - runs: |
+      autoreconf -vif
 
   - name: Configure
     runs: |
@@ -60,5 +73,8 @@ subpackages:
 
 update:
   enabled: true
-  release-monitor:
-    identifier: 807
+  version-separator: _
+  github:
+    identifier: file/file
+    tag-filter-prefix: FILE
+    strip-prefix: FILE
diff --git a/fontconfig.yaml b/fontconfig.yaml
index 52a9922fdcb..c7d311bfbc8 100644
--- a/fontconfig.yaml
+++ b/fontconfig.yaml
@@ -26,18 +26,23 @@ environment:
       - ca-certificates-bundle
       - expat-dev
       - freetype-dev
+      - gettext-dev
       - gperf
       - libpng-dev
+      - libtool
       - python3-dev
       - zlib-dev
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: f5f359d6332861bd497570848fcb42520964a9e83d5e3abe397b6b6db9bcaaf4
-      uri: https://www.freedesktop.org/software/fontconfig/release/fontconfig-${{package.version}}.tar.gz
+      repository: https://gitlab.freedesktop.org/fontconfig/fontconfig.git
+      tag: ${{package.version}}
+      expected-commit: 72b9a48f57de6204d99ce1c217b5609ee92ece9b
 
-  - runs: rm -f src/fcobjshash.h
+  - runs: |
+      rm -f src/fcobjshash.h
+      ./autogen.sh
 
   - uses: autoconf/configure
     with:
diff --git a/fping.yaml b/fping.yaml
index a0b5c9dc0c8..f27a9fd09bb 100644
--- a/fping.yaml
+++ b/fping.yaml
@@ -17,10 +17,14 @@ environment:
       - libcap-utils
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: a7692d10d73fb0bb76e1f7459aa7f19bbcdbfc5adbedef02f468974b18b0e42f
-      uri: https://fping.org/dist/fping-${{package.version}}.tar.gz
+      repository: https://github.com/schweikert/fping.git
+      tag: v${{package.version}}
+      expected-commit: 0d08321346164487464bd2910b323314d5607219
+
+  - runs: |
+      ./autogen.sh
 
   - uses: autoconf/configure
     with:

From 2183f946bc848dbe651948ddd3b864a3ca72f3ab Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Wed, 12 Jun 2024 15:43:01 -0400
Subject: [PATCH 06/51] add fuse3.yaml

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 fuse3.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fuse3.yaml b/fuse3.yaml
index 3173c182a91..7ed8a98a088 100644
--- a/fuse3.yaml
+++ b/fuse3.yaml
@@ -19,10 +19,11 @@ environment:
       - meson
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: f797055d9296b275e981f5f62d4e32e089614fc253d1ef2985851025b8a0ce87
-      uri: https://github.com/libfuse/libfuse/releases/download/fuse-${{package.version}}/fuse-${{package.version}}.tar.gz
+      repository: https://github.com/libfuse/libfuse.git
+      tag: fuse-${{package.version}}
+      expected-commit: 7a92727d97c10290b3501d86a194738973edb61d
 
   - uses: meson/configure
 

From fcbdcb4c8d8055b11deae3547a679358c3dc4b81 Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Wed, 12 Jun 2024 15:46:35 -0400
Subject: [PATCH 07/51] update fping to use github for updates

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 fping.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fping.yaml b/fping.yaml
index f27a9fd09bb..b3216e37a52 100644
--- a/fping.yaml
+++ b/fping.yaml
@@ -52,5 +52,7 @@ subpackages:
 
 update:
   enabled: true
-  release-monitor:
-    identifier: 834
+  github:
+    identifier: schweikert/fping
+    tag-filter-prefix: v
+    strip-prefix: v

From 2474c77df4ab2aca04a21f15de096cc691d5e71a Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Thu, 13 Jun 2024 09:51:22 -0400
Subject: [PATCH 08/51] Update apr-util to use git-checkout

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 apr-util.yaml | 25 +++++++++++++++++++------
 libapr.yaml   |  4 ++--
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/apr-util.yaml b/apr-util.yaml
index 5e516972215..a930b255d94 100644
--- a/apr-util.yaml
+++ b/apr-util.yaml
@@ -1,7 +1,7 @@
 package:
   name: apr-util
   version: 1.6.3
-  epoch: 1
+  epoch: 2
   description: The Apache Portable Runtime Utility Library
   copyright:
     # Some files also contain RSA-MD.
@@ -9,26 +9,36 @@ package:
     # for details on using it without license, i.e. under Apache-2.0 in this case.
     - license: Apache-2.0 AND CC0-1.0 AND OLDAP-2.7 AND Beerware
 
+vars:
+  apr_version: 1.7.4
+
 environment:
   contents:
     packages:
+      - automake
       - autoconf
       - build-base
       - busybox
       - ca-certificates-bundle
       - expat-dev
       - gdbm-dev
+      - libapr
       - libapr-dev
+      - libtool
       - openldap-dev
       - openssl-dev
       - postgresql-16-dev
       - sqlite-dev
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: a41076e3710746326c3945042994ad9a4fcac0ce0277dd8fea076fec3c9772b5
-      uri: https://www.apache.org/dist/apr/apr-util-${{package.version}}.tar.bz2
+      repository: https://github.com/apache/apr-util.git
+      tag: ${{package.version}}
+      expected-commit: 28327eeca2614816c1fa33ff7c4105213e0ad938
+
+  - runs: |
+      ./buildconf --with-apr=/usr/share/apr-1/
 
   - uses: autoconf/configure
     with:
@@ -78,5 +88,8 @@ subpackages:
 
 update:
   enabled: true
-  release-monitor:
-    identifier: 96
+  ignore-regex-patterns:
+    - ^[^0-9].*
+  github:
+    identifier: apache/apr-util
+    use-tag: true
diff --git a/libapr.yaml b/libapr.yaml
index 7c8337d4b18..671de168e95 100644
--- a/libapr.yaml
+++ b/libapr.yaml
@@ -1,7 +1,7 @@
 package:
   name: libapr
   version: 1.7.4
-  epoch: 2
+  epoch: 3
   description: "Apache Portable Runtime Library (APR)"
   copyright:
     - license: Apache-2.0
@@ -50,7 +50,7 @@ pipeline:
   # These files are needed for building other packages like tomcat-native.
   # Those packages expect a `/build` to exist under the apr root.
   - runs: |
-      for file in find_apr.m4 apr_common.m4 install.sh gen-build.py get-version.sh config.guess config.sub; do
+      for file in find_apr.m4 apr_common.m4 install.sh gen-build.py get-version.sh config.guess config.sub PrintPath; do
         install build/$file -t ${{targets.destdir}}/usr/share/apr-1/build
       done
 

From 7258beec894742203747e2190d6c2c2dcf9d9eee Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Thu, 13 Jun 2024 09:55:52 -0400
Subject: [PATCH 09/51] fix apr-util formatting and add a pattern to ignore
 when updating

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 apr-util.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apr-util.yaml b/apr-util.yaml
index a930b255d94..e035bf6e536 100644
--- a/apr-util.yaml
+++ b/apr-util.yaml
@@ -15,8 +15,8 @@ vars:
 environment:
   contents:
     packages:
-      - automake
       - autoconf
+      - automake
       - build-base
       - busybox
       - ca-certificates-bundle
@@ -90,6 +90,7 @@ update:
   enabled: true
   ignore-regex-patterns:
     - ^[^0-9].*
+    - '.*x-.*'
   github:
     identifier: apache/apr-util
     use-tag: true

From 5df282d5d2b771d3906eb414c632c1e62daf4ff6 Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Thu, 13 Jun 2024 11:54:54 -0400
Subject: [PATCH 10/51] Update gd, gdbm, geoip to use git-checkout

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 gd.yaml    | 13 +++++++++----
 gdbm.yaml  | 20 ++++++++++++++++----
 geoip.yaml | 14 ++++++++++----
 3 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/gd.yaml b/gd.yaml
index fc3d0a7c1a3..9f39d7f51cf 100644
--- a/gd.yaml
+++ b/gd.yaml
@@ -1,7 +1,7 @@
 package:
   name: gd
   version: 2.3.3
-  epoch: 7
+  epoch: 8
   description: Library for the dynamic creation of images by programmers
   copyright:
     - license: GD
@@ -19,16 +19,21 @@ environment:
       - libavif-dev
       - libjpeg-turbo-dev
       - libpng-dev
+      - libtool
       - libwebp-dev
       - libxpm-dev
+      - pkgconf-dev
       - tiff-dev
       - zlib-dev
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: 3fe822ece20796060af63b7c60acb151e5844204d289da0ce08f8fdf131e5a61
-      uri: https://github.com/libgd/libgd/releases/download/gd-${{package.version}}/libgd-${{package.version}}.tar.xz
+      repository: https://github.com/libgd/libgd.git
+      tag: gd-${{package.version}}
+      expected-commit: b5319a41286107b53daa0e08e402aa1819764bdc
+
+  - runs: ./bootstrap.sh
 
   - uses: autoconf/configure
     with:
diff --git a/gdbm.yaml b/gdbm.yaml
index e28ad4541cb..03ebc450810 100644
--- a/gdbm.yaml
+++ b/gdbm.yaml
@@ -1,7 +1,7 @@
 package:
   name: gdbm
   version: 1.23
-  epoch: 6
+  epoch: 7
   description: "GNU dbm is a set of database routines which use extensible hashing"
   copyright:
     - license: GPL-3.0-or-later
@@ -9,15 +9,27 @@ package:
 environment:
   contents:
     packages:
+      - autoconf
+      - automake
+      - bison
       - build-base
       - busybox
       - ca-certificates-bundle
+      - flex
+      - gettext-dev
+      - libtool
+      - rsync
+      - texinfo
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      uri: https://ftp.gnu.org/gnu/gdbm/gdbm-${{package.version}}.tar.gz
-      expected-sha256: 74b1081d21fff13ae4bd7c16e5d6e504a4c26f7cde1dca0d963a484174bbcacd
+      repository: git://git.savannah.gnu.org/gdbm.git
+      tag: v${{package.version}}
+      expected-commit: 6de35853113a2a4a8eab661c569fe0d9171eb13a
+
+  - runs: |
+      ./bootstrap
 
   - name: Configure
     runs: |
diff --git a/geoip.yaml b/geoip.yaml
index 510f47672d5..1bccebc4275 100644
--- a/geoip.yaml
+++ b/geoip.yaml
@@ -1,7 +1,7 @@
 package:
   name: geoip
   version: 1.6.12
-  epoch: 2
+  epoch: 3
   description: Lookup countries by IP addresses
   copyright:
     - license: GPL-2.0-or-later
@@ -14,13 +14,19 @@ environment:
       - build-base
       - busybox
       - ca-certificates-bundle
+      - gtk-doc
+      - intltool
+      - libtool
       - zlib-dev
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: 1dfb748003c5e4b7fd56ba8c4cd786633d5d6f409547584f6910398389636f80
-      uri: https://github.com/maxmind/geoip-api-c/releases/download/v${{package.version}}/GeoIP-${{package.version}}.tar.gz
+      repository: https://github.com/maxmind/geoip-api-c
+      tag: v${{package.version}}
+      expected-commit: 4b526e7331ca1d692b74a0509ddcc725622ed31a
+
+  - runs: ./bootstrap
 
