Release v0.5.4

What's Changed

• improve 'melange convert python' to remove manual steps by @imjasonh in #846
• fix docs for --runner by @imjasonh in #848
• format manifests with yam by @imjasonh in #849
• convert python: don't overwrite existing files by @imjasonh in #850
• default --use-github=true by @imjasonh in #847
• fix and continuously validate SBOMs by @imjasonh in #851
• Add jsonschema generation binary. by @wlynch in #861
• Fix lints, or ignore safe ones. No functional changes. by @vaikas in #865
• Fix the lint warnings in pkg/linter by @vaikas in #866
• UTC-ify source date epoch when set by @imjasonh in #868
• support resource requests and timeouts by @imjasonh in #869
• Fix capitalization of SBOM originators by @imjasonh in #867
• Add Test pipelines by @vaikas in #864
• cleanup: don't use pkg/errors by @imjasonh in #870
• Ensure jsonschema is kept up to date. by @wlynch in #862
• build(deps): bump github.com/klauspost/compress from 1.17.2 to 1.17.4 by @dependabot in #874
• build(deps): bump google.golang.org/api from 0.150.0 to 0.152.0 by @dependabot in #873
• build(deps): bump go.opentelemetry.io/otel from 1.20.0 to 1.21.0 by @dependabot in #857
• build(deps): bump k8s.io/apimachinery from 0.28.3 to 0.28.4 by @dependabot in #853
• build(deps): bump sigs.k8s.io/release-utils from 0.7.6 to 0.7.7 by @dependabot in #852
• prefix should be /usr by @lpcalisi in #863
• schema: update for new test pipeline configuration by @kaniini in #875
• build(deps): bump k8s.io/client-go from 0.28.3 to 0.28.4 by @dependabot in #855
• build(deps): bump chainguard.dev/apko from 0.11.3-0.20231103184130-c376bfafbda0 to 0.12.0 by @dependabot in #872
• build(deps): bump golang.org/x/sys from 0.14.0 to 0.15.0 by @dependabot in #871

New Contributors

• @lpcalisi made their first contribution in #863

Full Changelog: v0.5.3...v0.5.4

Release v0.5.3

What's Changed

• use forked alpine-go in go-apk by @imjasonh in #815
• test runtime replacements by @imjasonh in #837
• apply substitutions to .environment.contents.packages by @imjasonh in #838
• update go-apk dependency by @imjasonh in #842
• build(deps): bump cloud.google.com/go/storage from 1.33.0 to 1.35.1 by @dependabot in #840
• build(deps): bump google.golang.org/api from 0.149.0 to 0.150.0 by @dependabot in #835
• move spammy logs to debugf by @imjasonh in #807
• pipelines: go/build: add support for go.mod overlay files by @kaniini in #843
• build(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 by @dependabot in #841
• build(deps): bump go.opentelemetry.io/otel from 1.19.0 to 1.20.0 by @dependabot in #839
• build(deps): bump golang.org/x/time from 0.3.0 to 0.4.0 by @dependabot in #825
• build(deps): bump github.com/sigstore/cosign/v2 from 2.2.0 to 2.2.1 by @dependabot in #836
• Update release.md by @imjasonh in #844

