Add exclude-reason field to existing configs with comments.

[wlynch]

Moves existing update field comments into new exclude-reason field. This is intented to track why auto-update is disabled for a particular package.

Related: https://github.com/chainguard-dev/mono/issues/18290, https://github.com/wolfi-dev/wolfictl/pull/1060/files

Pre-review Checklist

For new package PRs only

• This PR is marked as fixing a pre-existing package request bug
  • Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
• REQUIRED - The package is available under an OSI-approved or FSF-approved license
• REQUIRED - The version of the package is still receiving security updates
• This PR links to the upstream project's support policy (e.g. endoflife.date)

For new version streams

• The upstream project actually supports multiple concurrent versions.
• Any subpackages include the version string in their package name (e.g. name: ${{package.name}}-compat)
• The package (and subpackages) provides: logical unversioned forms of the package (e.g. nodejs, nodejs-lts)
• If non-streamed package names no longer built, open PR to withdraw them (see WITHDRAWING PACKAGES)

For package updates (renames) in the base images

When updating packages part of base images (i.e. cgr.dev/chainguard/wolfi-base or ghcr.io/wolfi-dev/sdk)

• REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk images successfully build
• REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk contain no obsolete (no longer built) packages
• Upon launch, does apk upgrade --latest successfully upgrades packages or performs no actions

For security-related PRs

• The security fix is recorded in the advisories repo

For version bump PRs

• The epoch field is reset to 0

For PRs that add patches

• Patch source is documented

[rawlingsj]

We may need to split this up into batches so that the presubmit build can run fully.

Also looks like the update check fails to unmarshal the exclude-reason, additionally it looks like the wolfictl lint warning is causing the CI check to fail

[wlynch]

Any prior art for how fine we should split this up?

The lint failing sounds like a wolfictl bug. I can dig into it.

[wlynch]

https://github.com/wolfi-dev/wolfictl/pull/1066/files

[rawlingsj]

We could try the big batch and see how it goes, at least we wont build new versions once it's merged to main as changes to the update block to not cause new apk versions to be built.

The lint bug is fixed now yay thanks! On quick glance it looks like genuine lint errors.