   - uses: autoconf/configure
 

From 593b10e4acde438f9985fea5a43042b63ed62d82 Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Thu, 13 Jun 2024 12:29:35 -0400
Subject: [PATCH 11/51] Remove gdbm for now until python-bootstrap is ready

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 gdbm.yaml | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/gdbm.yaml b/gdbm.yaml
index 03ebc450810..e28ad4541cb 100644
--- a/gdbm.yaml
+++ b/gdbm.yaml
@@ -1,7 +1,7 @@
 package:
   name: gdbm
   version: 1.23
-  epoch: 7
+  epoch: 6
   description: "GNU dbm is a set of database routines which use extensible hashing"
   copyright:
     - license: GPL-3.0-or-later
@@ -9,27 +9,15 @@ package:
 environment:
   contents:
     packages:
-      - autoconf
-      - automake
-      - bison
       - build-base
       - busybox
       - ca-certificates-bundle
-      - flex
-      - gettext-dev
-      - libtool
-      - rsync
-      - texinfo
 
 pipeline:
-  - uses: git-checkout
+  - uses: fetch
     with:
-      repository: git://git.savannah.gnu.org/gdbm.git
-      tag: v${{package.version}}
-      expected-commit: 6de35853113a2a4a8eab661c569fe0d9171eb13a
-
-  - runs: |
-      ./bootstrap
+      uri: https://ftp.gnu.org/gnu/gdbm/gdbm-${{package.version}}.tar.gz
+      expected-sha256: 74b1081d21fff13ae4bd7c16e5d6e504a4c26f7cde1dca0d963a484174bbcacd
 
   - name: Configure
     runs: |

From 55ba1d25510a0cce93345d2d0ae173cd12191963 Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Thu, 13 Jun 2024 14:09:08 -0400
Subject: [PATCH 12/51] Add git-checkout support for giflib and glib and
 runtime dependency of xmlto

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 giflib.yaml | 15 +++++++++++----
 glib.yaml   |  9 +++++----
 xmlto.yaml  |  3 ++-
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/giflib.yaml b/giflib.yaml
index a58783197a2..7c4b7001661 100644
--- a/giflib.yaml
+++ b/giflib.yaml
@@ -1,7 +1,7 @@
 package:
   name: giflib
   version: 5.2.2
-  epoch: 2
+  epoch: 3
   description: "A library for reading and writing GIF images"
   copyright:
     - license: MIT
@@ -15,15 +15,22 @@ environment:
       - busybox
       - ca-certificates-bundle
       - coreutils
+      - docbook-xml
       - libtool
       - wolfi-base
       - xmlto
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      uri: http://downloads.sourceforge.net/sourceforge/giflib/giflib-${{package.version}}.tar.gz
-      expected-sha256: be7ffbd057cadebe2aa144542fd90c6838c6a083b5e8a9048b8ee3b66b29d5fb
+      repository: https://git.code.sf.net/p/giflib/code
+      tag: ${{package.version}}
+      expected-commit: 7cad0c7f5aaf5723b814549c024cac8c7d735077
+
+  # The giflib build will try to convert the filesize on this gif file, but we can't add `convert` as a build dependency as it already depends on giflib.
+  # We overlay the gif file anyways as part of the build, and this pacifies make so that it doesn't try to convert the file.
+  - runs: |
+      touch doc/giflib-logo.gif
 
   - uses: autoconf/make
 
diff --git a/glib.yaml b/glib.yaml
index 9b1a42bf173..f0ac1e6be86 100644
--- a/glib.yaml
+++ b/glib.yaml
@@ -1,7 +1,7 @@
 package:
   name: glib
   version: 2.80.3
-  epoch: 0
+  epoch: 1
   description: Common C routines used by Gtk+ and other libs
   copyright:
     - license: LGPL-2.1-or-later
@@ -41,10 +41,11 @@ var-transforms:
     to: mangled-package-version
 
 pipeline:
-  - uses: fetch
+  - uses: git-checkout
     with:
-      expected-sha256: 3947a0eaddd0f3613d0230bb246d0c69e46142c19022f5c4b1b2e3cba236d417
-      uri: https://download.gnome.org/sources/glib/${{vars.mangled-package-version}}/glib-${{package.version}}.tar.xz
+      repository: https://gitlab.gnome.org/GNOME/glib.git
+      tag: ${{package.version}}
+      expected-commit: 8f3ed0770184727a9871a2ffbf2e8eab660b8985
 
   - uses: meson/configure
     with:
diff --git a/xmlto.yaml b/xmlto.yaml
index 2c55290b50a..6c6c61407c8 100644
--- a/xmlto.yaml
+++ b/xmlto.yaml
@@ -1,12 +1,13 @@
 package:
   name: xmlto
   version: 0.0.28
-  epoch: 3
+  epoch: 4
   description: Convert xml to many other formats
   copyright:
     - license: GPL-2.0-or-later
   dependencies:
     runtime:
+      - bash
       - libxslt
       - perl-test-pod
       - perl-yaml-syck

From d81c424314c1e35128db894b025c6d4348572b46 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Thu, 13 Jun 2024 22:08:42 +0000
Subject: [PATCH 13/51] chromium/126.0.6478.61 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 chromium.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chromium.yaml b/chromium.yaml
index edbe1d0d9b8..d3d21ff8abc 100644
--- a/chromium.yaml
+++ b/chromium.yaml
@@ -1,7 +1,7 @@
 #nolint:git-checkout-must-use-github-updates
 package:
   name: chromium
-  version: 126.0.6478.55
+  version: 126.0.6478.61
   epoch: 0
   description: "Open souce version of Google's chrome web browser"
   copyright:

From 09636c4229693a2b734a3c6c05aa06711bea98db Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Fri, 14 Jun 2024 06:18:26 +0000
Subject: [PATCH 14/51] minio/0.20240613.225353 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 minio.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/minio.yaml b/minio.yaml
index 39e227abf02..4eaaa2d333d 100644
--- a/minio.yaml
+++ b/minio.yaml
@@ -1,6 +1,6 @@
 package:
   name: minio
-  version: 0.20240606.093642
+  version: 0.20240613.225353
   epoch: 0
   description: Multi-Cloud Object Storage
   copyright:

From 6c89200cba8f96fb3ca1a38614caf76ebdf2a0a3 Mon Sep 17 00:00:00 2001
From: Scott Moser <scott.moser@chainguard.dev>
Date: Fri, 14 Jun 2024 10:08:54 -0400
Subject: [PATCH 15/51] Update xmlsec to 1.3.4

xmlIOHTTPMatch and some other functions were removed from libxml2
between libxml2 2.12.7 and 2.13.0.

That broke libxmlsec leaving it with

    $ xmlsec1 --help
    symbol lookup error: usr/bin/xmlsec1:
       undefined symbol: xmlIOHTTPMatch, version LIBXML2_2.4.30

https://gitlab.gnome.org/GNOME/libxml2/-/commit/229e5ff7f9b5291fb074c4e5a4516a3c7ed7f580
---
 xmlsec.yaml         |  25 +++++---
 xmlsec/PR_729.patch | 150 --------------------------------------------
 2 files changed, 18 insertions(+), 157 deletions(-)
 delete mode 100644 xmlsec/PR_729.patch

diff --git a/xmlsec.yaml b/xmlsec.yaml
index c1af6523d5f..69bed656642 100644
--- a/xmlsec.yaml
+++ b/xmlsec.yaml
@@ -1,7 +1,7 @@
 package:
   name: xmlsec
-  version: 1.3.2
-  epoch: 2
+  version: 1.3.4
+  epoch: 0
   description: C based implementation for XML Signature Syntax and Processing and XML Encryption Syntax and Processing
   copyright:
     - license: MIT
@@ -45,13 +45,9 @@ pipeline:
   - uses: git-checkout
     with:
       repository: https://github.com/lsh123/xmlsec
-      expected-commit: 641b8f49b883064597236487b09b48dd95f06926
+      expected-commit: 8e1f115fa16afc20a13c899a715b9816f5106049
       tag: xmlsec_${{vars.mangled-package-version}}
 
-  - uses: patch
-    with:
-      patches: PR_729.patch
-
   - name: Autogen
     runs: |
       git clean -fdx . && NOCONFIGURE=1
@@ -94,6 +90,21 @@ subpackages:
       - uses: split/manpages
     description: xmlsec manpages
 