Full Changelog: v0.5.2...v0.5.3

Release v0.5.2

What's Changed

• Document the release steps. by @vaikas in #759
• Add APK linting to Melange by @Elizafox in #760
• replace the fetch python url to more friendly URI by @cpanato in #761
• document full-version, add pointer to docs. by @vaikas in #753
• Centralize SOURCE_DATE_EPOCH parsing. by @wlynch in #767
• Add multiple Python packages post-linter by @Elizafox in #764
• build(deps): bump google.golang.org/api from 0.147.0 to 0.148.0 by @dependabot in #774
• build(deps): bump k8s.io/client-go from 0.28.2 to 0.28.3 by @dependabot in #773
• build(deps): bump github.com/klauspost/compress from 1.17.1 to 1.17.2 by @dependabot in #771
• build(deps): bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #768
• build(deps): bump chainguard.dev/apko from 0.10.1-0.20230918194837-e9722fcc3e50 to 0.11.0 by @dependabot in #770
• build(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 by @dependabot in #782
• Improve linter diagnostic output by @Elizafox in #783
• Fix ownership not being preserved by @epsilon-phase in #781
• linter: refactor check block generation in tests by @Elizafox in #786
• melange bump: only reset the epoch if version changes, else increment it by @rawlingsj in #733
• Add Python docs linter by @Elizafox in #789
• readlinkfs: ignore security.selinux xattrs by @joemiller in #790
• Rename Python linters to python/* by @Elizafox in #791
• drop sync-issues-to-project-board.yaml not used anymore by @cpanato in #765
• SCA: add python dependency generator by @kaniini in #788
• Add python/test linter by @Elizafox in #795
• SCA refactoring, part 1 by @kaniini in #793
• Add json tags to melange Configuration. by @wlynch in #796
• Separate out package and build lints by @Elizafox in #797
• Fix ownership issue by @epsilon-phase in #784
• Add SBOM linter by @Elizafox in #801
• pipelines: add npm-install pipeline by @julienv3 in #763
• build(deps): bump sigs.k8s.io/release-utils from 0.7.5 to 0.7.6 by @dependabot in #798
• build(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible by @dependabot in #800
• build(deps): bump chainguard.dev/apko from 0.11.1-0.20231026220613-a2b17f6490d2 to 0.11.1 by @dependabot in #799
• Fix Typo in the ./hack/make-devenv.sh by @debasishbsws in #727
• Add linters for documentation and object files by @epsilon-phase in #806
• Add a test to ensure that ranges are handled properly. by @epsilon-phase in #809
• Bump go-apk and use faster tarfs implementation by @jonjohnsonjr in #810
• Filter out noise opening non-ELF files by @jonjohnsonjr in #811
• Bump go-apk by @jonjohnsonjr in #812
• Fix deduplication of strings because slices.Compact doesn't sort the input by @kaniini in #814
• Remove impossible errors by @jonjohnsonjr in #816
• Make loadUse test actually test something by @jonjohnsonjr in #817
• Remove impossible errors by @jonjohnsonjr in #818
• Get rid of PackageContext and SubpackageContext by @jonjohnsonjr in #819
• Error early if uses and runs are both present by @jonjohnsonjr in #820
• remove unimplemented references to fulcio support by @imjasonh in #830
• fail if 'with' is used with 'runs' by @imjasonh in #829
• Delete no-op sbom code by @jonjohnsonjr in #832
• Plumb check configs through to linters by @jonjohnsonjr in #833
• GithubReleaseMonitor: add tagprefix and tagcontains to be used in git… by @ajayk in #834

New Contributors

• @epsilon-phase made their first contribution in #781
• @joemiller made their first contribution in #790
• @julienv3 made their first contribution in #763
• @debasishbsws made their first contribution in #727
• @ajayk made their first contribution in #834

Full Changelog: v0.5.1...v0.5.2

Release v0.5.1

What's Changed

• update with 0.5.0 changes by @joshrwolf in #740
• Fix and update deprecated fields for goreleaser by @cpanato in #741
• Track vendored deps for .PKGINFO by @jonjohnsonjr in #721
• Extricate config stuff from linter. by @Elizafox in #746
• build(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by @dependabot in #749
• build(deps): bump sigs.k8s.io/release-utils from 0.7.5-0.20230601212346-3866fe05b204 to 0.7.5 by @dependabot in #745
• build(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0 by @dependabot in #744
• Add function to lint APK files. by @Elizafox in #750
• linter: fix a typo in package linting function by @Elizafox in #752
• build(deps): bump google.golang.org/api from 0.143.0 to 0.146.0 by @dependabot in #751
• Fix a bug where substitutions were not done for runtime. by @vaikas in #754
• build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @dependabot in #755
• build(deps): bump github.com/lima-vm/lima from 0.17.2 to 0.18.0 by @dependabot in #756
• build(deps): bump google.golang.org/api from 0.146.0 to 0.147.0 by @dependabot in #757
• build(deps): bump github.com/klauspost/compress from 1.17.0 to 1.17.1 by @dependabot in #758