+test:
+  pipeline:
+    - runs: |
+        fail() { echo "ERROR:" "$@"; exit 1; }
+
+        set +x
+        echo "execute: xmlsec1 --help"
+        xmlsec1 --help || fail "'xmlsec1 --help' exited non-zero value $?"
+        echo "execute: xmlsec1 --version"
+        out=$(xmlsec1 --version) ||
+            fail "'xmlsec --version' exited non-zero value $?"
+        echo "check 'xmlsec1 --version' output for ${{package.version}}"
+        echo "$out" | grep "${{package.version}}" ||
+          fail "'xmlsec1 --version' output did not contain ${{package.version}}"
+
 update:
   enabled: true
   version-separator: _
diff --git a/xmlsec/PR_729.patch b/xmlsec/PR_729.patch
deleted file mode 100644
index 2899d201df7..00000000000
--- a/xmlsec/PR_729.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 098a4d0219d3ed672bf8e5934ca7482dc739b103 Mon Sep 17 00:00:00 2001
-From: Aleksey Sanin <aleksey@aleksey.com>
-Date: Mon, 20 Nov 2023 09:27:33 -0500
-Subject: [PATCH 1/3] Fix libxml2 includes
-
----
- include/xmlsec/xmlsec.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/include/xmlsec/xmlsec.h b/include/xmlsec/xmlsec.h
-index 5757fc57..6f910122 100644
---- a/include/xmlsec/xmlsec.h
-+++ b/include/xmlsec/xmlsec.h
-@@ -12,6 +12,7 @@
- #define __XMLSEC_H__
- 
- #include <libxml/tree.h>
-+#include <libxml/parser.h>
- 
- #include <xmlsec/version.h>
- #include <xmlsec/exports.h>
-
-From bd909345a8dcf093ac7acb0bc2f415717dad77b4 Mon Sep 17 00:00:00 2001
-From: Aleksey Sanin <aleksey@aleksey.com>
-Date: Mon, 20 Nov 2023 09:36:38 -0500
-Subject: [PATCH 2/3] Fix libxml2 includes
-
----
- apps/xmlsec.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/apps/xmlsec.c b/apps/xmlsec.c
-index 7655c1db..4bedb16a 100644
---- a/apps/xmlsec.c
-+++ b/apps/xmlsec.c
-@@ -22,6 +22,7 @@
- #include <libxml/xmlmemory.h>
- #include <libxml/parser.h>
- #include <libxml/xpath.h>
-+#include <libxml/xmlsave.h>
- #include <libxml/xpathInternals.h>
- 
- #ifndef XMLSEC_NO_XSLT
-@@ -3030,7 +3031,7 @@ xmlSecAppInit(void) {
-     /* Init libxml */
-     xmlInitParser();
-     LIBXML_TEST_VERSION
--    xmlTreeIndentString = "\t";
-+    xmlThrDefTreeIndentString("\t");
- #ifndef XMLSEC_NO_XSLT
-     xmlIndentTreeOutput = 1;
- #endif /* XMLSEC_NO_XSLT */
-
-From c29133fbeea739640ad4aace67cb4242b16f7757 Mon Sep 17 00:00:00 2001
-From: Aleksey Sanin <aleksey@aleksey.com>
-Date: Mon, 20 Nov 2023 09:43:23 -0500
-Subject: [PATCH 3/3] Fix all warnings
-
----
- apps/crypto.c             |  1 +
- src/errors_helpers.h      | 10 +++++-----
- src/mscrypto/certkeys.c   |  1 +
- src/mscrypto/signatures.c |  1 +
- 4 files changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/apps/crypto.c b/apps/crypto.c
-index 8561dd65..4411233d 100644
---- a/apps/crypto.c
-+++ b/apps/crypto.c
-@@ -12,6 +12,7 @@
- #endif
- 
- #include <string.h>
-+#include <stdlib.h>
- 
- #include <xmlsec/xmlsec.h>
- #include <xmlsec/keys.h>
-diff --git a/src/errors_helpers.h b/src/errors_helpers.h
-index 1a4f4183..470fdde6 100644
---- a/src/errors_helpers.h
-+++ b/src/errors_helpers.h
-@@ -136,7 +136,7 @@ extern "C" {
-  */
- #define xmlSecXmlError(errorFunction, errorObject) \
-     {                                                 \
--        xmlErrorPtr error = xmlGetLastError();        \
-+        const xmlError * error = xmlGetLastError();        \
-         int code = (error != NULL) ? error->code : 0; \
-         const char* message = (error != NULL) ? error->message : NULL; \
-         xmlSecError(XMLSEC_ERRORS_HERE,               \
-@@ -159,7 +159,7 @@ extern "C" {
-  */
- #define xmlSecXmlError2(errorFunction, errorObject, msg, param) \
-     {                                                 \
--        xmlErrorPtr error = xmlGetLastError();        \
-+        const xmlError * error = xmlGetLastError();        \
-         int code = (error != NULL) ? error->code : 0; \
-         const char* message = (error != NULL) ? error->message : NULL; \
-         xmlSecError(XMLSEC_ERRORS_HERE,               \
-@@ -181,7 +181,7 @@ extern "C" {
-  */
- #define xmlSecXmlParserError(errorFunction, ctxt, errorObject) \
-     {                                                 \
--        xmlErrorPtr error = xmlCtxtGetLastError(ctxt);\
-+        const xmlError * error = xmlCtxtGetLastError(ctxt);\
-         int code = (error != NULL) ? error->code : 0; \
-         const char* message = (error != NULL) ? error->message : NULL; \
-         xmlSecError(XMLSEC_ERRORS_HERE,               \
-@@ -205,7 +205,7 @@ extern "C" {
-  */
- #define xmlSecXmlParserError2(errorFunction, ctxt, errorObject, msg, param) \
-     {                                                 \
--        xmlErrorPtr error = xmlCtxtGetLastError(ctxt);\
-+        const xmlError * error = xmlCtxtGetLastError(ctxt);\
-         int code = (error != NULL) ? error->code : 0; \
-         const char* message = (error != NULL) ? error->message : NULL; \
-         xmlSecError(XMLSEC_ERRORS_HERE,               \
-@@ -227,7 +227,7 @@ extern "C" {
-  */
- #define xmlSecXsltError(errorFunction, ctxt, errorObject) \
-     {                                                 \
--        xmlErrorPtr error = xmlGetLastError();        \
-+        const xmlError * error = xmlGetLastError();        \
-         int code = (error != NULL) ? error->code : 0; \
-         const char* message = (error != NULL) ? error->message : NULL; \
-         xmlSecError(XMLSEC_ERRORS_HERE,               \
-diff --git a/src/mscrypto/certkeys.c b/src/mscrypto/certkeys.c
-index db74517a..7e02a199 100644
---- a/src/mscrypto/certkeys.c
-+++ b/src/mscrypto/certkeys.c
-@@ -18,6 +18,7 @@
- #include "globals.h"
- 
- #include <string.h>
-+#include <stdlib.h>
- 
- #ifndef XMLSEC_NO_GOST
- #include "csp_oid.h"
-diff --git a/src/mscrypto/signatures.c b/src/mscrypto/signatures.c
-index 61b95407..c5c62ced 100644
---- a/src/mscrypto/signatures.c
-+++ b/src/mscrypto/signatures.c
-@@ -17,6 +17,7 @@
- #include "globals.h"
- 
- #include <string.h>
-+#include <stdlib.h>
- 
- #ifndef XMLSEC_NO_GOST
- #include "csp_calg.h"

From f996e169bb97ec5738731277cea526642af6ab9c Mon Sep 17 00:00:00 2001
From: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
Date: Fri, 14 Jun 2024 12:41:41 -0400
Subject: [PATCH 16/51] Update minio.yaml

Signed-off-by: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
---
 minio.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/minio.yaml b/minio.yaml
index 4eaaa2d333d..14039a25e00 100644
--- a/minio.yaml
+++ b/minio.yaml
@@ -26,7 +26,7 @@ pipeline:
     with:
       repository: https://github.com/minio/minio
       tag: ${{vars.mangled-package-version}}
-      expected-commit: 5aaef9790ff4d693202ff55bc46b40a1ff67f69e
+      expected-commit: 20960b6a2ddb9594ee418035b3c7c7fe92ae6a12
 
   - runs: |
       make build

From 9f1fce8f4b347bdd9d6d121ab52898c78f77dc34 Mon Sep 17 00:00:00 2001
From: Ajay Kemparaj <ajaykemparaj@gmail.com>
Date: Fri, 14 Jun 2024 09:46:43 -0700
Subject: [PATCH 17/51] Update chromium.yaml

Signed-off-by: Ajay Kemparaj <ajaykemparaj@gmail.com>
---
 chromium.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chromium.yaml b/chromium.yaml
index d3d21ff8abc..7de27a292ab 100644
--- a/chromium.yaml
+++ b/chromium.yaml
@@ -120,7 +120,7 @@ pipeline:
       repository: https://chromium.googlesource.com/chromium/src.git
       tag: ${{package.version}}
       depth: 1
-      expected-commit: 7616ff175414646cbd1ac65e912fc530b19cc573
+      expected-commit: 8dc092df54ce9b93406cb7fec530eb297bc0b332
       destination: /home/src
 
   - runs: |

From 6a522ac0e7da1b4bd530091c586054444cc043bb Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 00:27:05 +0000
Subject: [PATCH 18/51] wolfictl/0.17.1 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 wolfictl.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/wolfictl.yaml b/wolfictl.yaml
index 8c2eed69d04..dea31cd5337 100644
--- a/wolfictl.yaml
+++ b/wolfictl.yaml
@@ -1,6 +1,6 @@
 package:
   name: wolfictl
-  version: 0.17.0
+  version: 0.17.1
   epoch: 0
   description: Helper CLI for managing Wolfi
   copyright:
@@ -11,11 +11,10 @@ pipeline:
     with:
       repository: https://github.com/wolfi-dev/wolfictl
       tag: v${{package.version}}
-      expected-commit: a1065513c7aa975aa9213114695cb160a049346a
+      expected-commit: dc84d81b0556e732b9f8991406b37d017a4c61aa
 
   - uses: go/bump
     with:
-      deps: github.com/mholt/archiver/v3@v3.5.1
       replaces: github.com/mholt/archiver/v3=github.com/anchore/archiver/v3@v3.5.2
 
   - uses: go/build

From 9472c876a7c6f86c843884116fc164200999345d Mon Sep 17 00:00:00 2001
From: James Rawlings <jrawlings@chainguard.dev>
Date: Mon, 17 Jun 2024 10:35:07 +0100
Subject: [PATCH 19/51] wolfictl: gobump applied upstream
 https://github.com/wolfi-dev/wolfictl/blob/dc84d81b0556e732b9f8991406b37d017a4c61aa/go.mod#L6

Signed-off-by: James Rawlings <jrawlings@chainguard.dev>
---
 wolfictl.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/wolfictl.yaml b/wolfictl.yaml
index dea31cd5337..2e03f9f8250 100644
--- a/wolfictl.yaml
+++ b/wolfictl.yaml
@@ -13,10 +13,6 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: dc84d81b0556e732b9f8991406b37d017a4c61aa
 
-  - uses: go/bump
-    with:
-      replaces: github.com/mholt/archiver/v3=github.com/anchore/archiver/v3@v3.5.2
-
   - uses: go/build
     with:
       packages: .

From ab289d0c48fdcdecbc8a7537dc2d7f9906abef09 Mon Sep 17 00:00:00 2001
From: Samuel Dacanay <sam.dacanay@chainguard.dev>
Date: Mon, 17 Jun 2024 09:19:10 -0700
Subject: [PATCH 20/51] remove unused var

Signed-off-by: Samuel Dacanay <sam.dacanay@chainguard.dev>
---
 apr-util.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/apr-util.yaml b/apr-util.yaml
index e035bf6e536..6e29b1d1d0b 100644
--- a/apr-util.yaml
+++ b/apr-util.yaml
@@ -9,9 +9,6 @@ package:
     # for details on using it without license, i.e. under Apache-2.0 in this case.
     - license: Apache-2.0 AND CC0-1.0 AND OLDAP-2.7 AND Beerware
 
-vars:
-  apr_version: 1.7.4
-
 environment:
   contents:
     packages:
@@ -90,7 +87,7 @@ update:
   enabled: true
   ignore-regex-patterns:
     - ^[^0-9].*
-    - '.*x-.*'
+    - ".*x-.*"
   github:
     identifier: apache/apr-util
     use-tag: true

From 42441bef5508bcf1395ee9b6eb56d27201d32663 Mon Sep 17 00:00:00 2001
From: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
Date: Mon, 17 Jun 2024 13:21:39 -0400
Subject: [PATCH 21/51] Update kubewatch.yaml

Signed-off-by: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
---
 kubewatch.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kubewatch.yaml b/kubewatch.yaml
index a2dfa34fd8b..b41cd52ad17 100644
--- a/kubewatch.yaml
+++ b/kubewatch.yaml
@@ -21,6 +21,7 @@ pipeline:
       tag: v${{package.version}}
 
   - runs: |
+      go mod tidy
       make build
       install -Dm755 kubewatch "${{targets.destdir}}"/usr/bin/kubewatch
 

From ba7a0878617e671a6fee5c04a1768ad2d386578d Mon Sep 17 00:00:00 2001
From: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
Date: Mon, 17 Jun 2024 13:47:40 -0400
Subject: [PATCH 22/51] Update kubewatch.yaml

Signed-off-by: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
---
 kubewatch.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kubewatch.yaml b/kubewatch.yaml
index b41cd52ad17..16d6b2ae788 100644
--- a/kubewatch.yaml
+++ b/kubewatch.yaml
@@ -20,10 +20,10 @@ pipeline:
       repository: https://github.com/robusta-dev/kubewatch
       tag: v${{package.version}}
 
-  - runs: |
-      go mod tidy
-      make build
-      install -Dm755 kubewatch "${{targets.destdir}}"/usr/bin/kubewatch
+  - uses: go/build
+    with:
+      output: kubewatch
+      packages: .
 
   - uses: strip
 

From efd368f1040d34a8b7e76bfdfc77b8d1d503288f Mon Sep 17 00:00:00 2001
From: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
Date: Mon, 17 Jun 2024 14:09:28 -0400
Subject: [PATCH 23/51] Update kubewatch.yaml

Signed-off-by: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
---
 kubewatch.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kubewatch.yaml b/kubewatch.yaml
index 16d6b2ae788..f53447d475b 100644
--- a/kubewatch.yaml
+++ b/kubewatch.yaml
@@ -19,6 +19,9 @@ pipeline:
       expected-commit: 957dc4a61943136220e2c32a15881928eec81fb4
       repository: https://github.com/robusta-dev/kubewatch
       tag: v${{package.version}}
+  
+  - runs: |
+      go mod tidy
 
   - uses: go/build
     with:

From f096d39836df5b7c1eefbbf95a2491a6b73762f8 Mon Sep 17 00:00:00 2001
From: ajayk <ajaykemparaj@gmail.com>
Date: Mon, 17 Jun 2024 11:15:20 -0700
Subject: [PATCH 24/51] util-linux: bump to 2.40 and fix the source path

---
 util-linux.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/util-linux.yaml b/util-linux.yaml
index b2a47c43920..4ed335a8ccd 100644
--- a/util-linux.yaml
+++ b/util-linux.yaml
@@ -1,7 +1,7 @@
 package:
   name: util-linux
-  version: 2.39.3
-  epoch: 4
+  version: 2.40.1
+  epoch: 0
   description: Random collection of Linux utilities
   copyright:
     - license: |-
@@ -25,8 +25,8 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: 7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f
-      uri: https://www.kernel.org/pub/linux/utils/util-linux/v2.39/util-linux-${{package.version}}.tar.xz
+      expected-sha256: 8e396eececae2b3b68db232c33b8810faa7c31f6df19f98f512739293d5829b7
+      uri: https://www.kernel.org/pub/linux/utils/util-linux/v2.40/util-linux-${{package.version}}.tar.xz
 
   - runs: |
       cp ttydefaults.h include/

From 3a1992790de31690a79b21afdd29df6cd84a8a55 Mon Sep 17 00:00:00 2001
From: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
Date: Mon, 17 Jun 2024 14:22:27 -0400
Subject: [PATCH 25/51] fix lint

Signed-off-by: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
---
 kubewatch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kubewatch.yaml b/kubewatch.yaml
index f53447d475b..1b820cafe4b 100644
--- a/kubewatch.yaml
+++ b/kubewatch.yaml
@@ -19,7 +19,7 @@ pipeline:
       expected-commit: 957dc4a61943136220e2c32a15881928eec81fb4
       repository: https://github.com/robusta-dev/kubewatch
       tag: v${{package.version}}
-  
+
   - runs: |
       go mod tidy
 

From 5a6fd31e1dd6af2588bcc7cbcb4c99f3575e8f0a Mon Sep 17 00:00:00 2001
From: ajayk <ajaykemparaj@gmail.com>
Date: Mon, 17 Jun 2024 11:40:16 -0700
Subject: [PATCH 26/51] util-linux: bump to 2.40 and fix the source path

---
 util-linux.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util-linux.yaml b/util-linux.yaml
index 4ed335a8ccd..42b933d0ada 100644
--- a/util-linux.yaml
+++ b/util-linux.yaml
@@ -25,7 +25,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: 8e396eececae2b3b68db232c33b8810faa7c31f6df19f98f512739293d5829b7
+      expected-sha256: 59e676aa53ccb44b6c39f0ffe01a8fa274891c91bef1474752fad92461def24f
       uri: https://www.kernel.org/pub/linux/utils/util-linux/v2.40/util-linux-${{package.version}}.tar.xz
 
   - runs: |

From 4fb3a7f11046f0de3e1589e356b4eb4c2d133fd9 Mon Sep 17 00:00:00 2001
From: ajayk <ajaykemparaj@gmail.com>
Date: Mon, 17 Jun 2024 11:55:33 -0700
Subject: [PATCH 27/51] util-linux: bump to 2.40 and fix the source path

---
 util-linux.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/util-linux.yaml b/util-linux.yaml
index 42b933d0ada..edf45e07379 100644
--- a/util-linux.yaml
+++ b/util-linux.yaml
@@ -12,14 +12,17 @@ environment:
     packages:
       - autoconf
       - automake
+      - bash
       - build-base
       - busybox
       - ca-certificates-bundle
       - libcap-ng-dev
       - libeconf-dev
       - libtool
+      - linux-headers
       - linux-pam-dev
       - ncurses-dev
+      - sqlite-dev
       - zlib-dev
 
 pipeline:

From f0a3b2dbab51a305d951c87165e6cb82cb38b6fb Mon Sep 17 00:00:00 2001
From: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
Date: Mon, 17 Jun 2024 14:56:48 -0400
Subject: [PATCH 28/51] add comment

Signed-off-by: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
---
 kubewatch.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kubewatch.yaml b/kubewatch.yaml
index 1b820cafe4b..1a9a94b8928 100644
--- a/kubewatch.yaml
+++ b/kubewatch.yaml
@@ -20,6 +20,7 @@ pipeline:
       repository: https://github.com/robusta-dev/kubewatch
       tag: v${{package.version}}
 
+  # Temporary Fix: Upstream go.sum file does not accurately capture package dependencies. 
   - runs: |
       go mod tidy
 

From ea9a2e6aaa202c7fe5d017ad4f2685e245c2c371 Mon Sep 17 00:00:00 2001
From: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
Date: Mon, 17 Jun 2024 15:02:35 -0400
Subject: [PATCH 29/51] fix lint

Signed-off-by: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
---
 kubewatch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kubewatch.yaml b/kubewatch.yaml
index 1a9a94b8928..bdd850bb31b 100644
--- a/kubewatch.yaml
+++ b/kubewatch.yaml
@@ -20,7 +20,7 @@ pipeline:
       repository: https://github.com/robusta-dev/kubewatch
       tag: v${{package.version}}
 
-  # Temporary Fix: Upstream go.sum file does not accurately capture package dependencies. 
+  # Temporary Fix: Upstream go.sum file does not accurately capture package dependencies.
   - runs: |
       go mod tidy
 

From 4c8a465d4000ae58776f5bdf33b5d30814a34e2a Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 19:07:20 +0000
Subject: [PATCH 30/51] glab/1.42.0 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 glab.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/glab.yaml b/glab.yaml
index 0da96acd6bc..25d79617ac2 100644
--- a/glab.yaml
+++ b/glab.yaml
@@ -4,8 +4,8 @@
 #nolint:git-checkout-must-use-github-updates
 package:
   name: glab
-  version: 1.41.0
-  epoch: 1
+  version: 1.42.0
+  epoch: 0
   description: A GitLab CLI tool bringing GitLab to your command line
   copyright:
     - license: MIT

From 006c84323cb0701f795f52fde289752bda31c734 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 19:16:47 +0000
Subject: [PATCH 31/51] terraform-provider-google/5.34.0 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 terraform-provider-google.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform-provider-google.yaml b/terraform-provider-google.yaml
index aa556378962..e2419868e90 100644
--- a/terraform-provider-google.yaml
+++ b/terraform-provider-google.yaml
@@ -1,6 +1,6 @@
 package:
   name: terraform-provider-google
-  version: 5.33.0
+  version: 5.34.0
   epoch: 0
   description: Terraform GCP provider
   copyright:
@@ -16,7 +16,7 @@ pipeline:
     with:
       repository: https://github.com/hashicorp/terraform-provider-google
       tag: v${{package.version}}
-      expected-commit: 4007e3b8d2d472223906c5f861cf2d37e9b59814
+      expected-commit: 2e5de7cecaf44d90cd789576778ddbf6e3c47fd3
 
   - uses: go/build
     with:

From 642acc9d5ab09fea4232d2618d7bc2b2113f3158 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 19:16:52 +0000
Subject: [PATCH 32/51] py3-sqlglot/25.2.0 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 py3-sqlglot.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/py3-sqlglot.yaml b/py3-sqlglot.yaml
index 1f38e050332..36efe4d6f27 100644
--- a/py3-sqlglot.yaml
+++ b/py3-sqlglot.yaml
@@ -1,7 +1,7 @@
 # Generated from https://pypi.org/project/sqlglot/
 package:
   name: py3-sqlglot
-  version: 25.1.0
+  version: 25.2.0
   epoch: 0
   description: An easily customizable SQL parser and transpiler
   copyright:
@@ -26,7 +26,7 @@ pipeline:
     with:
       repository: https://github.com/tobymao/sqlglot
       tag: v${{package.version}}
-      expected-commit: 0397d6f7638c658528cdfef3c85f89afc7fc8952
+      expected-commit: 468123e4b7612287e128529de62f3a88f4e1d579
 
   - name: Python Build
     runs: python setup.py build

From a76d9bfe85ec392a1c58c977241a0a0008465c7f Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 19:16:59 +0000
Subject: [PATCH 33/51] aws-cli-v2/2.16.10 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 aws-cli-v2.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/aws-cli-v2.yaml b/aws-cli-v2.yaml
index 78671723e0d..1753cb5b831 100644
--- a/aws-cli-v2.yaml
+++ b/aws-cli-v2.yaml
@@ -2,7 +2,7 @@
 #nolint:documentation
 package:
   name: aws-cli-v2
-  version: 2.16.9
+  version: 2.16.10
   epoch: 0
   description: "Universal Command Line Interface for Amazon Web Services (v2)"
   copyright:
@@ -30,7 +30,7 @@ pipeline:
   - uses: git-checkout
     with:
       repository: https://github.com/aws/aws-cli
-      expected-commit: 8d31e37f5494889782a0d8e5b535bf8a1054b83c
+      expected-commit: a19e1f54a023a180b0707fa43a16eba69313bad0
       tag: ${{package.version}}
 