Full Changelog: v0.5.0...v0.5.1

Release v0.5.0

What's Changed

• Rename Contexts to Builds by @jonjohnsonjr in #525
• Add missing context propagation by @jonjohnsonjr in #527
• Bug fix: silent env var replacement by @luhring in #533
• Add otel spans by @jonjohnsonjr in #529
• Bump apko dep to pick up otel spans by @jonjohnsonjr in #535
• docs: explain how build cache works practically by @luhring in #537
• build: package: forcibly treat libc as a shared library by @kaniini in #538
• Change git-checkout depth default to 1 by @luhring in #539
• Fix/python version issue by @mesaglio in #532
• pull in apko with fix for blank SOURCE_DATE_EPOCH by @deitch in #542
• Remove use of deprecated WaitImmediate by @jonjohnsonjr in #528
• lima startup issues fixed by @deitch in #543
• add dir option to ruby pipelines as not all gemspecs live in the root… by @rawlingsj in #544
• K8s runner template bugs by @joshrwolf in #550
• K8s runner retry exec by @joshrwolf in #549
• Refactor some pipelines to more safely use pipeline expansions by @kaniini in #554
• Default remove builder by @joshrwolf in #552
• use go-apk.FullFS for retrieving builder workspaces by @joshrwolf in #548
• Correct the variable name in the patch pipeline by @mattmoor in #555
• Stop breaking github action. by @mesaglio in #546
• Pod names must be RFC1123 compliant by @mattmoor in #557
• K8s runner fetch workspace tgz by @joshrwolf in #551
• Avoid using pargzip for compression by @jonjohnsonjr in #558
• Add more otel spans to k8s runner by @jonjohnsonjr in #565
• build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4 by @dependabot in #562
• skip the cache mount for kubernetes runner builds by @joshrwolf in #566
• Make sure we log errors. by @mattmoor in #570
• Log errors bundling, enable GGCR Warn/Progress logs by @mattmoor in #574
• add k8s runner config loading from envvars by @joshrwolf in #571
• Remove wget -q from fetch by @mattmoor in #575
• Several fixes to k8s runner. by @mattmoor in #578
• Tweak the strip pipeline so that it never fails for deleted files by @mattmoor in #573
• convert/python: check if release is found by @Dentrax in #572
• Fix subpackage SBOM generation by @jonjohnsonjr in #569
• build(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 by @dependabot in #530
• build(deps): bump github.com/klauspost/pgzip from 1.2.5 to 1.2.6 by @dependabot in #561
• build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 by @dependabot in #564
• build(deps): bump google.golang.org/api from 0.129.0 to 0.133.0 by @dependabot in #576
• build(deps): bump github.com/docker/docker from 24.0.2+incompatible to 24.0.5+incompatible by @dependabot in #577
• build(deps): bump google.golang.org/api from 0.133.0 to 0.134.0 by @dependabot in #580
• build(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.1 by @dependabot in #579
• Refactor the config/logging stuff out of build by @Elizafox in #581
• renovate: update to use new config infrastructure by @Elizafox in #585
• pipelines: meson/configure: explicitly invoke meson setup action by @kaniini in #582
• Updates on ci and release by @cpanato in #583
• Make var transforms work in bump by @Elizafox in #586
• container: bubblewrap: do not defer closing files by @kaniini in #596
• build: package: add pkgconf-based SCA to catalog SDKs which use it by @kaniini in #590
• doc and lint revisions by @jessp01 in #598
• build(deps): bump google.golang.org/api from 0.134.0 to 0.136.0 by @dependabot in #597
• build(deps): bump golang.org/x/sys from 0.10.0 to 0.11.0 by @dependabot in #594
• build(deps): bump github.com/lima-vm/lima from 0.16.0 to 0.17.0 by @dependabot in #593
• build(deps): bump github.com/google/go-containerregistry from 0.15.2 to 0.16.1 by @dependabot in #592
• Version transform block in melange by @Elizafox in #588
• Add docs about custom pipelines, defining and using. by @vaikas in #604
• Support for setting context in .melange.k8s.yaml by @tcnghia in #605
• allow override go version for uses: go/build and go/install by @rawlingsj in #606
• add melange sign command, slightly refactor and make public the signing methods by @joshrwolf in #607
• plumb through SDE to EmitSignature by @joshrwolf in #608
• support substitutions in provides lists by @imjasonh in #610
• Set reasonable concurrency levels for pgzip by @jonjohnsonjr in #611
• Bump pkgconfig to pick up the openblas fix. by @dlorenc in #612
• Bump pkg-config again to actually pick up the openblas fix. by @dlorenc in #618
• Add ${{targets.contextdir}} by @kaniini in #622
• add --force option to recreate apk indexes with given signatures by @joshrwolf in #626
• sign: do not rename across device boundaries by @kaniini in #627
• Fix the links to commands, fix the URLs generated. by @vaikas in #624
• cli: index: add --signing-key, --source and --merge options by @kaniini in #629
• docs: typo in go-build example by @acuteaura in #630
• Bump apko and fix everything I broke by @jonjohnsonjr in #631
• Print the path to generated melange config. by @vaikas in #636
• feat: support --recurse-submodules in git clone by @stormqueen1990 in #639
• readlinkfs: ignore some security-module specific xattrs by @kaniini in #640
• Add --wolfi-defaults flag, clean up flag handling. by @vaikas in #641
• Start of exhaustively documenting the build file. by @vaikas in #609
• Add a maven/configure-mirror pipeline to redirect to GCP. by @dlorenc in #644
• Add flags for resolving git tags, release-monitoring by @vaikas in #643
• add builtin pipelines for python by @imjasonh in #642
• remove extra backtick. by @vaikas in #647
• Bunch of lint fixes. No functional changes. by @vaikas in #645
• Change GeneratedMelangeConfig to embed pkg/config/config instead of redefining it. by @vaikas in #650
• Fix syntax in maven pipeline (and add test). by @dlorenc in #652
• package: dereference symlinks for aliased pkg-config modules by @kaniini in #653
• Fix issue: #658 by @vaikas in #659
• feat: add output logs for the apkbuild converter by @stormqueen1990 in #660
• Change default python-v...