   - runs: |

From 2dd0d3892ba6ce56d81057f4faa8d1af18eecbb6 Mon Sep 17 00:00:00 2001
From: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
Date: Mon, 17 Jun 2024 15:31:23 -0400
Subject: [PATCH 34/51] Update glab.yaml

Signed-off-by: Ritwik Srinivas <ritwikrsrinivas@gmail.com>
---
 glab.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/glab.yaml b/glab.yaml
index 25d79617ac2..fe1d5c2dd2b 100644
--- a/glab.yaml
+++ b/glab.yaml
@@ -21,7 +21,7 @@ pipeline:
     with:
       repository: https://gitlab.com/gitlab-org/cli
       tag: v${{package.version}}
-      expected-commit: 3657f322c1dabbbc3b6d31567df8d2c8adf16162
+      expected-commit: c3a142d5b46441a3ceaad93184ffce26b1a621eb
 
   - uses: go/build
     with:

From 43fc076d056afa5a60b3aad4b3776b251ba837b1 Mon Sep 17 00:00:00 2001
From: Scott Moser <scott.moser@chainguard.dev>
Date: Mon, 17 Jun 2024 15:40:14 -0400
Subject: [PATCH 35/51] Fix util-linux url to reference major.minor version

Without this change, the next version (2.41.0) will
have a failed bump as seen
https://github.com/wolfi-dev/os/issues/21644
---
 util-linux.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/util-linux.yaml b/util-linux.yaml
index edf45e07379..7e820e22118 100644
--- a/util-linux.yaml
+++ b/util-linux.yaml
@@ -25,11 +25,17 @@ environment:
       - sqlite-dev
       - zlib-dev
 
+var-transforms:
+  - from: ${{package.version}}
+    match: ^(\d+)\.(\d+).(\d+)$
+    replace: $1.$2
+    to: major-minor
+
 pipeline:
   - uses: fetch
     with:
       expected-sha256: 59e676aa53ccb44b6c39f0ffe01a8fa274891c91bef1474752fad92461def24f
-      uri: https://www.kernel.org/pub/linux/utils/util-linux/v2.40/util-linux-${{package.version}}.tar.xz
+      uri: https://www.kernel.org/pub/linux/utils/util-linux/v${{vars.major-minor}}/util-linux-${{package.version}}.tar.xz
 
   - runs: |
       cp ttydefaults.h include/

From c7dbfc1c6168e50ebe53965d07eefdafdff88563 Mon Sep 17 00:00:00 2001
From: RJ Sampson <rj.sampson@chainguard.dev>
Date: Mon, 17 Jun 2024 13:13:41 -0600
Subject: [PATCH 36/51] chore(neuvector): Consolidate controller and enforcer

- Build controller and enforcer at the same time

- Drop agent and packages. Initially, it was thought
  that these would be shared across other images
  however, they're currently only useful in enforcer

Signed-off-by: RJ Sampson <rj.sampson@chainguard.dev>
---
 neuvector-agent.yaml      |  66 --------------
 neuvector-controller.yaml |  84 ------------------
 neuvector-dp.yaml         |  51 -----------
 neuvector-enforcer.yaml   |  56 ------------
 neuvector-monitor.yaml    |  36 --------
 neuvector-nstools.yaml    |  40 ---------
 neuvector.yaml            | 176 ++++++++++++++++++++++++++++++++++++++
 7 files changed, 176 insertions(+), 333 deletions(-)
 delete mode 100644 neuvector-agent.yaml
 delete mode 100644 neuvector-controller.yaml
 delete mode 100644 neuvector-dp.yaml
 delete mode 100644 neuvector-enforcer.yaml
 delete mode 100644 neuvector-monitor.yaml
 delete mode 100644 neuvector-nstools.yaml
 create mode 100644 neuvector.yaml

diff --git a/neuvector-agent.yaml b/neuvector-agent.yaml
deleted file mode 100644
index 023a01a65ce..00000000000
--- a/neuvector-agent.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-package:
-  name: neuvector-agent
-  version: 5.3.3
-  epoch: 1
-  description: "NeuVector Agent"
-  copyright:
-    - license: Apache-2.0
-
-environment:
-  contents:
-    packages:
-      - busybox
-
-pipeline:
-  - uses: git-checkout
-    with:
-      expected-commit: 6a298bdfea1a1beb2d71cc4ac345956c687ec78c
-      repository: https://github.com/neuvector/neuvector.git
-      tag: v${{package.version}}
-
-  - uses: go/bump
-    with:
-      deps: github.com/docker/docker@v26.1.3+incompatible github.com/opencontainers/runc@v1.1.12 github.com/opencontainers/image-spec@v1.1.0 github.com/docker/distribution@v2.8.2-beta.1+incompatible golang.org/x/sys@v0.19.0 golang.org/x/net@v0.23.0 golang.org/x/text@v0.14.0 gopkg.in/yaml.v3@v3.0.1 github.com/containerd/containerd@v1.6.26 google.golang.org/grpc@v1.56.3 github.com/golang/protobuf@v1.5.4
-      replaces: github.com/samalba/dockerclient=github.com/Dentrax/dockerclient@v0.1.0 github.com/vishvananda/netlink=github.com/vishvananda/netlink@v1.1.0
-      show-diff: true
-
-  - runs: |
-      sed -i 's|interim/master.xxxx|${{package.version}}|g' agent/version.go
-
-  - uses: go/build
-    with:
-      modroot: agent
-      ldflags: "-X main.version=${{package.version}} -s -w"
-      packages: .
-      output: agent
-      prefix: usr/local
-
-  - uses: go/build
-    with:
-      modroot: agent/workerlet/pathWalker
-      ldflags: "-X main.version=${{package.version}} -s -w"
-      packages: .
-      output: pathWalker
-      prefix: usr/local
-
-  - runs: |
-      chmod +x agent/nvbench/*.sh
-      install -Dm755 agent/nvbench/*.sh ${{targets.contextdir}}/usr/local/bin/
-      install -Dm755 agent/nvbench/*.rem ${{targets.contextdir}}/usr/local/bin/
-      install -Dm755 agent/nvbench/*.tmpl ${{targets.contextdir}}/usr/local/bin/
-
-  - uses: strip
-
-update:
-  enabled: true
-  ignore-regex-patterns:
-    - '.*\-.*'
-  github:
-    identifier: neuvector/neuvector
-    tag-filter: v
-    strip-prefix: v
-
-test:
-  pipeline:
-    - runs: |
-        agent -v | grep "${{package.version}}"
diff --git a/neuvector-controller.yaml b/neuvector-controller.yaml
deleted file mode 100644
index 51d28053ced..00000000000
--- a/neuvector-controller.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
-package:
-  name: neuvector-controller
-  version: 5.3.2
-  epoch: 5
-  description: NeuVector Full Lifecycle Container Security Platform.
-  copyright:
-    - license: Apache-2.0
-  dependencies:
-    runtime:
-      - busybox
-      - ca-certificates
-      - consul
-      - ethtool
-      - iproute2
-      - neuvector-monitor
-      - neuvector-nstools
-      - opa
-      - pcre
-      - procps
-
-environment:
-  contents:
-    packages:
-      - busybox
-      - ca-certificates-bundle
-      - go
-      - pcre-dev
-      - pcre2-dev
-
-pipeline:
-  - uses: git-checkout
-    with:
-      repository: https://github.com/neuvector/neuvector
-      tag: v${{package.version}}
-      expected-commit: edbdcba632835d56dcc92ba86323c8a196471289
-
-  - uses: go/bump
-    with:
-      how-diff: true
-      deps: golang.org/x/net@v0.23.0 golang.org/x/crypto@v0.22.0 github.com/opencontainers/image-spec@v1.1.0 github.com/docker/distribution@v2.8.2-beta.1+incompatible github.com/opencontainers/runc@v1.1.12 github.com/containerd/containerd@v1.6.26 google.golang.org/grpc@v1.56.3 google.golang.org/protobuf@v1.33.0 github.com/golang/protobuf@v1.5.4 github.com/docker/docker@v26.1.0+incompatible
-      replaces: github.com/samalba/dockerclient=github.com/Dentrax/dockerclient@v0.1.0 github.com/dgrijalva/jwt-go=github.com/golang-jwt/jwt/v4@v4.4.2
-
-  - runs: |
-      sed -i 's|interim/master.xxxx|${{package.version}}|g' controller/version.go
-
-  - uses: go/build
-    with:
-      modroot: controller
-      ldflags: "-X main.Version=${{package.version}} -X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn"
-      packages: .
-      output: controller
-      prefix: usr/local
-
-  - runs: |
-      # Create Folders
-      mkdir -p ${{targets.contextdir}}/etc
-      mkdir -p ${{targets.contextdir}}/usr/local/bin
-      mkdir -p ${{targets.contextdir}}/etc/neuvector/templates
-
-      # Scripts
-      cp scripts/sysctl.conf ${{targets.contextdir}}/etc/
-      cp scripts/teardown.sh ${{targets.contextdir}}/usr/local/bin/
-      cp scripts/runtime-gdb.py ${{targets.contextdir}}/usr/local/bin/
-
-      # Template
-      cp templates/podTemplate.json ${{targets.contextdir}}/etc/neuvector/templates/podTemplate.json
-      touch ${{targets.contextdir}}/usr/local/bin/.nvcontainer
-
-      # symlink
-      ln -sf /usr/bin/opa ${{targets.contextdir}}/usr/local/bin/opa
-      ln -sf /bin/consul ${{targets.contextdir}}/usr/local/bin/consul
-
-update:
-  enabled: true
-  ignore-regex-patterns:
-    - '.*\-.*'
-  github:
-    identifier: neuvector/neuvector
-    strip-prefix: v
-
-test:
-  pipeline:
-    - runs: |
-        controller --help 2>&1 |pcregrep -M 'START.*\nUsage'
diff --git a/neuvector-dp.yaml b/neuvector-dp.yaml
deleted file mode 100644
index fbc248c113a..00000000000
--- a/neuvector-dp.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-package:
-  name: neuvector-dp
-  version: 5.3.3
-  epoch: 1
-  description: NeuVector Full Lifecycle Container Security Platform.
-  copyright:
-    - license: Apache-2.0
-
-environment:
-  contents:
-    packages:
-      - busybox
-      - ca-certificates-bundle
-      - gcc
-      - glibc-dev
-      - jansson-dev
-      - jemalloc-dev
-      - libnetfilter_queue-dev
-      - libnfnetlink-dev
-      - libpcap-dev
-      - make
-      - pcre2-dev
-      - pkgconf
-      - userspace-rcu-dev
-      - vectorscan-dev
-
-pipeline:
-  - uses: git-checkout
-    with:
-      repository: https://github.com/neuvector/neuvector
-      tag: v${{package.version}}
-      expected-commit: 6a298bdfea1a1beb2d71cc4ac345956c687ec78c
-
-  - runs: |
-      export CFLAGS="$CFLAGS -DRCU_MEMBARRIER=true -I${PWD}/dp"
-      export LDFLAGS="$LDFLAGS -lurcu-memb -no-pie"
-      if [[ "${{build.arch}}" == "aarch64" ]]; then
-        make -C dp -f Makefile_arm64 CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"
-      else
-        make -C dp CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"
-      fi
-      mkdir -p ${{targets.contextdir}}/usr/local/bin
-      install -Dm755 dp/dp ${{targets.contextdir}}/usr/local/bin/dp
-
-update:
-  enabled: true
-  ignore-regex-patterns:
-    - '.*\-.*'
-  github:
-    identifier: neuvector/neuvector
-    strip-prefix: v
diff --git a/neuvector-enforcer.yaml b/neuvector-enforcer.yaml
deleted file mode 100644
index cc57ed32b0a..00000000000
--- a/neuvector-enforcer.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-package:
-  name: neuvector-enforcer
-  version: 5.3.3
-  epoch: 0
-  description: "NeuVector Enforcer"
-  copyright:
-    - license: Apache-2.0
-  dependencies:
-    runtime:
-      - busybox
-      - ca-certificates
-      - consul
-      - curl
-      - ethtool
-      - iproute2
-      - iptables
-      - jq
-      - neuvector-agent
-      - neuvector-dp
-      - neuvector-monitor
-      - neuvector-nstools
-      - yq
-
-environment:
-  contents:
-    packages:
-      - busybox
-
-pipeline:
-  - uses: git-checkout
-    with:
-      expected-commit: 6a298bdfea1a1beb2d71cc4ac345956c687ec78c
-      repository: https://github.com/neuvector/neuvector.git
-      tag: v${{package.version}}
-
-  - runs: |
-      mkdir -p ${{targets.contextdir}}/etc
-      install -Dm755 scripts/sysctl.conf ${{targets.contextdir}}/etc/
-
-      mkdir -p ${{targets.contextdir}}/usr/local/bin
-      install -Dm755 scripts/configure.sh ${{targets.contextdir}}/usr/local/bin/
-      install -Dm755 scripts/teardown.sh ${{targets.contextdir}}/usr/local/bin/
-      install -Dm755 scripts/runtime-gdb.py ${{targets.contextdir}}/usr/local/bin/
-
-      ln -sf /usr/bin/yq ${{targets.contextdir}}/usr/local/bin/yq
-
-  - uses: strip
-
-update:
-  enabled: true
-  ignore-regex-patterns:
-    - '.*\-.*'
-  github:
-    identifier: neuvector/neuvector
-    tag-filter: v
-    strip-prefix: v
diff --git a/neuvector-monitor.yaml b/neuvector-monitor.yaml
deleted file mode 100644
index 2bfb6ac48df..00000000000
--- a/neuvector-monitor.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-package:
-  name: neuvector-monitor
-  version: 5.3.3
-  epoch: 0
-  description: NeuVector Full Lifecycle Container Security Platform.
-  copyright:
-    - license: Apache-2.0
-
-environment:
-  contents:
-    packages:
-      - busybox
-      - ca-certificates-bundle
-      - gcc
-      - glibc-dev
-      - make
-
-pipeline:
-  - uses: git-checkout
-    with:
-      repository: https://github.com/neuvector/neuvector
-      tag: v${{package.version}}
-      expected-commit: 6a298bdfea1a1beb2d71cc4ac345956c687ec78c
-
-  - runs: |
-      make -C monitor
-      mkdir -p ${{targets.contextdir}}/usr/local/bin
-      install -Dm755 monitor/monitor ${{targets.contextdir}}/usr/local/bin/monitor
-
-update:
-  enabled: true
-  ignore-regex-patterns:
-    - '.*\-.*'
-  github:
-    identifier: neuvector/neuvector
-    strip-prefix: v
diff --git a/neuvector-nstools.yaml b/neuvector-nstools.yaml
deleted file mode 100644
index a49bf347eb3..00000000000
--- a/neuvector-nstools.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-package:
-  name: neuvector-nstools
-  version: 5.3.3
-  epoch: 0
-  description: "NeuVector NSTools"
-  copyright:
-    - license: Apache-2.0
-
-environment:
-  contents:
-    packages:
-      - busybox
-      - ca-certificates-bundle
-      - go
-
-pipeline:
-  - uses: git-checkout
-    with:
-      expected-commit: 6a298bdfea1a1beb2d71cc4ac345956c687ec78c
-      repository: https://github.com/neuvector/neuvector.git
-      tag: v${{package.version}}
-
-  - runs: |
-      make -C tools/nstools
-      mkdir -p ${{targets.contextdir}}/usr/local/bin
-      install -Dm755 tools/nstools/nstools ${{targets.contextdir}}/usr/local/bin/nstools
-
-update:
-  enabled: true
-  ignore-regex-patterns:
-    - '.*\-.*'
-  github:
-    identifier: neuvector/neuvector
-    strip-prefix: v
-
-test:
-  pipeline:
-    - name: Run Help Command
-      runs: |
-        /usr/local/bin/nstools | grep 'h: help'
diff --git a/neuvector.yaml b/neuvector.yaml
new file mode 100644
index 00000000000..0f4605037aa
--- /dev/null
+++ b/neuvector.yaml
@@ -0,0 +1,176 @@
+package:
+  name: neuvector
+  version: 5.3.3
+  epoch: 6
+  description: "NeuVector Full Lifecycle Container Security Platform"
+  copyright:
+    - license: Apache-2.0
+
+environment:
+  contents:
+    packages:
+      - build-base
+      - busybox
+      - ca-certificates-bundle
+      - glibc-dev
+      - go
+      - jansson-dev
+      - jemalloc-dev
+      - libnetfilter_queue-dev
+      - libnfnetlink-dev
+      - libpcap-dev
+      - pcre-dev
+      - pcre2-dev
+      - pkgconf
+      - userspace-rcu-dev
+      - vectorscan-dev
+
+pipeline:
+  - uses: git-checkout
+    with:
+      expected-commit: 6a298bdfea1a1beb2d71cc4ac345956c687ec78c
+      repository: https://github.com/neuvector/neuvector.git
+      tag: v${{package.version}}
+
+  - uses: go/bump
+    with:
+      deps: github.com/docker/docker@v26.1.3+incompatible github.com/opencontainers/runc@v1.1.12 github.com/opencontainers/image-spec@v1.1.0 github.com/docker/distribution@v2.8.2-beta.1+incompatible golang.org/x/sys@v0.19.0 golang.org/x/net@v0.23.0 golang.org/x/text@v0.14.0 gopkg.in/yaml.v3@v3.0.1 github.com/containerd/containerd@v1.6.26 google.golang.org/grpc@v1.56.3 github.com/golang/protobuf@v1.5.4 golang.org/x/crypto@v0.22.0
+      replaces: github.com/samalba/dockerclient=github.com/Dentrax/dockerclient@v0.1.0 github.com/vishvananda/netlink=github.com/vishvananda/netlink@v1.1.0 github.com/dgrijalva/jwt-go=github.com/golang-jwt/jwt/v4@v4.4.2
+      show-diff: true
+
+subpackages:
+  - name: neuvector-monitor
+    description: "NeuVector Monitor"
+    pipeline:
+      - runs: |
+          # Build and install monitor
+          make -C monitor
+          install -Dm755 monitor/monitor ${{targets.contextdir}}/usr/local/bin/monitor
+
+          # Install sysctl config
+          mkdir -p ${{targets.contextdir}}/etc
+          install -Dm755 scripts/sysctl.conf ${{targets.contextdir}}/etc/
+
+          # Install scripts used by monitor
+          install -Dm755 scripts/configure.sh ${{targets.contextdir}}/usr/local/bin/
+          install -Dm755 scripts/teardown.sh ${{targets.contextdir}}/usr/local/bin/
+          install -Dm755 scripts/runtime-gdb.py ${{targets.contextdir}}/usr/local/bin/
+
+  - name: neuvector-nstools
+    description: "NeuVector NSTools"
+    pipeline:
+      - runs: |
+          # Build and install nstools
+          make -C tools/nstools
+          install -Dm755 tools/nstools/nstools ${{targets.contextdir}}/usr/local/bin/nstools
+
+  - name: neuvector-enforcer
+    description: "NeuVector Enforcer"
+    dependencies:
+      runtime:
+        - busybox
+        - ca-certificates
+        - consul
+        - curl
+        - ethtool
+        - iproute2
+        - iptables
+        - jq
+        - neuvector-monitor
+        - neuvector-nstools
+        - yq
+    pipeline:
+      - runs: |
+          sed -i 's|interim/master.xxxx|${{package.version}}|g' agent/version.go
+      - uses: go/build
+        with:
+          modroot: agent
+          ldflags: "-X main.version=${{package.version}} -s -w"
+          packages: .
+          output: agent
+          prefix: usr/local
+      - uses: go/build
+        with:
+          modroot: agent/workerlet/pathWalker
+          ldflags: "-X main.version=${{package.version}} -s -w"
+          packages: .
+          output: pathWalker
+          prefix: usr/local
+      - runs: |
+          mkdir -p ${{targets.contextdir}}/usr/local/bin
+
+          # Install scripts and templates used by agent
+          chmod +x agent/nvbench/*.sh
+          install -Dm755 agent/nvbench/*.sh ${{targets.contextdir}}/usr/local/bin/
+          install -Dm755 agent/nvbench/*.rem ${{targets.contextdir}}/usr/local/bin/
+          install -Dm755 agent/nvbench/*.tmpl ${{targets.contextdir}}/usr/local/bin/
+
+          # Build and install dp
+          export CFLAGS="$CFLAGS -DRCU_MEMBARRIER=true -I${PWD}/dp"
+          export LDFLAGS="$LDFLAGS -lurcu-memb -no-pie"
+          if [[ "${{build.arch}}" == "aarch64" ]]; then
+            make -C dp -f Makefile_arm64 CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"
+          else
+            make -C dp CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"
+          fi
+          mkdir -p ${{targets.contextdir}}/usr/local/bin
+          install -Dm755 dp/dp ${{targets.contextdir}}/usr/local/bin/dp
+
+          # yq is expected by agent in /usr/local/bin
+          ln -sf /usr/bin/yq ${{targets.contextdir}}/usr/local/bin/yq
+    test:
+      pipeline:
+        - runs: |
+            agent -v | grep "${{package.version}}"
+
+  - name: neuvector-controller
+    description: "NeuVector Controller"
+    dependencies:
+      runtime:
+        - busybox
+        - ca-certificates
+        - consul
+        - ethtool
+        - iproute2
+        - neuvector-monitor
+        - neuvector-nstools
+        - opa
+        - pcre
+        - procps
+    pipeline:
+      - runs: |
+          sed -i 's|interim/master.xxxx|${{package.version}}|g' controller/version.go
+      - uses: go/build
+        with:
+          modroot: controller
+          ldflags: "-X main.Version=${{package.version}} -X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn"
+          packages: .
+          output: controller
+          prefix: usr/local
+      - runs: |
+          # Create Folders
+          mkdir -p ${{targets.contextdir}}/etc/neuvector/templates
+          mkdir -p ${{targets.contextdir}}/usr/local/bin
+
+          # Install pod template
+          cp templates/podTemplate.json ${{targets.contextdir}}/etc/neuvector/templates/podTemplate.json
+
+          # NV checks for this empty file to validate controller is running in container
+          touch ${{targets.contextdir}}/usr/local/bin/.nvcontainer
+
+          # Binaries expected by agent in /usr/local/bin
+          ln -sf /usr/bin/opa ${{targets.contextdir}}/usr/local/bin/opa
+          ln -sf /bin/consul ${{targets.contextdir}}/usr/local/bin/consul
+    test:
+      pipeline:
+        - runs: |
+            controller --help 2>&1 |pcregrep -M 'START.*\nUsage'
+
+update:
+  enabled: true
+  ignore-regex-patterns:
+    - '.*\-.*'
+  github:
+    identifier: neuvector/neuvector
+    tag-filter: v
+    strip-prefix: v