Release v0.4.0

What's Changed

• update NEWS for melange 0.3.0. by @kaniini in #357
• Add darwin goreleaser target (macOS) by @jdolitsky in #359
• Upgrade go to 1.20 and clean up ci by @cpanato in #358
• Allow construction of empty packages without environment/pipelines by @kaniini in #360
• build: fix SBOM language gathering for subpackage pipelines by @kaniini in #361
• package: allow any library which has a SONAME to be a provider by @kaniini in #362
• Fix goreleaser cosign flags by @jdolitsky in #365
• Bump apko to pick up busybox detection fix. by @dlorenc in #366
• melange bump: optional flag to modify git-checkout pipeline expected-… by @rawlingsj in #367
• make original test commit sha different from the new expected sha to … by @rawlingsj in #368
• fix: log package new names+versions when regenerating index by @imjasonh in #369
• add a update.manual: key to indicate a package should be manually u… by @rawlingsj in #371
• Add --arch to melange index to skip packages with the wrong arch by @kaniini in #372
• index: rework architecture filtering by @kaniini in #375
• feat: respect target-architecture to filter archs by @imjasonh in #376
• export mutate functions as these are very useful to be called outside… by @rawlingsj in #377
• update to apko git by @kaniini in #379
• Use logrus for logging, like apko by @kaniini in #380
• build(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.2 by @dependabot in #382
• build(deps): bump actions/add-to-project from 0.4.1 to 0.5.0 by @dependabot in #373
• feat: send useragent in HTTP requests by @imjasonh in #378
• upgrade alpine pkgs lima by @developer-guy in #289
• build(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 by @dependabot in #383
• Upgrade to apko 0.7.4-20230411 snapshot. by @kaniini in #386
• Use formatted YAML encoder from yam by @luhring in #385
• build: package: append subpackages to build log by @kaniini in #387
• pipelines: autoconf/make-install: delete all GNU libtool metadata files by @kaniini in #388
• Do not depend on concrete logger by @luhring in #389
• Print full uri to debug file download errors by @patflynn in #390
• update apko to 20230413 snapshot by @kaniini in #391
• fix 403 error when melange bumping some packages, https://www.netfilt… by @rawlingsj in #392
• build(deps): bump actions/checkout from 3.5.0 to 3.5.2 by @dependabot in #393
• Fix parse configuration's use of abstract filesystems by @luhring in #395
• update apko dependency to 20230419 snapshot by @kaniini in #397
• update apko to 20230420, use apko log.Logger everywhere by @kaniini in #399
• build(deps): bump google.golang.org/api from 0.116.0 to 0.119.0 by @dependabot in #398
• upgrade apko to 20230421 snapshot by @kaniini in #400
• build(deps): bump github.com/docker/docker from 23.0.3+incompatible to 23.0.4+incompatible by @dependabot in #402
• cli: build: warn when no work to do instead of throwing an error by @kaniini in #403
• bump to latest apko which handles file overwrites by @deitch in #404
• add a strip-suffix: key to melange update struct to indicate strippin… by @rawlingsj in #405
• add ignore-regex-patterns update config to indicate you want to ign… by @rawlingsj in #406