From b22d1cafc2b7b1224fbf5245bf279ee13d7fb407 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 21:17:16 +0000
Subject: [PATCH 37/51] grype/0.79.1 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 grype.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/grype.yaml b/grype.yaml
index d7ec1a4d6b5..121bf17378b 100644
--- a/grype.yaml
+++ b/grype.yaml
@@ -1,6 +1,6 @@
 package:
   name: grype
-  version: 0.79.0
+  version: 0.79.1
   epoch: 0
   description: Vulnerability scanner for container images, filesystems, and SBOMs
   copyright:
@@ -15,7 +15,7 @@ pipeline:
     with:
       repository: https://github.com/anchore/grype
       tag: v${{package.version}}
-      expected-commit: 5821351240dab7145f7cdd156f6a1ecf88cf8da7
+      expected-commit: 239741f535c59d6e1b9faee61f64ebcf4361d2c5
 
   - uses: go/build
     with:

From be64f4b809d4751d85d00b1c31ce1f62e4e6b519 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 21:17:20 +0000
Subject: [PATCH 38/51] cargo-c/0.10.0 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 cargo-c.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cargo-c.yaml b/cargo-c.yaml
index ad4fba18075..3b867ca010f 100644
--- a/cargo-c.yaml
+++ b/cargo-c.yaml
@@ -1,6 +1,6 @@
 package:
   name: cargo-c
-  version: 0.9.32
+  version: 0.10.0
   epoch: 0
   description: build and install C-compatible libraries
   copyright:
@@ -20,7 +20,7 @@ pipeline:
     with:
       repository: https://github.com/lu-zero/cargo-c
       tag: v${{package.version}}
-      expected-commit: 56dfe34ce1281f6ae5eb5517f7cf03f87bec352c
+      expected-commit: 62e72d44915675b2678f32e701bc1503d32881bb
 
   - runs: |
       cargo build --release

From addba96f4c047ca32aee6c803c5623e6f7dc9f3e Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 21:17:25 +0000
Subject: [PATCH 39/51] k8sgpt/0.3.37 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 k8sgpt.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/k8sgpt.yaml b/k8sgpt.yaml
index 67683e7df56..e107ccbfd21 100644
--- a/k8sgpt.yaml
+++ b/k8sgpt.yaml
@@ -1,6 +1,6 @@
 package:
   name: k8sgpt
-  version: 0.3.35
+  version: 0.3.37
   epoch: 0
   description: Giving Kubernetes Superpowers to everyone
   copyright:
@@ -23,7 +23,7 @@ pipeline:
     with:
       repository: https://github.com/k8sgpt-ai/k8sgpt
       tag: v${{package.version}}
-      expected-commit: c3f164eb2b7fee572d2dd77c30c05b3d245e05c3
+      expected-commit: 3f80bbaa1b07f69d6033cc4df4b9b30c41e259e6
 
   - uses: go/bump
     with:

From b5818ff1e210b8079630b7b7f2f4e3bf2cb9ca16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= <batuhan.apaydin@chainguard.dev>
Date: Tue, 18 Jun 2024 00:50:41 +0300
Subject: [PATCH 40/51] fluentbit-watcher (#22127)

Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
---
 fluent-operator.yaml | 51 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

diff --git a/fluent-operator.yaml b/fluent-operator.yaml
index 0dfaab8eb8e..386dda551b6 100644
--- a/fluent-operator.yaml
+++ b/fluent-operator.yaml
@@ -1,7 +1,7 @@
 package:
   name: fluent-operator
   version: 2.9.0
-  epoch: 0
+  epoch: 1
   description: Operate Fluent Bit and Fluentd in the Kubernetes way - Previously known as FluentBit Operator
   copyright:
     - license: Apache-2.0
@@ -26,6 +26,55 @@ pipeline:
 
   - uses: strip
 
+subpackages:
+  - name: fluent-watcher
+    pipeline:
+      - runs: |
+          # https://github.com/fluent/fluent-operator/blob/v2.8.0/cmd/fluent-watcher/fluentbit/main.go#L24
+          mkdir -p "${{targets.contextdir}}"/fluent-bit/config
+      - uses: go/build
+        with:
+          packages: ./cmd/fluent-watcher/fluentbit
+          output: fluent-watcher
+          ldflags: -s -w
+          subpackage: true
+    test:
+      environment:
+        contents:
+          packages:
+            - fluent-bit
+            - fluent-bit-compat
+            - fluent-watcher-compat
+      pipeline:
+        - runs: |
+            echo "Testing fluent-watcher"
+            fluent-watcher -h
+            # Run fluent-watcher in the background and redirect its output to a temporary file
+            tempfile=$(mktemp)
+            fluent-watcher > "$tempfile" 2>&1 &
+
+            # Capture the PID of fluent-watcher
+            FLUENT_WATCHER_PID=$!
+
+            sleep 5
+
+            cat "$tempfile"
+
+            # Use grep to filter the output
+            cat "$tempfile" | grep -i "fluent-bit started"
+
+            # Wait for fluent-watcher to finish (optional)
+            kill $FLUENT_WATCHER_PID
+
+            # Clean up the temporary file
+            rm "$tempfile"
+
+  - name: fluent-watcher-compat
+    pipeline:
+      - runs: |
+          mkdir -p "${{targets.contextdir}}"/fluent-bit/bin/
+          ln -s /usr/bin/fluent-watcher "${{targets.contextdir}}"/fluent-bit/bin/fluent-watcher
+
 update:
   enabled: true
   github:

From ab31dce98b1b1e7927293ad4128959ea92fb81e1 Mon Sep 17 00:00:00 2001
From: Scott Moser <scott.moser@chainguard.com>
Date: Mon, 17 Jun 2024 22:14:44 +0000
Subject: [PATCH 41/51] xmlsec: Do not run make check

Running 'make check' during the build here:
1. is inconsistent with almost all our other packages
2. failed via timeout after 360 minutes during build of this PR
3. is run with `-i` (`--keep-going`) which entirely ignores the failure.

So, I'm removing it from the build.

If someone told me that `make -i` would exit success when something
failed, I would have not believed them.  To prove this to my future
self, and anyone else reading this commit:

    $ printf "all:\n\texit 1\n" > my.mk

    $ make -f my.mk; echo got $?
    exit 1
    make: *** [my.mk:2: all] Error 1
    got 2

    $ make -i -f my.mk; echo got $?
    exit 1
    make: [my.mk:2: all] Error 1 (ignored)
    got 0
---
 xmlsec.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/xmlsec.yaml b/xmlsec.yaml
index 69bed656642..d3c9793d55b 100644
--- a/xmlsec.yaml
+++ b/xmlsec.yaml
@@ -59,9 +59,8 @@ pipeline:
         --without-gnutls \
         --without-gcrypt \
         --without-nss \
-        --with-default-crypto=openssl \
-      && make \
-      && make -k check
+        --with-default-crypto=openssl
+      make
 
   - name: Install
     runs: |

From 1bc5e35d5c9cd0af1d95450a2bfef849e27f3ca3 Mon Sep 17 00:00:00 2001
From: Jon Johnson <jon.johnson@chainguard.dev>
Date: Mon, 17 Jun 2024 15:47:51 -0700
Subject: [PATCH 42/51] Bump util-linux epoch

Trying to fix signatures.