• simplify DataItems to use the builtin marshallable map type by @joshrwolf in #407
• update alpine-go to include replaces hotfix by @kaniini in #410
• use go-apk library instead of apko by @deitch in #411
• move signing funcs to rely on external go-apk library by @deitch in #412
• build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.6.1-0.20230428211436-f22972d078c8 to 0.7.0 by @dependabot in #414
• Add name method to build config by @luhring in #419
• build: add support for configurable logging policies by @kaniini in #420
• Add trimpath to the go pipeline. by @dlorenc in #424
• build: package: skip SONAME analysis when ELF interpreter setting is present by @kaniini in #425
• chore: improve mac quick-start guide by @AlexsJones in #427
• Add an optional "deps" paramter to the go/build pipeline. by @dlorenc in #428
• pipelines: patch: add support for quilt patch-series files by @kaniini in #429
• build(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 by @dependabot in #432
• Set builddate in our .PKGINFO control data. by @mattmoor in #435
• use latest version of melange in lima configuration file by @developer-guy in #436
• add multiple runner options by @deitch in #263
• Add go vendor support to the go build pipeline. by @dlorenc in #440
• add configuration field inline docs by @joshrwolf in #430
• add extra logging when runner fails to TestUsability by @rawlingsj in #446
• default for mac is docker, not bwrap by @deitch in #447
• Update distroless references by @jonjohnsonjr in #452
• Update README.md by @imjasonh in #453
• Allow built in melange pipelines to be used in subpackages by @rawlingsj in #455
• Try to make install work on Linux and Mac. by @amouat in #451
• Pull in index builddate support. by @mattmoor in #460
• build(deps): bump github.com/docker/docker from 23.0.4+incompatible to 24.0.1+incompatible by @dependabot in #458
• Pull in the latest go-apk for xattrs support by @mattmoor in #462
• upgrade go-apk to latest commit, implement go-apk XattrFS interfaces by @kaniini in #463
• build(deps): bump google.golang.org/api from 0.119.0 to 0.123.0 by @dependabot in #457
• Require that build config YAML has only known fields by @luhring in #465
• include filename when parsing fails by @imjasonh in #466
• Remove secfixes and advisories altogether by @luhring in #468
• Validate configuration at the end of parsing by @luhring in #469
• upgrade alpine-lima to 3.18 by @developer-guy in #467
• add wolfictl by @developer-guy in #473
• Bump apko and fix what that breaks by @jonjohnsonjr in #477
• build(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 by @dependabot in #439
• build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 by @dependabot in #448
• Refactor index code, support writing APKINDEX JSON representation natively by @kaniini in #478
• build(deps): bump github.com/lima-vm/lima from 0.14.2 to 0.16.0 by @dependabot in #479
• build(deps): bump sigstore/cosign-installer from 3.0.2 to 3.0.5 by @dependabot in https://github.com/chainguard-dev/melan...

Release v0.3.2

Changelog

• 4ed1d07 Merge pull request #364 from jdolitsky/release-0.3.x

Release v0.2.0

Changelog

• 160cd0d Merge pull request #228 from chainguard-dev/chore/news-0.2

Release v0.1.0

Changelog

• 4144a8a melange 0.1.0