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
---
 util-linux.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util-linux.yaml b/util-linux.yaml
index 7e820e22118..7610fd25301 100644
--- a/util-linux.yaml
+++ b/util-linux.yaml
@@ -1,7 +1,7 @@
 package:
   name: util-linux
   version: 2.40.1
-  epoch: 0
+  epoch: 1
   description: Random collection of Linux utilities
   copyright:
     - license: |-

From ca233ef6bfc3e77136c400bd53e37879189bc6a6 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 23:07:42 +0000
Subject: [PATCH 43/51] py3-boto3/1.34.128 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 py3-boto3.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/py3-boto3.yaml b/py3-boto3.yaml
index 01b67791355..e83469ed772 100644
--- a/py3-boto3.yaml
+++ b/py3-boto3.yaml
@@ -1,7 +1,7 @@
 # Generated from https://pypi.org/project/boto3/
 package:
   name: py3-boto3
-  version: 1.34.127
+  version: 1.34.128
   epoch: 0
   description: The AWS SDK for Python
   copyright:
@@ -24,7 +24,7 @@ environment:
 pipeline:
   - uses: fetch
     with:
-      expected-sha256: 58ccdeae3a96811ecc9d5d866d8226faadbd0ee1891756e4a04d5186e9a57a64
+      expected-sha256: 43a6e99f53a8d34b3b4dbe424dbcc6b894350dc41a85b0af7c7bc24a7ec2cead
       uri: https://files.pythonhosted.org/packages/source/b/boto3/boto3-${{package.version}}.tar.gz
 
   - name: Python Build

From c4927ee410b97be6739075251fc0470ce662c64b Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 23:08:20 +0000
Subject: [PATCH 44/51] py3-botocore/1.34.128 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 py3-botocore.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/py3-botocore.yaml b/py3-botocore.yaml
index 81cb0704a98..e6c8b21a4d6 100644
--- a/py3-botocore.yaml
+++ b/py3-botocore.yaml
@@ -1,6 +1,6 @@
 package:
   name: py3-botocore
-  version: 1.34.127
+  version: 1.34.128
   epoch: 0
   description: The low-level, core functionality of Boto3
   copyright:
@@ -27,7 +27,7 @@ pipeline:
   - uses: fetch
     with:
       uri: https://files.pythonhosted.org/packages/source/b/botocore/botocore-${{package.version}}.tar.gz
-      expected-sha256: a377871742c40603d559103f19acb7bc93cfaf285e68f21b81637ec396099877
+      expected-sha256: 8d8e03f7c8c080ecafda72036eb3b482d649f8417c90b5dca33b7c2c47adb0c9
 
   - runs: |
       python3 setup.py build

From 54787c8e22e6f4a072ff8084b1fe6ea42c40069f Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Mon, 17 Jun 2024 23:17:11 +0000
Subject: [PATCH 45/51] uv/0.2.12 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 uv.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/uv.yaml b/uv.yaml
index 5d7ec1acd4f..22f9f397abf 100644
--- a/uv.yaml
+++ b/uv.yaml
@@ -1,6 +1,6 @@
 package:
   name: uv
-  version: 0.2.11
+  version: 0.2.12
   epoch: 0
   description: An extremely fast Python package installer and resolver, written in Rust.
   copyright:
@@ -22,7 +22,7 @@ pipeline:
     with:
       repository: https://github.com/astral-sh/uv
       tag: ${{package.version}}
-      expected-commit: 44041bccd2e3d72c81390a231021fbd03c66dbc1
+      expected-commit: b8c039166754e7906ca36ca356b7df8481c576b5
 
   - runs: |
       cargo build --locked --release

From 9dd4424f239bc7a2b50a9dfc9d436019f4713b15 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Tue, 18 Jun 2024 00:26:24 +0000
Subject: [PATCH 46/51] sigstore-scaffolding/0.7.2 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 sigstore-scaffolding.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/sigstore-scaffolding.yaml b/sigstore-scaffolding.yaml
index e08db3189f7..e8f2a81c53a 100644
--- a/sigstore-scaffolding.yaml
+++ b/sigstore-scaffolding.yaml
@@ -1,7 +1,7 @@
 package:
   name: sigstore-scaffolding
-  version: 0.7.1
-  epoch: 2
+  version: 0.7.2
+  epoch: 0
   description: Software Supply Chain Transparency Log
   copyright:
     - license: Apache-2.0
@@ -38,11 +38,7 @@ pipeline:
     with:
       repository: https://github.com/sigstore/scaffolding
       tag: v${{package.version}}
-      expected-commit: ca17aba7fb36a399884feb08ea114e1fdb3ea2cf
-
-  - uses: go/bump
-    with:
-      deps: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0
+      expected-commit: fb8d1817d2571303daf88f49d3a23daeb7474e84
 
 subpackages:
   - range: components

From 53c614a1a9f6d6b83cc8ae4aa7a5283e6ea91484 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Tue, 18 Jun 2024 01:43:13 +0000
Subject: [PATCH 47/51] velero-plugin-for-aws/1.10.0 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 velero-plugin-for-aws.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/velero-plugin-for-aws.yaml b/velero-plugin-for-aws.yaml
index a21499a708a..2dc41d31c8b 100644
--- a/velero-plugin-for-aws.yaml
+++ b/velero-plugin-for-aws.yaml
@@ -1,7 +1,7 @@
 package:
   name: velero-plugin-for-aws
-  version: 1.9.2
-  epoch: 5
+  version: 1.10.0
+  epoch: 0
   description: Plugins to support Velero on AWS
   copyright:
     - license: Apache-2.0
@@ -10,13 +10,9 @@ pipeline:
   - uses: git-checkout
     with:
       tag: v${{package.version}}
-      expected-commit: 40c18f15bd464b0e6c1f6158a6bd3373fd1420b9
+      expected-commit: dc31965355236e4c07454b44eefc13525ff037ef
       repository: https://github.com/vmware-tanzu/velero-plugin-for-aws
 
-  - uses: go/bump
-    with:
-      deps: golang.org/x/net@v0.23.0
-
   - uses: go/build
     with:
       packages: ./velero-plugin-for-aws

From 7b86774b4170e75d7c4f5d58dc8618a893f08dac Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Tue, 18 Jun 2024 04:17:26 +0000
Subject: [PATCH 48/51] teleport/16.0.1 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 teleport.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/teleport.yaml b/teleport.yaml
index 25db98cc213..861c37eb5ac 100644
--- a/teleport.yaml
+++ b/teleport.yaml
@@ -1,6 +1,6 @@
 package:
   name: teleport
-  version: 16.0.0
+  version: 16.0.1
   epoch: 0
   description: The easiest, and most secure way to access and protect all of your infrastructure.
   copyright:
@@ -30,7 +30,7 @@ pipeline:
   - uses: git-checkout
     with:
       repository: https://github.com/gravitational/teleport
-      expected-commit: bb8b73a29fd2f830ac9a0a1bd4ca585f4b877528
+      expected-commit: 9c7b506d5d36f0714535602e16ae794047b753f2
       tag: v${{package.version}}
 
   - runs: |

From 9938e43cd0d43e878286a59fbb995faae24f7a69 Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Tue, 18 Jun 2024 05:18:21 +0000
Subject: [PATCH 49/51] argo-workflows/3.5.8 package update

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 argo-workflows.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/argo-workflows.yaml b/argo-workflows.yaml
index a38132678a1..9278bf2ed9a 100644
--- a/argo-workflows.yaml
+++ b/argo-workflows.yaml
@@ -1,7 +1,7 @@
 package:
   name: argo-workflows
-  version: 3.5.7
-  epoch: 2
+  version: 3.5.8
+  epoch: 0
   description: Workflow engine for Kubernetes.
   copyright:
     - license: Apache-2.0
@@ -20,14 +20,10 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 503eef1357ebc9facc3f463708031441072ef7c2
+      expected-commit: 3bb637c0261f8c08d4346175bb8b1024719a1f11
       repository: https://github.com/argoproj/argo-workflows
       tag: v${{package.version}}
 
-  - uses: go/bump
-    with:
-      deps: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0
-
   - runs: |
       # NODE_OPTIONS has to been set
       sed -i 's/NODE_OPTIONS='\''[^'\'']*'\''/NODE_OPTIONS='\''--openssl-legacy-provider'\''/g' ui/package.json

From 184d2ecba96081756f7f6ab33c388f339f7ba068 Mon Sep 17 00:00:00 2001
From: cpanato <ctadeu@gmail.com>
Date: Tue, 18 Jun 2024 09:53:46 +0200
Subject: [PATCH 50/51] rebuild dask-gateway

---
 dask-gateway.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dask-gateway.yaml b/dask-gateway.yaml
index c34bbd3350c..3238a40ae24 100644
--- a/dask-gateway.yaml
+++ b/dask-gateway.yaml
@@ -1,7 +1,7 @@
 package:
   name: dask-gateway
   version: 2024.1.0
-  epoch: 5
+  epoch: 6
   description: "A multi-tenant server for securely deploying and managing Dask clusters."
   copyright:
     - license: BSD-3-Clause
@@ -40,8 +40,8 @@ pipeline:
 
   - runs: |
       cd ${{package.name}}
-      # Mitigate GHSA-753j-mpmx-qq6g
-      sed -i 's|tornado|tornado>=6.4.1|g' requirements.txt
+      # Mitigate GHSA-753j-mpmx-qq6g, GHSA-w235-7p84-xx57
+      sed -i 's|tornado|tornado==6.4.1|g' requirements.txt
 
       # Build package
       python -m gpep517 build-wheel --wheel-dir dist --output-fd 1

From e0d22281571524e7a128e05ee003223a86d62a28 Mon Sep 17 00:00:00 2001
From: cpanato <ctadeu@gmail.com>
Date: Tue, 18 Jun 2024 10:36:03 +0200
Subject: [PATCH 51/51] try to mitigate GHSA-7v5v-9h63-cj86 for
 kubeflow-centraldashboard

---
 kubeflow-centraldashboard.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kubeflow-centraldashboard.yaml b/kubeflow-centraldashboard.yaml
index 5d628208296..63525b11e84 100644
--- a/kubeflow-centraldashboard.yaml
+++ b/kubeflow-centraldashboard.yaml
@@ -1,7 +1,7 @@
 package:
   name: kubeflow-centraldashboard
   version: 1.8.0
-  epoch: 4
+  epoch: 5
   description: Landing page and central dashboard for Kubeflow deployments
   copyright:
     - license: MIT
@@ -34,11 +34,11 @@ pipeline:
       # Create "overrides" section of package.json
       jq '.overrides |= (if . then . else {} end)' package.json > temp.json && mv temp.json package.json
 
-      for override in '"ajv"="^6.12.3"' '"node-fetch"="^2.6.7"' '"node-forge"="^1.3.0"' '"axios"="^1.6.0"' '"qs"="^6.7.3"' '"underscore"="^1.12.1"' '"minimatch"="^3.0.5"' '"path-parse"="^1.0.7"' '"word-wrap"="^1.2.4"' '"protobufjs"="^6.11.4"' '"request"="^2.88.0"' '"monorepo-symlink-test"="^0.0.0"' '"tough-cookie"="^4.1.3"' '"ws"="^6.2.2"' '"follow-redirects"="^1.15.6"' '"express"="^4.19.2"' ; do
+      for override in '"ajv"="^6.12.3"' '"node-fetch"="^2.6.7"' '"node-forge"="^1.3.0"' '"axios"="^1.6.0"' '"qs"="^6.7.3"' '"underscore"="^1.12.1"' '"minimatch"="^3.0.5"' '"path-parse"="^1.0.7"' '"word-wrap"="^1.2.4"' '"protobufjs"="^6.11.4"' '"request"="^2.88.0"' '"monorepo-symlink-test"="^0.0.0"' '"tough-cookie"="^4.1.3"' '"ws"="^6.2.2"' '"follow-redirects"="^1.15.6"' '"express"="^4.19.2"' '"@grpc/grpc-js"="^1.10.9"' ; do
         jq ".overrides.${override}" package.json > temp.json && mv temp.json package.json
       done
 
-      for dep in '"express"="^4.19.2"' ; do
+      for dep in '"express"="^4.19.2"' '"@grpc/grpc-js"="^1.10.9"' ; do
         jq ".dependencies.${dep}" package.json > temp.json && mv temp.json package.json
       done